
Website Legal Requirements & Compliance Guidance


Stephen Avila

Understanding website legal requirements is essential for any business, founder or organisation operating a website.

Whether you run a business website, a startup landing page, an eCommerce store or a personal blog, you must ensure your website is legally compliant.

Failure to do so can expose you to the risk of civil liability and, in some cases, statutory fines. 

Our free website compliance package includes all the templates most website owners need to meet a website’s legal requirements.


This guide is written to provide website owners and development agencies with the knowledge required to ensure that their websites meet all legal requirements of the applicable rules and regulations.

Website Legal Requirements

In this guide, we explain all of the legal requirements, rules and regulations that commonly apply when operating a website in the UK. We’ll explain how and when the legal rules and regulations apply.

In addition, we include practical step-by-step guidance on what you need to do to make sure that your website complies with the legal requirements.

As solicitors with extensive experience advising on website compliance law and related legal issues, we understand the importance of having a clear understanding of compliance laws. 

Website Business Information Requirements


Under the Electronic Commerce (EC Directive) Regulations 2002, and the Companies Act 2006, every UK-based business must display specific information on their website. 

The following information must be included where the business operates through a company or sells products or services online:

  • Registered business name.
  • Registration number (for companies and limited liability partnerships (LLPs)).
  • Place of registration (e.g., England & Wales, Scotland) (if a company or LLP).
  • Registered office address (for companies and LLPs).
  • Geographical address of the place of business (if selling online or concluding a contract for services online).
  • VAT number (if the business is VAT registered).
  • Details of any relevant trade or professional body memberships, registrations or authorisations.

Sole traders and partnerships using a business name other than their own must also include the information below.

  • The names of all individuals who have an ownership interest in the business.
  • An address where the business can be contacted and served with legal documents.

ACTIONABLE TIP: Put this information in your website footer so it appears consistently across the site.

We should flag that, contrary to the guidance given in many online guides covering the topic of ‘website legal requirements’, the Business Names Act no longer applies. That act was repealed by sections of the Companies Act 2006.

Website Cookie Legal Requirements


If your website uses analytics, advertising tools, embedded content, or similar tracking technologies, it is likely to be using cookies. 

Cookies are small text files stored on a user’s device when they visit a website. The cookies are commonly used to remember settings and support the website’s functionality. They may also provide data on the visitors’ use of the website. 

In most instances, cookies are designed to improve a visitor’s experience on a website. They provide information related to the user, such as their location. Accordingly, it is necessary to obtain a visitor’s consent to the cookies to comply with the relevant legal rules.

Cookie Legislation

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were introduced to provide people in the UK with a range of privacy-related rights. They operate alongside the Data Protection Act 2018 and UK GDPR to protect the privacy of individuals.

PECR, read alongside UK GDPR, requires that visitors to a website give prior consent before the website uses non-essential cookies to access information relating to the user’s device, or their use of the website.

We refer to these two pieces of legislation collectively as the “Cookies Rules”.

You’ll likely be familiar with the ‘cookie’ consent pop-ups. You see them on the majority of websites when visiting them for the first time.

The Information Commissioner’s Office (“ICO”) provides detailed guidance on the use of cookies (and similar technologies) for further reading.

Failure to comply with PECR and data protection law can lead to regulatory action by the ICO, including enforcement action and fines. 

Fines issued by the ICO under PECR are capped at £500,000. A huge sum! However, fines issued by the ICO under UK GDPR can be even larger. The ICO can issue fines of up to £17.5 million, or 4% of a company’s annual turnover.

ACTIONABLE TIP: Use a compliant cookie banner plugin that blocks non-essential cookies until consent is given.

The potential for a fine by the ICO can be avoided by incorporating a cookie consent pop-up on your website. If your site is built on WordPress, this can be done with the help of the various cookies popup plugins available.

Data Protection & Privacy Legal Requirements


Any website that processes personal data must do so in compliance with UK data protection law. 

The two main sources of UK data protection law for website owners are:

  • The Data Protection Act 2018, which sets out the general UK framework for data protection and supplements UK GDPR; and
  • The General Data Protection Regulation (UK GDPR), which applies to organisations processing personal data.

We’ll refer to these two pieces of legislation collectively as “the Data Protection Legislation”.

Individuals and businesses that collect and process personal information are subject to the Data Protection Legislation.

The Data Protection Legislation requires that any website owner processing personal data must notify users of their data protection rights. For example, the right to access, the right to erasure and the right to restrict processing. 

Data Protection Rights

There are seven data protection rights in total. You can read our separate guide to Data Protection for website owners for a fuller explanation. It provides a comprehensive review of data protection rights and the Data Protection Legislation.

It is not only eCommerce websites that ‘collect’ and ‘process’ personal data. If your website uses cookies or has a contact form, you will be collecting personal data.

The penalties for breaching the Data Protection Legislation are the same as for breach of the Cookies Rules, so it is worth taking action to avoid them.

ACTIONABLE TIP: Add a clear, properly drafted privacy policy to your website.

A well-drafted privacy policy will cover all of your data protection legislation obligations. It will also keep you on the right side of the law! There are many high-quality privacy policy generators and templates available on the internet. 

Our website privacy policy template has been drafted by me, Stephen, a solicitor with over twenty years of experience advising on website legal compliance.

Website Mailing Lists & Legal Requirements

Many websites provide visitors with the ability to sign up for a mailing list. Under UK GDPR, visitors must provide their consent to receive a newsletter or other marketing communication.

The legal requirements for general mailing list sign-ups are very straightforward. If a visitor enters their email address to sign up for a newsletter, they will have provided ‘consent’ by the act of signing up. Even if that is just inputting their email address.

For example, as visitors to this website do, as you can see below.

However, many websites inadvertently breach GDPR when they offer a free ‘download’ as a means of collecting email addresses and then send marketing emails to those addresses.

By adding their email address, the visitor will have consented to receive that specific download. However, they will not be deemed to have consented to receive further marketing communications or to be added to the website’s mailing list.

If your website offers a free downloadable resource as a means to build your marketing email list, you must get ‘express’ consent at the point you collect the email. See the example below:

Take note that when you send marketing communications, such as a newsletter, you must include an option for the recipient to unsubscribe each time the communication is sent.

ACTIONABLE TIP: If you want to send ongoing marketing emails, make the consent wording clear at sign-up and use a separate unticked box.

Information Legal Requirements for eCommerce Websites

For individuals or companies operating an eCommerce website, such as an online shop, specific information must be provided to the customers of the website.

The requirements are contained in the Electronic Commerce (EC Directive) Regulations 2002 (the “eCommerce Regulations”). Where the eCommerce website also sells to non-business customers (i.e. consumers), additional information obligations apply.

eCommerce Regulations

The eCommerce Regulations require that the following information must be provided to all customers:

  • Contact information, including an email address.
  • Clear and unambiguous pricing, including taxes and delivery costs.
  • Accessible, clear, and concise contract terms.
  • Details of any technical steps required to conclude a contract.

Consumer Information & Cancelling Rights

If your website sells to consumers, then in addition to the information above, you must also:

  • Clearly inform consumers about their payment obligations.
  • Provide accurate product or service descriptions.
  • Notify customers of their 14-day right to cancel.

Once the sale has been completed, the eCommerce website must also:

  • Send a confirmation email with contract details and cancellation rights.
  • Deliver goods within 30 days, unless otherwise agreed with the customer.

If a trader fails to give the required cancellation information, the consumer’s cancellation period can be extended by up to 12 months, rather than ending after the usual 14 days.

It should be noted that the website will have to cover any return costs unless it has clearly notified the consumer in advance that this will not be the case.

For a full explanation of the rights that consumers have to cancel an order made online for goods or services, check out our separate guide.

ACTIONABLE TIP: A properly drafted set of website terms of sale can help cover many of these information requirements.

We provide a range of eCommerce terms and conditions templates suitable for eCommerce businesses. Each was drafted by me, Stephen, or my co-founder, David, an experienced web law solicitor.

Website Accessibility Requirements

Under UK law, website providers have a legal obligation not to discriminate against people with a disability. This includes learning disabilities, and visual, motor or cognitive disabilities.

The relevant legislation is the Equality Act 2010 (“EQA”). Under the EQA, a website provider must make reasonable adjustments to ensure that they provide an equal website experience to all of their visitors, regardless of disability.

An individual who can demonstrate that they have suffered discrimination by a website provider due to its inaccessibility can bring a civil action against the provider.

To obtain damages, they would have to show that they suffered some ‘loss’. That could be emotional as well as financial loss.

There is also a risk that a fine could be levied, which can be up to £5,000.

The Equality Act does not set out the technical requirements to be met by a website. However, the World Wide Web Consortium (“W3C”) provides comprehensive guidance on the technical aspects of compliance. We recommend reading their Web Content Accessibility Guidelines (“WCAG”).

The WAVE tool published by Utah State University is an excellent free tool for testing your website’s compliance against the W3C WCAG.

ACTIONABLE TIP: Use the free WAVE tool to test your website’s WCAG compliance.

Additional Website Legal Compliance Considerations

The above guidance covers the ‘core’ legal requirements for a website. However, website legal compliance also requires that your website does not infringe on other rights belonging to individuals or organisations.

A comprehensive guide to the legal requirements for a website would not be complete without considering intellectual property and defamation.

Intellectual Property Compliance


Original website content will usually benefit from copyright protection. In the UK, copyright protection arises under the Copyright, Designs and Patents Act 1988 (“CDPA”).

Under the CDPA, copyright infringement occurs if a website reproduces the content of another website, subject to certain exceptions. For example, if the content is republished for criticism or review, or with the owner’s consent.

If your website contains material that infringes on a third party’s content, you run the risk of them taking legal action against you or your business.

A copyright owner whose copyright is infringed will be entitled to claim damages from you. Generally, a court will seek to establish what was a reasonable licence fee for the content in question and award that as the damages-based amount to the copyright owner.

Copyright and Images

Particular care should be taken when using third-party images, such as photos, on your website. Many image rights owners use web crawling technology to identify the use of unlicensed images. 

The author (that’s me, Stephen) has personal experience, in my capacity as a solicitor, of representing numerous website owners who have been sued for image copyright infringement. It happens more frequently than it should, given the number of excellent free and paid image libraries available.

If your copyright is infringed, a sensible first step is to send a copyright infringement notice requiring the infringing party to remove the content. If they do not comply, you can send a DMCA Takedown Notice to require their Internet Service Provider to remove the infringing content.

Whilst not required under the CDPA, we recommend adding the copyright symbol (©) to the footer of your website, along with the year and your name, or that of your business. Doing so notifies third parties that you treat your content as benefiting from copyright protection, and this is a requirement for copyright protection in many countries.

ACTIONABLE TIP: Only use licensed images on your website.

Website Compliance – Defamation and Libel

Defamation occurs when an untrue statement is made about an individual or business that causes, or may cause, harm to the reputation of the subject of the statement.

When defamation occurs in written form, it is called ‘libel’.

Liability for libel can occur when a third party (i.e. a website owner) publishes the defamatory statement. This is what puts website owners at risk.

Websites that allow user-generated content need to consider their legal obligations. Many websites allow users to post comments to the website, as do online forums. 

The best practice is to require that the comment or content is approved before being published. Online forums often require that this is done until the user obtains a defined level of trust in the platform.

The Defamation Act 2013 (the “DA2013”) provides a defence to website operators if user-generated libellous content is published on their website. For full guidance read our guide to Website Legal Compliance with User Generated Content.

Case-Specific Website Legal Requirements

Below we summarise the information contained in the above guide as it relates to specific business types:

Sole Trader Website Legal Requirements


The website compliance laws applying to a sole trader are largely the same as those that apply to any other business. The exception is that the provisions of the Companies Act 2006 will not apply.

Sole traders that do not sell goods or services via their website only need to include their business name and contact details. If the sole trader is VAT registered, the VAT number must be included too.

The rest of the legal requirements covered in this guide are equally applicable to sole traders as to other business types.

Company Website Legal Requirements


A business trading via a limited company will be subject to the full range of legal requirements set out in this guide. 

Any business not selling online (i.e. a non-eCommerce business), whether a company or not, will not be required to comply with the requirements of the eCommerce directive but will be subject to the remainder of the compliance laws covered in this guide.

Website Legal Requirements – FAQs


We regularly receive questions related to the legal requirements for a website and the related rules and regulations. We cover the most common questions below.

What Legally Needs to be on a Website?

The exact requirements of what needs to be on a website will depend on whether it is selling goods or services online or not. However, the following will apply:

  • Business information requirements (Companies Act 2006 and eCommerce Regulations)
  • Data protection and privacy requirements (UK GDPR and Data Protection Act 2018)
  • Cookies requirements (PECR)
  • Key contract terms (eCommerce Regulations 2002 and Consumer Rights Act 2015)
  • Website accessibility requirements (Equality Act 2010 and WCAG)

Does a website need terms and conditions?

It is good practice for all websites to have terms and conditions. If your website sells goods or services online, then it is a legal requirement to have terms and conditions. The terms and conditions must contain the information required under the eCommerce Regulations 2002 and the Consumer Rights Act 2015.

What policies should a company have on its website?

All websites should include the following three policies:

  1. Privacy Policy
  2. Cookies Policy
  3. Website Terms and Conditions

Legal Compliance Policies to Include on Your Website


Complying with the legal requirements for a website is relatively easy. A significant part of compliance requires that certain information be provided to visitors and customers of the website.

Three policies should be considered a must for any website:

  • Terms of Use: These outline the conditions users agree to when using a website. They are an ideal place to include the information required under the eCommerce Regulations, the Companies Act and the Consumer Protection Act.
  • Privacy Policy: Compliance with the Data Protection Legislation can be achieved with a well-drafted privacy policy.
  • Cookie Policy: If the website uses cookies or other tracking technologies, a cookies policy and a cookie popup will enable compliance.

Understanding and complying with the relevant website legal requirements is essential for any business operating online.

By following the actionable tips in this guide, you’ll ensure your website adheres to the relevant laws and regulations, protecting your business from fines and legal action.

As a solicitor specialising in website compliance law and legal services, I hope this guide serves as a valuable resource for your online business. 
