6 Steps to Complete Website Compliance
When launching a website, most people focus on its design and development and pay too little attention to legal matters. Legal requirements are, however, at least as important as the design and development of a website.
Not paying sufficient attention to them may lead to monetary fines or drag you into unpleasant disputes with your visitors and users. In this article we outline the legal requirements a website must meet in order to operate lawfully. Any website owner should consider the following compliance requirements, take steps to meet them, and so stay clear of high penalties.
Cookie Consent Compliance
One of the main components of website compliance is cookie consent: ensuring that cookies (other than strictly necessary ones) are not set on a user's device before the user has consented.
1.1. What is a cookie consent notice?
1.2. Why would you need a cookie consent notice?
You need a cookie consent notice on your website for two essential reasons. The first is that it is required, directly or indirectly, by the most robust data privacy and cookie laws around the world. For example, EU law requires websites to ask for their users' consent before placing any non-essential cookies on their devices. This is usually done with a cookie consent notice such as a cookie banner or a pop-up window.
In addition, a cookie consent notice helps to establish trust between you and your users by being fully transparent about what you do. That transparency can build a strong bond with your users and help you generate more leads and conversions.
1.3 What are the requirements relating to cookie consent notices?
A cookie consent notice is required by data privacy and cookie laws of certain countries and regions. It is also used to comply with data protection laws which require prior consent for the collection of personal data. Below we will focus on the relevant laws of particular states or regions.
1.3.1 The requirements in the EU
The EU cookie law consists of the General Data Protection Regulation (GDPR) and the ePrivacy Directive (Directive 2002/58/EC, as amended in 2009), also known as the EU Cookie Directive. The framework is complemented by the European Data Protection Board (EDPB) Guidelines on consent and by the Planet49 case.
The GDPR gives the users a right to be informed about the collection and processing of their personal data. Websites are required to provide to their users such information as what data they collect, how long they retain such data, who they share the data with, etc.
The EDPB Guidelines 05/2020 on consent clarified certain cookie-related issues. In particular, the EDPB stated that 1) "cookie walls" (making access to a website conditional on accepting cookies) do not produce valid consent, and 2) scrolling or browsing cannot be relied on as an indication of consent.
The final major source of the EU cookie law framework is the Planet49 case (CJEU, Case C-673/17, judgment of 1 October 2019). The Court of Justice of the European Union (CJEU) clarified several important aspects of cookie usage by websites:
- Pre-ticked check-boxes do not constitute valid consent.
- When consent is required for the placement of cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed and unambiguous).
- Consent cannot be bundled, because bundled consent does not meet the GDPR's "specificity" requirement; websites must therefore request consent separately for each cookie purpose (granular consent).
- Visitors must be informed, among other things, of the lifespan of the cookies and whether third parties will have access to them, including the categories of third-party recipients.
- Article 5(3) of the ePrivacy Directive (the cookie consent rule) applies to any information stored on or accessed from a user's device, regardless of whether that information is personal data.
Some national Data Protection Authorities (DPAs) of EU Member States have also issued cookie guidelines that clarify various aspects of cookie usage by websites within their jurisdiction. These guidelines are not legislation, but they set out how the DPA interprets and enforces the law, so organizations within the territorial scope of the relevant DPA should follow them. For example, the CNIL cookie guidelines are relevant for organizations with an establishment in France.
Based on the aforementioned sources of the EU cookie law framework, in order to comply with EU cookie laws, you must ensure that you satisfy the following minimum requirements, apart from any additional requirements set forth by national DPA cookie guidelines.
- Do not place cookies before obtaining consent from your users ("strictly necessary" cookies, those needed to deliver a service the user has explicitly requested, are exempt from this rule).
- Make sure the consent you obtain meets the GDPR consent standard (freely given, specific, informed and unambiguous); this rules out pre-ticked boxes and consent by default.
- Do not rely on scrolling or browsing as an indication of consent.
- Do not use cookie walls.
- Obtain separate consent for each cookie category or purpose, and make withdrawing consent as easy as giving it.
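The rules above translate into a concrete implementation task: nothing that sets a non-essential cookie may run until the user has actively opted in to its category. The following is an added example, not code from the original article or from any consent-management product, showing that logic in plain JavaScript. The category names, the tag registry and the script URLs are assumptions, and the DOM wiring is reduced to a `loadTag` callback so the decision logic can be exercised outside a browser. Besides the EU rules in this section, it keeps a timestamped consent record (the proof of consent that several laws in this article demand) and supports withdrawal.

```javascript
// Added example, not part of the original article: consent gating for
// cookie-setting scripts. Category names, tag ids and URLs are assumptions.
const STRICTLY_NECESSARY = 'necessary';
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Scripts that set cookies, registered by category. Placeholder URLs; a real
// site registers its own analytics/advertising snippets here instead.
const TAG_REGISTRY = {
  necessary: [{ id: 'session', src: '/js/session.js' }],
  analytics: [{ id: 'analytics', src: 'https://analytics.example/tag.js' }],
  marketing: [{ id: 'ads', src: 'https://ads.example/pixel.js' }],
};

// No pre-ticked boxes: every optional category starts refused. Only strictly
// necessary cookies are exempt from consent.
function defaultConsent() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = cat === STRICTLY_NECESSARY;
  return consent;
}

// Store the user's explicit choice. Only a category set to `true` is granted;
// anything missing or non-boolean stays refused, and consent is granular
// (analytics can be accepted while marketing is refused). The timestamp and
// policy version are kept so consent can be proven later and re-requested
// when the cookie policy changes.
function recordConsent(choices, policyVersion, now = Date.now()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== STRICTLY_NECESSARY && choices[cat] === true) consent[cat] = true;
  }
  return { consent, policyVersion, givenAt: new Date(now).toISOString() };
}

// Withdrawal must be as easy as consent: one call resets every optional
// category. The original record is not mutated; a new record is returned.
function withdrawConsent(record, now = Date.now()) {
  return { ...record, consent: defaultConsent(), withdrawnAt: new Date(now).toISOString() };
}

// Load only the tags whose category is consented to and return their ids.
// With no record at all (the user has not decided, or has merely scrolled
// past the banner) only strictly necessary tags load. `loadTag` is the
// page's own loader, injected so this logic runs the same in tests.
function applyConsent(record, loadTag) {
  const consent = record ? record.consent : defaultConsent();
  const loaded = [];
  for (const cat of CATEGORIES) {
    if (!consent[cat]) continue;
    for (const tag of TAG_REGISTRY[cat]) {
      loadTag(tag);
      loaded.push(tag.id);
    }
  }
  return loaded;
}

// Browser loader (assumes a DOM): inject a <script> for one permitted tag.
function domLoader(tag) {
  const script = document.createElement('script');
  script.src = tag.src;
  script.async = true;
  document.head.appendChild(script);
}

// Banner state backed by a storage object with the localStorage interface
// (getItem/setItem). A record saved under an older policy version is stale,
// so the visitor is prompted again. The banner's "Accept all", "Reject all"
// and "Save choices" buttons call the returned functions.
function banner(storage, policyVersion) {
  const save = (rec) => {
    storage.setItem('cookie-consent', JSON.stringify(rec));
    return rec;
  };
  const stored = storage.getItem('cookie-consent');
  const record = stored ? JSON.parse(stored) : null;
  const current = record && record.policyVersion === policyVersion ? record : null;
  return {
    needsPrompt: current === null,
    current,
    acceptAll: () => save(recordConsent({ analytics: true, marketing: true }, policyVersion)),
    rejectAll: () => save(recordConsent({}, policyVersion)),
    saveChoices: (choices) => save(recordConsent(choices, policyVersion)),
    withdraw: () => save(withdrawConsent(current || recordConsent({}, policyVersion))),
  };
}
```

In the browser the page would call `banner(window.localStorage, POLICY_VERSION)`, show the dialog when `needsPrompt` is true, and run `applyConsent(state.current, domLoader)` after every decision. The gate must also hold on the server side: do not send a `Set-Cookie` header for an analytics or advertising cookie unless the stored record grants that category.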
1.3.2 The requirements of the CCPA
The CCPA does not require websites to obtain consent before collecting personal information through cookies. It gives consumers a right to opt out of the sale of their personal information, and it requires prior opt-in consent only before selling the personal information of consumers under 16 years of age (with a parent's consent for those under 13). What counts as "selling" under the CCPA is defined broadly as "disclosing" or "making available" personal information "for monetary or other valuable consideration".
The definition of "sale" contains an exception for information shared with a service provider, but it is debatable whether that exception applies when information is shared with behavioral advertising networks, because such networks may not meet the three conditions of the service provider exception under the CCPA. First, the transfer must be necessary for a business purpose, and it is debatable how necessary the transfer of personal information to behavioral advertising networks is. Second, the business must disclose to users that it transfers data to such networks; some businesses fail to say so in their privacy policies, knowingly or through lack of legal awareness. Third, the contract with the service provider must prohibit secondary use of the data, whereas advertising networks typically want to keep using the data for their own purposes. Given all this, there is no guarantee that transfers to behavioral advertising networks benefit from the service provider exception.
While prior cookie consent is not expressly required, in order to mitigate the risk that the use of third party behavioral advertising could be considered a “sale” under the CCPA you are encouraged to obtain prior cookie consent from your users before placing third party behavioral advertising cookies.
Other than the CCPA, another important consumer privacy law in California is the California Privacy Rights Act (CPRA), also referred to as "CCPA 2.0". The CPRA was adopted in 2020, takes effect on January 1, 2023, and becomes fully enforceable on July 1, 2023, with a lookback period from January 1, 2022. Even though the CPRA updates the CCPA in many respects, it does not introduce a prior cookie consent requirement either. It does, however, extend the opt-out right to the "sharing" of personal information for cross-context behavioral advertising, so third-party advertising cookies fall squarely within its scope, and businesses must honor opt-out preference signals sent by the browser (such as Global Privacy Control).
1.3.3 The requirements in Canada
Cookies are regulated under several Canadian laws, including Canada's Anti-Spam Legislation (CASL) and PIPEDA. The installation of cookies is mainly governed by CASL, which treats cookies as computer programs installed on a user's device.
CASL lets you rely on implied (deemed) consent for cookies only when the user's conduct makes it reasonable to believe that they consent to the cookie's installation. Because that exception will not always apply, and you may otherwise be in breach of CASL, it is wiser to collect express prior consent through a cookie banner so that you do not have to rely on the exception at all.
When you request express prior consent to install a computer program, including cookies, you must clearly and simply set out the following:
- The reason you are seeking consent;
- Who is seeking consent (i.e., name of the company; or if consent is sought on behalf of another person, that person's name);
- If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
- The mailing address and one other piece of contact information (i.e., telephone number, email address, or Web address);
- A statement indicating that the person whose consent is sought can withdraw their consent; and
- A description in general terms of the functions and purpose of the computer program to be installed.
It is also important to be aware that you have the burden of proof of consent collection. This simply means that you must keep records of consent to be able to prove compliance with CASL.
Another important issue is that if a person withdraws their consent, you can no longer rely on that consent for future updates that are installed in the background.
1.3.4 The requirements in other privacy laws
Other data protection and privacy laws are also relevant for cookie consent requirements.
LGPD: Cookies are not specifically addressed by the LGPD. However, since most cookies collect personal data it means that cookie deployment is subject to prior consent. The consent is considered valid under the LGPD if it is:
- Freely given
- Informed, specific, and unambiguous
- Given in writing or by another means that demonstrates the data subject's intent
- Easily withdrawn
These conditions can be met by implementing a cookie banner on your website.
Thai PDPA: Under the Thai PDPA you must ask for consent before collecting personal data, and this applies to cookies as well: before placing cookies on users' browsers you need to ask for consent. In addition, the request for consent must be made in an easily understandable, non-deceptive manner and must be clearly distinguishable from other content on your website.
2.3.1 The requirements under the GDPR
Under the GDPR (Articles 13 and 14), the privacy policy of your website must tell data subjects at least the following:
- Your identity and contact details
- The categories of personal data you process
- How you collect and process personal data
- Why you collect and process it (the purposes and the legal basis for each)
- How long you retain the data, or the criteria used to determine the retention period
- Details of international data transfers, if any
- Data subject rights
- How to exercise those rights
- With whom you share the data
- Contact details of the Data Protection Officer, if you have one
This is only the minimum that the GDPR requires you to provide; you can add more if you want.
2.3.2 The requirements under the CCPA
In California, two main laws govern the collection and processing of personal data: the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). Between them they require your privacy policy to state at least:
- What kinds of information you collect and process
- Why you collect and process it
- How you collect and process it
- How users can request access to, correction of, transfer of, or deletion of their personal data
- The method for verifying the identity of the person who submits such a request
- Whether you sell users' personal data and how they can opt out of the sale
- Information on any financial incentives offered in exchange for personal information
2.3.3 The requirements in Canada
Under PIPEDA (Schedule 1, clause 4.8.2), the minimum information to be made available to users is the following:
(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., subsidiaries).
2.3.4 The requirements in other privacy laws
Terms and Conditions
3.1. What are the Terms of Service?
This component is the legally binding agreement between a website and the clients who interact with it. Typically it describes what the service or product is, the conditions under which the user buys it, shipping and return policies, disclaimers of liability, and the copyright protections for the website. The same document is also called a User Agreement or Terms and Conditions; other names are used as well, but the rationale is the same.
This document is an essential part of your website because it removes misunderstandings about what your business sells and on what terms. With clear Terms of Service your clients understand their rights and duties in their relationship with you and can act accordingly, and you know in advance what should happen in any given situation.
SSL/TLS Compliance
Web application security is one of the most important topics for website owners. A basic part of it is securing the communication between a website's visitors and its server. The technology that achieves this is SSL/TLS (the difference between the two is explained below). This standard protocol protects the communication between two systems (for example, an e-commerce website and a browser) against dangers such as the interception of personal data and credit card numbers.
SSL/TLS prevents attackers from reading data as it is sent over the connection, because it encrypts the data in transit; it also detects tampering with the data and authenticates the server. The alternative is plain-text transfer between the browser and the server, in which anyone on the network path can read or modify the traffic. SSL/TLS is therefore a must whenever sensitive information such as usernames and passwords or payment details is transferred, and in practice every page of a modern website should be served over HTTPS.
4.1. What is the difference between SSL and TLS?
SSL stands for Secure Sockets Layer and TLS for Transport Layer Security. They are successive versions of the same protocol: TLS 1.0 (1999) replaced SSL 3.0, and TLS has since been revised up to TLS 1.3 (2018). All SSL versions are deprecated (SSL 3.0 formally by RFC 7568 in 2015), and TLS 1.0 and TLS 1.1 were deprecated as well in 2021 (RFC 8996), so a compliant server today offers only TLS 1.2 and TLS 1.3. Because the technology became famous under the name SSL, it is still commonly referred to as SSL/TLS, and "SSL certificate" is still the everyday name for the X.509 certificate used with TLS.
4.2. Why do you need TLS protocol compliance?
There are three main reasons why you should use SSL/TLS for your website:
- Authentication: the SSL/TLS certificate, issued by a certificate authority that browsers trust, lets you prove to your users that your server is who it says it is. Without it, any server on the network path could pretend to be yours and capture everything people send to you. With SSL/TLS your users' browsers verify the identity of your server before sending any data.
- Ensuring trust: When people visit a website and transmit sensitive information such as payment details, they want to be sure the website is secure and not exposed to theft of that information. An SSL/TLS certificate, and the padlock the browser shows for it, is a visible sign that users can trust you, and it is far more effective than anything you say about yourself.
- Compliance: Certain sectoral standards require you to maintain a certain level of security, and using SSL/TLS is an integral part of the security measures they require. Examples include PCI DSS, HIPAA and the NIST guidelines.
4.3. What are the industry standards requiring TLS compliance?
There are several organizations, including the National Institute of Standards and Technology (NIST) that have issued guidelines requiring TLS compliance as part of network security requirements. The following instruments are the most widely adopted.
- NIST’s Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52 Rev. 2)
- The Payment Card Industry Data Security Standard (PCI-DSS)
4.3.1 NIST standards
The National Institute of Standards and Technology (NIST) is an agency of the US Department of Commerce. It issues guidelines that help other organizations meet regulatory compliance requirements. NIST first published Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52) in 2005; the current edition, Revision 2, was published in August 2019 and provides guidance on selecting and configuring TLS implementations. SP 800-52 Rev. 2 requires that all government TLS servers and clients support TLS 1.2 configured with FIPS-approved cipher suites, prohibits SSL and TLS 1.0 (and discourages TLS 1.1) on servers that serve only government applications, and requires agencies to support TLS 1.3 by January 1, 2024, with migration plans developed in the meantime.
4.3.2 PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that organizations that handle credit card information (e-commerce websites, for example) maintain a secure environment. PCI DSS Requirement 4 requires strong cryptography to protect cardholder data during transmission over open, public networks, and since 30 June 2018 the standard no longer permits SSL or "early TLS" (TLS 1.0) for that purpose, so a compliant e-commerce site must use TLS 1.2 or later with secure cipher suites.
Website Accessibility Compliance
Another essential element of website compliance is website accessibility. This is especially important as most services, programs and activities are being offered on the web.
5.1. What is website accessibility?
Website accessibility is the practice of ensuring that people with disabilities have equal access to websites, without barriers that prevent them from interacting with the site. International, regional and local laws, as well as international standards, set out requirements for the accessibility of websites to people with disabilities. Examples include the UN Convention on the Rights of Persons with Disabilities, the Americans with Disabilities Act (ADA), the EU Web Accessibility Directive, the European Accessibility Act, and the Web Content Accessibility Guidelines (WCAG).
5.2. Why do you need web accessibility?
Website accessibility is becoming more and more important as more services, programs and activities, whether public or commercial, are offered on the web. You should take web accessibility seriously and work towards compliance for at least three main reasons:
1) it will help you to improve the lives of people with disabilities;
2) you can achieve a greater audience or consumer base, and
3) you will make sure you are not getting sued due to breach of laws.
5.3 What are the legal requirements relating to website accessibility?
The legal requirements relating to website accessibility depend on the applicable law. There are international, regional and national legal instruments in this field. Below we outline the major ones and their basic requirements.
5.3.1 UN Convention on the Rights of Persons with Disabilities
The United Nations Convention on the Rights of Persons with Disabilities (UNCRPD) was adopted on 13 December 2006 and entered into force on 3 May 2008. The purpose of the UNCRPD is the promotion and protection of the full and equal enjoyment of all human rights and fundamental freedoms by all persons with disabilities.
Article 9 of the Convention deals with accessibility, which includes web accessibility. It requires States Parties to take appropriate measures to ensure that persons with disabilities have access, on an equal basis with others, to information and communication technologies and systems, including the Internet.
5.3.2 The Americans with Disabilities Act (ADA)
The Americans with Disabilities Act (ADA) is a US law, enacted in 1990, that prohibits discrimination based on disability. It was not written with websites in mind: it was adopted to guarantee people with disabilities access to public facilities. Whether it applies to commercial websites has long been debated. The law does not explicitly cover websites, but the requirement that "places of public accommodation" provide equal access to people with disabilities has been interpreted by some courts as extending to commercial websites, while other courts have decided otherwise.
The US Department of Justice takes the position that the ADA does cover websites. First, Title II of the ADA prohibits discrimination against people with disabilities by state and local governments, which must ensure that their communications with people with disabilities are as effective as their communications with others. A website that is not equally accessible limits the ability of people with disabilities to use the services that state and local governments offer on equal terms, so the Department considers that the ADA applies to state and local government services and programs offered through websites.
Second, Title III of the ADA forbids discrimination against people with disabilities by businesses open to the public ("places of public accommodation"). According to the Department of Justice, many commercial websites are likely to fall within the scope of "places of public accommodation" and thus require ADA compliance.
5.3.3 EU Website Accessibility Laws
In the European Union, there are two laws that are about website accessibility. The first law is the Website Accessibility Directive. The other law is the European Accessibility Act.
The Website Accessibility Directive is an EU initiative which was adopted in 2016 with the aim to ensure that websites and mobile applications are accessible equally by those with disabilities in the EU. The Directive applies to public sector bodies only.
The Directive requires, among other things, the publication of an accessibility statement for websites and mobile applications, calls for a feedback mechanism for users to flag accessibility problems, and expects regular accessibility monitoring by EU Member States.
The Directive has been complemented by the European Accessibility Act (Directive (EU) 2019/882), which extends accessibility requirements to private-sector organizations, except microenterprises (those employing fewer than 10 persons and with an annual turnover or balance sheet total not exceeding EUR 2 million). Member States had to transpose the Act into national law by 28 June 2022, and its requirements apply from 28 June 2025.
5.3.4 Web Content Accessibility Guidelines (WCAG)
The Web Content Accessibility Guidelines (WCAG) are developed by the World Wide Web Consortium (W3C). They are a set of recommendations for making web content more accessible, especially to people with disabilities. While they are not binding by themselves, they are referenced in major laws and court decisions worldwide, including in ADA litigation and in the EU accessibility standard EN 301 549.
The first version, WCAG 1.0, was released in 1999 and consisted of 14 guidelines. WCAG 2.0, released in 2008, has 12 guidelines organized under 4 principles (content must be perceivable, operable, understandable and robust), each guideline with testable success criteria. WCAG 2.1 (2018) and WCAG 2.2 (2023) extend 2.0 with additional success criteria. WCAG 3.0 exists only as a W3C Working Draft (first published in January 2021) and is not a finished standard, so WCAG 2.x remains the version to test against.
Impressum
An Impressum, also called an "Imprint", is a legal requirement in certain countries (especially German-speaking countries such as Germany, Austria and Switzerland) for businesses with an online presence. It is a basic legal notice to the visitors of a website that identifies the website or business owner and gives basic information about the company.
An Impressum is required for commercial websites and business social media pages. It is not required of websites that are non-commercial and/or personal in nature and do not generate income.
An Impressum generally includes the following information:
- Name of the owner or manager of the website
- Registered business address
- Contact information (e.g., phone number, email address)
- Official incorporation information (e.g., official name and registration number of the company)
What to include in an Impressum depends on the applicable law. So, you must check whether your country requires your website to have an Impressum or a similar arrangement, and check what information is required from you to post on your website. If you are operating a commercial website in a German-speaking country, it is likely that you must comply with the requirements of Impressum.
There are similar legal arrangements in other countries, even if they are not called Impressum/Imprint. For example, French law requires all professional websites (whether or not they sell online) to publish certain information on the site, so that users can contact the site operator and their rights towards the site owner are protected.
This information is generally referred to as "Legal Mentions" (Mentions Légales in French) and must include:
- Information about the entrepreneur (full name and domicile) or the official registered name of the company
- Contact details of the company (or entrepreneur)
- Registration number and VAT number (where applicable)
- Information about the web hosting provider (name, contact details)
- CNIL declaration number, where one exists (most prior declarations to the CNIL were abolished when the GDPR took effect in 2018)
- For a regulated profession, a reference to the applicable professional rules and the professional title
- General terms of sale, if the site is a merchant site
- Information about cookies
If a website does not provide the required information, heavy monetary penalties apply: up to €75,000 for individuals and €375,000 for legal persons. Individuals may additionally face imprisonment of up to one year.
Website compliance is an important matter for website owners. Most website owners take website compliance for granted and do not think that the consequences are severe. Without legal compliance any website risks getting fined in very high amounts. In order to feel safe you should check the requirements mentioned in this article, ensure you understand them, and take appropriate steps to bring your website into compliance. Website legal compliance will save you from having to pay high amounts of fines and will ensure your brand identity is not damaged due to violations of legal requirements.