Guide: How do I make my website compliant?

There are many things to consider when it comes to ensuring the compliance of a website. This is in part due to different and overlapping website legislation, an area which only gets more complex the more countries your business operates in.

We have therefore compiled this guide, to give you an overview of some of the general information you need to run your website or webshop, and stay compliant. Throughout the text we refer to a website, but the legislation is also applicable to webshops. This guide has been tailored for companies operating in Europe. We are working towards creating as complete a guide as possible, but it is currently an ongoing project, and should be seen as such.


Disclaimer (26 March 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure as to how to become compliant and your use of Legal Monster. Please also keep in mind that these recommendations are not exhaustive and that more requirements might be applicable to your business.

How to run a website and stay compliant

Ensuring compliance is essential. Whether a business runs online or offline, most businesses have a website where they ‘meet’ their customers and collect and measure user data in some form.

To be compliant on your website you need to be aware of the key legislation in effect, and also which legislation is relevant based on what you have on your website. In this guide you will be able to find information about:

  • What do we mean by compliance?
  • Key legislation related to websites
  • Key areas where compliance impacts your website and what you should do
  • Compliance elements and what you need to know

What do we mean by compliance?

The definition of compliance as a legal term, means to obey the rules. In the context of website compliance, it means to make sure that you adhere to or comply with the legislation and legal requirements that are relevant for your website.

Key legislation for your website


The General Data Protection Regulation - GDPR (from 2018)

The GDPR, which came into effect in May 2018, stands for The General Data Protection Regulation. The Regulation applies to all European companies - as well as companies outside the EU - that process data about European citizens. The GDPR regulates how companies collect, store, process, and manage people's data. The law also lays down the rights of people to their data, including the right to be forgotten, the right to information, and the right to data portability.

The EU Cookie Directive - an amendment to the E-Privacy Directive (from 2009)

The EU Cookie Directive regulates the usage of cookies but also covers other forms of online tracking technologies, including device fingerprinting. The Directive is therefore broader and applies to more than just cookies. The Directive says that it is not permitted to store information on, or gain access to information already stored on, a person’s computer unless specific requirements are met, including (a) giving clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) obtaining consent from the person.

The e-Commerce Directive (from 2000)

The e-Commerce Directive harmonises the rules in the EU for online businesses, so they know what they need to do with regard to, e.g., commercial communication, information requirements, and electronic contracts. The Directive sets out the basic requirements on mandatory consumer information, steps to follow in online contracting, and rules on commercial communications, for example online advertisement and unsolicited commercial communications, also known as the “spam” rules.

Key areas where compliance impacts your website and what you should do

To make the above legislation and requirements as concrete as possible, we have outlined some of the components or elements you must incorporate into your website to ensure compliance. The rules regarding your privacy policy and consent collection come from the GDPR. The rules for the rest of the elements come from the cookie and e-commerce directives. The way the directives are applied can vary depending on the country you are operating in, and the jurisdiction of your website visitors.

Cookies

There are different types of cookies, which all have different legal requirements depending on what the purpose of the cookie is, and whether the cookies are necessary or non-necessary:

  • Necessary cookies have to do with the core functionality of your website. You do not need consent from a user to use these. Examples of necessary cookies are:
    • A cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket
    • Cookies that are essential to comply with security requirements in regards to an activity a user has requested, e.g. in connection with online banking services
  • Non-necessary cookies are used to collect personal data for marketing, remarketing and analytics purposes. You need permission from a user before you can begin tracking them with non-essential cookies, and be sure that you have a legal basis for collecting this data. Non-necessary cookies can be:
    • Cookies that help collect data about how users are using your website
    • Social media plugins on your website
    • Advertising cookies
    • Cookies used to recognise a user when they return to your website so you can tailor the experience they receive

There are a number of requirements for what you need to do and include on your website to ensure cookie compliance. These are:

  • You need to have a cookie banner on your website
  • You need to ask for consent before tracking non-necessary cookies
  • Your users need to be able to change their cookie settings easily, and the information you provide must be comprehensible
  • You need to have an accessible cookie policy on your website
  • You must document the cookie consents you obtain

Consent collection

There are a number of consents that can be relevant for you to collect on your website. The consents you collect depend on what kind of website you have, e.g., whether it is a webshop or just a website, and which cookies you would like to be able to use on your website. It’s important to collect the following types of consents when running a website:

  • Cookie consents
  • Email marketing consent (see below)
  • Consent to your Terms & Conditions (T&Cs)

You should also be aware that:

  • You must ensure that those using your website, signing up for your services, or buying things from you have given consent before you track how they use your website.
  • There are specific requirements for the wording used in the consent text, e.g. that your company name should always be included
  • There are specific requirements as to how the users are giving their consents, e.g. opt-in must be used in regards to email marketing and T&Cs
  • For consent to be considered compliant, you must always be able to document it. You can read more about consent evidence in the element section called ‘Audit trail’.

Email marketing

Email marketing has become a widely used revenue channel for ecommerce and businesses more generally. However, there are rules about who you may send email marketing offers or newsletters to. To make sure your email marketing efforts are compliant:

  • It is not permitted to send email marketing or newsletters unless you have been given explicit consent
  • You may not ask for consent via an email
  • The consent must be explicitly obtained for marketing purposes
  • A consent is only valid from the time it was obtained
  • You may send offers to existing customers who have provided you with an email address when they bought something from you, provided you gave them an option to unsubscribe (also known as opt-out). Remember that you can only send them email marketing about similar goods, e.g. if they have bought trainers then you can send them offers about shoes
  • It must at all times, and in all communication you send out, be easy to unsubscribe or opt out from your email marketing or newsletter

Remember that the rules might differ if you are sending email marketing to business leads / prospects.

Privacy policy

If you have a website, you probably already have a privacy policy. The privacy policy is the document where you describe what data you are collecting about your website visitors, customers etc. The reason why you need it is because of the GDPR. The GDPR gives users a right to information about how their data is being collected, processed and stored. And that’s why you need to have your privacy policy online and make sure that there is a link to it, when you are collecting data about your users, customers etc. The privacy policy should include the following information:

  • how you will process your users’ personal data,
  • which data you are collecting about them,
  • what you will do with the data (also known as the purpose),
  • who you will share it with,
  • will you use suppliers to process the personal data,
  • for how long you keep it,
  • and how you will keep it safe and secure.

Terms and conditions (T&Cs)

Your Terms & Conditions are the legal document outlining the agreement between you and, e.g., your users. If you have a webshop, the document will outline everything around the purchase, for example the price, shipping and delivery, warranty, law and venue, and how a potential dispute between you and your customer should be handled. The document, which is legally binding once the customer consents to it, is a way of protecting you and your customer if a dispute or discrepancy were to arise. There are a number of things you must include in your terms and conditions, for example:

  • The legal entity (your company, including your address, company registration number, country, email etc)
  • Information about your services / product
  • The customer’s / user’s rights and obligations
  • How a dispute will be handled
  • How to file a complaint
  • Law and venue
  • Delivery and shipment
  • Payment information, including when money will be deducted from the user’s bank account

Remember it’s important that the customer actively accepts your T&Cs. Additionally you must also make sure that:

  • The T&Cs must not make the customer worse off than what is stated in the law
  • You can document that your customers consented to your T&Cs

Information about your company

Your company’s information needs to be visible, and easy to find on your website. The information you need to include is:

  • Company name,
  • Company physical address,
  • Your postal address if it is different from your physical address
  • Company VAT number,
  • Contact information such as an email address, and a phone number, so that a customer can get in touch with your company, please see the next section for more information

Contact information

It must be easy for users and customers to contact you. The contact information you need to include on your website is:

  • Email address
  • Phone number, if you have one

You are not allowed to have a contact form on your website as the only way for a customer to get in touch with you; your contact information must also be visible.

Legal documents

You must create a section on your website (a legal library) where your legal documents such as your Privacy Policy, Cookie Policy and Terms & Conditions can be found. It is a legal requirement that they are easy to find, and easy to read and understand, so avoid legal lingo and overcomplicated sentences.

Product description: Goods & services

There are a number of requirements to how you describe the products or services you sell. These vary depending on what you are selling, e.g. if you are selling clothes you must clearly describe the material the clothing is made from.

For services it is a requirement to provide the customer information about a cancellation fee if you have one, and when a cancellation fee comes into effect.

Audit trail

There are a number of data points you need to collect to make sure that your consents are valid. This is known as an audit trail, and it includes:

  • The date and time the specific consent was obtained
  • The user’s information given in connection with the consent, e.g. the user’s email, name, IP address etc.
  • What the user gave consent to, and more specifically
    • Whether the user consented to receive email marketing, what was the consent text that the user consented to, e.g. “Yes, I would like to receive email marketing about shoes and clothing from Company A”
    • Whether the user was informed about your privacy policy, what information did you give the user, e.g. “We process your personal data in accordance with our Privacy Policy (LINK (to privacy policy))”
    • Whether the user was asked to consent to your Terms & Conditions, what was the wording of the specific consent, e.g. “I hereby accept Company A’s Terms & Conditions”
    • How did the user give his / her consent, e.g. opt-in, opt-out, implied / implicit etc.
    • What did the button say when the user signed up, e.g. “yes, sign me up”
  • What was the specific wording of the terms & conditions that the user consented to
  • What was the specific wording of the privacy policy that the user was informed about

You must be able to keep records of all the consents you obtain. These records are also known as consent evidence. Without proper consent evidence, your consents are not considered compliant by the data authorities.

Security

The level of security you need depends on what you are selling, but as a minimum you need to make sure that your payment flow or accepted methods of payment are secure. There are strict rules regarding encryption and payment security, which is why many companies use external payment service platforms.

Your target audience (children, health care, alcohol, etc.)

You must always consider the target audience on your website, as there may be restrictions based on the content on the site and the age group you are advertising towards. If you are targeting children, or if your website features content with age restrictions such as alcohol then there are a number of things you need to do to be compliant.

Another area where you need to be aware of the data you collect is if your website is healthcare related and you collect sensitive personal information; in that case you need to make sure that you comply with the extra restrictions and rules about gathering this sort of information.

Pricing

You must also show your prices with VAT, or at the very least have the option to show the prices with VAT.

Influencers and hidden advertisement

You must be transparent about any agreements with influencers or other marketing activities that could be considered hidden advertisement.

Language

There are requirements for the language use on your website. You must write clearly and in a way where it is easy for your (target) audience to understand what you mean. This means that generally speaking you need to make sure your website is written in the native language of the country your target audience is in.

This means that you must have your website in different versions, that match the language in the countries that you are marketing yourself to.

There are some exceptions for countries which have multiple native languages, or where English is acceptable to use even though it isn’t an official language.

Working with Cookie Consent Systems

One way of keeping track of consents and the evidence you need is through a consent management solution that tracks your cookie consents.

With Legal Monster you can collect and document consent for all cookies used on your site. We use geotargeting to ensure that you collect the right consent in each of your markets, depending on the jurisdiction of the user or customer. Our solution detects which cookies you use and collects compliant consents for those. With Legal Monster you get a full audit trail, so you can prove consents to a data authority if you need to.
