11 February 2020
Legal liability. It's not the favorite topic of discussion among designers and developers for online businesses, but everyone realizes the weight of those words. When it comes to taking ownership of legal liability, most prefer to pass it along to someone else.
With that in mind, could a designer or a developer be held legally liable for the legal agreements (i.e. Privacy Policies and Terms of Service agreements) of their clients' websites or mobile apps?
This is a common question in a time when data security and consumer privacy are taking center stage. In this article, we'll shed some light on the topic.
Designers and developers are the architects of the online presence of their clients. Whether it be a website or mobile application, the functionality, look, feel, and performance of the product will depend on the work of designers and developers in response to the wants and needs of the client.
Most of these relationships are defined by a clear contract that outlines the project requirements, price, and deliverables. The standard contract does not, however, always address the necessity of legal agreements or whose responsibility it is to create them.
It is all too common for clients to turn to their designers/developers for advice on everything from online marketing to legal or privacy questions. However, it would be wise to tread very carefully when it comes to providing advice about legal agreements.
These are the basic legal responsibilities of a designer/developer:
As the designer/developer, you are not legally required to provide anything more. You can, however, encourage your clients to adopt the latest privacy and security standards - an action that may even reduce your own legal liability in the future.
There is no legal liability in encouraging your clients to adopt the latest Privacy by Design framework. Privacy by Design (PbD) is a best-practices framework that infuses privacy protection and security into every aspect of the functionality and design of an online platform.
This approach is not only a good idea for any online business, it is a basic requirement of the European Union's General Data Protection Regulation (GDPR) in Article 25.
First of all, a website designer or developer should never write, draft, advise on, or automatically generate legal agreements for clients.
However, you can refer them to trustworthy legal agreement generators, like Termsfeed, to get started. Once the client has legal agreements, you can help to make those statements easily accessible to visitors and advise the most transparent and GDPR-compliant measures of user consent.
One popular method of designing easy-to-understand legal papers is to lay them out in an interesting and easy-to-follow format, like this example from Facebook:
Here you can easily navigate each legal document that Facebook provides for consumers, along with links to Cookies Policy, ads management, payment terms, and more. Once a user clicks through to one of the legal agreements, each is laid out in a clear and interesting format, such as this Data Policy design:
Facebook provides visitors with a navigational summary where they can jump to any specific part of the policy that they would like to see. Once again, links to the Cookies Policy and ad management interface are also provided in an easy-to-understand and engaging interface.
Remember that all legal text, copy, and statements must be provided directly by the client, but you can help visitors to navigate and process the information easily.
Through design work, not legal work, you can help your clients with legal compliance.
When it comes to data collection and processing, the end decisions will lie with the client, but the designer/developer can (note we say "can" and not "must") recommend a few best practices that will limit the liability of everyone involved.
Besides navigation and readability, here are a few other PbD practices to consider:
Wherever possible, minimize the quantity of consumer data that is collected, processed, or shared.
Whether the methods of collection are direct user forms, cookies or other means, do not collect personal information that is not absolutely necessary to provide website or app services.
For example, if the services do not require information about the user's geolocation, future internet activity, or social media contacts, is it necessary to collect them?
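One way a developer can build the "collect only what the service needs" rule into the code itself, rather than leaving it to the client's policy text, is to give every service an allow-list of fields and discard anything else before it is stored. The following is an added example written for this article, not code from the original page or from any of the companies it mentions; the service names, field validators and the sample submission are constructed for illustration.

```javascript
// Added example: server-side data minimisation via per-service field allow-lists.
// Anything not listed for a service is dropped before storage, and the dropped
// field names are reported so over-collection by the client side can be spotted.

// Validators per service. The names here are hypothetical; a real deployment
// would list exactly the fields each feature needs and nothing more.
const SERVICE_SCHEMAS = {
  newsletter: {
    email: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  },
  orderTracking: {
    email: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
    orderId: (v) => typeof v === 'string' && /^[A-Z0-9-]{6,20}$/.test(v),
  },
};

// Look up a field in a schema without falling through to Object.prototype:
// a submission containing a key such as "constructor" would otherwise pick
// up Function and be "validated" by compiling the value as code.
function validatorFor(schema, field) {
  return Object.prototype.hasOwnProperty.call(schema, field) ? schema[field] : undefined;
}

function minimise(service, submission) {
  const schema = validatorFor(SERVICE_SCHEMAS, service);
  if (!schema) throw new Error(`unknown service: ${service}`);
  const kept = {};      // fields that will be stored
  const dropped = [];   // fields the service has no use for (never stored)
  const invalid = [];   // allowed fields whose value failed validation
  for (const [field, value] of Object.entries(submission)) {
    const validate = validatorFor(schema, field);
    if (!validate) { dropped.push(field); continue; }
    if (!validate(value)) { invalid.push(field); continue; }
    kept[field] = value;
  }
  // Required fields that are absent or invalid, so the caller can reject the request.
  const missing = Object.keys(schema).filter((f) => !(f in kept));
  return { kept, dropped, invalid, missing };
}

// Constructed sample: an over-eager client SDK sends far more than the
// newsletter signup needs. Only the email survives.
const SAMPLE_SUBMISSION = {
  email: 'ana@example.com',
  geolocation: { lat: 41.39, lon: 2.17 },
  contacts: ['bob@example.com', 'cy@example.com'],
  browsingHistory: ['/pricing', '/checkout'],
  constructor: 'ignored',   // prototype-key probe; must be dropped, not executed
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(minimise('newsletter', SAMPLE_SUBMISSION), null, 2));
}
```

Logging the `dropped` list (field names only, never the values) is a cheap way to discover that a front-end library or tag has started shipping data nobody asked for, which is exactly the kind of silent over-collection Privacy by Design is meant to prevent.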
Other recommendations to keep in mind in regard to minimizing consumer data:
From collection to storage to communication, the end users should understand and stay involved in the processing of their personal data.
Here are a few guidelines:
Obtain clear and unambiguous user consent before setting non-essential cookies or collecting personal data that is not needed to deliver the service. Cookies that are strictly necessary for the service the user asked for (a session cookie, for example) are exempt from the consent requirement, but they should still be disclosed in the Cookies Policy.
Marsh gives users several options to consent to or opt-out of browser cookies upon navigating to their website:
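On the implementation side, a consent banner is only meaningful if the code that sets cookies actually checks the user's choice. The block below is an added example written for this article, not code from the original page or from Marsh's site; the cookie names, categories and the in-memory cookie jar are constructed for illustration, and the `document.cookie` adapter is included so the same gate can run in a browser.

```javascript
// Added example: a consent gate that refuses to set or keep non-essential
// cookies until the user has explicitly opted into their category, and
// removes them again when consent is withdrawn.

// Every cookie the site uses must be classified. Names are hypothetical.
const COOKIE_CATEGORY = {
  session_id: 'essential',   // needed to deliver the service: no consent required
  consent: 'essential',      // the consent record itself
  _ga_demo: 'analytics',
  ad_click_id: 'marketing',
};

function categoryOf(name) {
  return Object.prototype.hasOwnProperty.call(COOKIE_CATEGORY, name) ? COOKIE_CATEGORY[name] : undefined;
}

// In-memory jar so the example runs outside a browser (e.g. in Node).
function createMemoryJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
  };
}

// Browser jar backed by document.cookie. Secure + SameSite=Lax by default.
function createDocumentJar() {
  return {
    get: (name) => {
      const hit = document.cookie.split('; ').find((c) => c.startsWith(name + '='));
      return hit ? decodeURIComponent(hit.slice(name.length + 1)) : undefined;
    },
    set: (name, value) => {
      document.cookie = `${name}=${encodeURIComponent(value)}; path=/; Secure; SameSite=Lax`;
    },
    remove: (name) => { document.cookie = `${name}=; path=/; Max-Age=0; Secure; SameSite=Lax`; },
  };
}

function createConsentGate(jar) {
  // Default state: nothing opted in. Only an explicit `true` counts as consent,
  // which mirrors the GDPR requirement for an affirmative act (no pre-ticked boxes).
  let consent = { essential: true, analytics: false, marketing: false };

  function setConsent(choices) {
    consent = {
      essential: true,
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
    };
    jar.set('consent', JSON.stringify(consent));
    // Withdrawal has to take effect immediately: drop cookies whose category is off.
    for (const [name, cat] of Object.entries(COOKIE_CATEGORY)) {
      if (!consent[cat]) jar.remove(name);
    }
  }

  function allowed(category) {
    return consent[category] === true;
  }

  // Returns false (rather than throwing) when consent is missing, so callers
  // can degrade gracefully; throws for a cookie nobody has classified.
  function setCookie(name, value) {
    const cat = categoryOf(name);
    if (!cat) throw new Error(`unclassified cookie "${name}": add it to COOKIE_CATEGORY first`);
    if (!allowed(cat)) return false;
    jar.set(name, value);
    return true;
  }

  return { setConsent, allowed, setCookie, getConsent: () => ({ ...consent }) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const gate = createConsentGate(createMemoryJar());
  console.log('analytics before opt-in:', gate.setCookie('_ga_demo', 'GA1'));   // false
  gate.setConsent({ analytics: true });
  console.log('analytics after opt-in:', gate.setCookie('_ga_demo', 'GA1'));    // true
}
```

The same `allowed(category)` check should guard third-party script tags (analytics, ad pixels), since those set their own cookies once loaded; injecting the tag only after `allowed('analytics')` returns true is the usual pattern.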
Provide links to legal papers throughout the site or app and require users to agree to them before using the service.
Don't send marketing communications or other types of advertising to users without their express consent.
You can see here how Nestlé lets users choose which types of communication they wish to receive within the contact form:
Give users easy access to their personal information and allow them to manage, edit, or delete that information at their discretion.
Google gives users an easy-to-understand interface in which to review data, manage or update information, manage preferences, or delete their accounts:
Under the GDPR (Article 5(1)(d), the accuracy principle), online businesses are required to keep the personal data they hold accurate and up to date. Over time, your clients should do the following to keep their databases clean and compliant:
As discussed above, the designer/developer does not have any legal responsibility or liability when it comes to online legal papers. Data encryption and general security, on the other hand, may fall under the legal responsibility of the designer or developer.
For example, Alpine Bank sued the developer of its website after a data breach, alleging that the developer had failed to provide sufficient data encryption. In another case, Equifax immediately pointed a blaming finger at one of its software developers for a massive data breach that compromised the data of millions of users.
In short, if a data breach occurs, clients are quick to blame designers and developers for security flaws. It is advisable to follow recognised security practices, and to keep a record of what was implemented and what the client declined, to limit your liability.
Although data security and encryption go far beyond this list, here are a few simple best practices to follow in regard to basic security:
Despite your best privacy advice, design efforts, and security measures, it may happen that a future client tries to assign the blame to you in the case of a privacy dispute or security breach. You can take preventative measures ahead of time to reduce your own potential liability, such as: