The internet is a central part of how we do business, communicate with one another, transfer sensitive information, and so much more. Because we use websites for so much of our lives, we also have laws that govern what they need to include.
These laws are designed to protect users and their data, to ensure that people have equal access, and to fight back against infringements on copyrighted material, intellectual property, and so on.
So, that means that web developers need to be acutely aware of website legal requirements, building sites with compliance in mind – not just design and function.
While this isn’t an exhaustive list of every legal requirement that applies to websites, it is a broad overview. If you’re building sites for a specific industry, dig deep into the legal requirements of that sector to make sure you’re following applicable laws. In general, however, this overview will give you a broad idea of what requirements are in place, and why they need to be followed.
Why Comply?
With literally millions of sites on the world wide web, you may wonder what the point of legal compliance is… Surely not every site is built to exact legal specifications, so why should you comply?
It comes down to legitimacy. If you want to do business, provide accurate information, and grow a site with real traffic, complying with legal requirements is going to protect you, the client you built the site for, the site’s users, and everyone in between.
Failing to meet legal requirements could result in a lawsuit or worse, as well as damage your reputation, cost you time and money, and potentially land you in hot water that takes years to sort out.
On the flip side, though, being diligent about complying with website laws shows professionalism and attention to detail. It lets potential clients know that you take their security, their customers, and their bottom line seriously.
Whether you’re building a website for your own organization or external clientele, taking care to meet legal requirements will be a little more work up front, but can save you from headaches (and legal consequences) down the road.
Here are some of the larger legal requirements for websites you’ll need to know about…
Privacy and Data
Laws vary some by country, but most require that sites using any kind of cookie/data gathering provide a privacy policy for users. Even when a country doesn’t require privacy policies by law, Google and Apple require them of any sites using their services.
You can put a link to your policy in the footer of your site, as part of the “About” page, or anywhere else where users can easily find it. Within your privacy policy, disclose how your site collects data, how that data is handled and processed, whether data is confidential or shared with third parties, how data is stored, and what measures you have in place to protect user information.
This section of your site should be as clear and detailed as possible, not only for legal requirements, but to establish trust with your site users as well.
Cookie Consent
Based on the General Data Protection Regulation (GDPR) laws passed in the European Union, any website that gets traffic from the EU must comply with several regulations about user data. Because the EU is massive and the internet is global, “getting traffic from the EU” applies to just about every website… Including yours.
Cookie policies and consent notices are part of these requirements. Per the GDPR law, you must provide site visitors with the opportunity to opt in or out of cookie use.
You can provide this notice and opt in choice in your header, footer, or in a pop-up (as you’ve likely seen on other sites), and that information must include:
- A disclosure that your site uses cookies
- A description of why/how the site uses cookies
- How the information from cookies is managed (with a link to your privacy policy)
- What the user is agreeing to by opting in
- An option to opt in, opt out, or customize cookies or ad settings
Remember, if the opt in uses a checkbox, it must be unchecked by default to comply with GDPR law.
GDPR
As described above, the GDPR is a law passed by the European Union that applies to all sites that receive traffic from EU countries. Failure to comply with these obligations can result in fines and other financial penalties.
These regulations mostly concern user data, privacy, right to data, and potential data breaches. Under the rules of the GDPR, sites must:
- Notify users of any data breach within 72 hours of the breach’s discovery
- Allow users to access information being collected, stored, and processed
- Give users a way to consent to (and withdraw consent from) data collection and usage
- Limit access to user data to only employees that need information to process user requests (consented to by the user)
- Organizations with over 250 employees, or any enterprise processing data for over 5,000 users in any 12-month period must appoint a Data Protection Officer to manage GDPR compliance
- Restrict all data collection and processing to that which is absolutely necessary to complete business
Terms and Conditions
Website terms and conditions are not required by law, but having them in place could protect from legal ramifications if something goes wrong. These terms lay out the rules of your website, and will vary depending on the specific purpose of the site in question.
As a general rule, however, your terms and conditions page should include:
- Liability Disclaimer – A statement that the site owner is not responsible for providing complete, accurate information for any purpose, that the site owner is not responsible for for the accuracy of any third party statements or user comments, and that the site does not endorse any claims or statements made by a third party
- Privacy Policy – See above
- Governing Law – A declaration of what state (or province) and nation your site is operating from, and what body shall govern any disputes
- Copyright – A simple notice of copyright and trademark (such as “Copyright 2021 yoursite.com)
HTTPS and SSL
For websites participating in ecommerce of any kind, using HTTPS (that is, the secured version of HTTP provided by an SSL certificate) is essential.
The “S” attached to HTTP means that the information sent between the user’s browser and the site is secured – and any ecommerce website without this security measure in place could expose credit card information and create an identity theft risk for the customer, which reflects poorly on your business and could land you in court.
Copyright, Plagiarism, Duplicate Content
Not exactly a singular law, but websites adhere to the same general rules about copyright infringement and plagiarism as any other medium. Online, however, it’s that much easier for people to copy and paste, use images found in simple Google searches, and so on.
This means being extra careful about the copy and content on any given website you’re building. Original content published on any website is inherently copyrighted, and using it somewhere else without permission is an infringement upon that copyright – and sometimes seen as downright plagiarism.
Make sure that you properly attribute (and backlink) any externally sourced content, that your images have the proper licensing, and that copy given to you by a client is lifted from another website.
Failure to keep these things in mind could result in content being removed from your site, stricken from search results, or potentially removed from your server in a DMCA takedown… Even worse, using plagiarized content could lead to a lawsuit.
CalOPPA
To protect the “personally identifiable information” of California residents, the California Online Privacy Protection Act (CalOPPA) was enacted, and requires sites based in California (or receiving traffic from California) to take measures to protect certain user information.
This protected information is anything “personally identifiable” and includes first and last names, physical and mailing addresses, phone numbers, email addresses, physical and virtual contact information, telephone numbers, birth dates, details about physical appearance, social security numbers, or any other information that could identify an individual.
To protect this information and comply with CalOPPA, your site’s privacy policy must:
- Clearly state what information is being collected, stored, and/or processed
- Disclose all third parties this information may be shared with
- Inform users how they can receive updates about the site’s privacy policy
- Disclose the date of the privacy policy’s most recent update
- Inform users how they can change their information on your site
- Explain how users can make a “Do Not Track” request
Disclaimers
Disclaimers may appear as part of your terms and conditions page, and may vary depending on the specifics of your site. The point is to directly disclaim the site owner of any legal liability based on a user’s experience on the site.
Such disclaimers may include:
- Original content cannot be used without express permission
- The site owner’s opinion and site content are solely their own
- The site content is to be seen as information only, not a representation of expertise or advice
- Disclaim responsibility for any third party or advertiser content that may appear on the site
- Disclaim responsibility for any user action taken based on the site’s information
The Americans with Disabilities Act (ADA)
The ADA is a United States law that prohibits discrimination based on disability, and requires that websites be accessible to everyone regardless of disability – including hearing or visual impairments.
Websites belonging to organizations with 15 or more employees and open more than 20 weeks per year must comply with ADA requirements for website accessibility. Such compliance will include ALT text for all images, closed captions on videos, all site functions accessible by keyboard, compatibility with site readers for the visually impaired, and many, many other factors.
Because ADA compliance is both required by law and a general best practice for SEO and broad user accessibility, it’s worth doing a deep dive to make sure your website is appropriately compliant. Consult this thorough checklist and look for WordPress plugins and other services that will check for compliance and areas for improvement across every aspect of your site.
Industry-Specific Legal Requirements
Some industries have strict website requirements that other industries do not – and rightfully so! When it comes to law, the medical field, and other industries that can have potentially massive impacts on the people who use their sites and services, these requirements are in place to protect users from false claims or losing sensitive information.
Attorneys
Regulated by the ABA Rules of Professional Conduct 7.1 – 7.3, attorney websites have restrictions about what they can and cannot say. This is not an exhaustive list, but the cornerstones of these regulations include:
- Attorney sites cannot claim expertise in a particular area of law practice without accreditation from a regulated body in that area
- Misrepresentation is prohibited, including stock photography presented as actual attorneys, promises about outcomes, unsubstantiated claims, and implications that clients will receive the same legal outcomes as past clients
- Clear disclaimers about website copy/blogs not constituting legal advice, and that communication through the website does not establish attorney-client relationships or resulting protections
Healthcare
Healthcare provider websites of all kinds must maintain HIPAA compliance, which most critically includes protecting any sensitive patient health information. This most commonly applies to contact form and booking systems, which may be vulnerable to data breaches in the event of a site hack.
To maintain HIPAA compliance, many healthcare websites use third party services that specialize in the healthcare industry.
Contractors
Laws vary by state, but many require contractors of all kinds to provide proof of licensing on their websites (usually by license ID). Failure to include this information can result in fines.
Financial Advisors
Like attorney websites, financial advisors have strict regulations about making unsubstantiated claims about results or presenting client testimonials as typical outcomes. They must also take great care to protect sensitive client information, disclose data collection practices. Failure to take these regulations into account can result in lawsuits and licensing restrictions.
There is no shortage of compliance measures web developers need to take in service of their clients (or their own businesses). This general overview should give you a good idea of the basics, but if you’re building a site that deals with a particular industry and/or sensitive user data, it’s important to dive deep to find as much information about compliance as possible.
Taking a strong stance on fulfilling legal requirements, protecting users, and disclosing all relevant information will help you (and your clients) build trust with site visitors, stay up to date with the latest in data protection best practices, and avoid lawsuits and other legal consequences!
Website legal compliance may be extra work in the development stages, but it’s an essential part of the process that’s well worth it in the long run.
