The importance of a well-designed, attractive and engaging website cannot be overestimated, but has enough consideration been given to ensuring your website meets the minimum legal requirements? Andrew Brennan warns that ignorance of the regulations governing corporate websites is no defence.
When it comes to websites, meeting the legal requirements is not a topic high on the list for most businesses and so many appear unaware of the laws governing corporate websites, or believe they only refer to e-commerce sites or sites selling products to consumers.
In reality, the websites of all UK registered businesses must clearly display the name of the business, the full registered address, place of registration and registration number, with the VAT number, where appropriate. If a business undertakes any regulated activities, the details of the regulators must also be clearly displayed. For businesses selling products, services or digital content to consumers through their website, information about the offering and right to cancel must be provided.
In 2011 the law on how cookies can be used was changed, with website users now having to consent to their use, but many websites have still not made the necessary changes. If users are suspicious about a business’ policy, they might block cookies in their browsers and ruin their experience of the site; this could eventually require a costly re-design of the site, allowing it work without cookies. It’s better to explain what cookies are used, what information they’re gathering and what will be done with it.
The most compliance concerns are raised by the collection, storage and use of personal data, which includes the sharing or selling-on of information obtained by sites. To improve engagement with visitors, websites often offer free information, reports or top tips in exchange for personal information, hoping to capture email addresses, postal addresses and phone numbers — if a visitor provides personal contact details, as far as the law is concerned, they have consented to being contacted.
There is no issue with emailing them at a later date, but it must be in relation to their original enquiry or transaction. The means to unsubscribe from such communications and be removed from any list holding their personal contact details, must also be included.
If a business wants to email individuals with general marketing information, unrelated to their original enquiry, they must obtain ‘opt-in’ consent, usually done by providing boxes to tick. But it’s critical these boxes are not pre-ticked, as an individual must positively affirm consent. Any business and still using pre-ticked boxes risks enforcement action.
Although these rules currently only apply to individuals (and strangely, partnerships but not LLPs) and not corporate visitors to a website, businesses must still be cautious, as corporate visitors might provide personal contact details, which would then be covered by the regulations. Interestingly, if a website user provides address details and phone numbers, businesses can contact them by telephone or post for marketing purposes, unless or until they are told to stop doing so.
When any business intends to use personal information captured through its website, it becomes a data controller and must appoint a designated data controller. The business must explain to those using the site, who have had information gathered, what data is being collected and why. The Privacy Policy should advise if this information is for direct marketing purposes and include a method of contacting the data controller — an email link will do.
The introduction of tougher new consumer data protection laws are expected to tighten the rules governing corporate websites. Failure to comply with the new rules could result in enforcement action and heavy fines, so businesses should begin the journey to compliance now and ensure they have all the appropriate policies in place.
A set of ‘terms and conditions’ is not a legal necessity but can help prevent future problems. Ideally they should define what the business does and what Intellectual Property (IP) it owns on the site. Another valuable policy is a ‘disclaimer of liability’ which advises visitors that although information on the site is accurate to the knowledge of the website owner, it should not be taken as fact.
Many businesses now allow visitors to their site to add product and service reviews, in an attempt to build stronger customer relationships. However the business should have an ‘acceptable use’ policy, easily found on the site, to protect the business from anyone posting illegal or offensive material. The policy allows the site owner to take action, including removing posts, banning individuals and even reporting their activity — without this policy the business could be the one in trouble.
Every business should check its site carefully and ensure it complies; if doubt exists, consult a lawyer that understand this dynamic area of law, then pay attention to any future changes to the rules governing corporate websites.
Andrew Brennan is a lawyer in the Intellectual Property and Technology team at commercial law firm SGH Martineau.