What are the legal requirements for a website a 10 step Guide

We’ve all heard of GDPR by now but that’s just the tip of the iceberg when it comes to ensuring your website is above board. We get asked a lot, what are the legal requirements for a website? So we’ve pulled together ten areas of legal compliance into a handy checklist to help keep you on the right side of the law.

What we will cover

Start as you mean to go on

When is the best time to audit your website for legal compliance? The sooner you get working on it the better as the authorities can come knocking (or emailing) at any time. 

If you are currently setting up a new website (maybe your first proper website!) you should ask your chosen web designer to run through this checklist with you so you can start off on the right foot.

If you aren’t sure what you’re doing or if you are falling foul of the legalities after GDPR, then get in touch to discuss a data audit workshop.

Disclaimer: We’re not lawyers so the information below is not intended as a substitute for getting legal advice! We are merely your common or garden digital marketers, however, we can make recommendations for experts in digital legal advice where necessary.

1.Get clear with GDPR

We mention GDPR first because falling foul of this relatively new piece of data protection legislation can potentially expose you to business-ending fines. The good news is that it is relatively simple to comply with the regulation and you are unlikely to face a serious problem unless you are completely reckless with data.

The key points to act on are:

  • If you use your website to get people to sign up to your mailing list, the forms you use must default to the ‘no consent’ option. In other words, visitors will need to ‘opt in’ to your mailing list by ticking a checkbox or in some other obvious way. 
  • Include on your sign-up form (or prominently nearby) details of what your visitor is signing up for (e.g. an email newsletter to be sent out once a month at the most).
  • Make sure it is easy for subscribers to withdraw their consent and have their data erased on request.
  • If a subscriber or account holder asks for a copy of the data you hold on them, you must be able to send it to them quickly.
  • You must only collect the amount of personal data you need and keep it for as long as you need it. 
  • You must have a data breach and cookie policy. These usually form part of a Privacy Policy and WordPress provide a useful template for this page as part of their core files.

2.Locking the doors

Cybercrime is probably your biggest risk as a business owner and hackers are ramping up their attacks in response to the number of people remote working and using poorly secured Wi-Fi connections. 

From a website perspective, the most important steps you can take are to ensure your software is up to date and to install an SSL certificate. 

If you have a WordPress site, check your email details are correct and pop in to the back end every now and then to ensure plugins and WordPress itself are up to date (you will see red warning icons if any need updating). You can choose to have minor updates applied automatically.

An SSL certificate will enable encrypted communications from the front end of your website to the server. If you visit your website and the browser shows the padlock icon and an https:// address then you are good. Vu Online set up SSL certificates as standard when developing  sites but there are WordPress plugins that make the process very easy. For more on plugins, consider booking a spot on our upcoming WordPress Training Course.

3.Identify yourself!

If you are a registered company, there are certain steps you have to comply with when setting up a website. These are governed by the Companies Act (2016) and include certain information that you have to legibly display on your website, including:

  • Your registered company name
  • Your company registration number
  • Your country of registration
  • Your registered office address
  • A contact address and email address
  • Details of how to contact you physically
  • VAT number (even if you don’t sell online)
  • Professional body membership details

If you are a sole trader or partnership, you only need to include the owner’s legal name/s and an address where you can be contacted by customers (and to which legal documents can be served). These can be added to your Privacy Policy.

4.How do your cookies crumble?

Cookies are tiny files that pack a lot of power. Through them, you and services you host on your site (e.g. Google Adsense) can potentially track visitors across the web.

Cookies are also important when saving online sessions so you don’t have to log in to a website every time you access a new page. As explained above, a cookie policy is part of GDPR regulations. 

5.Be sales savvy

If you run an e-commerce site there are a host of legal regulations you will need to get familiar with. These include Consumer Contracts Regulations, E-Commerce Regulations, Consumer Rights Act and PCI DSS.

While on the topic of online selling, you should make sure that any online advertising you do is legit. If you use a service such as Google Ads or Facebook Ads, your ad content will go through an approval process anyway. However, if you are hosting your own banner ads or publishing sponsored content, you should familiarise yourself with the rules set out by the Advertising Standards Authority (ASA).

6.Is your website accessible?

America has seen some eye-watering fines imposed on websites that have discriminated against people with disabilities. UK website owners have so far been lucky but there is always the risk of falling foul of the Equalities Act (2010).

To remain compliant and provide a fair service for all visitors, make sure your website is compatible with the most commonly used assistive technologies such as speech recognition, screen magnifiers and screen readers. Think about people with visual impairments when choosing fonts and type sizes and avoid colour combinations that are difficult to read (website content design software is starting to flag this up). 

Whatever steps you take, formalise them in an Accessibility Statement.

7.Don’t be a content copycat

Copying other people’s website content – text or images – is not only lazy, it can land you in a lot of hot water. In school or college, you might have got a detention, lines or a failed assignment. In the commercial world, you might find yourself facing hundreds or even thousands of pounds of fines for copyright infringement.

While you should always be writing your own content (for search engine optimisation reasons as much as anything), images can be a more difficult issue, especially if you don’t want to take or commission your own photographs. 

Fortunately, there are plenty of royalty-free image sites out there and Google even allows you to filter their image search facility by clicking ‘Tools’ and selecting the ‘Usage Rights’ filter. Unless images are confirmed as being in the public domain (or under licence CC0 1.0, which means the same thing) you will usually be required to publish an attribute to the author of the image. 

8.Draws, competitions and lotteries

While it is perfectly fine to run free and paid competitions online without a permit or licence, there are a couple of pieces of legislation you need to be aware of.

First, the Betting, Gaming and Lotteries Act (1963) sets out the steps businesses must take to ensure they are not running an illegal lottery. This includes ensuring people are able to enter a competition for free and that they will have an equal chance of winning even if competing with paid entries. Competitions must also have an element of skill (e.g. a question that must be answered correctly). While random draws are permitted, they must be free to enter.

If you intend to run a lottery, contact the Gambling Commission for guidance and an application form.

Second, the ASA’s CAP code sets requirements on the notification of winners. A recent consultation concluded that providing winners are not identifiable (e.g. by only including their initial, surname and county), it is possible to comply with both the CAP code and GDPR.

9.Ofcom and offensive content: watch this space!

While legal content on the internet is largely unregulated, this could be changing soon. As part of their upcoming Online Harms Act, the UK government are expected to give the communications regulator Ofcom some powers to regulate online content, particularly where this is likely to harm children.

10.Industry specific compliance

If you are in an industry such as finance, healthcare or law, there are likely to be all sorts of additional standards and regulations that affect how you design and operate your website. If you are unclear about online compliance, contact your industry’s membership body for advice.

So there we have, the fact you are here, asking what are the legal requirements for a website means you are likely going to be doing everything right, but if you need any help then get in touch with us to discuss, what we don’t know or cant legally advise on can be answered by one of our trusted partners, all part of the joy of being part of the Tribe – helping us all do better business in Devon.

Do you know anyone who may be interested in this project?

Click to share:

gdpr audit

Data / GDPR Audit

Even as a small business, you have obligations under the Data Protection Act 2018 to meet basic requirements on handling customer data. We’ll start you on a path to handle customer data safely and fairly with a simple GDPR audit for small businesses.