October 6, 2022

6 Steps to Complete Website Compliance

When launching a website, most people focus only on its design and development and do not pay enough attention to legal matters. However, legal matters are at least as important as the design and development of a website.

Not paying sufficient attention to legal requirements may lead to monetary fines or may drag you into an unpleasant situation with your visitors and users. In this article we outline the legal requirements a website must meet to operate lawfully. Any website owner should consider the following compliance requirements and take steps to meet them in order to avoid high penalties.

1. Cookie Consent Compliance

One of the main components of website compliance is cookie consent compliance. Its aim is to ensure that cookies are not placed on a user's device before consent has been obtained from the user.

1.1. What is a cookie consent notice?

A cookie consent notice is a mechanism used to collect the consent choices of your website visitors. It can be a banner, pop-up or box on the website that tells your visitors that you are using cookies and/or similar tracking technologies, presents your cookie policy, and allows them to accept, deny or customize the use of cookies by your website.

1.2. Why would you need a cookie consent notice?

You need a cookie consent notice on your website for two essential reasons. The first is that it is a requirement, direct or indirect, under the most robust data privacy and cookie laws around the world. For example, EU law requires websites to ask for the consent of their users before placing any cookies on their devices. This is usually done by a cookie consent notice on the website, such as a cookie banner or a pop-up window.

In addition, a cookie consent notice helps to establish a trust relationship between you and your users by building complete transparency. This transparency may establish a strong bond between you and your users, and help you generate more leads and conversions.

1.3. What are the requirements relating to cookie consent notices?

A cookie consent notice is required by the data privacy and cookie laws of certain countries and regions. It is also used to comply with data protection laws that require prior consent for the collection of personal data. Below we focus on the relevant laws of particular states or regions.

1.3.1 The requirements in the EU

The EU cookie law is composed of the General Data Protection Regulation (GDPR) and the EU ePrivacy Directive, also known as the EU Cookie Directive. In addition, the legal framework has been complemented by the European Data Protection Board (EDPB) Consent Guidelines and the Planet 49 case.

The ePrivacy Directive requires websites to obtain prior consent before using cookies. Users must also be given clear and comprehensive information about the use of cookies, and they must be offered an option to easily refuse the cookies. This does not prevent websites from placing the so-called "strictly necessary cookies" that are used solely to carry out or facilitate the transmission of a communication over an electronic communications network, or that are strictly necessary in order to provide an information society service explicitly requested by the user.

The GDPR gives users a right to be informed about the collection and processing of their personal data. Websites are required to provide their users with information such as what data they collect, how long they retain that data, who they share the data with, etc.

The requirements of the GDPR and the ePrivacy Directive can be satisfied by the use of a cookie consent notice, such as a cookie banner. It is an easy and practical way of providing the necessary information to users before collecting their data, of obtaining their consent, and of allowing them to refuse the use of cookies.

The EDPB Consent Guidelines provided clarity on certain issues relating to cookies. In particular, the EDPB stated that 1) "cookie walls" are not lawful, and 2) scrolling or browsing cannot be relied on as an indication of consent.

The final major source of the EU cookie law framework is the Planet 49 case. The Court of Justice of the European Union (CJEU) rendered a decision that sheds light on some important aspects of cookie usage by websites. According to the judgment of the CJEU: 1) pre-ticked check-boxes are invalid; 2) when consent is required for the placement of cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed, and unambiguous); 3) consent cannot be bundled, as bundled consent does not meet the "specificity" requirement under the GDPR, so websites must request consent separately for different cookie usage purposes (granular consent); 4) information must be given to visitors including, among other matters, the duration of the cookie lifespan, whether third parties will have access to these technologies, and the categories of third-party recipients of cookies; and 5) regardless of whether the cookies constitute personal data or not, Article 5(3) of the ePrivacy Directive (the cookie consent rule) applies to any information placed on or accessed from an individual's device.

Some of the national Data Protection Authorities (DPAs) of the EU Member States have also issued guidelines relating to cookies. These cookie guidelines set out clarifications on various aspects of cookie usage by websites that are subject to the jurisdiction of the particular DPA. Compliance with national cookie guidelines is not mandatory but is strongly recommended for those who fall under the territorial scope of the relevant DPA. For example, the CNIL Cookie Guidelines are relevant for organizations with an establishment in France.

Based on the aforementioned sources of the EU cookie law framework, in order to comply with EU cookie laws you must satisfy at least the following minimum requirements, apart from any additional requirements set forth by national DPA cookie guidelines.

  1. Do not place cookies before obtaining consent from your users ("strictly necessary cookies" are exempt from this rule).
  2. Provide your users with clear and comprehensive information about the use of cookies on your website.
  3. Make sure that the consent you obtain satisfies the GDPR consent standard (consent must be freely given, specific, informed, and unambiguous).
  4. Allow your users to easily refuse the use of cookies.
  5. Do not rely on scrolling or browsing as an indication of consent.
  6. Do not use cookie walls.
  7. Obtain separate consent for different cookie categories.

1.3.2 The requirements of the CCPA 

The main legislative act concerning data protection in the state of California is the California Consumer Privacy Act (CCPA). The CCPA does not expressly require obtaining consent for the use of cookies. The only exception under the CCPA is the need for prior consent from minors when selling their personal information through the use of cookies. If they are between 13 and 16 years old, you must seek consent directly from them. If they are younger than 13 years old, you must seek consent from their parents or guardians.

However, it must be emphasized that the CCPA does not require websites to obtain cookie consent before collecting data from minors, but before selling their data. What counts as "selling" under the CCPA is defined as the act of "disclosing" or "making available" personal information "for monetary or other valuable consideration".

While the definition of "sale" contains an exception for situations in which information is shared with a service provider, it is debatable whether the exception applies when the information is shared with behavioral advertising networks. This is because behavioral advertising networks may not meet the three conditions of the service provider exception under the CCPA. Firstly, the transfer of information to the service provider must be necessary for the business; it is debatable how necessary the transfer of personal information to behavioral advertising networks is for businesses. Secondly, the fact that data is transferred to behavioral advertising networks must be disclosed to users; some businesses fail to indicate this in their privacy policies, knowingly or through lack of legal awareness. Thirdly, the agreement with the service provider must prohibit secondary use of the data, whereas these networks may wish to continue using the data for other purposes. Given all this, it is not guaranteed that a transfer of data to behavioral advertising networks would benefit from the service provider exception.

While prior cookie consent is not expressly required, in order to mitigate the risk that the use of third-party behavioral advertising could be considered a "sale" under the CCPA, you are encouraged to obtain prior cookie consent from your users before placing third-party behavioral advertising cookies.

Other than the CCPA, another important law in California relating to consumer privacy is the California Privacy Rights Act (CPRA), also referred to as "CCPA 2.0". The CPRA was adopted in 2020, takes effect on January 1, 2023, and becomes fully enforceable on July 1, 2023, with a lookback period from January 1, 2022. Even though the CPRA updates the CCPA in many respects, its requirements regarding cookie consent remain the same as those of the CCPA.

1.3.3 The requirements in Canada

Cookies are regulated under various laws in Canada, including the Anti-Spam Legislation (CASL) and PIPEDA. Cookie consent is mainly regulated under CASL.

CASL regulates, among other things, the installation of computer programs (including cookies) on users' devices. The main rule is that before placing any computer program on a user's device, you must first obtain express consent from them. For example, a website is prohibited from automatically installing a computer program (or updating an existing program) on a user's device before obtaining express consent. However, in certain circumstances you are considered to have express consent without even asking for it. This is the case for the installation of certain computer programs, including cookies. This means that you do not have to request prior consent before deploying cookies in users' browsers. However, if you want to rely on this exception, you must know that you are only considered to have consent for as long as the user's conduct indicates that they consent to it. For example, if a user disables JavaScript in their browser, or similarly disables cookies in their browser, you cannot be considered to have consent to deploy cookies. Other examples exist.

Under CASL, if you want to rely on the prior-consent exception, the main point is that the user's conduct must be such that it is reasonable to believe that they consent to the cookies' installation. As you can see, this exception may not always apply, and you may find yourself in breach of CASL. That is why it may be wiser to have a cookie banner that collects prior cookie consent, so that you do not have to consider whether the exception applies to you.

When you request express prior consent to install a computer program, including cookies, you must clearly and simply set out the following:

  1. The reason you are seeking consent;
  2. Who is seeking consent (i.e., name of the company; or if consent is sought on behalf of another person, that person's name);
  3. If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
  4. The mailing address and one other piece of contact information (i.e., telephone number, email address, or Web address);
  5. A statement indicating that the person whose consent is sought can withdraw their consent; and
  6. A description in general terms of the functions and purpose of the computer program to be installed.

It is also important to be aware that you bear the burden of proving that consent was collected. This simply means that you must keep records of consent in order to be able to prove compliance with CASL.

Another important issue is that if a person withdraws their consent, you can no longer rely on that consent for future updates that are installed in the background.
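The following is an added example, not code from the original article: a minimal consent-gated cookie manager that implements the EU checklist in 1.3.1 (no non-essential cookies before consent, granular per-category consent, nothing pre-ticked, no scroll-based consent, easy refusal and withdrawal) and keeps the consent record that the CASL burden-of-proof point in 1.3.3 calls for. The category names, the cookie registry and the record layout are illustrative assumptions, and the in-memory jar stands in for document.cookie so the code runs offline.

```javascript
// Added example (not from the article): consent-gated cookie manager.
// Assumed category names and cookie registry; in-memory jar instead of document.cookie.

const STRICTLY_NECESSARY = "necessary"; // exempt from prior consent (ePrivacy Art. 5(3))
const CATEGORIES = [STRICTLY_NECESSARY, "analytics", "marketing"];

// Every cookie the site may set, tagged with its purpose. Tagging is what makes
// granular consent enforceable: the manager, not page scripts, decides whether a
// cookie may be written. (Constructed registry for this example.)
const COOKIE_REGISTRY = {
  session_id: { category: STRICTLY_NECESSARY },
  _analytics_id: { category: "analytics" },
  _ad_profile: { category: "marketing" },
};

function createConsentManager({ policyVersion, now = () => new Date() }) {
  const jar = new Map(); // in-memory stand-in for document.cookie
  let consent = null;    // null = no decision yet, so nothing non-essential may be set

  // Default choices: only the exempt category is on. There are no pre-ticked
  // boxes, and loading or scrolling the page never calls recordConsent.
  function defaultChoices() {
    const choices = {};
    for (const cat of CATEGORIES) choices[cat] = cat === STRICTLY_NECESSARY;
    return choices;
  }

  // Records a decision. Only an explicit banner interaction may call this; a
  // caller passing any other source (e.g. "scroll") is rejected outright.
  function recordConsent(acceptedCategories, { source }) {
    if (source !== "user-action") {
      throw new Error("consent may only be recorded from an explicit user action");
    }
    const choices = defaultChoices();
    for (const cat of acceptedCategories) {
      if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
      choices[cat] = true;
    }
    consent = { choices, policyVersion, timestamp: now().toISOString() };
    // Withdrawal or narrowing of consent: drop cookies whose category is no longer allowed.
    for (const name of [...jar.keys()]) {
      const meta = COOKIE_REGISTRY[name];
      if (meta && !choices[meta.category]) jar.delete(name);
    }
    return snapshot();
  }

  // "Reject all" must be as easy as "accept all": one call, no categories.
  function rejectAll() {
    return recordConsent([], { source: "user-action" });
  }

  // The only path by which page code writes a cookie. Returns true if written.
  function setCookie(name, value) {
    const meta = COOKIE_REGISTRY[name];
    if (!meta) throw new Error(`cookie ${name} is not in the registry`);
    const allowed =
      meta.category === STRICTLY_NECESSARY ||
      (consent !== null && consent.choices[meta.category] === true);
    if (!allowed) return false;
    jar.set(name, value);
    return true;
  }

  function getCookie(name) {
    return jar.has(name) ? jar.get(name) : null;
  }

  // Proof of consent: what was chosen, under which policy text, and when.
  function snapshot() {
    return consent ? { ...consent, choices: { ...consent.choices } } : null;
  }

  return { recordConsent, rejectAll, setCookie, getCookie, consentRecord: snapshot };
}

// Walk-through on a fresh manager; returns the observable outcome of each step.
function demo() {
  const cm = createConsentManager({ policyVersion: "cookie-policy-2022-10" });
  const beforeDecision = [cm.setCookie("session_id", "s1"), cm.setCookie("_analytics_id", "u1")];
  cm.recordConsent(["analytics"], { source: "user-action" });
  const afterAnalyticsOnly = [cm.setCookie("_analytics_id", "u1"), cm.setCookie("_ad_profile", "p1")];
  cm.rejectAll(); // withdrawal: the analytics cookie is removed, the session cookie stays
  return {
    beforeDecision,
    afterAnalyticsOnly,
    analyticsAfterReject: cm.getCookie("_analytics_id"),
    sessionAfterReject: cm.getCookie("session_id"),
    record: cm.consentRecord(),
  };
}
```

In a real deployment the consent record would be persisted (for example in a first-party cookie of the strictly necessary category plus a server-side log) so that it can be produced as evidence later.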

1.3.4 The requirements in other privacy laws

Other data protection and privacy laws are also relevant for cookie consent requirements. 

LGPD: Cookies are not specifically addressed by the LGPD. However, since most cookies collect personal data, cookie deployment is in practice subject to prior consent. Consent is considered valid under the LGPD if it is:

  • Freely given
  • Informed, specific, and unambiguous
  • Given in writing
  • Easily withdrawn

These conditions can be met by implementing a cookie banner on your website. 

Thai PDPA: Under the Thai PDPA, you must ask for consent before collecting personal data. This also applies to cookies: before placing cookies in users' browsers you need to ask for consent. In addition, when you request consent it must be done in an easily understandable manner that is non-deceptive and clearly distinguishable from other content on your website.

2. Privacy Policy Compliance

One of the most indispensable elements of website compliance is privacy policy compliance. Today, most data protection laws require you, either directly or indirectly, to have a privacy policy on your website.

2.1. What is a privacy policy?

A privacy policy is a legal document that discloses how you handle personal data: how you collect, process, store and delete it. It is a legal requirement under many data protection laws around the world. Apart from being a legal requirement, it is also a tool that helps your business cultivate trust with the people who visit your website. Essentially, it makes your potential clients aware of the exact kind of personal information you collect about them and what you intend to use it for. A privacy policy is also referred to as a Privacy Statement or a Privacy Notice under different data protection or privacy laws.

2.2. Do I need a privacy policy?

You need a privacy policy for two main reasons. Firstly, it is a legal requirement under some state or regional data protection laws. These laws control how you engage with your website visitors and require you to provide your users with certain information about how you collect, process and store personal data.

A privacy policy is required either as part of a transparency obligation (e.g., the GDPR) or as a direct legal requirement under some laws (e.g., CalOPPA).

Secondly, your website requires a privacy policy because it is critical to establishing trust with site visitors. Clients gain confidence in your website as a secure and reliable platform to play, share, and buy when you make it obvious what information you collect from them and how you intend to utilize it.

2.3. Legal requirements concerning privacy policy

Legal requirements for a privacy policy differ by country. Some laws explicitly require website operators to post a privacy policy on their websites, while other laws do not explicitly require it. This does not mean that you should go without a privacy policy if the law you are bound by does not oblige you to have one. A privacy policy matters for two further reasons. Firstly, you are bound by a transparency requirement under many data protection laws (e.g., the GDPR), which you can fulfil by having a privacy policy; secondly, your users will expect you to have a privacy policy so that they can learn how you collect and process their personal data.

2.3.1 The requirements under the GDPR

The GDPR does not directly require businesses to have a privacy policy. However, it requires businesses to be transparent about their data processing principles and practices, and a privacy policy is the easiest way to comply with this transparency requirement.

The GDPR sets out certain information that you have to provide to your users. This means that your privacy policy must provide all of the information that the GDPR requires in order to meet the transparency obligations. Accordingly, a GDPR-compliant privacy policy should contain at least the following elements:

  • Your identity and contact details
  • The categories of personal data you process
  • How you collect and process personal data
  • Why you collect and process data
  • Details on international data transfers, if any
  • Data subject rights
  • How to exercise data subject rights
  • With whom you share data
  • Contact details of the Data Protection Officer, if any

This is just the necessary minimum of information that the GDPR requires you to provide. You can add more if you want.

2.3.2 The requirements under the CCPA

In California, there are two main laws that govern the collection and processing of personal data: the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

A privacy policy is explicitly required by CalOPPA and indirectly by the CCPA. If the CCPA applies to your business, then CalOPPA certainly applies as well.

When you combine the requirements from both laws, you’ll understand that your privacy policy should be written in plain, easily understandable language and contain at least the following:

  • What kind of information you collect and process
  • Why you collect and process information
  • How you collect and process information
  • How users can request access, change, move, or deletion of their personal data
  • The method for verifying the identity of the person who submits a request
  • Sales of users' personal data and how they can opt out of the sale of their data
  • Information on financial incentives where providing personal information is involved.

2.3.3 The requirements in Canada

In Canada, the federal law governing the collection and processing of personal information is the Personal Information Protection and Electronic Documents Act (PIPEDA). Similar to the GDPR, PIPEDA does not contain a direct obligation to have a privacy policy, but it does explicitly require businesses to be transparent about their data collection and processing practices. This requirement is set out under the "principle of openness", which requires organizations to be open about their policies and practices with respect to the management of personal information. Users must be able to obtain information about a website's policies and practices without unreasonable effort and in understandable language.

The minimum information to be provided to users must contain the following:

(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded; 

(b) the means of gaining access to personal information held by the organization; 

(c) a description of the type of personal information held by the organization, including a general account of its use; 

(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and 

(e) what personal information is made available to related organizations (e.g., subsidiaries). 

PIPEDA states that how you communicate this information to your users depends on the nature of the business and other factors. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number. Providing online access simply means having a privacy policy (a document outlining the data management policies and practices).

2.3.4 The requirements in other privacy laws

Major laws in other countries are also relevant to privacy policy requirements.

LGPD: Just like the GDPR, the Brazilian General Data Protection Law (LGPD) does not directly require businesses to have a privacy policy. However, there is an obligation to give data subjects clear, precise and easily accessible information about the processing of their personal data. This is known as the transparency principle. There is also the principle of free access, which means that data subjects have the right to free and facilitated access to the form and duration of the processing of their data, and to the integrity of their data. In order to comply with the principles of transparency and free access, you should have a privacy policy setting out the information required under the LGPD.

Swiss FADP: There is no specific legal requirement under the Swiss Federal Act on Data Protection (Swiss FADP) to post a privacy policy on a website. However, under the principles of purpose limitation and recognisability in the Swiss FADP, organizations must tell data subjects how they plan to use the personal data where the data subject cannot recognise such purposes from the circumstances of collection. In addition, when collecting sensitive data, websites must provide data subjects with specific information.

Nevertheless, although there is no specific legal requirement for organizations to post a privacy policy, the Swiss Federal Data Protection and Information Commissioner (FDPIC) recommends that every organization offering products and services online follow transparent data processing practices, including by posting a data privacy notice (privacy policy) on its website.

2.3.5 Cookie Policy

Apart from a privacy policy, website owners should also consider having a cookie policy. A cookie policy is a document that informs website visitors about how you collect data using cookies and similar tracking technologies on your site.

Most of the time, a cookie policy is a separate document from the privacy policy. However, some websites prefer to combine the cookie policy and the privacy policy into a single document.

3. Terms and Conditions

Websites should have legal documents setting out how their users may interact with them and what rights and obligations exist between the website and its users. Typically, two types of legal document are needed to achieve this purpose: Website Terms of Use, and Terms of Service (also referred to as Terms and Conditions or a User Agreement).

3.1. What are the Terms of Service?

This component serves as the legally binding agreement between a website and the potential clients who interact with it. Typically, it comprises information such as what the service or product is, the conditions under which the user buys it, shipping and return policies, disclaimers of liability, and copyright safeguards for the website. Sometimes this document is also referred to as a User Agreement or Terms and Conditions. Other names may be used for the same document, but the rationale remains the same.

This document is an essential part of your website, since it helps to avoid any misunderstanding about what your business is selling and the terms on which you are selling it. By having Terms of Service, you can ensure that there is no ambiguity: your clients will understand what their duties and rights are in their relations with you and can act accordingly. You can also be confident that the terms of service of your website provide clarity about what should happen in any given situation.

3.2. What are the Website Terms of Use?

Website Terms of Use is a legal agreement that sets out rules about how a visitor must interact with the website. It is distinct from the Terms of Service (Terms and Conditions), whose rules are focused on what you sell (either goods or services).

Website Terms of Use outlines the rules for how your website may be used: you set the rules for visitors using your business's website. Put simply, this component explains to your visitors what they can and cannot do on your website, and what rights and prohibitions apply when they browse it.

It is not a legal requirement to have Website Terms of Use, but this component is extremely important because it creates legal protection for your website and your company. Additionally, Website Terms of Use play a crucial role in protecting your intellectual property, including your trademarks and the content you upload.

Terms and Conditions and Terms of Use can form one single document, but sometimes it is more practical to divide them into two documents: one governing the use of the website by all visitors, and one for those who buy something from your business.

4. TLS Compliance

Web application security is one of the most important topics for website owners. Part of it is ensuring that the communication between a website's server and its visitors' browsers is secure. The technology that provides this security is SSL/TLS (the difference between the two is described below). This standard technology ensures that communication between two systems (e.g., an e-commerce website and a browser) is safeguarded against dangers such as theft of sensitive personal data and credit card information.

SSL/TLS prevents attackers from reading data while it is sent over the connection, because it uses encryption algorithms to scramble the data in transit. It is the alternative to plain-text data transfer between the browser and the server, in which the data is unencrypted and thus exposed to interception. Therefore, SSL/TLS is a must whenever sensitive information such as usernames and passwords or payment details is being transferred.

4.1. What is the difference between SSL and TLS?

SSL stands for Secure Sockets Layer, whereas TLS means Transport Layer Security. The two acronyms essentially refer to the same thing; the difference is that TLS is the updated and more secure successor of SSL. SSL is therefore no longer in use and has been replaced by TLS. However, because the technology became known under the name SSL, it is still commonly referred to as SSL/TLS.

4.2. Why do you need TLS protocol compliance?

There are three main reasons why you should use SSL/TLS for your website:

  • Authentication: An SSL/TLS certificate allows you to prove to your users that you are who you say you are. Without an SSL/TLS certificate, any server can pretend to be your server and thus intercept any information that people transmit to it. Using SSL/TLS, your users can verify the identity of your server.
  • Ensuring trust: When people visit websites and transmit sensitive information such as payment details, they want to be sure that your website is secure and not exposed to theft of their information. Having an SSL/TLS certificate creates a sense of trust between you and your users. It is a visible way of showing your users that they can trust you, and it is much more effective than anything you say about yourself.
  • Compliance: Certain sectoral standards may require you to maintain a certain level of security. Using an SSL/TLS certificate is an integral part of the security measures you are required to follow. Examples include PCI DSS, HIPAA, and NIST guidelines.

4.3. What are the industry standards requiring TLS compliance?

Several organizations, including the National Institute of Standards and Technology (NIST), have issued guidelines requiring TLS compliance as part of their network security requirements. The following instruments are the most widely adopted.

  1. NIST’s Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52 Rev. 2)
  2. The Payment Card Industry Data Security Standard (PCI-DSS)

4.3.1 NIST standards

The National Institute of Standards and Technology (NIST) is an agency of the US Department of Commerce. It issues guidelines to help other organizations meet regulatory compliance requirements. NIST published Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52 Rev. 2) in 2005; it provides guidance for selecting and configuring TLS protocol implementations. NIST SP 800-52 Rev. 2 requires that all government TLS servers and clients support TLS 1.2 configured with FIPS-based cipher suites, and recommends that agencies develop migration plans to support TLS 1.3 by January 1, 2024.
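The following is an added example, not code from the article or from NIST: an audit function that checks a server's negotiable TLS configuration against the SP 800-52 Rev. 2 points cited above (TLS 1.2 required with approved cipher suites, TLS 1.3 recommended, legacy SSL gone). The approved-suite list is a small illustrative subset of the suites the guideline accepts, and both sample configurations are constructed rather than real scan output.

```javascript
// Added example (not from the article or NIST): TLS configuration audit against the
// SP 800-52 Rev. 2 points the section cites. Suite list is an illustrative subset.

const FORBIDDEN = new Set(["SSLv2", "SSLv3"]);      // obsolete SSL: must never be offered
const DEPRECATED = new Set(["TLSv1.0", "TLSv1.1"]); // deprecated by RFC 8996
const REQUIRED = "TLSv1.2";
const RECOMMENDED = "TLSv1.3";
const TLS13_TARGET = "2024-01-01";                  // migration date the guideline recommends

// Illustrative subset of acceptable suites: ECDHE key exchange (forward secrecy)
// with AES-GCM for TLS 1.2, and the TLS 1.3 AEAD suites.
const APPROVED_SUITES = new Set([
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_AES_128_GCM_SHA256",
  "TLS_AES_256_GCM_SHA384",
]);

// config = { protocols: [...], cipherSuites: { "<protocol>": [...] } }
// Returns hard failures (non-compliant) separately from warnings (should fix).
function checkTlsConfig(config) {
  const failures = [];
  const warnings = [];
  const protocols = new Set(config.protocols);

  for (const p of protocols) {
    if (FORBIDDEN.has(p)) failures.push(`${p} is offered; obsolete SSL must be disabled`);
    if (DEPRECATED.has(p)) warnings.push(`${p} is offered; disable it unless a documented interoperability need remains`);
  }
  if (!protocols.has(REQUIRED)) failures.push(`${REQUIRED} is not supported`);
  if (!protocols.has(RECOMMENDED)) warnings.push(`${RECOMMENDED} is not supported; plan the migration by ${TLS13_TARGET}`);

  // A single weak suite left enabled is enough for a client to negotiate it, so every
  // suite offered under TLS 1.2 or 1.3 must be on the approved list.
  for (const proto of [REQUIRED, RECOMMENDED]) {
    for (const suite of config.cipherSuites[proto] || []) {
      if (!APPROVED_SUITES.has(suite)) failures.push(`non-approved ${proto} cipher suite: ${suite}`);
    }
  }
  return { compliant: failures.length === 0, failures, warnings };
}

// Constructed "legacy" server: still offers SSLv3 and TLS 1.0, plus a 3DES suite under TLS 1.2.
function legacyServerAudit() {
  return checkTlsConfig({
    protocols: ["SSLv3", "TLSv1.0", "TLSv1.2"],
    cipherSuites: {
      "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    },
  });
}

// Constructed hardened server: TLS 1.2 and 1.3 only, approved suites only.
function hardenedServerAudit() {
  return checkTlsConfig({
    protocols: ["TLSv1.2", "TLSv1.3"],
    cipherSuites: {
      "TLSv1.2": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
      "TLSv1.3": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
    },
  });
}
```

The input shape is what a configuration review or a scanner's protocol/cipher enumeration would yield; feeding a production server's actual offered list through the same check turns the guideline's wording into a pass/fail result.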

4.3.2 PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that organizations that handle credit card information (e.g., e-commerce websites) maintain a secure environment. In order to be compliant with PCI DSS, organizations must use TLS to protect cardholder data in transit.

5. Website Accessibility Compliance

Another essential element of website compliance is website accessibility. This is especially important now that most services, programs and activities are offered on the web.

5.1. What is website accessibility?

Website accessibility is the practice of ensuring that people with disabilities have equal access to websites, without barriers that prevent them from interacting with those websites. There are international, regional and local laws, as well as international standards, that set out requirements for the accessibility of websites to people with disabilities. Examples include the UN Convention on the Rights of Persons with Disabilities, the Americans with Disabilities Act (ADA), the EU Web Accessibility Directive, the European Accessibility Act, and the Web Content Accessibility Guidelines (WCAG).

5.2. Why do you need web accessibility?

Website accessibility is becoming more and more important as more services, programs and activities, whether public or commercial, are offered on the web. You need to pay attention to web accessibility, and consider compliance with it, for at least three main reasons:

  1. It will help you improve the lives of people with disabilities;
  2. You can reach a greater audience or consumer base; and
  3. You will make sure you are not sued for breach of the law.

5.3. What are the legal requirements relating to website accessibility?

Legal requirements relating to website accessibility depend on the relevant law. There are international, regional and national legal instruments in this field. Below we outline the major laws in this field and their basic requirements.

5.3.1 UN Convention on the Rights of Persons with Disabilities 

The United Nations Convention on the Rights of Persons with Disabilities (UNCRPD) was adopted on 13 December 2006 and entered into force on 3 May 2008. The purpose of the UNCRPD is the promotion and protection of the full and equal enjoyment of all human rights and fundamental freedoms by all persons with disabilities. 

Article 9 of the Convention is about accessibility, which also covers web accessibility. The same article requires the Member States of the Convention to take appropriate measures to ensure access for persons with disabilities, on an equal basis with others, to information and communication technologies, including the Internet.

5.3.2 The US ADA

The Americans with Disabilities Act (ADA) is a US law that prohibits discrimination based on disability. It was enacted in 1990 in order to end discrimination against people with disabilities. The ADA was not originally about online compliance; it was adopted to make life easier for people with disabilities in public facilities. For a long time it was debatable whether the ADA applied to commercial websites as well. Even though the law does not explicitly cover commercial websites, some courts have interpreted the requirement that "places of public accommodation" provide equal access to people with disabilities as applying to commercial websites, while other courts have decided otherwise.

The US Department of Justice has interpreted that the ADA also includes websites. First of all, Title 2 of the ADA prohibits discrimination against people with disabilities in state and local governments. State and local governments must ensure that their communications with people with disabilities are as effective as their communications with others. A website that does not provide equal accessibility to those with disabilities limits the ability of the disabled to access the services offered by the state and local governments on equal terms. Therefore, the US Department of Justice considers that the ADA applies to services and programs of state and local governments that are offered through websites. 

Secondly, Title 3 of the ADA forbids discrimination against the disabled by businesses open to the public (also referred to as “places of public accommodation”). According to the US Department of Justice, many online commercial websites are likely to fall under the scope of the “places of public accommodation” and thus require ADA compliance.

5.3.3 EU Website Accessibility Laws

In the European Union, there are two laws that deal with website accessibility. The first is the Website Accessibility Directive; the other is the European Accessibility Act.

The Website Accessibility Directive is an EU initiative adopted in 2016 with the aim of ensuring that websites and mobile applications are equally accessible to those with disabilities in the EU. The Directive applies to public sector bodies only.

The Directive requires, among other things, the publication of an accessibility statement for websites and mobile applications, calls for a feedback mechanism that lets users flag accessibility problems, and expects regular accessibility monitoring by EU Member States.

The Directive was complemented by the European Accessibility Act of 2019, which extends the applicability of accessibility rules to private sector organizations, except for microenterprises (those with fewer than 10 employees or an annual turnover of less than 2 million EUR). The requirements of the Act must be implemented by the Member States by 2025.

5.3.4 WCAG 

The Web Content Accessibility Guidelines (WCAG) are a series of guidelines developed by the World Wide Web Consortium (W3C). The guidelines are a set of recommendations for making Web content more accessible, especially for people with disabilities. While they are not binding by themselves, they have been referenced in major laws and court cases worldwide, including cases brought under the ADA.

The first version of the WCAG (1.0) was released in 1999 and consisted of 14 principles. WCAG 2.0 was released in 2008 and consists of 12 guidelines organized under 4 principles (websites must be perceivable, operable, understandable, and robust), each guideline having testable success criteria. The latest version of these guidelines, WCAG 3.0, was released in December 2021.

Impressum

Impressum is a legal requirement in certain countries (especially in German-speaking countries like Germany, Austria and Switzerland) for businesses with an online presence. It is also referred to as “Imprint”. An Impressum is a basic legal notice to visitors of a website about the website or business owner, as well as basic information about the company.

An Impressum is required for commercial websites and business social media pages. It is not required for websites that are non-commercial and/or personal in nature and do not generate an income.

An Impressum generally includes the following information:

  • Name of the owner or manager of the website
  • Registered business address
  • Contact information (e.g., phone number, email address)
  • Official incorporation information (i.e., official name and registration number of the company)

What to include in an Impressum depends on the applicable law. So, you must check whether your country requires your website to have an Impressum or a similar arrangement, and check what information you are required to post on your website. If you are operating a commercial website in a German-speaking country, it is likely that you must comply with the Impressum requirements.

There are similar legal arrangements in other countries, even though they are not necessarily referred to as Impressum/Imprint. For example, French law requires all professional websites (regardless of whether they sell online or not) to publish certain information on their sites. This is to ensure that users of a website can contact the site owner and that their rights in relation to the site owner are always protected.

This is generally referred to as “Legal Mentions” (Mentions Légales in French) and includes the following mandatory information to be made public on the internet:

  • Information about the entrepreneur (full name and domicile) or the official registration name of the company

  • Contact details of the company (or entrepreneur) 
  • Registration number and VAT number (where applicable)
  • Information about the web hosting provider (name, contact details)
  • CNIL declaration number (where available)
  • For a regulated profession, reference to the professional rules applicable and the professional title
  • General terms of sale, if the site is a merchant site
  • Information about cookies

If the required information is not provided by a website, there can be high monetary penalties, such as €75 000 for individuals and €375 000 for legal persons. In addition, individuals may face imprisonment of up to 1 year.

Website compliance is an important matter for website owners. Most website owners take website compliance for granted and do not realize that the consequences can be severe. Without legal compliance, any website risks being fined very high amounts. To be on the safe side, you should check the requirements mentioned in this article, make sure you understand them, and take appropriate steps to bring your website into compliance. Website legal compliance will save you from having to pay high fines and will ensure your brand identity is not damaged by violations of legal requirements.