Website Legal Requirements & Compliance Guidance
Posted by Stephen on May 25, 2023
Understanding website legal requirements is essential for any individual or organisation with a website.
Whether you have an information website for your business, are selling online, or run a personal blog, you must ensure your website is legally compliant.
Failure to do so can result in a risk of civil liability and/or statutory fines.
Our website compliance package provides all the templates you need to meet a website’s legal requirements. This guide is written to provide website owners and development agencies with the knowledge required to ensure that their websites meet all legal requirements of the applicable rules and regulations.
Website Legal Requirements
In this guide, we will take you through all of the legal requirements, rules and regulations, for operating a website in the UK. We’ll explain how and when the legal rules and regulations apply.
In addition, we will provide step-by-step guidance on what you need to do to make sure that your website complies with the legal requirements.
As solicitors with extensive experience in website compliance law and related legal services, we understand the importance of having a clear understanding of compliance laws.
Website Business Information Requirements
Under the Electronic Commerce (EC Directive) Regulations 2002, and the Companies Act 2006, every UK-based business must display specific information related to their business on their website.
The following must be included on the website of a business located in the UK. This applies where that business is a company or sells products or services online:
- Registered business name.
- Registration number (for companies and limited liability partnerships (LLPs)).
- Place of registration (e.g., England & Wales, Scotland) (if a company or LLP).
- Registered office address (for companies and LLPs).
- Geographical address of the place of business (if selling online or concluding a contract for services online).
- VAT number (if the business is VAT registered).
- Membership details and registration numbers for any trade or professional associations that the business is a member of.
Sole traders and partnerships using a business name other than their own must also include the information below.
- The names of all individuals involved in the business.
- An address where the business can be contacted and served with legal documents.
ACTIONABLE TIP: Include this information in the website’s footer.
We should flag that contrary to the guidance given in many online guides covering the topic of ‘website legal requirements’, the Business Names Act no longer applies. That act was repealed by sections of the Companies Act 2006.
Website Cookie Legal Requirements
If your website has any type of analytics tracking set up, then you will be using cookies on your website.
Cookies are small text files that are sent to your browser by a website that a user visits. The cookies provide data on the visitors’ use of the website.
In most instances, cookies are designed to improve a visitor’s experience on a website. They provide information related to the user, such as their location. Accordingly, it is necessary to obtain a visitor’s consent to the cookies to comply with the relevant legal rules.
Cookie Legislation
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were introduced to provide people in the UK with a range of privacy-related rights. They operate alongside The Data Protection Act 2018 and UK GDPR to protect the privacy of individuals.
PECR and UK GDPR each require that visitors to a website must provide prior consent to the use of cookies by a website to access information relating to the user’s device, or their use of the website.
We refer to these two pieces of legislation collectively as the “Cookies Rules”.
You’ll likely be familiar with the ‘cookie’ consent pop-ups. You see them on the majority of websites when visiting them for the first time.
The Information Commissioner’s Office (“ICO”) provides detailed guidance on the use of cookies (and similar technologies) for further reading.
Failure to comply with PECR and UK GDPR by obtaining visitor consent could result in a fine. Fines are issued by the ICO.
Fines issued by the ICO under PECR are capped at £500,000. A huge sum! However, fines issued by the ICO under UK GDPR can be even larger. The ICO can issue fines of up to £17.5 million, or 4% of a company’s annual turnover.
ACTION TIP: Install a cookies policy plugin.
The potential for a fine by the ICO can be avoided by incorporating a cookie consent pop-up on your website. For WordPress websites, this can be done with the help of the various popup plugins available.
Data Protection & Privacy Legal Requirements
Any website that processes personal data must do so in compliance with the data protection legislation.
There are two pieces of data protection legislation that apply in the UK. These are:
- The Data Protection Act 2018, which sets out the general framework for data protection law in the UK. Part 2 of the DPA 2018 implements UK GDPR. It sits alongside UK GDPR and supplements it in certain areas with additional privacy-related rules; and
- The General Data Protection Regulation (UK GDPR). This law applies to businesses that process personal data.
We’ll refer to these two pieces of legislation collectively as “the Data Protection Legislation”.
Individuals and businesses that collect and process personal information are subject to the Data Protection Legislation.
The Data Protection Legislation requires that any website owner processing personal data must notify users of their data protection rights. For example, the right to access, the right to erasure and the right to restrict processing.
Data Protection Rights
There are seven data protection rights in total. Read our guide to Data Protection and Website Owners. It provides a comprehensive review of data protection rights and the Data Protection Legislation.
It is not only eCommerce websites that ‘collect’ and ‘process’ personal data. If your website uses cookies or has a contact form you will be collecting personal data.
The penalties for breaching the Data Protection Legislation are the same as for breach of the Cookies Rules. So it is worth taking action to avoid them.
ACTIONABLE TIP: Add a Privacy Policy to your website
A well-drafted privacy policy will cover all of your data protection legislation obligations. It will also keep you on the right side of the law! There are many high-quality privacy policy generators and templates available on the internet.
Our website privacy policy template has been drafted by Stephen, a solicitor with over twenty years of experience in website law.
Website Mailing Lists & Legal Requirements
Many websites provide visitors with the ability to sign up for a mailing list. Under UK GDPR visitors must provide their consent to receive a newsletter or other marketing communication.
The legal requirements for general mailing list sign-ups are very straightforward. If a visitor enters their email address to sign up for a newsletter they will have provided ‘consent’ by the act of signing up. Even if that is just inputting their email address.
For example, as visitors to this website do, as you can see below.
However, where many websites inadvertently breach GDPR is when they offer a free ‘download’ as a means of collecting email addresses to then send further marketing emails to.
By adding their email address the visitor will have consented to receive that specific download. However, they will not be deemed to have consented to receive further marketing communications or to be added to the website’s mailing list.
If your website offers a free downloadable resource as a means to build your marketing email list you must get ‘express’ consent at the point you collect the email. See the example below:
Take note that when you send marketing communications, such as a newsletter, you must include an option for the recipient to unsubscribe each time the communication is sent.
ACTIONABLE TIP: Add a ‘consent’ tick box to your download form.
Information Legal Requirements for eCommerce Websites
For individuals or companies operating an eCommerce website, such as an online shop, specific information must be provided to the customers of the website.
The requirements are contained in the Electronic Commerce (EC Directive) Regulations 2002 (the “eCommerce Regulations”). Where the eCommerce website also sells to non-business customers (i.e. consumers), additional information obligations apply.
eCommerce Regulations
The eCommerce Regulations require that the following information must be provided to all customers:
- Contact information, including an email address.
- Clear and unambiguous pricing, including taxes and delivery costs.
- Accessible, clear, and concise contract terms.
- Details of any technical steps required to conclude a contract.
Consumer Rights Act 2015
If your website sells to consumers then in addition to the information above you must also:
- Clearly inform consumers about their payment obligations.
- Provide accurate product or service descriptions.
- Notify customers of their 14-day right to cancel.
Once the sale has been completed the eCommerce website must also:
- Send a confirmation email with contract details and cancellation rights.
- Deliver goods within 30 days, unless otherwise agreed with the customer.
If an eCommerce website fails to provide the above information to a consumer then the consumer has an indefinite right to cancel the order and require a refund.
It should be noted that the website will have to cover any return costs unless it has clearly notified the consumer in advance that this will not be the case.
ACTIONABLE TIP: All of the information obligations can be met by including a comprehensive set of terms and conditions of sale on the website.
We provide a range of eCommerce terms and conditions templates suitable for eCommerce businesses. Each was drafted by Stephen, our co-founder and experienced web law solicitor.
Website Accessibility Requirements
Under UK law website providers have a legal obligation not to discriminate against people with a disability. This includes learning disabilities, and visual, motor or cognitive disabilities.
The relevant legislation is The Equality Act 2010 (“EQA”). Under EQA a website provider must make reasonable adjustments to ensure that they provide an equal website experience to all of their visitors, regardless of disability.
An individual that can demonstrate that they have suffered discrimination by a website provider due to its inaccessibility can bring a civil action against the provider.
To obtain damages they would have to show that they suffered some ‘loss’. That could be emotional as well as financial loss.
There is also a risk that a fine could be levied, which can be up to £5,000.
EQA does not set out the technical requirements to be met by a website. However, the World Wide Web Consortium (“W3C”) provides comprehensive guidance on the technical aspects of compliance. We recommend reading their Web Content Accessibility Guidelines (“WCAG”).
The WAVE tool published by Utah State University is an excellent free tool for testing your website’s compliance against the W3C WCAG.
ACTIONABLE TIP: Use the free WAVE tool: test your website’s WCAG compliance.
Additional Website Legal Compliance Considerations
The above guidance covers the ‘core’ legal requirements for a website. However, website legal compliance also requires that your website does not infringe on other rights belonging to individuals or organisations.
A comprehensive guide to the legal requirements for a website would not be complete without considering intellectual property and defamation.
Intellectual Property Compliance
Original website content will benefit from copyright protection. In the UK copyright protection arises under the Copyright Designs and Patents Act 1988 (“CDPA”).
Under the CDPA copyright infringement occurs if a website reproduces the content of another website, subject to certain exceptions. For example, if the content is republished for criticism or review, or with the owner’s consent.
If your website contains material that infringes on a third party’s content you run the risk of them taking legal action against you, or your business.
A copyright owner whose copyright is infringed will be entitled to claim damages from you. Generally, a court will seek to establish what was a reasonable licence fee for the content in question and award that as the damages-based amount to the copyright owner.
Copyright and Images
Particular care should be taken when using third-party images, such as photos, on your website. Many image rights owners use web crawling technology to identify the use of unlicensed images.
The author in his capacity as a solicitor has personal experience in representing numerous website owners who have been sued for image copyright infringement. It happens more frequently than it should with the number of excellent free and paid image libraries available.
If your copyright is infringed then you may wish to send a copyright infringement notice requiring the infringing party to remove the content. If they do not comply you can send a DMCA Takedown Notice to require their Internet Service Provider company to remove the infringing content.
Whilst not required under the CDPA, we recommend adding the copyright symbol (©) to the footer of your website, along with the year and your name, or that of your business. Doing so notifies third parties that you treat your content as benefiting from copyright protection, and this is a requirement for copyright protection in many countries.
ACTIONABLE TIP: Only use licensed images on your website.
Website Compliance – Defamation and Libel
Defamation occurs when an untrue statement is made relating to an individual or business that causes, or may cause, harm to the reputation of the subject of the statement.
When defamation occurs in written form it is called ‘libel’.
Liability for libel can occur when a third party (i.e. a website owner) publishes the defamatory statement. This is what puts website owners at risk.
Websites that allow user-generated content need to consider their legal obligations. Many websites allow users to post comments to the website, as do online forums.
The best practice is to require that the comment or content is approved before being published. Online forums often require that this is done until the user obtains a defined level of trust in the platform.
The Defamation Act 2013 (the “DA2013”) provides a defence to website operators if user-generated libellous content is published on their website. For full guidance read our guide to Website Legal Compliance with User Generated Content.
Case-Specific Website Legal Requirements
Below we summarise the information contained in the above guide as it relates to specific business types:
Sole Trader Website Legal Requirements
The website compliance laws applying to a sole trader are largely the same as those that apply to any other business. The exception is that the provisions of the Companies Act 2006 will not apply.
Sole traders that do not sell goods or services via their website only need to include their business name and contact details. If the sole trader is VAT registered, the VAT number must be included too.
The rest of the legal requirements covered in this guide are equally applicable to sole traders as to other business types.
Company Website Legal Requirements
A business trading via a limited company will be subject to the full range of legal requirements set out in this guide.
Any business type not selling online (i.e. non-eCommerce businesses), whether a company or not, will not be required to comply with the requirements of the eCommerce directive but will be subject to the remainder of the compliance laws covered in this guide.
Website Legal Requirements – FAQs
We regularly receive questions related to the legal requirements for a website and the related rules and regulations. We cover the most common questions below.
What Legally Needs to be on a Website?
The exact requirements of what needs to be on a website will depend on whether it is selling goods or services online or not. However, the following will apply:
- Business information requirements (Companies Act 2006 and eCommerce Regulations)
- Data protection and privacy requirements (UK GDPR and Data Protection Act 2018)
- Cookies requirements (PECR)
- Key contract terms (eCommerce Regulations 2002 and Consumer Rights Act 2015)
- Website accessibility requirements (Equality Act 2010 and WCAG)
Does a website need terms and conditions?
It is good practice for all websites to have terms and conditions. If your website sells goods or services online then it is a legal requirement to have terms and conditions. The terms and conditions must contain the information required under the eCommerce Regulations 2002 and the Consumer Rights Act 2015.
What policies should a company have on its website?
All websites should include the following three policies:
- Privacy Policy
- Cookies Policy
- Website Terms and Conditions
Legal Compliance Policies to Include on Your Website
Complying with the legal requirements for a website is relatively easy. A significant part of compliance requires that certain information is provided to visitors and customers of the website.
Three policies should be considered a must for any website:
- Terms of Use: These outline the conditions users agree to when using a website. They are an ideal place to include the information required under the eCommerce Regulations, the Companies Act and the Consumer Protection Act.
- Privacy Policy: Compliance with the Data Protection Legislation can be achieved with a well-drafted privacy policy.
- Cookie Policy: If the website uses cookies, or other tracking technologies, a cookies policy and a cookie popup will enable compliance.
Understanding and complying with the relevant website legal requirements is essential for any business operating online.
By following the actionable tips in this guide, you’ll ensure your website adheres to the relevant laws and regulations, protecting your business from fines and legal action.
As a solicitor specialising in website compliance law and legal services, I hope this guide serves as a valuable resource for your online business.