Is your website legal?
Many sites aren’t fully compliant with online regulations – and the consequences could be serious. Nik Rawlinson lays down the law
How not to fall foul of online regulations.
We’re sorry to have to tell you this, but you may be breaking the law. In fact, you’ve probably been doing so for some time.
The problem is your website. In creating and maintaining it, it’s natural that you’ve prioritised design, content and SEO – all the things that bring visitors to your site and turn them into customers. But there are legal requirements that you need to attend to as well. If you’ve created the site yourself, you might well have failed to take them all into account – and if you’ve used an out-of-house developer or bought an off-the-shelf template, there’s a chance that the issues haven’t even been brought up.
So what are those requirements? They’re mostly to do with the information that needs to be present on your site. The specifics will vary from business to business; below we’ll discuss some of the major issues that affect almost all organisations, but if in doubt we recommend you take professional legal advice, to ensure you’re following both the spirit and the letter of the law.
Who are you?
Your website probably includes some sort of contact page, but does it contain all the information it should? Registered companies have a legal obligation to include certain official details on everything from their headed notepaper to their email footers – and their websites.
As a bare minimum, your company name and number, registered office and place of registration should be stated clearly on your website. Note that your registered office might not be your place of business: many companies are registered by accountants or solicitors on behalf of their clients, using their own addresses. If this is the case for you, make sure the distinction between the legal address where notices can be served (your registered address) and the correspondence address for customers is clear. If you’re registered for VAT, include your VAT number.
If you’re using a template site with a standard footer, consider including the information there so it appears on every page, not just your contact page.
Collecting information
Is your website being used to collect data? If you have a contact form on your site, the answer is yes. You might assume that, when a visitor sends you a message, they understand it will be electronically stored in some way – even if that only means it sits in your inbox until you have a chance to deal with it. However, you need to make it explicit at the point of collection that you’re gathering potentially personal information.
This is a requirement of GDPR and, as the ICO points out, there are different ways to do it. For clarity, a “layered approach” is recommended, where next to the form you simply present “a short notice containing key information, such as the identity of your organisation and the way you use the personal data”. This can then contain links that expand additional layers of information, or direct the reader to a page setting out your data protection details in full.
There’s no formal template that you have to follow: in its guidance (pcpro.link/290ico), the ICO declares that “data controllers have a degree of discretion as to what information they consider needs to go within each layer, based on the data controller’s own knowledge of their processing”.
You don’t need to overload the collection page with legal information – just make sure that the visitor knows where to find the information should they wish to review it. Another possible approach is to use a “just-in-time notice” that pops up when a visitor’s cursor enters a particular form field. This again keeps the page clean and easy to navigate, while ensuring that the legally mandated information can’t be missed.
Usage data and analytics
As well as accepting messages from your website visitors, you’re probably recording information about activity on your site. This includes details of what pages people are visiting and what links they’re following – and if you’re using analytics plugins to monitor your web traffic, you’ll probably also be tracking their IP addresses, location data and more.
Be aware that GDPR counts this as “personal data”. Even if you don’t directly identify the visitor, what’s collected may well be sufficient to distinguish an individual from other website users. Therefore, you must get consent before starting to track user activity – which is one reason why all those big intrusive overlays have started appearing on websites.
You also need to know that GDPR gives individuals the right to request that their information be deleted. This means you need to appoint both a data controller and a data processor, and make it easy for visitors to find contact details for at least the first of these. If you’re not certain what the difference is, the data controller is the person in your business who determines what data needs to be gathered and how it is to be used. The data processor carries out the controller’s instructions and keeps a record of what’s been collected and how it’s been processed. In organisations with more than 250 employees, it’s also necessary to appoint a data protection officer.
Disclosing cookies
Whether or not you’re using analytics, there’s a good chance that some function of your website relies on cookies. The EU’s Privacy and Electronic Communications Regulations state that if you’re using cookies, you must alert visitors to the fact, explain what they do (and why) and get explicit consent for storing cookies on their device.
The good news is that you only need to do this the first time you set cookies, but it’s important to get the form right. Those using WordPress can take advantage of a wide range of pre-built cookie compliance plugins – just search the repository for “cookie” – which will pop up cookie notices and provide a mechanism by which visitors can opt out.
If you’re creating your own cookie consent form, you’ll need to ensure that you’re presenting all the required information. At the very least, link to a page detailing which cookies you’re using, including any third-party cookies set by services such as YouTube when you embed a video, so that visitors can manually delete them, or block them through their browser settings. The same is true of local storage if you’re accessing that, and cookies set by plugins such as Flash. If you’re not sure about exactly what information you need to put on your cookie information page, you can always model your own page after the ICO’s (pcpro.link/290cookies); since this is the body responsible for policing cookie compliance in the UK, it should be a pretty safe example to follow.
What about if embedded elements want to create and access cookies as soon as they’re loaded, before the user has had a chance to give their consent? You’re unlikely to get many complaints about this from users – in all likelihood, most will simply click to accept your cookies. However, the ICO warns that “setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems”.
The practice isn’t banned outright: the guidance states only that “wherever possible” cookies shouldn’t be stored until users have had the opportunity to understand what cookies are being used and make their choice. However, the ICO continues: “Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.” You can download the complete set of guidance notes from pcpro.link/290cookies2.
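One way to put the ICO’s “wherever possible” advice into practice is to hold back every script that sets cookies until the visitor has made a choice, and to check that the cookies which do appear match the ones listed on your cookie information page. The code below is an added example written for this article, not the ICO’s or any plugin’s code; the storage stand-in, the `cookie-consent` key and the cookie names in the audit are all constructed for illustration.

```javascript
// Minimal stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

// Holds back anything that sets cookies (analytics, embedded video) until the
// visitor has made a choice, so nothing is stored before the notice is seen.
class ConsentGate {
  constructor(storage) {
    this.storage = storage;   // getItem/setItem, e.g. window.localStorage
    this.deferred = [];       // loaders waiting for a decision
  }
  // "granted", "denied", or null when the visitor has not chosen yet.
  status() {
    const v = this.storage.getItem("cookie-consent");
    return v === "granted" || v === "denied" ? v : null;
  }
  // Register a loader (e.g. a function that injects a script tag). It runs
  // immediately only if consent was already given; returns whether it ran.
  register(name, loader) {
    if (this.status() === "granted") { loader(); return true; }
    this.deferred.push({ name, loader });
    return false;
  }
  // Called by the banner. Granting flushes the queue; denying discards it.
  // Returns the names of the loaders that were run.
  decide(choice) {
    this.storage.setItem("cookie-consent", choice);
    const ran = [];
    if (choice === "granted") {
      for (const d of this.deferred) { d.loader(); ran.push(d.name); }
    }
    this.deferred = [];
    return ran;
  }
}

// Audit helper for the cookie information page: compare the cookies actually
// present (document.cookie looks like "a=1; b=2") with the declared list and
// return any that were set but never declared.
function undeclaredCookies(cookieString, declared) {
  const names = cookieString.split(";").map(s => s.trim().split("=")[0]).filter(Boolean);
  const known = new Set(declared);
  return [...new Set(names)].filter(n => !known.has(n));
}
```

In a page, `register` would wrap the snippet that inserts the analytics or video embed tag, and the banner’s buttons would call `decide`; running `undeclaredCookies(document.cookie, declaredList)` after a consented visit shows whether a plugin or embed is setting something your information page does not mention.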
Your privacy policy
It’s been a legal requirement to publish a privacy policy on your website since the passing of the Data Protection Act 1988. Lately the requirement has been reaffirmed by the Data Protection Act 2018, which supplements GDPR in advance of the UK’s planned exit from the European Union.
Similar to your cookie policy, your privacy policy statement must contain details of the kind of information you’re collecting and how long you’re going to retain it, who you’re going to share it with and how you plan to use it. It should also include contact details for queries, including the name of your data protection officer if you have 250 or more employees, and information on how individuals can withdraw consent for your handling and processing of their personal information. All of this must be written in plain English and be easy to find.
If you’re not sure how to draft a privacy policy, again a good starting point is to find an existing policy from a trustworthy source and use it as a template for your own. For example, at pcpro.link/290privacy you’ll find the privacy policy statement for gov.uk, the website of the UK government – which ought to be a pretty reliable blueprint.
Equality Act compliance
The Equality Act 2010 protects people from discrimination, wherever it occurs. When it comes to websites, the bit that you need to pay attention to is Section 20, which concerns itself with what it calls a “duty to make adjustments”. This stipulates that your site must not “put a disabled person at a substantial disadvantage […] in comparison with persons who are not disabled”.
What does this mean in practice? You might assume that a website would be equally accessible to all, but think about people with mobility restrictions or impaired vision. You might well need to re-engineer some of the workings of your site to ensure it’s accessible to such visitors. For example, consider implementing keyboard shortcuts to aid navigation for those who have difficulty using a mouse or trackpad – you’ll find a guide at pcpro.link/290kb.
Visitors with impaired vision, meanwhile, often rely on screen-reading software – so you should label every element you can, at the very least providing alt attributes for images and title attributes for links. Using relative rather than absolute sizes in your HTML code will ensure that the page can be magnified gracefully, and using standard HTML elements such as H1 and H2 rather than bespoke styles will help screen readers understand the structure of your page. As a side benefit, it will also help web crawlers parse your site, which could give you a boost in the search engine rankings.
If you don’t already know how accessible your website is, try visiting it with a text-based browser such as Lynx. This will give you a demonstration of how easy it is to navigate with a keyboard, and whether you’ve correctly labelled all the important elements.