Legal liability: it's not the favorite topic of discussion among designers and developers for online businesses, but everyone realizes the weight of those words. When it comes to taking ownership of legal liability, most prefer to pass it along to someone else.

With that in mind, could a designer or a developer be held legally liable for the legal agreements (i.e. Privacy Policies and Terms of Service agreements) of their clients' websites or mobile apps?

This is a common question in a time when data security and consumer privacy are taking center stage. In this article, we'll shed some light on the topic.

What customers say about TermsFeed:

This really is the most incredible service that most website owners should consider using.

Easy to generate custom policies in minutes & having the peace of mind & protection these policies can offer is priceless. Will definitely recommend it to others. Thank you.

- Bluesky's review for TermsFeed. Read all our testimonials here.

With TermsFeed, you can generate:

The Designer-Client Relationship

Designers and developers are the architects of the online presence of their clients. Whether it be a website or mobile application, the functionality, look, feel, and performance of the product will depend on the work of designers and developers in response to the wants and needs of the client.

Most of these relationships are defined by a clear contract that outlines the project requirements, price, and deliverables. The standard contract does not, however, always address the necessity of legal agreements or whose responsibility it is to create them.

It is all too common for clients to turn to their designers/developers for advice on everything from online marketing to legal or privacy questions. However, it would be wise to tread very carefully when it comes to providing advice about legal agreements.

These are the basic legal responsibilities of a designer/developer:

  • Provide an original product that does not infringe on any existing copyrights.
  • Comply with the terms of the agreed-upon contract.
  • Provide a secure system that does not leave consumer information vulnerable to attack or compromise.

That's it.

As the designer/developer, you are not legally required to provide anything more. You can, however, encourage your clients to adopt the latest privacy and security standards - an action that may even reduce your own legal liability in the future.

There is no legal liability in encouraging your clients to adopt the latest Privacy by Design framework. Privacy by Design (PbD) is a best-practices framework that infuses privacy protection and security into every aspect of the functionality and design of an online platform.

This approach is not only a good idea for any online business, it is a basic requirement of the European Union's General Data Protection Regulation (GDPR) in Article 25.

First of all, a website designer or developer should never write, draft, advise, or automatically generate legal agreements for clients:

  • Privacy Policies
  • Terms and Conditions (T&Cs) (these are also known as Terms of Use agreement or Terms of Service agreement)
  • Disclaimer
  • EULA
  • Return Policies for ecommerce stores

It is fully the responsibility of the business owner to write their own Privacy Policy and Terms and Conditions, because a) they know more about the nature of their own business, and b) the client will be the one who owns and processes user information, fulfills orders, and otherwise manages the day-to-day business.

However, you can refer them to trustworthy legal agreement generators, like Termsfeed, to get started. Once the client has legal agreements, you can help to make those statements easily accessible to visitors and advise the most transparent and GDPR-compliant measures of user consent.

One popular method of designing easy-to-understand legal papers is to lay them out in an interesting and easy-to-follow format, like this example from Facebook:

Facebook Terms and Policies page

Here you can easily navigate each legal document that Facebook provides for consumers, along with links to Cookies Policy, ads management, payment terms, and more. Once a user clicks through to one of the legal agreements, each is laid out in a clear and interesting format, such as this Data Policy design:

Facebook Data Policy homepage with menu and summary

Facebook provides visitors with a navigational summary where they can jump to any specific part of the policy that they would like to see. Once again, links to the Cookies Policy and ad management interface are also provided in an easy-to-understand and engaging interface.

Remember that all legal text, copy, and statements must be provided directly by the client, but you can help visitors to navigate and process the information easily.

Through design work, not legal work, you can help your clients with legal compliance.

Best Practices to Recommend

When it comes to data collection and processing, the end decisions will lie with the client, but the designer/developer can (note we say "can" and not "must") recommend a few best practices that will limit the liability of everyone involved.

Besides navigation and readability, here are a few other PbD practices to consider:

1. Minimization of Data Processing

Wherever possible, minimize the quantity of consumer data that is collected, processed, or shared.

Whether the methods of collection are direct user forms, cookies or other means, do not collect personal information that is not absolutely necessary to provide website or app services.

For example, if the services do not require information about the user's geolocation, future internet activity, or social media contacts, is it necessary to collect them?

Other recommendations to keep in mind in regard to minimizing consumer data:

  • Minimize personal data that is shared with third parties.
  • Delete unnecessary personal data once it has served its purpose.
  • Delete data once it is old or outdated.

2. Keep Users Involved in Their Data Processing

From collection to storage to communication, the end users should understand and stay involved in the processing of their personal data.

Here are a few guidelines:

  • Obtain clear and unambiguous user consent before collecting any type of data, even via cookies.

    Marsh gives users several options to consent to or opt-out of browser cookies upon navigating to their website:

  • Marsh website Cookie Settings screen

  • Provide links to legal papers throughout the site or app and require users to agree to them before using the service.

    Sky Communications requires users to agree to both the Privacy Policy and Terms and Conditions before registering on their site:

  • Sky Communications: Screenshot of Create ID registration form page

  • Don't send marketing communications or other types of advertising to users without their express consent.

    You can see here how Nestlé lets users choose which types of communication they wish to receive within the contact form:

  • Nestle's marketing signup form with checkboxes for consent

  • Give users easy access to their personal information and allow them to manage, edit, or delete that information at their discretion.

    Google gives users an easy-to-understand interface in which to review data, manage or update information, manage preferences, or delete their accounts:

  • Google Account: Control, protect and secure your account interface

3. Keep the Database Clean

According to the GDPR, online businesses will be required to keep their consumer data current and valid. Over time, your clients should do the following to keep their databases clean and compliant:

  • Keep a clear record of each users' data consent preferences.
  • Periodically remind users to review and update their personal information.
  • Delete all personal information of users when they delete their accounts.
  • Once a business has been closed or sold, delete all records of personal information on file.

Security Responsibilities

As discussed above, the designer/developer does not have any legal responsibility or liability when it comes to online legal papers. Data encryption and general security, on the other hand, may fall under the legal responsibility of the designer or developer.

For example, in 2015, Alpine Banks suffered a data breach and the web developer was sued for failing to provide sufficient data encryption. In another case just last year, Equifax immediately pointed a blaming finger at one of their software developers for a massive data breach that compromised the data of millions of users.

In short, if a data breach occurs, clients are quick to blame designers and developers for security flaws. It is advisable to follow every security protocol possible to limit your liability.

Best Practices

Although data security and encryption go far beyond this list, here are a few simple best practices to follow in regard to basic security:

  • Pseudonymize personal information whenever possible by separating data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
  • Require users to create strong passwords that include both capital and lowercase letters, numbers, and special characters.
  • Ensure that all components of a website or mobile app, such as CMS, security and functionality plugins, payment gateways, etc., stay up-to-date at all times.
  • Avoid storing sensitive information such as financial data or health-related data on your client's platform. Use third-party payment processors and HIPPA-compliant servers for sensitive information.
  • Perform rigorous penetration testing on your product before turning it over for public use.

Keep Yourself Protected

Despite your best privacy advice, design efforts, and security measures, it may happen that a future client could try to assign the blame to you in the case of a privacy dispute or security breach. You can take preventative measures ahead-of-time to reduce your own potential liability, such as:

  1. Write a strong contract: Although it is always best to consult a lawyer when drafting your contracts, make sure to include a section that limits your liability in the case of data breaches, lost profits, lost savings, or damages.
  2. Make your business into a legitimate corporation or LLC: Even if you're an independent contractor, forming an official corporation or LLC can protect your personal assets from any potential court settlements or judgements that your business suffers.
  3. Educate yourself on liability insurance: There are many different types of professional liability insurance, but not all of them will cover damages resulting from a data breach, privacy dispute, or lost profits lawsuit. Know the differences between cyber liability insurance, professional liability insurance, and general liability insurance. Find out which ones your business requires.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy