A Ten Step Legal Checklist for your Website
We’ve all heard of GDPR by now but that’s just the tip of the iceberg when it comes to ensuring your website is above board. We’ve pulled together ten areas of legal compliance into a handy checklist to help keep you on the right side of the law.
Some other relevant articles...
Here's what we will cover...
- Start as you mean to go on
- Get clear with GDPR
- Locking the doors
- Identify yourself!
- How do your cookies crumble?
- Be sales savvy
- Is your website accessible?
- Don’t be a content copycat
- Draws, competitions and lotteries
- Ofcom and offensive content: watch this space!
- Industry specific compliance
Start as you mean to go on
When is the best time to audit your website for legal compliance? The sooner you get working on it the better as the authorities can come knocking (or emailing) at any time.
If you are currently setting up a new website (maybe your first proper website!) you should ask your chosen web designer to run through this checklist with you so you can start off on the right foot.
Disclaimer: We’re not lawyers so the information below is not intended as a substitute for getting legal advice!
1.Get clear with GDPR
We mention GDPR first because falling foul of this relatively new piece of data protection legislation can potentially expose you to business-ending fines. The good news is that it is relatively simple to comply with the regulation and you are unlikely to face a serious problem unless you are completely reckless with data.
The key points to act on are:
- If you use your website to get people to sign up to your mailing list, the forms you use must default to the ‘no consent’ option. In other words, visitors will need to ‘opt in’ to your mailing list by ticking a checkbox or in some other obvious way.
- Include on your sign-up form (or prominently nearby) details of what your visitor is signing up for (e.g. an email newsletter to be sent out once a month at the most).
- Make sure it is easy for subscribers to withdraw their consent and have their data erased on request.
- If a subscriber or account holder asks for a copy of the data you hold on them, you must be able to send it to them quickly.
- You must only collect the amount of personal data you need and keep it for as long as you need it.
2.Locking the doors
Cybercrime is probably your biggest risk as a business owner and hackers are ramping up their attacks in response to the number of people remote working and using poorly secured Wi-Fi connections.
From a website perspective, the most important steps you can take are to ensure your software is up to date and to install an SSL certificate.
If you have a WordPress site, check your email details are correct and pop in to the back end every now and then to ensure plugins and WordPress itself are up to date (you will see red warning icons if any need updating). You can choose to have minor updates applied automatically.
An SSL certificate will enable encrypted communications from the front end of your website to the server. If you visit your website and the browser shows the padlock icon and an https:// address then you are good. Vu Online set up SSL certificates as standard when developing sites but there are WordPress plugins that make the process very easy. For more on plugins, consider booking a spot on our upcoming WordPress Training Course.
If you are a registered company, there are certain steps you have to comply with when setting up a website. These are governed by the Companies Act (2016) and include certain information that you have to legibly display on your website, including:
- Your registered company name
- Your company registration number
- Your country of registration
- Your registered office address
- A contact address and email address
- Details of how to contact you physically
- VAT number (even if you don’t sell online)
- Professional body membership details
4.How do your cookies crumble?
Cookies are tiny files that pack a lot of power. Through them, you and services you host on your site (e.g. Google Adsense) can potentially track visitors across the web.
5.Be sales savvy
If you run an e-commerce site there are a host of legal regulations you will need to get familiar with. These include Consumer Contracts Regulations, E-Commerce Regulations, Consumer Rights Act and PCI DSS.
While on the topic of online selling, you should make sure that any online advertising you do is legit. If you use a service such as Google Ads or Facebook Ads, your ad content will go through an approval process anyway. However, if you are hosting your own banner ads or publishing sponsored content, you should familiarise yourself with the rules set out by the Advertising Standards Authority (ASA).
6.Is your website accessible?
America has seen some eye-watering fines imposed on websites that have discriminated against people with disabilities. UK website owners have so far been lucky but there is always the risk of falling foul of the Equalities Act (2010).
To remain compliant and provide a fair service for all visitors, make sure your website is compatible with the most commonly used assistive technologies such as speech recognition, screen magnifiers and screen readers. Think about people with visual impairments when choosing fonts and type sizes and avoid colour combinations that are difficult to read (website content design software is starting to flag this up).
Whatever steps you take, formalise them in an Accessibility Statement.
7.Don’t be a content copycat
Copying other people’s website content – text or images – is not only lazy, it can land you in a lot of hot water. In school or college, you might have got a detention, lines or a failed assignment. In the commercial world, you might find yourself facing hundreds or even thousands of pounds of fines for copyright infringement.
While you should always be writing your own content (for search engine optimisation reasons as much as anything), images can be a more difficult issue, especially if you don’t want to take or commission your own photographs.
Fortunately, there are plenty of royalty-free image sites out there and Google even allows you to filter their image search facility by clicking ‘Tools’ and selecting the ‘Usage Rights’ filter. Unless images are confirmed as being in the public domain (or under licence CC0 1.0, which means the same thing) you will usually be required to publish an attribute to the author of the image.
8.Draws, competitions and lotteries
While it is perfectly fine to run free and paid competitions online without a permit or licence, there are a couple of pieces of legislation you need to be aware of.
First, the Betting, Gaming and Lotteries Act (1963) sets out the steps businesses must take to ensure they are not running an illegal lottery. This includes ensuring people are able to enter a competition for free and that they will have an equal chance of winning even if competing with paid entries. Competitions must also have an element of skill (e.g. a question that must be answered correctly). While random draws are permitted, they must be free to enter.
If you intend to run a lottery, contact the Gambling Commission for guidance and an application form.
Second, the ASA’s CAP code sets requirements on the notification of winners. A recent consultation concluded that providing winners are not identifiable (e.g. by only including their initial, surname and county), it is possible to comply with both the CAP code and GDPR.
9.Ofcom and offensive content: watch this space!
While legal content on the internet is largely unregulated, this could be changing soon. As part of their upcoming Online Harms Act, the UK government are expected to give the communications regulator Ofcom some powers to regulate online content, particularly where this is likely to harm children.
10.Industry specific compliance
If you are in an industry such as finance, healthcare or law, there are likely to be all sorts of additional standards and regulations that affect how you design and operate your website. If you are unclear about online compliance, contact your industry’s membership body for advice.