What laws and legislation affect your business website

Do you know what laws and regulations affect your website?

I will start this post with the usual proviso. I am not a lawyer and you should always get proper legal advice. That said, if you go in with as much knowledge as possible, then that legal advice will cost you less. My blog post this week is about some key legal responsibilities you need to consider when creating and managing a website for your business or organisation.

Data Protection and GDPR

Hopefully you have all heard about the new EU data protection legislation, the 'General Data Protection Regulation' or GDPR for short. You have until May 25th 2018 to prepare. Much of the legislation is not new; however, it does make some areas of responsibility a lot clearer. The law covers the consumer's right to privacy of their data and how it is used.

The main areas it covers:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

What do you need to do?

Below is an overview of the main points to consider, but you need to familiarise yourself with the new legislation and ensure you understand your responsibilities as they pertain to your business.

  • Audit the data you hold.
  • Check you have consent for all the data you hold.
  • Ensure any personal data held by your website or business is secure.
  • If not already in place, ensure that as data is collected you are gaining proper and explicit consent for its use.
  • Update your terms and conditions and privacy policy so it states clearly the data you collect and what is done with it.
  • Have procedures in place to inform individuals within 72 hours if you suspect the security of their data has been compromised.

Further Reading

For more information on GDPR, see the overview on the ICO website.

If you have a WordPress website WPMU Dev have produced a really good article on this:

Is Your Website GDPR Compliant? How to Get Ready for the General Data Protection Regulations

EU Cookie Law

Use of cookies is covered by the Privacy and Electronic Communications Regulations (PECR). These regulations cover other aspects of electronic communications, such as marketing calls, emails, texts and faxes, but cookies and their use on websites was one of the key changes when the regulations came into law. These regulations were put in place to complement the data protection regulations.

You need to ensure that any cookies on your website are optional unless they are directly required for essential functionality. Be very careful how you identify essential functionality. Exceptions are made for cookies that are essential to provide an online service at someone's request (e.g. to remember what's in their online basket, or to ensure security in online banking). This does not cover cookies for collecting statistical information, such as those used by Google Analytics.

What is a cookie?

A cookie is a small text file placed on your computer by a website that can be used to store information about a visit to that website.

What are the different types of cookies?

A cookie can be classified by its lifespan and the domain to which it belongs. By lifespan, a cookie is either a:

  • session cookie which is erased when the user closes the browser or
  • persistent cookie which remains on the user's computer/device for a pre-defined period of time.

As for the domain to which it belongs, there are either:

  • first-party cookies which are set by the web server of the visited page and share the same domain
  • third-party cookies stored by a different domain to the visited page's domain. This can happen when the webpage references a file, such as JavaScript, located outside its domain.

You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent.

Consent can be implied, but must be knowingly given.
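The two classifications above, and the rule that non-essential cookies need consent, can be checked mechanically. The following is an added example and is not code from the original post: it parses Set-Cookie headers, labels each cookie as session or persistent (by the presence of Expires or Max-Age) and as first- or third-party (by comparing the host that set it with the page host), and only allows non-essential cookies once the visitor has consented. The host names, cookie names and the essential allow-list are constructed for the example, and the "site" heuristic (last two DNS labels) is a simplification of what browsers do with the Public Suffix List.

```javascript
// Added example, not from the original post: classify cookies as the text
// describes (session vs persistent, first- vs third-party) and gate
// non-essential cookies behind consent. Hosts and cookie names are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Lifespan: with neither Expires nor Max-Age the browser discards the cookie
// when it closes, so it is a session cookie; otherwise it is persistent.
function lifespan(cookie) {
  return 'expires' in cookie.attrs || 'max-age' in cookie.attrs
    ? 'persistent'
    : 'session';
}

// "Site" heuristic: last two DNS labels. Real browsers consult the Public
// Suffix List; this simplification is enough for the constructed hosts below.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Party: first-party when the host that set the cookie belongs to the same
// site as the page the visitor is on; otherwise third-party.
function party(setByHost, pageHost) {
  return siteOf(setByHost) === siteOf(pageHost) ? 'first-party' : 'third-party';
}

// Constructed allow-list of cookies strictly necessary for the service the
// visitor asked for (login session, basket, CSRF protection).
const ESSENTIAL = new Set(['sessionid', 'basket', 'csrftoken']);

// Decide, per observed cookie, whether it may be stored given the visitor's
// consent state. Essential cookies never need consent; everything else does.
function evaluateCookies(observed, pageHost, consent) {
  return observed.map(({ setBy, header }) => {
    const c = parseSetCookie(header);
    const essential = ESSENTIAL.has(c.name);
    return {
      name: c.name,
      lifespan: lifespan(c),
      party: party(setBy, pageHost),
      essential,
      allowed: essential || consent,
    };
  });
}

// Constructed sample: cookies observed while loading https://shop.example.com/
const SAMPLE = [
  { setBy: 'shop.example.com', header: 'sessionid=abc123; Path=/; Secure; HttpOnly' },
  { setBy: 'shop.example.com', header: 'basket=item42; Max-Age=86400; Path=/; Secure' },
  { setBy: 'shop.example.com', header: '_stats=GA1.2.99; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/' },
  { setBy: 'ads.tracker-example.net', header: 'adid=xyz; Max-Age=31536000; Path=/; Secure' },
];

if (typeof require !== 'undefined' && require.main === module) {
  // Before consent: only sessionid and basket are allowed.
  console.table(evaluateCookies(SAMPLE, 'shop.example.com', false));
}
```

Run with `node` to see the table. The decision on the `_stats` cookie is the point the text makes: it is first-party and set by your own server, but because it only gathers statistics it is not essential and stays blocked until consent is given.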

More useful reading can be found on the ICO website or the European Commission website.

Accessibility and discrimination

The Equality Act 2010 (EQA), which came into force in October 2010 and replaced the Disability Discrimination Act 1995 (DDA) in England, Scotland and Wales, was introduced with the intention of dealing with disability discrimination.

As a website owner you are required to make 'reasonable adjustments' to ensure your website is accessible to everyone, including users with impairments to their:

  • sight - like blind, partially sighted or colour blind people
  • hearing - like people who are deaf or hard of hearing
  • mobility - like those who find it difficult to use a mouse or keyboard
  • thinking and understanding - like people with dyslexia, autism or learning difficulties

This can include simple measures such as:

  • putting good descriptions on your images using the alt attribute.
  • adding subtitles to a video.
  • structuring your content so it is easy to read.
  • using colours with good contrast.
  • ensuring your website is navigable for someone not able to use a mouse.

You can find some good information on your legal responsibilities concerning accessibility on Gov.uk.

The standard for web accessibility is the Web Content Accessibility Guidelines (WCAG 2.0); you need to ensure your website meets AA level compliance.
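"Good contrast" under WCAG 2.0 is a measurable thing: AA requires a contrast ratio of at least 4.5:1 for normal text (3:1 for large text), computed from the relative luminance of the two colours. The following is an added example, not code from the original post, implementing the WCAG 2.0 relative-luminance and contrast-ratio formulas so a colour pair can be checked against the AA (and AAA) thresholds; the sample palette is constructed.

```javascript
// Added example, not from the original post: the WCAG 2.0 contrast-ratio
// check behind the "good contrast" point. Formulas are the ones WCAG 2.0
// defines for relative luminance and contrast ratio; sample colours are
// constructed.

// '#rrggbb' or '#rgb' -> [r, g, b] in 0..255
function hexToRgb(hex) {
  let h = hex.replace(/^#/, '');
  if (h.length === 3) h = h.split('').map((ch) => ch + ch).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG relative luminance: linearise each sRGB channel, then weight them.
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio = (lighter + 0.05) / (darker + 0.05), in the range 1..21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [light, dark] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (light + 0.05) / (dark + 0.05);
}

// WCAG 2.0 thresholds: AA needs 4.5:1 for normal text and 3:1 for large
// text (roughly 18pt, or 14pt bold); AAA needs 7:1 and 4.5:1.
function checkContrast(fg, bg, { largeText = false } = {}) {
  const ratio = contrastRatio(fg, bg);
  const aa = largeText ? 3.0 : 4.5;
  const aaa = largeText ? 4.5 : 7.0;
  return {
    ratio: Math.round(ratio * 100) / 100,
    passesAA: ratio >= aa,
    passesAAA: ratio >= aaa,
  };
}

// Constructed sample palette to audit against a white background.
const SAMPLE_PAIRS = [
  ['#000000', '#ffffff'], // black on white: 21:1
  ['#767676', '#ffffff'], // lightest grey that still passes AA on white
  ['#777777', '#ffffff'], // one step lighter: fails AA for normal text
  ['#ffffff', '#3366cc'], // white on a mid blue
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const [fg, bg] of SAMPLE_PAIRS) {
    console.log(fg, 'on', bg, checkContrast(fg, bg));
  }
}
```

The #767676 versus #777777 pair is worth keeping in mind when choosing a grey for body text: the two are visually indistinguishable, but one sits just above the 4.5:1 line and the other just below it, which is why a calculator rather than eyeballing is needed for AA.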

Selling online and Distance selling

If you are selling your services or products online you need to be aware of the Electronic Commerce (EC Directive) Regulations 2002. These were put in place to further protect consumers when buying products or services online. The legislation is quite detailed but includes what information you must include on your website, such as company name and address. As of 1st January 2007 it is compulsory to provide additional information, such as a company registration number, as outlined in the Companies Act 2006.

What information you are required to publish

  • You need to clearly identify your company with address and contact details.
  • Include details of memberships of professional bodies.
  • If VAT registered, you must include your VAT registration number.
  • If a limited company, you must include your company registration number.

Your customers need to be able to easily change or delete orders as part of the checkout process.

The regulations also include rules about contracts between buyer and seller made online that could affect the way your checkout process should work. They state that electronic contracts should be able to be completed online, and that the consumer has the right and the ability to correct any mistakes in their order prior to making their purchase (the conclusion of the contract). Once the order is placed, confirmation of the order and all relevant information, including terms and conditions, delivery times and prices, should be sent to the consumer without 'undue delay'.

In other words, it should be easy to change or alter an order, and all terms and conditions, including delivery, should be clear and sent to the customer when the order is completed.

Ensure your product and service descriptions are not misleading

You also need to look at the way you advertise your products and services. Be sure your product and service information is clear and concise and not misleading in any way.

Don't send out spam

The law also covers unsolicited emails and how people consent to any email you send them beyond what is required for the product or service they have purchased from you.