requirements and best practice for legal information on your website

basic questions

do I need to read this?

This post refers to all UK business websites (both B2B and B2C). Personal websites are generally exempt from these requirements.

what are the potential ramifications?

Failure to comply with consumer protection regulations could result in action being taken by consumer protection bodies, regulators (in the UK, the Information Commissioner’s Office), or by customers themselves. It could also result in damage to a business's reputation.

In practice the initial response is unlikely to be anything more than a letter asking you to correct the situation. But displaying the required information in a prominent place also reassures your audience.

how could Brexit affect this area?

EU directives have been enabled in the UK by various Regulations. If the UK leaves the EU, legislation may be re-examined – but in the short to medium term, things are unlikely to change.

what you need to tell users

who you are

Every operator of a business website must publish basic identifying information:

  • name
  • geographical address
  • contact details (both email and non-electronic)
  • details of any relevant supervisory authority
  • VAT number, if registered

This information does not need to be on every page, but it must be clear and easily accessible. Links in the site footer to dedicated pages are generally acceptable.

Specific types of websites will require additional details:

  • Limited companies must show the company registration information: usually the registered number, registered address and any trading names
  • Members of regulated professions must show the professional body and regulations
  • Websites where goods and services are sold online must provide details of the contracts, Terms and Conditions for the contracts, and Delivery and Returns Policy

what personal data you collect

Website users have a right to know what information you are collecting about them, and to refuse to give you that information. Some of this information will be obvious, such as user registration fields. However, some can be collected without the user knowing – for example hidden form fields, cookies, and local storage in Flash or HTML5.

EU cookie law

All websites owned in the EU, or targeted towards EU citizens, are expected to comply with the “Cookie law” (which applies to all local storage methods, not just cookies). To comply, a site should:

  • Tell the user that you will be storing cookies
  • Get their agreement (opt-out is assumed to be acceptable) or provide instructions on how to refuse
  • Provide more information about the cookies (see Cookies policy)
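The two sections above describe what must happen before non-essential data is stored in a visitor's browser. The following is an added example, not code from the original post: a small consent gate that refuses to write non-essential cookies or HTML5 localStorage entries until the user agrees, records every blocked write for later review, and purges non-essential entries if the user refuses. The set of "strictly necessary" keys and the in-memory storage back-end are assumptions constructed for the example; a browser deployment would wrap document.cookie or window.localStorage behind the same three methods.

```javascript
// Keys treated as strictly necessary (assumed for the example); everything else
// is non-essential and must wait for consent.
const ESSENTIAL = new Set(["session_id", "csrf_token"]);

class ConsentGate {
  constructor(storage) {
    this.storage = storage;   // any object with set/get/remove/keys
    this.consent = "unknown"; // "unknown" | "granted" | "refused"
    this.blocked = [];        // audit trail of writes refused pending consent
  }
  grant() { this.consent = "granted"; }
  refuse() {
    this.consent = "refused";
    // Withdrawn or refused consent: remove anything non-essential already stored.
    for (const key of this.storage.keys()) {
      if (!ESSENTIAL.has(key)) this.storage.remove(key);
    }
  }
  set(key, value) {
    if (ESSENTIAL.has(key) || this.consent === "granted") {
      this.storage.set(key, value);
      return true;
    }
    this.blocked.push(key); // note the attempt, but do not store anything
    return false;
  }
}

// Constructed in-memory back-end so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  set(k, v) { this.map.set(k, v); }
  get(k) { return this.map.get(k); }
  remove(k) { this.map.delete(k); }
  keys() { return [...this.map.keys()]; }
}

// Walk through a typical visit: essential write, blocked analytics write,
// consent granted, then consent withdrawn.
function demo() {
  const store = new MemoryStorage();
  const gate = new ConsentGate(store);
  gate.set("session_id", "abc123"); // essential: always allowed
  gate.set("_ga", "tracker");       // analytics: blocked until consent
  gate.grant();
  gate.set("_ga", "tracker");       // now stored
  gate.refuse();                    // analytics purged, session kept
  return { blocked: gate.blocked, remaining: store.keys() };
}
```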

what you do with that personal data

privacy policy

The Data Protection Act 1998 specifies that if a business collects and uses data that relates to an identifiable living person, it must give that person information including:

  • The business which owns the website
  • What personal data the business will collect
  • What use will be made of that data

That person also has the right of access to the data, and the right to have it corrected. Instructions on how to go about this should also be included in the privacy policy.

cookies policy

This can be treated as a subsidiary of the privacy policy. It should include:

  • A list of the cookies collected
  • Who issues these cookies and how they will be used
  • Information on how to block or delete cookies

For general information about cookies, you could link to http://www.aboutcookies.org.

about online purchases

terms and conditions – commercial

Policies for Terms and Conditions, and Delivery and Returns, are required as part of the Consumer Protection (Distance Selling) Regulations and Electronic Commerce Regulations (EC Directive). These terms must state:

  • The identity and postal address of the supplier
  • A description of the service
  • The contract price, inclusive of taxes (including VAT information if applicable)
  • Delivery costs (if applicable)
  • Payment and delivery arrangements
  • Notification of the right of cancellation
  • The cost of the means of communication by which the contract is to be concluded (e.g. premium rate telephone numbers)
  • The period for which the terms are available
  • Minimum duration of the contract, where it is not of one-off performance

PCI DSS

If you store, process, or transmit cardholder data on your servers, you will be subject to the Payment Card Industry Data Security Standard (PCI DSS) requirements. These are onerous, so in most cases we recommend outsourcing payment handling to an external payment gateway supplier.

other legal requirements

access

The Equality Act (2010) advises that a website must satisfy Priority 1 (Level A), and should satisfy Priority 2 (Level AA), of the W3C Web Content Accessibility Guidelines. Priority 3 (Level AAA) is not generally considered to be relevant.

While these guidelines are generally met during the website design and development process, they also need to be considered when content is added. For example, images added to the site should have an alt attribute providing alternative text for screen readers.

copyright and trademarks

All original work is copyrighted by default, so there is no legal requirement to put a © notice on your website. Likewise, there is no requirement to display ™ or ® symbols, though you may wish to do so in order to notify users of your intellectual property.

Depending on the sources of your content, you may need or want to supply copyright information and credits – e.g. for images or graphics.

terms and conditions – general

A general T&Cs page (as opposed to the commercial version discussed above) can be used to gather together various legal notices such as legal disclosure, usage, copyright, disclaimers, etc.

If you want to take back control of your web sites and applications then get in touch with miggle to see how we can deliver operational freedom for you in Drupal.
