Are you launching a new website? Whether it's a simple blog, an ecommerce store, or a community message board, you must consider your legal position.
From privacy to consumer protection to copyright, there are many ways in which the law can affect website operators.
This legal landscape might not be as daunting as you think. We're going to talk you through the key legal issues you should consider and the practical compliance steps you might need to take.
- 1. About Your Website
- 2. Privacy Law
  - 2.1. Minimizing Data Collection
  - 2.2. Cookie Consent
  - 2.3. Cookies Policy
  - 2.5. Data Security
- 3. Consumer Protection Law
  - 3.1. Creating Terms and Conditions
  - 3.2. Disclaimers
  - 3.3. Returns and Refunds
  - 3.4. Affiliate Links
- 4. Copyright Law
  - 4.1. Third-Party Content
  - 4.2. Takedown Requests
- 5. Defamation Law
- 6. Displaying Your Legal Notices
- 7. Summary
About Your Website
We're going to look at four areas of law that are particularly important for website operators:
- Privacy law
- Consumer protection law
- Copyright law
- Defamation law
All websites are affected by different laws in different ways. Two main factors determine which laws will affect your website:
- The purpose of your website. If you're running an ecommerce website, you're more likely to be affected by consumer protection law. If you're using cookies to track your users, privacy law is a critical consideration.
- The location of your users. Because many websites have users worldwide, you may need to consider the laws of multiple jurisdictions.
Privacy Law
Privacy law is a crucial consideration for every website.
If your users are located across several legal jurisdictions, you'll have to comply with several privacy laws. Here's a list of some important privacy laws around the world:
- United States: California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) as amended by the CPRA
- European Union and European Economic Area: General Data Protection Regulation (GDPR)
- United Kingdom: GDPR and Data Protection Act 2018 (DPA 2018)
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia: Privacy Act 1988
- South Africa: Protection of Personal Information Act (POPI Act)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
All of these laws have different requirements and standards. It's important to familiarize yourself with the laws affecting your website.
Minimizing Data Collection
When it comes to privacy, a good rule is to minimize the amount of data you're collecting. This reduces your overall compliance burden and the chances of experiencing a damaging data breach.
Here are some ways you can minimize the amount of data your website collects:
- If you're using analytics tools, such as Google Analytics, ensure you don't log information such as IP address, browser type, or other technical data unless you need it.
- If you need to log analytics data, take steps to de-identify it, such as by removing the last digits of an IP address.
- When collecting data via web forms, e.g. for mailing lists, customer service inquiries, or sales, consider what data you actually need to carry out the transaction. Don't collect any other data.
Cookie Consent
If you have users in the U.S., you may need to comply with the CCPA (CPRA). If so, you may be required to let users opt out of certain tracking cookies. This means setting up a "Do Not Sell My Personal Information" page.
Here's how Pearson displays its "Do Not Sell My Personal Information" link:
For more information, see our article CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?
In the UK and the EU, you must obtain opt-in consent for any cookies that are not necessary to either make your website function correctly or provide a service requested by the user. All advertising and analytics cookies require consent in the UK and the EU.
Some other jurisdictions also require you to get consent for cookies or to allow users the opportunity to opt out of cookies. For more information, see our article: Cookie Consent Outside of the EU.
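The opt-in rule above has a direct technical consequence: an analytics or advertising script must not be loaded, and so must not set its cookies, until the user's consent for that category has been recorded. The code below is an added example written for this article, not the article's own code or any vendor's consent product. It assumes a constructed cookie format (`consent=analytics:1,advertising:0`), three constructed script categories, and example vendor URLs; everything non-essential defaults to "not granted" when no choice has been recorded.

```javascript
// Added example (not from the article): gate third-party scripts on recorded consent.
// Categories, vendor URLs and the consent-cookie format are constructed for this example.

const SCRIPT_CATALOG = [
  { name: 'session-helper', category: 'necessary', src: '/static/session.js' },
  { name: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { name: 'ad-pixel', category: 'advertising', src: 'https://ads.example/pixel.js' },
];

// Opt-in model: every non-essential category starts as "not granted".
const DEFAULT_CONSENT = Object.freeze({ necessary: true, analytics: false, advertising: false });

// Parse a cookie header such as "theme=dark; consent=analytics:1,advertising:0".
// Unknown categories are ignored and "necessary" cannot be switched off.
function parseConsentCookie(cookieHeader) {
  const consent = { ...DEFAULT_CONSENT };
  const match = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || '');
  if (!match) return consent; // no recorded choice: treat as no consent
  for (const pair of match[1].split(',')) {
    const [category, value] = pair.split(':');
    if (category in consent && category !== 'necessary') consent[category] = value === '1';
  }
  return consent;
}

// Decide which catalog entries may load under a given consent state.
function scriptsToLoad(consent, catalog = SCRIPT_CATALOG) {
  return catalog.filter(s => s.category === 'necessary' || consent[s.category] === true);
}

// Serialize a consent choice back into the cookie value the parser understands.
function serializeConsent(consent) {
  return Object.keys(DEFAULT_CONSENT)
    .filter(c => c !== 'necessary')
    .map(c => `${c}:${consent[c] ? 1 : 0}`)
    .join(',');
}

// Browser side: inject only the permitted scripts. `doc` is a parameter so the
// decision logic can also run (and be tested) where there is no DOM.
function injectScripts(scripts, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return scripts.map(s => s.src); // no DOM: report what would be loaded
  return scripts.map(s => {
    const el = doc.createElement('script');
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
    return s.src;
  });
}

// Page-load flow: read the recorded consent, then load only the permitted scripts.
function loadPermittedScripts(cookieHeader, doc) {
  return injectScripts(scriptsToLoad(parseConsentCookie(cookieHeader)), doc);
}

console.log(loadPermittedScripts('theme=dark; consent=analytics:1,advertising:0', null));
```

The important design choice is the default: with no consent cookie present, only the "necessary" script loads. A banner that loads the analytics tag first and asks afterwards does not satisfy the opt-in requirement described above, however clearly it is worded.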
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tablet and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copying and pasting the installation code into the <head> section of your website. Instructions on how to add the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
Cookies Policy
Your Cookies Policy should explain:
- What cookies do
- What types of cookies you use
- How long cookies will remain on a user's device
- How to opt out of certain cookies
To give you an idea of how a Cookies Policy can look, here's the introduction to Shelter's Cookies Policy:
Privacy Policy
Your Privacy Policy should include:
- Your contact details
- The types of personal information you collect (e.g., names, email addresses, IP address)
- The types of any third parties with whom you share personal information (e.g., marketing companies, vendors, cookie providers)
- Information about any relevant consumer privacy rights (e.g. GDPR data subject rights, PIPEDA access rights, CCPA/CPRA consumer rights)
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Data Security
Practically every legal jurisdiction now has cybersecurity or data breach notification laws. Such laws require businesses to keep personal information safe and notify the authorities in the event of a security incident.
You need to keep hackers out of your system and keep your users' personal information secure. Even lists of email addresses associated with a particular brand can be valuable to hackers, who can use this information in targeted phishing campaigns.
Here are simple ways to improve the security of your website and the personal information you collect:
- Keep your passwords strong and change them regularly.
- Keep platform software and website scripts up to date. Hackers are constantly seeking zero-day vulnerabilities they can exploit to gain access to websites.
- Conduct due diligence whenever installing third-party software or working with new service providers.
- Use SSL/TLS encryption (HTTPS) wherever possible, for example to secure account login pages.
- Encrypt or pseudonymize any personal information you store.
For more information, see our article: Protecting Personal Data in Your Business.
Consumer Protection Law
Consumer protection law, and contract law more generally, is most relevant to ecommerce websites. But even if you don't sell goods or services through your website, you should still consider whether you need to comply with certain aspects of consumer protection law.
Creating Terms and Conditions
Creating a Terms and Conditions agreement sets clear rules regarding the use of your website and can provide some legal protection for your business.
Our Terms and Conditions Generator makes it easy to create a Terms and Conditions agreement for your business. Just follow these steps:
At Step 1, select the Website option or the App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Enter the email address where you'd like the T&C delivered and click "Generate."
You'll be able to instantly access and download the Terms & Conditions agreement.
Here are some clauses typically contained in website Terms and Conditions agreements:
- Any restrictions on the use of your website: Can people in any country access your services? Is your website intended for children?
- Your policy on user accounts, including the conditions under which you can restrict, suspend, or remove a person's account.
- Information about billing and payments.
- Any relevant disclaimers (which we'll discuss below).
- A "limitation of liability" clause, which limits the amount you will pay in damages if your website or services cause harm to your users.
- An "indemnity" clause, which requires users to pay damages covering any harm they cause to your business.
- A "governing jurisdiction" clause, which sets the national law through which your terms should be interpreted, and establishes which country's courts will deal with any legal disputes.
Wherever possible, you should ensure your users read and accept your Terms and Conditions (for example, before creating an account). You should also ensure you provide a conspicuous link to your Terms and Conditions on your home page.
For more information, see our article: How to Write Terms and Conditions.
Disclaimers
Website disclaimers aim to limit your liability for any harms caused by your website. There are several types of website disclaimers.
Some disclaimers seek to limit your association with any third-party articles or comments on your site.
Here's an example from PBC Foundation:
Disclaimers can also seek to limit liability for factual errors or omissions present on a website.
Here's an example from VSO:
Returns and Refunds
If you sell goods or services through your website, you must ensure you have a Returns and Refunds Policy that aligns with the consumer protection law in the markets in which you operate.
You can set your own Returns and Refunds Policy, but it must be at least as generous as the legal minimum standard. It's important to learn the rules that exist wherever your customers are based.
In the U.S., legal requirements for returns and refunds vary across states. In many states, businesses are required to honor any Returns and Refunds Policy they have in place, but there are no specific requirements as to what the policy must say.
Here are the rules in some other major markets:
- European Union: The Consumer Sales and Guarantees Directive (available here) means that all new products purchased in the EU carry a minimum two-year warranty. The Consumer Rights Directive (available here) allows customers who have bought products online (or via mail or phone) 14 days to return them for a full refund.
- United Kingdom: The Consumer Rights Act 2015 (available here) imposes similar rules to those protecting consumers in the EU.
- Canada: Provincial laws govern consumer rights, such as British Columbia's Sale of Goods Act (available here) and Quebec's Consumer Protection Act (available here).
- Australia: Most household goods carry an implied warranty that they are of satisfactory quality and fit for purpose. Businesses cannot operate a "no refunds" policy (more information available here).
See our Return and Refund Policy Generator for more information.
Affiliate Links
If you use affiliate links to generate income on your website, you must be clear and transparent about this.
When managing your website's use of affiliate links, a good starting point is the guidance provided by the U.S. Federal Trade Commission (FTC), which sets out some rules on making appropriate disclosures.
Here are the basic rules provided by the FTC. Many jurisdictions outside of the U.S. have similar rules:
- Every page that contains an affiliate link must present a disclosure
- Disclosures must be unambiguous, clear, and conspicuous
- Disclosures must be made "above the fold" (i.e. visible on a web page without the need to scroll down)
- Disclosures must not be buried in a block of text
Here's PCMag's affiliate disclosure, which appears on every page on the PCMag website containing affiliate links:
For more information, see our articles:
- Legal Agreements for Affiliate Marketing
- Affiliate Disclaimers for UK Websites
- Disclaimer for Amazon Associates
Copyright Law
Website owners can end up in legal trouble for reproducing copyrighted content without permission. In most cases, this is easy to avoid.
You automatically own the copyright to content you create and display on your website, but there are some benefits to registering your copyright.
Third-Party Content
You must ensure you have any necessary licenses for third-party content you display on your website. Just because something is freely available online, this doesn't necessarily mean you can reproduce it on your site.
If you don't want to pay for content or create your own, you can obtain free-to-use images from online resource libraries like Unsplash.
Takedown Requests
In the U.S., the Digital Millennium Copyright Act (DMCA) requires websites to take down content that allegedly infringes copyright.
If an individual believes that your website is hosting their copyrighted content, they can request that you take it down. If you do so in an "expeditious" (reasonably quick) manner, then you can avoid liability for copyright infringement.
Note that the DMCA covers user-generated content hosted on your website.
You should create a system for facilitating DMCA takedown requests and explain to users how they can make a DMCA takedown request.
Here's how GitHub does this:
You should also consider adding a DMCA clause to your Terms and Conditions.
In the EU, online copyright law is mainly covered by the eCommerce Directive (available here). You can comply with takedown requests to minimize your risk of legal issues, but you can also ask the supposed copyright owner to substantiate their request. Similar rules apply in the UK.
If you run a content-sharing platform that operates in the EU, you must comply with Article 17 of the Copyright Directive.
Defamation Law
To avoid issues with defamation law, you should, of course, avoid making any defamatory statements on your website. But what if you allow users to share user-generated content?
User-generated content can include:
- Comments beneath blog posts
- Posts on a forum or message board
- Articles or blog posts created by users
- User reviews
- User-contributed media
Websites aren't like traditional news media. The law generally views websites as "intermediaries" when they host content created by third parties. This means that website owners are usually protected from defamation claims, to some extent.
However, when it comes to user-generated content, you should always proceed with caution. To minimize risk, many websites choose not to allow user-generated content at all.
Here are some of the laws covering intermediary liability that you should be aware of:
- In the U.S., Section 230 of the Communications Decency Act (available here) protects website operators from defamation suits arising from content posted by third parties, providing certain conditions are met. At the time of writing, U.S. legislators are considering a repeal of Section 230.
- In the UK, Section 5 of the Defamation Act 2013 (available here) protects website operators from defamation claims relating to user-generated content, but only if the user can be identified.
- Across the EU, intermediary liability laws are applied inconsistently from country to country. It's important to be aware of the eCommerce Directive (available here).
For more information, see our article Legal Issues with User Generated Content.
Displaying Your Legal Notices
Here's an example from the home page of TechRadar that displays many legal agreements nicely in one section (typically the website footer):
Here's how Trending Travel does this:
Your Terms and Conditions are unlikely to be enforced by a court unless your users have accepted them. It's important to require that your users accept your Terms and Conditions before taking actions such as creating an account or making a purchase.
Summary
We've looked at four areas of law to consider when launching a new website. Here's a recap:
Privacy law:
- Minimize the amount of personal information you collect
- Get consent for cookies, if required
- Create a Cookies Policy
- Ensure your website and your users' personal information is secure
Consumer protection law:
- Create a Terms and Conditions agreement
- Create any appropriate disclaimers
- Create a Returns and Refunds Policy, if required
- Create affiliate link disclosures, if required
Copyright law:
- Ensure you have a license for any third-party content
- Create a system for complying with any relevant notice-and-takedown laws
Defamation law:
- Consider how you can avoid any legal issues with user-generated content on your site
While there will surely be other legal considerations you'll need to explore and address when launching your new website, the issues discussed above are the most common ones that will affect the widest range of people.
By addressing each of them, you'll be on your way to having a compliant website.