Tech Tuesday: Legal Requirements for Websites – Making Sure You’re Compliant

28 February 2017 | Tim Hatton | About a 10 minute read
Tags: commerce, compliance, Data protection, e-commerce, legal, legislation, online shopping, regulations, requirements, rules, website development, websites


If you’re launching a new website then you will be occupied with the usual concerns – how do I build it?  How do I design it?  How do I promote it?  Bottom of the list (and often forgotten completely) is the need to make sure the website complies with the myriad legislation and regulations which govern websites.

For example did you know:

  • You must display the name and address of your business on your website
  • You can’t use pictures of the Royal Family in a banner advert without explicit consent
  • If you are trading online, you must provide a valid email address for correspondence – not just a contact form
  • Website operators have a defence against liability for defamatory user generated content, but only if they act within certain timescales
  • There are certain claims which you must be able to substantiate if you make them on a website

Legislation, Codes and Acts

This is not an exhaustive list, but it does cover the main regulations affecting operation of a website or other digital services in the UK.

Electronic Commerce (EC Directive) Regulations 2002

Almost every website and app – regardless of whether it would be described as an ‘ecommerce’ website or not – falls under the scope of these regulations.  They cover “information society services” – defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of the service”.

The DTI’s 2002 guidance on the regulations made clear that the scope is not limited to websites buying and selling online – it also covers “those offering online information or commercial communications (adverts) or providing tools allowing for search, access and retrieval of data” – which is the vast majority of websites.

Key parts of the regulations include:

  • A minimum set of information to be provided on the website: name, geographical address, email address (not just a contact form), VAT number if the business is VAT registered, and details of any trade or professional body the business is registered with
  • Commercial communications (advertising) must be clearly identifiable as commercial, identify who they are from, and make clear any promotional offer or competition and the conditions attached to it. This also applies to non-website communication such as text messages
  • Consumer contracts are excluded from the ‘country of origin’ principle – that is, if you sell products to consumers in France, you have to comply with French consumer law (not just UK law)
  • If you sell online, you must state in a “clear, comprehensible and unambiguous manner” the technical steps required to place an order, and make the terms and conditions available in a form which the customer can store and reproduce (for example, print or save)
  • You must acknowledge receipt of the order electronically ‘without undue delay’, and provide a means for the customer to identify and correct input errors before the order is placed

The legislation: http://www.legislation.gov.uk/uksi/2002/2013/made

General Data Protection Regulation (GDPR)

This EU-wide legislation is similar in scope to the UK-only DPA (see below) and will replace the existing EU Data Protection Directive 95/46/EC. It will apply from 25 May 2018.  It will not be affected by Brexit – the government has confirmed that leaving the EU will not affect the commencement of GDPR.

For most organisations the scope is much the same as the DPA – data which falls under the scope of the DPA will fall within the scope of the GDPR (e.g. HR records, customer contacts etc.) – but the obligations attached to that data, and the penalties for getting it wrong, are greater.

Examples of where the GDPR does differ from existing legislation:

  • There is a key ‘accountability’ requirement – organisations have to be able to demonstrate how they comply with the GDPR
  • The definition of ‘personal data’ is broader – online identifiers such as an IP address or a cookie ID can be personal data, and pseudonymised data (where the obvious identifier has been replaced but the individual could still be identified using other information) remains personal data
  • Personal data breaches must be reported to the ICO within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals – which means an organisation needs to be able to detect a breach in the first place
  • The maximum fine rises to €20 million or 4% of global annual turnover, whichever is higher (compared with £500,000 under the DPA)
  • The legislation applies to non-EU organisations which offer goods or services to, or monitor the behaviour of, individuals in the EU

More information from the ICO: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/

The regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

CAP Non-Broadcast Advertising Code

The Committee of Advertising Practice (CAP) code is enforced by the Advertising Standards Authority (ASA) and applies to all non-broadcast advertising, sales promotion and direct marketing materials.  This includes websites, email marketing and online advertising amongst others.  The code is designed to ensure marketing communications abide by the ASA / CAP credo of being ‘legal, decent, honest and truthful’.  It deals with such areas as:

  • Misleading advertising, including claims which must be substantiated when they are made – and claims which cannot be made at all (e.g. you cannot claim a product can help someone win a game of chance)
  • Not using anything in marketing communications which is likely to cause harm or offence
  • The particular steps to be taken when advertising to children
  • Running promotional activities (e.g. promoters may not claim a person has won a prize when they have not done so)

The code: https://www.cap.org.uk/Advertising-Codes/Non-Broadcast.aspx

Privacy and Electronic Communications Regulations 2003 (PECR)

PECR sit alongside the Data Protection Act (see below) to protect individuals’ privacy.  The rules cover (among other areas):

  • Electronic marketing such as automated calls, emails and text messages – particularly unsolicited marketing and consent.  The regulations cover topics such as the ‘soft opt-in’ and viral marketing.
  • Use of cookies (and similar technologies which store or read information on the user’s device) on websites – telling people what they are and why they are being stored, and getting the person’s consent – including understanding what the ICO accepts as ‘implied consent’, and which cookies are exempt because they are strictly necessary for a service the user has asked for.  
  • Keeping public communications services secure (applies mainly to telecoms companies and ISPs)
  • Customer privacy regarding traffic and location data – for example, the location of a mobile phone
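The practical consequence of the cookie rule is that a site must not set non-essential cookies (or write to similar storage) until consent has been given, while strictly necessary cookies can be set straight away. The following is an added example of such a consent gate, written for this article and not taken from any ICO guidance or product; the cookie names, the category table and the `store` interface are assumptions made for the illustration (a browser would wrap `document.cookie`; a plain in-memory object is used here so it runs under Node).

```javascript
// Added example (not from the original article): a minimal consent gate for
// cookies and similar storage under PECR. Cookie names and categories below
// are assumptions for the illustration, not a real site's configuration.

// Strictly necessary cookies (session, CSRF token, the consent record itself)
// may be set without consent; every other category waits for an opt-in.
const COOKIE_CATEGORIES = {
  session: "necessary",
  csrf: "necessary",
  cookie_consent: "necessary",
  _ga: "analytics",
  ad_id: "advertising",
};

function createConsentGate(store) {
  // store: { set(name, value), get(name) } - the assumed storage interface.
  // Consent already recorded (e.g. on an earlier visit) is honoured on load.
  let granted = new Set(JSON.parse(store.get("cookie_consent") || "[]"));

  function setCookie(name, value) {
    // Unknown cookies are treated as non-essential, so the gate fails closed.
    const category = COOKIE_CATEGORIES[name] || "unknown";
    if (category !== "necessary" && !granted.has(category)) {
      return false; // blocked: no consent for this category
    }
    store.set(name, value);
    return true;
  }

  function grantConsent(categories) {
    categories.forEach((c) => granted.add(c));
    // Recording the user's choice is itself strictly necessary, so the
    // consent record can always be stored.
    store.set("cookie_consent", JSON.stringify([...granted]));
  }

  function withdrawConsent() {
    granted = new Set();
    store.set("cookie_consent", "[]");
  }

  return {
    setCookie,
    grantConsent,
    withdrawConsent,
    hasConsent: (category) => granted.has(category),
  };
}

// In-memory stand-in for document.cookie so the example runs outside a browser.
function memoryStore() {
  const jar = {};
  return {
    set: (name, value) => { jar[name] = value; },
    get: (name) => jar[name],
    jar,
  };
}
```

The important design choice is that the gate fails closed: a cookie that nobody has classified is blocked rather than allowed, so adding a new third-party script does not silently start dropping tracking cookies before the visitor has opted in.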

Cookie Law information: https://www.cookielaw.org/faq/

Guide to PECR from the ICO: https://ico.org.uk/for-organisations/guide-to-pecr/

Data Protection Act 1998

UK organisations and companies which gather personal data have to comply with the DPA – data must be processed fairly and lawfully, used for specified purposes, kept secure, and not kept for longer than is necessary, among other requirements.

Individuals have the right to make a subject access request to be provided with all the data which an organisation holds on them, for which organisations can charge a fee of up to £10, and which must be answered within 40 calendar days.  Organisations which do not respond to these requests in time – or which have not been using data lawfully or keeping it secure – can be fined up to £500,000 by the ICO.

Gov.uk guidance on the act: https://www.gov.uk/data-protection/the-data-protection-act

The act: http://www.legislation.gov.uk/ukpga/1998/29/contents

The Defamation (Operators of Websites) Regulations 2013

These regulations are less well known, but are important to publishers of websites which allow user comments or user generated content – and as anyone who has used YouTube will know, user comments are not always the most tactful or polite!  The regulations, made under section 5 of the Defamation Act 2013, give the operator of a website a defence against a defamation claim arising from material posted on the site by someone else – and set out the form a complaint has to take and the information it must contain.  However, the defence is only available if the operator follows the prescribed procedure within the set timescales (for example, forwarding a valid notice of complaint to the poster within 48 hours of receiving it) – otherwise the defence is lost.

Commentary on the legislation by Wright Hassall: https://www.wrighthassall.co.uk/knowledge/legal-articles/2014/03/03/defamation-operators-websites-regulations-2013/

The legislation: http://www.legislation.gov.uk/uksi/2013/3028/contents/made

General Legislation

As well as the above legislation, there are several acts regarding normal business operations which contain items that apply to doing business online, as well as through physical premises.

Companies Act 2006

This act governs the operation of public and private limited companies in the UK.  As far as it relates to websites, the Companies (Trading Disclosures) Regulations 2008 made under it require a company’s registered name, registered number, place of registration and registered office address to be shown on its websites.

gov.uk information: https://www.gov.uk/running-a-limited-company/signs-stationery-and-promotional-material

Equality Act 2010

The Equality Act replaced the older Disability Discrimination Act 1995.  The act places general accessibility requirements on businesses to ensure their services can be used by people with disabilities.  

The act states that service providers must make “reasonable adjustments” to enable disabled people to access their services.  Some suggestions are made as to what a “reasonable adjustment” might be, and factors such as cost, resources and the level of disruption of making any change can be taken into account.  In effect this means that the larger the company, the better the access it would be expected to provide.

As the act does not specifically state how the accessibility of a website is to be measured, the general position is that the WCAG 2.0 guidelines are a good indicator of the standard reasonably expected, with at least Level A (and ideally Level AA) being met.

The act: http://www.legislation.gov.uk/ukpga/2010/15/contents

gov.uk guidance to the act: https://www.gov.uk/guidance/equality-act-2010-guidance#equalities-act-2010-legislation

Out-Law.com commentary on the act: http://www.out-law.com/page-330

Consumer Contracts Regulations

Most sales to consumers which aren’t made face to face are covered by the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, which came into force in June 2014 and replaced the original Distance Selling Regulations (2000).  Key parts of the regulations include:

  • A “right to cancel” of 14 days, running from the day the consumer receives the goods (or, for services, from the day the contract is made) – the consumer can cancel from the moment the order is placed, but certain goods are excluded, and where the consumer has handled the goods beyond what is needed to check them the refund can be reduced
  • For downloadable digital content, the trader may not start supplying it within the 14 day period unless the consumer has expressly consented to immediate delivery and acknowledged that they lose the right to cancel – otherwise the consumer has to wait until the end of the 14 day period before they can download it
  • ‘Pre-ticked boxes’ cannot be used to add extra items or charges to a customer’s order – if a company does this, the consumer is not bound to pay for them and is entitled to a refund

Guidance for businesses on gov.uk: https://www.gov.uk/online-and-distance-selling-for-businesses/overview


Summary

If you’re planning on launching a new website, then you need to make sure it complies with the different acts and regulations in order to operate in the UK.  Non-compliance may result in fines and potentially more serious penalties – as well as commercial impact, for example contracts being unenforceable.

It is worth making compliance with the relevant legislation an explicit requirement of the work to build a website.  Organisations should always seek professional legal help to confirm compliance, but an understanding of the scope and main areas of legislation may help you to spot problems which need further investigation and clarification, and save a lot of pain once the site has gone live!

 
