The definition of compliance as a legal term means to obey the rules. In the context of website compliance, it means making sure that you adhere to, or comply with, the legislation and legal requirements that are relevant for your website.
The GDPR, which came into effect in May 2018, stands for The General Data Protection Regulation. The Regulation applies to all European companies - as well as companies outside the EU - that process data about European citizens. The GDPR regulates how companies collect, store, process, and manage people's data. The law also lays down the rights of people to their data, including the right to be forgotten, the right to information, and the right to data portability.
The EU Cookie Directive regulates the usage of cookies but also covers other forms of online tracking technologies, including device fingerprinting. The Directive is therefore broader and applies to more than just cookies. The Directive says that storing, or gaining access to, information stored in a person’s computer is not allowed unless specific requirements are met, including (a) giving clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) obtaining consent from the person.
The E-commerce Directive harmonises the rules in the EU for online businesses, so they know what they need to do in regards to, e.g., commercial communication, information requirements, and electronic contracts. The Directive sets out the basic requirements on mandatory consumer information, steps to follow in online contracting, and rules on commercial communications, for example, online advertisement and unsolicited commercial communications, also known as the “spam” rules.
There are different types of cookies, which all have different legal requirements depending on what the purpose of the cookie is, and whether the cookies are necessary or non-necessary:
There are a number of requirements for what you need to do and include on your website to ensure cookie compliance. These are:
There are a number of consents that can be relevant for you to collect on your website. The consents you collect depend on what kind of website you have, e.g., whether it is a webshop or just a website, and which cookies you would like to be able to use on your website. It’s important to collect the following types of consents when running a website:
You should also be aware that:
Email marketing has become a widely used revenue channel for ecommerce and businesses more generally. However, there are rules about who you may send email marketing offers or newsletters to. To make sure your email marketing efforts are compliant:
Remember that the rules might differ if you are sending email marketing to business leads / prospects.
Your Terms & Conditions are the legal document outlining the agreement between you and, e.g., your users. If you have a webshop, the document will outline everything around the purchase, for example the price, shipping and delivery, warranty, law and venue, and how a potential dispute between you and your customer should be handled. The document, which is legally binding when the customer consents to it, is a way of protecting you and your customer if a dispute or discrepancy were to arise. There are a number of things you must include in your terms and conditions, for example:
Remember that it’s important that the customer actively accepts your T&Cs. Additionally, you must also make sure that:
Your company’s information needs to be visible and easy to find on your website. The information you need to include is:
It must be easy for users and customers to contact you. The contact information you need to include on your website is:
You are not allowed to simply have a contact form on your website as the only way for a customer to get in touch with you; your contact information must also be visible.
There are a number of requirements for how you describe the products or services you sell. These vary depending on what you are selling; e.g., if you are selling clothes you must clearly describe the material the clothing is made from.
For services, it is a requirement to provide the customer with information about a cancellation fee if you have one, and when a cancellation fee comes into effect.
There are a number of data points you need to collect to make sure that your consents are valid. This is known as an audit trail, and it includes:
You must be able to keep records of all the consents you obtain. These records are also known as consent evidence. Without proper consent evidence, your consents are not considered compliant by the data authorities.
The level of security you need depends on what you are selling, but as a minimum you need to make sure that your payment flow or accepted methods of payment are secure. There are strict rules regarding encryption and payment security, which is why many companies use external payment service platforms.
You must always consider the target audience of your website, as there may be restrictions based on the content on the site and the age group you are advertising towards. If you are targeting children, or if your website features content with age restrictions such as alcohol, then there are a number of things you need to do to be compliant.
Another area where you need to be aware of the data you collect is if your website is healthcare related and you collect sensitive personal information; in that case you need to make sure that you comply with the extra restrictions and rules about gathering this sort of information.
You must also show your prices with VAT, or at the very least have the option to show the prices with VAT.
You must be transparent about any agreements with influencers or other marketing activities that could be considered hidden advertising.
There are requirements for the language use on your website. You must write clearly and in a way where it is easy for your (target) audience to understand what you mean. This means that generally speaking you need to make sure your website is written in the native language of the country your target audience is in.
This means that you must have your website in different versions that match the languages of the countries you are marketing yourself to.
There are some exceptions for countries that have multiple native languages, or where English is acceptable to use even though it isn’t an official language.
One way of keeping track of consents and the evidence you need is through a consent management solution that tracks your cookie consents.
With Legal Monster you can collect and document consent for all cookies used on your site. We use geotargeting to ensure that you collect the right consent in each of your markets, depending on the jurisdiction of the user or customer. Our solution detects which cookies you use and collects compliant consents for those. With Legal Monster you get a full audit trail, so you can prove consents to a data authority if you need to.