April 13, 2023

6 Steps to Complete Website Compliance

In this article, we are focusing on outlining the legal requirements for websites to operate legally. Any website owner should consider the following compliance requirements and take steps to ensure compliance with legal requirements and avoid high penalties.


When launching a website, most people focus just on the design and development of it and do not pay enough attention to legal matters. However, one must understand that legal issues are at least as important as the design and development of a website. 

Not paying sufficient attention to legal requirements may lead to monetary fines or drag you into an unpleasant situation with your visitors and users.

1. Cookie Consent Compliance

One of the main components of website compliance is cookie consent compliance. This means ensuring that no cookies, other than strictly necessary ones, are set before consent is obtained from the user.

1.1. What is a cookie consent notice?

A cookie consent notice is a mechanism used to collect the consent choices of your website visitors. It can be an opt-in cookie banner, pop-up, or box on the website that tells visitors you are using cookies and similar tracking technologies, presents your cookie policy, and allows them to accept, deny, or customize the use of cookies by your website.

1.2. Why would you need a cookie consent notice?

You need a cookie consent notice on your website for two crucial reasons. The first is that it is a direct or indirect requirement under the most robust data privacy and cookie laws worldwide. For example, EU law requires websites to ask for the consent of their users before placing any non-essential cookies on their devices. A cookie consent notice on the website, such as a cookie banner or a pop-up window, is usually how this is done.

In addition, a cookie consent notice helps to establish a trusting relationship between you and your users by providing full transparency. This transparency can strengthen the bond between you and your users and help you generate more leads and conversions.

1.3 What are the requirements relating to cookie consent notices?

Certain countries’ and regions' data privacy and cookie laws require a cookie consent notice. It is also used to comply with data protection laws that require prior consent to collect personal data. Below we will focus on the relevant laws of particular states or regions. 

1.3.1 The requirements in the EU

The EU cookie law comprises the General Data Protection Regulation (GDPR) and the EU ePrivacy Directive, also known as the EU Cookie Directive. In addition, the European Data Protection Board (EDPB) Consent Guidelines and the Planet 49 case have complemented the legal framework.

The ePrivacy Directive requires websites to obtain prior consent before using cookies. Users must also be given clear and comprehensive information about the use of cookies and be offered an option to refuse the cookies easily. This does not prevent websites from placing the so-called “strictly necessary cookies” used solely to carry out or facilitate the transmission of a communication over an electronic communications network or as strictly necessary to provide an information society service explicitly requested by the user.  

The banner must appear on the first page a user lands on, whichever page of your website that is, before any non-essential cookies are set.

The GDPR gives users the right to be informed about the collection and processing of their data. Websites must provide users with information such as what data they gather, how long they retain it, with whom they share it, and so on.

The requirements of the GDPR and the ePrivacy Directive can be satisfied by using a cookie consent notice, such as a cookie banner. It is an easy and practical way of providing the necessary information to users before collecting their data, obtaining their consent, and allowing them to refuse to use cookies. 

The EDPB Consent Guidelines provided clarity on some issues regarding cookies. In particular, the EDPB stated that 1) “cookie walls” are not lawful, and 2) scrolling or browsing cannot be relied on as an indication of consent.

The final primary EU cookie law framework source is the Planet 49 case. The Court of Justice of the European Union (CJEU) rendered a decision that sheds light on some crucial aspects of website cookie usage. According to the judgment of the CJEU:

  • Pre-ticked checkboxes do not constitute valid consent,
  • When consent is required for the placement of cookies under the ePrivacy Directive, the GDPR standard of consent applies (freely given, specific, informed, and unambiguous),
  • Consent cannot be bundled, as bundled consent does not meet the “specificity” requirement under the GDPR; websites must therefore request consent for each cookie usage purpose separately (granular consent),
  • Visitors must be given information that includes, among other matters, the lifespan of the cookies, whether third parties will have access to them, and the categories of third-party recipients, and
  • Whether or not the cookies constitute personal data, Article 5(3) of the ePrivacy Directive (the cookie consent rule) applies to any information stored on or accessed from an individual’s device.

Some of the national Data Protection Authorities (DPA) of the EU Member States have also issued cookie-related guidelines. These cookie guidelines set out clarifications on various aspects of cookie usage by websites that are subject to the jurisdiction of particular DPAs. Compliance with national cookie guidelines is not mandatory but is strongly recommended for those who fall under the territorial scope of the relevant DPA. For example, CNIL Cookie Guidelines are appropriate for organizations established in France.

Based on the sources of the EU cookie law framework described above, to comply with EU cookie laws you must satisfy at least the following minimum requirements, apart from any additional requirements set forth by national DPA cookie guidelines.

  1. Do not place cookies before obtaining consent from your users (“Strictly necessary cookies” are exempt from this rule).
  2. Provide your users with clear and comprehensive information about using cookies on your website. 
  3. Ensure that the consent you obtain satisfies the GDPR consent standards (consent must be freely given, specific, informed, and unambiguous).
  4. Allow your users to refuse the use of cookies easily.
  5. Do not rely on scrolling/browsing as an indication of consent.
  6. Do not use cookie walls. 
  7. Obtain separate consent for different cookie categories. 
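The seven requirements above translate into concrete behaviour in the page's consent logic. The following is an added example (it is not code from the original article or from any consent-management product) of a minimal client-side consent gate that enforces them: nothing but strictly necessary tags loads before an explicit choice, the banner's default state has no pre-ticked boxes, scrolling is ignored, each category is consented to separately, refusing is as easy as accepting, and a timestamped record of the choice is kept as evidence. It is written without DOM dependencies so it can be unit-tested; the category names, the tag objects and the `loadScript` and `now` hooks are this example's own assumptions. In a real page you would wire `loadScript` to a function that appends a `<script>` element and `now` to `Date.now`.

```javascript
// Added example, not part of the original article: a consent gate for the
// EU cookie requirements listed above. Category names and tag objects are
// assumptions made for the example.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // separate consent per category (req. 7)

class ConsentManager {
  constructor({ loadScript, now = () => Date.now() }) {
    this.loadScript = loadScript; // injected: how a third-party tag actually gets loaded
    this.now = now;               // injected clock, so the consent record is reproducible in tests
    this.pending = new Map();     // category -> tags held back until the user consents
    this.record = null;           // stored consent record: your evidence that consent was asked
  }

  // Register a tag. Strictly necessary tags load at once (exempt under req. 1);
  // anything else is held until the user accepts its category.
  register(category, tag) {
    if (category === "strictly_necessary") {
      this.loadScript(tag);
      return;
    }
    if (!OPTIONAL_CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(tag);
  }

  // Initial banner state: every optional category unchecked (no pre-ticked boxes).
  defaultChoices() {
    return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  }

  // Scrolling or continued browsing is not consent (req. 5): nothing is released.
  onScroll() {}

  // Explicit, per-category choice (reqs. 3, 4, 7). Only a literal `true` counts as
  // acceptance; a refusal leaves the tags unloaded while the site keeps working,
  // so there is no cookie wall (req. 6). Returns the stored record.
  submit(choices) {
    const accepted = {};
    for (const c of OPTIONAL_CATEGORIES) accepted[c] = choices[c] === true;
    this.record = { policyVersion: "cookie-policy-v1", timestamp: this.now(), choices: accepted };
    for (const [category, tags] of [...this.pending]) {
      if (!accepted[category]) continue;
      tags.forEach((t) => this.loadScript(t));
      this.pending.delete(category);
    }
    return this.record;
  }

  // "Reject all" must be as easy as "accept all" (req. 4).
  rejectAll() {
    return this.submit({});
  }

  // Withdrawal is recorded like consent. Scripts already loaded cannot be unloaded,
  // so the caller should also expire the cookies that category has set.
  withdraw(category) {
    if (!this.record) return null;
    this.record = {
      ...this.record,
      timestamp: this.now(),
      choices: { ...this.record.choices, [category]: false },
    };
    return this.record;
  }
}

// Stand-alone demonstration with a fake loader; returns the names of the tags
// that were actually loaded. The tags and URLs are constructed for the example.
function demo() {
  const loaded = [];
  const cm = new ConsentManager({ loadScript: (t) => loaded.push(t.name), now: () => 1700000000000 });
  cm.register("strictly_necessary", { name: "session", src: "/session.js" });
  cm.register("analytics", { name: "analytics", src: "https://analytics.example/tag.js" });
  cm.register("marketing", { name: "ads", src: "https://ads.example/pixel.js" });
  cm.onScroll();                  // still only "session" has loaded
  cm.submit({ analytics: true }); // releases analytics only; marketing stays blocked
  return loaded;
}
```

The design point is that the gate, not the individual tags, decides when a script runs: third-party tags are never placed in the page's static HTML, so a missing or refused consent cannot be bypassed by a script that happens to load first. The stored record (policy version, timestamp, per-category choices) is what you would persist server-side or in a first-party cookie to demonstrate, on request, that consent was obtained.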

1.3.2 The requirements of the CCPA 

In the absence of a comprehensive data protection law at the federal level, the main legislative act concerning data protection in California is the California Consumer Privacy Act (CCPA). The CCPA does not expressly require obtaining consent for the use of cookies. The only exception under the CCPA is the requirement to have prior consent from minors before selling their personal information through cookies. If they are between 13 and 16 years old, you must seek consent directly from them. If they are younger than 13, you must seek consent from their parents or guardians.

However, it must be emphasized that the CCPA does not require websites to obtain cookie consent before collecting data from minors but before selling their data. What counts as “selling” under the CCPA is defined as the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.” 

While the definition of “sale” contains an exception for situations where information is shared with a service provider, it is debatable whether the exception applies when the data is shared with behavioral advertising networks. This is because behavioral advertising networks may not meet the three conditions of service provider exception under the CCPA:

  1. Firstly, the transfer of information to the service provider must be necessary for the business. It is debatable how necessary the transfer of personal information to behavioral advertising networks is for companies.
  2. Secondly, notice of the transfer of data to behavioral advertising networks must be provided to users. Due to a lack of legal awareness, some businesses may unknowingly fail to indicate this in their privacy policies.
  3. Thirdly, the agreement with the service provider must prohibit the secondary use of the data. However, these networks may be willing to continue using the data for other purposes.

Given all this, it is not guaranteed that a data transfer to behavioral advertising networks would benefit from the service provider exception.

While prior cookie consent is not expressly required, to mitigate the risk that third-party behavioral advertising could be considered a “sale” under the CCPA, you are encouraged to obtain prior cookie consent from your users before placing third-party behavioral advertising cookies.

Other than the CCPA, another essential law relating to consumer privacy in California is the California Privacy Rights Act (CPRA), also called “CCPA 2.0”. The CPRA was adopted in 2020, took effect on 1 January 2023, and becomes fully enforceable on 1 July 2023 with a lookback period from 1 January 2022. Even though the CPRA updates the CCPA in many aspects, its requirements regarding cookie consent remain the same as those of the CCPA.

1.3.3 The requirements in Canada

Cookies are regulated under various laws in Canada, including the Anti-Spam Legislation (CASL) and PIPEDA. Cookie consent is mainly regulated under CASL.

CASL regulates, among other things, the installation of computer programs (which include cookies) on users’ devices. The main rule is to obtain express consent before placing any computer program on a user’s device: a website is prohibited from automatically installing a computer program (or updating an existing program) on a user’s device without it. However, for certain computer programs, including cookies, you are deemed to have express consent without asking for it, which means you do not have to request prior consent before deploying cookies on users’ browsers. If you want to rely on this exception, be aware that you are only considered to have consent for as long as the user’s conduct indicates that they consent. For example, if a user disables JavaScript or cookies in their browser, you can no longer be considered to have their consent to deploy cookies.

According to the CASL, if you want to rely on a prior consent exception, the main point is that the user’s conduct must be such that it is reasonable to believe that they consent to the installation of the cookies. As you can see, this exception may not always apply, and you may be acting in breach of CASL. That is why it may be wiser to have a cookie banner to collect prior cookie consent to ensure you don’t have to consider whether the exception applies to you. 

When you request express prior consent to install a computer program, including cookies, you must set out the following:

  1. The reason you are seeking consent;
  2. Who is seeking consent (e.g., the name of the company; or, if consent is sought on behalf of another person, that person’s name);
  3. If consent is sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is being sought;
  4. The mailing address and one other piece of contact information (e.g., telephone number, email address, or web address);
  5. A statement indicating that the person whose consent is sought can withdraw their consent; and
  6. A description in general terms of the functions and purpose of the computer program to be installed.

It is also essential to be aware that you have the burden of proof of consent collection. This means that you must keep records of consent to prove compliance with CASL.

Another critical issue is that if a person withdraws their consent, you can no longer rely on that consent for future updates installed in the background.

1.3.4 The requirements in other privacy laws

Other data protection and privacy laws are also relevant for cookie consent requirements. 

LGPD: Cookies are not explicitly addressed by the LGPD. However, since most cookies collect personal data, cookie deployment is subject to prior consent. Consent is considered valid under the LGPD if it is:

  • Freely given
  • Informed, specific, and unambiguous
  • Given in writing or by another means that demonstrates the data subject’s intent
  • Easily withdrawn

These conditions can be met by implementing a cookie banner on your website. 


Thai PDPA: Under the Thai PDPA, you must ask for consent before collecting personal data. This also applies to cookies. Before cookies are placed on users’ browsers, you must ask for consent. Besides, when you request consent, it must be done in an easily understandable manner, which is non-deceptive and differs from other content on your website.


2. Privacy Policy Compliance

One of the most indispensable elements of website compliance is privacy policy compliance. Today, most data protection laws require you, either directly or indirectly, to have a privacy policy on your website.

2.1. What is a privacy policy?

A privacy policy is a legal document that discloses how you handle personal data - how you collect, process, store, and delete it. It is a legal requirement under many data protection laws around the world. Apart from being a legal requirement, it is also a tool that helps your business to cultivate trust with the people who visit your website. Essentially, it makes your potential clients aware of the exact kind of personal information you collect about them and what you intend to use it for. A privacy policy is called a Privacy Statement or a Privacy Notice under different data protection or privacy laws. 

2.2. Do I need a privacy policy?

You need a privacy policy for two main reasons. Firstly, it is a legal requirement under some national, state, or regional data protection laws. These laws control how you engage with your website visitors and require you to provide your users with specific information about collecting, processing, and storing personal data.

A privacy policy is required either as part of a transparency obligation (e.g., the GDPR) or as a direct legal requirement under some laws (e.g., CalOPPA).

Secondly, your website requires a privacy policy because it is critical to establishing trust with site visitors. Clients gain confidence in your website as a secure and reliable platform to play, share, and buy when you make it obvious what information you collect from them and how you intend to utilize it.

2.3. Legal requirements concerning privacy policy

Legal requirements for a privacy policy differ by country. Some laws explicitly require website operators to post a privacy policy on their websites, while others do not expressly require one. This does not mean that you should go without one if the laws that bind you do not oblige you to publish a privacy policy. A privacy policy is still needed for two reasons. Firstly, you are bound by a transparency requirement under many data protection laws (e.g., the GDPR), which you can fulfill by having a privacy policy. Secondly, your users will expect a privacy policy that tells them how you collect and process their data.

2.3.1 The requirements under the GDPR

The GDPR does not directly require businesses to have a privacy policy. However, it requires companies to be transparent about their data processing principles and practices, and a privacy policy is the easiest way to comply with the transparency requirement.

GDPR sets out certain information that you have to provide to your users. This means you must ensure that your privacy policy provides all the information required under the GDPR to meet transparency obligations. Accordingly, a GDPR-compliant privacy policy should contain the following elements:

  • Your identity and contact details
  • The categories of personal data you process
  • How you collect and process personal data
  • Why you process the data (the purposes) and the legal basis for each purpose
  • How long you retain the data, or the criteria used to determine the retention period
  • Details on international data transfers, if any
  • With whom you share the data
  • Data subject rights, including the right to lodge a complaint with a supervisory authority
  • How to exercise data subject rights
  • Contact details of the Data Protection Officer, if any

This is just the necessary minimum of information that the GDPR requires you to provide. You can add more if you want.

2.3.2 The requirements under the CCPA

In California, two primary laws govern the collection and processing of personal data - the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). 

A privacy policy is explicitly required by CalOPPA and indirectly by the CCPA. If the CCPA applies to your business, then CalOPPA certainly applies as well.

When you combine the requirements from both laws, you’ll understand that your privacy policy should be written in plain, easily understandable language and contain at least the following:

  • What kinds of personal information you collect and process
  • Why you collect and process that information
  • How you collect and process that information
  • How users can request access to, correction of, transfer of, or deletion of their data
  • The method for verifying the identity of the person who submits a request
  • Whether you sell users’ data and how they can opt out of the sale of their data
  • Information on financial incentives offered in exchange for personal information

2.3.3 The Requirements in Canada

In Canada, the federal law governing the collection and processing of personal information is the Personal Information Protection and Electronic Documents Act (PIPEDA). Like the GDPR, PIPEDA does not directly oblige businesses to have a privacy policy. Still, businesses must be transparent about their data collection and processing practices. This requirement is set out under the “principle of openness,” which requires organizations to be open about their policies and practices concerning the management of personal information. Users must be able to obtain information about a website’s policies and practices without unreasonable effort and in understandable language.

The minimum information to be provided to users must contain the following:

(a) the name or title and the address of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded; 

(b) the means of gaining access to personal information held by the organization; 

(c) a description of the type of personal information held by the organization, including a general account of its use; 

(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and 

(e) what personal information is made available to related organizations (e.g., subsidiaries).

PIPEDA states that how you communicate this information to your users depends on the nature of your business and other factors. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number. Providing online access means having a privacy policy (a document outlining the data management policies and practices).

2.3.4 The requirements in other privacy laws

Other significant laws in other countries are relevant to privacy policy requirements.

LGPD: Just like the GDPR, the Brazilian General Data Protection Regulation (LGPD) does not directly require businesses to have a privacy policy. However, there is an obligation to give the data subjects clear, precise, and easily accessible information about the processing of personal data. This is known as the transparency principle. Other than this, there is also the principle of free access. This principle means that data subjects have the right to free and facilitated access to the form and duration of the processing of their data and the integrity of their data. To comply with the principles of transparency and free access, you should have a privacy policy setting out the information required under the LGPD. 

Swiss FADP: There is no specific legal requirement under the Swiss Federal Act on Data Protection (Swiss FADP) to post a privacy policy on a website. However, under the principles of purpose limitation and recognisability in the Swiss FADP, organizations must tell data subjects how they plan to use personal data where the data subjects cannot recognize such purposes from the circumstances of collection. Besides, when collecting sensitive data, websites must provide data subjects with specific information.

Nevertheless, despite the fact that there is no specific legal requirement for organizations to post a privacy policy, the Swiss Federal Data Protection and Information Commissioner (Swiss FDPIC) recommends that every organization offering products and services online should follow transparent data processing practices, including by posting a data privacy notice (privacy policy) on their website.

2.3.5 Cookie Policy

Apart from a privacy policy, website owners must also consider having a cookie policy. A cookie policy is a document that informs website visitors about how you engage in data collection using cookies and other similar tracking technologies on your site. 

Most of the time, a cookie policy is a separate document from a privacy policy. However, some websites prefer combining cookies and privacy policies into one document. 

3. Terms and Conditions

Websites should have legal documents setting out how their users can interact with them and what rights and obligations exist between websites and their users. Typically, two types of legal documents serve this purpose: Website Terms of Use, and Terms of Service (also referred to as Terms and Conditions or a User Agreement).

3.1. What are the Terms of Service?

This document is the legally binding agreement between a website and the clients who interact with it. Typically, it covers what the service or product is, the conditions under which the user buys it, shipping and return policies, disclaimers of liability, and the website’s copyright safeguards. Sometimes this document is also called a User Agreement or Terms and Conditions. Other names may be used for the same document, but the rationale remains the same.

This document is an essential part of your website since it helps avoid misunderstanding what your business is selling and the terms on which you are selling it. By having Terms of Service, you can ensure that there is no ambiguity, and your clients will understand their duties and rights in their relations with you and act accordingly. Also, you can feel at ease knowing that the terms of service of your website provide clarity about what should happen in any given situation.

3.2. What are the Website Terms of Use?

Website Terms of Use is a legal agreement that sets out the rules for how a visitor may interact with the website. It is a separate document from the Terms of Service (Terms and Conditions), which focus on what you sell (goods or services).

Website Terms of Use outlines the necessary regulations on how your website may be used. You set up rules for visitors using your business’s website. Simply put, this component explains to your visitors what they can and cannot do on your website, their rights, and prohibitions when browsing it.

It is not a legal requirement to have Website Terms of Use, but it is crucial to have this component, as it creates legal protection for your website and your company. Additionally, Website Terms of Use are essential to protecting your intellectual property, including your trademarks and the content you upload.

Terms and Conditions and Terms of Use can form one document, but sometimes it is more practical to divide them into two documents: one for all visitors of the website and one for those who buy something from your business.

4. TLS Compliance

Web application security is one of the essential topics for website owners. Part of it is ensuring that communication between users’ browsers and your web server is secure. The technology that achieves this is SSL/TLS (the difference between the two is described below). This standard technology ensures that communication between two systems (e.g., an e-commerce website and a browser) is safeguarded against dangers such as theft of sensitive personal data and credit card information.

SSL/TLS prevents an attacker on the network path from reading or tampering with data sent over the connection, because the data in transit is encrypted and integrity-protected. It replaces plaintext transfer between the browser and the server, which is unencrypted and therefore exposed to interception. SSL/TLS is therefore a must whenever sensitive information such as usernames and passwords or payment details is being transferred, and in practice every page should be served over HTTPS.

4.1. What is the difference between SSL and TLS?

SSL stands for Secure Sockets Layer, whereas TLS means Transport Layer Security. The two names refer to the same family of protocols; TLS is the updated and more secure successor of SSL. All SSL versions are deprecated and no longer in use, and TLS 1.0 and 1.1 have been deprecated as well (RFC 8996), so a current deployment should offer TLS 1.2 and TLS 1.3. However, because the technology became well known under the name SSL, it is still commonly referred to as SSL/TLS.

4.2. Why do you need TLS protocol compliance?

There are three main reasons why you should use SSL/TLS for your website:

  • Authentication: an SSL/TLS certificate issued by a certificate authority (CA) that browsers trust allows you to prove to your users that your server is the one it claims to be. Without such a certificate, another server could impersonate yours and capture whatever information people send to it. With SSL/TLS, your users’ browsers verify the identity of your server before sending any data.
  • Ensuring trust: When people visit websites and transmit sensitive information, such as payment information, they want to ensure that your website is secure and not prone to cyber theft. Having an SSL/TLS certificate can create a sense of trust between you and your users. It is a visible way of showing your users that they can trust you, and it’s much more effective than anything you say about yourself.
  • Compliance: Certain sectoral standards may require you to maintain a certain level of security. Using an SSL/TLS certificate is an integral part of the security measures you must follow. Examples include PCI-DSS, HIPAA, and NIST Guidelines.

4.3. What are the industry standards requiring TLS compliance?

Several organizations, including the National Institute of Standards and Technology (NIST), have issued guidelines requiring TLS compliance as part of network security requirements. The following instruments are the most widely adopted. 

  1. NIST’s Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52 Rev. 2)
  2. The Payment Card Industry Data Security Standard (PCI-DSS)

4.3.1 NIST standards

The National Institute of Standards and Technology (NIST) is an agency of the US Department of Commerce. It issues guidelines that help organizations meet regulatory compliance requirements. NIST first published the Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (SP 800-52) in 2005; the current version, Revision 2, was published in August 2019 and provides guidance for selecting and configuring TLS protocol implementations. NIST SP 800-52 Rev. 2 requires all government TLS servers and clients to support TLS 1.2 configured with FIPS-based cipher suites, prohibits SSL 2.0 and SSL 3.0, and requires agencies to develop migration plans so that TLS 1.3 is supported by 1 January 2024.

4.3.2 PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that organizations that handle credit card information (e.g., e-commerce websites) maintain a secure environment. PCI DSS Requirement 4 obliges such organizations to protect cardholder data with strong cryptography when it is transmitted over open, public networks, which in practice means serving payment pages over TLS. Since the PCI Security Standards Council’s 30 June 2018 migration deadline, SSL and early TLS (TLS 1.0) no longer count as strong cryptography, so a compliant website must use at least TLS 1.1, with TLS 1.2 or later strongly encouraged.
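The NIST SP 800-52 Rev. 2 and PCI DSS points above reduce to a small, checkable baseline: no SSL, no TLS 1.0/1.1, TLS 1.2 required, TLS 1.3 enabled, and only strong cipher suites. The following is an added example (not code from the original article, NIST, or the PCI SSC) that encodes that baseline and audits a server's settings against it. Protocol names are the strings that Node's `tls` module and nginx's `ssl_protocols` directive use; the "legacy" configuration is constructed for the example, and the cipher policy it applies (forward-secret AEAD suites only) is this example's assumption and is stricter than the SP 800-52 Rev. 2 minimum, which also permits some non-AEAD suites.

```javascript
// Added example, not part of the original article: audit TLS settings against
// the SP 800-52 Rev. 2 / PCI DSS baseline described above.

const PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"];
// SSL 2.0/3.0 (RFC 6176, RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated.
const DEPRECATED_PROTOCOLS = new Set(["SSLv2", "SSLv3", "TLSv1", "TLSv1.1"]);

// Policy (this example's assumption): accept TLS 1.3 suites, which are all AEAD
// and forward secret, and for TLS 1.2 only ECDHE key exchange with AES-GCM or
// ChaCha20-Poly1305. Handles both OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256)
// and IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
function cipherIsAcceptable(name) {
  const n = name.toUpperCase();
  const isTls13Suite = n.startsWith("TLS_") && !n.includes("_WITH_");
  if (isTls13Suite) return true;
  const forwardSecret = n.includes("ECDHE");
  const aead = n.includes("GCM") || n.includes("CHACHA20");
  return forwardSecret && aead;
}

// Audit a configuration given as enabled protocol names and cipher names.
// Returns a list of human-readable findings; an empty list means compliant.
function auditTlsConfig({ protocols, ciphers }) {
  const findings = [];
  for (const p of protocols) {
    if (DEPRECATED_PROTOCOLS.has(p)) findings.push(`${p}: deprecated protocol enabled; disable it`);
  }
  if (!protocols.includes("TLSv1.2")) findings.push("TLSv1.2 not enabled (required by SP 800-52 Rev. 2)");
  if (!protocols.includes("TLSv1.3")) findings.push("TLSv1.3 not enabled (SP 800-52 Rev. 2 migration target, 1 January 2024)");
  for (const c of ciphers) {
    if (!cipherIsAcceptable(c)) findings.push(`${c}: not a forward-secret AEAD cipher suite`);
  }
  return findings;
}

// Expand Node-style minVersion/maxVersion options into the enabled protocol list.
function configFromNodeOptions({ minVersion, maxVersion = "TLSv1.3", ciphers }) {
  const lo = PROTOCOL_ORDER.indexOf(minVersion);
  const hi = PROTOCOL_ORDER.indexOf(maxVersion);
  if (lo < 0 || hi < 0 || lo > hi) throw new Error("invalid minVersion/maxVersion");
  return { protocols: PROTOCOL_ORDER.slice(lo, hi + 1), ciphers: ciphers.split(":") };
}

// Constructed "before" state: legacy settings of the kind an audit turns up.
const LEGACY_CONFIG = {
  protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"],
  ciphers: ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
};

// Hardened "after" state, expressed with the option names that Node's
// https.createServer / tls.createSecureContext accept.
const HARDENED_TLS_OPTIONS = {
  minVersion: "TLSv1.2",
  maxVersion: "TLSv1.3",
  honorCipherOrder: true, // the server, not the client, picks from this list in order
  ciphers: [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
  ].join(":"),
};

function auditHardened() {
  return auditTlsConfig(configFromNodeOptions(HARDENED_TLS_OPTIONS));
}
```

Running `auditTlsConfig(LEGACY_CONFIG)` reports the two deprecated protocols, the missing TLS 1.3, and the two non-AEAD suites; `auditHardened()` returns no findings. The same checks apply to any server: for nginx the corresponding directives are `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_ciphers` with the list above. Note that this audits the configuration as written, not what the server actually negotiates; confirm the deployed behaviour with a handshake scan against the live host as well, since library defaults and system crypto policies can differ from the configured values.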

5. Website Accessibility Compliance

Another essential element of website compliance is meeting the website accessibility requirements. This is especially important as most services, programs, and activities are offered online. 

5.1. What is website accessibility?

Website accessibility ensures that people with disabilities have equal access to websites without any barriers that prevent interaction with websites.

This includes measures for people with visual, hearing, motor, and cognitive impairments. The requirements include adapting the web design and content to the way these users consume it, for example through assistive technologies such as screen readers and keyboard-only navigation.

There are international, regional, and local laws, as well as international standards which set out requirements for the accessibility of websites by people with disabilities. Examples include the UN Convention on the Rights of Persons with Disabilities, the Americans with Disabilities Act (ADA), The Rehabilitation Act of 1973, the EU Website Accessibility Directive, the European Accessibility Act, and the Web Content Accessibility Guidelines (WCAG 2.1).

The ADA is the world’s best-known accessibility law. Many tools exist to help test and fix ADA website compliance, but automated checkers catch only part of the WCAG criteria, so manual review with assistive technology remains necessary.

5.2. Why do you need web accessibility?

Website accessibility standards are becoming increasingly important as more services, programs, and public or commercial activities are offered on the web. You need to be cautious about web accessibility and consider compliance with it for at least three main reasons. 

1) it will help you to improve the lives of people with disabilities;

2) you can achieve a greater audience or consumer base, and

3) you will ensure you are not getting sued due to a breach of laws.

Basically, there are two main reasons why you need to address your website accessibility issues: it will create a better user experience for impaired persons, and it will make your website compliant with the accessibility requirements.

5.3 What are the legal requirements relating to website accessibility?

Legal requirements relating to website accessibility depend on the relevant law. There are international, regional, and national legal instruments in this field. Below we outline the significant laws in this field and their basic requirements. 

5.3.1 UN Convention on the Rights of Persons with Disabilities 

The United Nations Convention on the Rights of Persons with Disabilities (UNCRPD) was adopted on 13 December 2006 and entered into force on 3 May 2008. The purpose of the UNCRPD is to promote and protect the full and equal enjoyment of all human rights and fundamental freedoms by all persons with disabilities. 

Article 9 of the Convention concerns accessibility, which also covers web accessibility. It requires States Parties to take appropriate measures to ensure that persons with disabilities have access, on an equal basis with others, to information and communication technologies, including the Internet.

5.3.2 USA ADA Act - How to Get an ADA-Compliant Website?

The Americans with Disabilities Act (ADA) is a US law that prohibits discrimination based on disability. It was enacted in 1990 to end discrimination against those with disabilities. The ADA was not originally about online compliance; it was adopted to make life easier for people with disabilities in public facilities. For a long time, it was debatable whether the ADA applied to commercial websites as well. Even though the law does not explicitly cover commercial websites, the requirement that “places of public accommodation” must provide equal access to people with disabilities has been interpreted by some courts to extend the law to commercial websites, although other courts have decided otherwise.

The US Department of Justice has interpreted the ADA as covering websites as well. First, Title II of the ADA prohibits discrimination against people with disabilities by state and local governments. State and local governments must ensure that their communications with people with disabilities are as effective as their communications with others. A website that does not provide equal access to those with disabilities limits their ability to use the services offered by state and local governments on equal terms. Therefore, the US Department of Justice considers that the ADA applies to services and programs of state and local governments that are offered through websites.

Secondly, Title III of the ADA forbids discrimination against people with disabilities by businesses open to the public (also called “places of public accommodation”). According to the US Department of Justice, many commercial websites are likely to fall within the scope of “places of public accommodation” and thus require ADA compliance.

5.3.3 EU Website Accessibility Laws

In the European Union, two laws address website accessibility: the Website Accessibility Directive and the European Accessibility Act.

The Website Accessibility Directive is an EU initiative adopted in 2016 to ensure that websites and mobile applications are equally accessible to persons with disabilities in the EU. The Directive applies to public sector bodies only.

The Directive requires, among other things, the publication of an accessibility statement for websites and mobile applications, calls for a feedback mechanism for users to flag accessibility problems, and expects regular accessibility monitoring by EU Member States. 

The Directive was complemented by the European Accessibility Act of 2019, which extends the applicability of accessibility rules to private sector organizations, except for microenterprises (those with fewer than ten employees or an annual turnover of less than 2 million EUR). The requirements of the Act must be implemented by the Member States by 2025.

5.3.4 WCAG 

The Web Content Accessibility Guidelines (WCAG) are a series of guidelines developed by the World Wide Web Consortium (W3C). The guidelines set out how to make web content more accessible, especially for people with disabilities. While they are not binding by themselves, they have been referenced in significant laws and court cases worldwide, including those concerning the ADA.

The first version of the WCAG (1.0) was released in 1999 and consisted of 14 principles. WCAG 2.0 was released in 2008 and consists of 12 guidelines organized under four principles (web content must be perceivable, operable, understandable, and robust), each guideline having testable success criteria. The latest version of these guidelines, WCAG 3.0, was released in December 2021.

Impressum

An Impressum is a legal requirement in certain countries (especially German-speaking countries such as Germany, Austria, and Switzerland) for businesses with an online presence. It is also referred to as an “Imprint.” An Impressum is a basic legal notice to website visitors that identifies the website or business owner and provides the company’s basic information.

An Impressum is required for commercial websites and business social media pages. It is not required for personal, non-commercial websites that do not generate income.

Impressum generally includes the following information:

  • Name of the owner or manager of the website
  • Registered business address
  • Contact information (e.g., phone number, email address)
  • Official incorporation information (e.g., the official name and registration number of the company)

What to include in an Impressum depends on the applicable law. So, you must check whether your country requires your website to have an Impressum or a similar notice, and what information you need to post on your website. If you are operating a commercial website in a German-speaking country, it is likely that you must comply with the Impressum requirements.

Similar legal requirements exist in other countries, even though they are not necessarily called Impressum/Imprint. For example, French law requires all professional websites (regardless of whether they sell online or not) to publish certain information on their sites. This ensures that users can contact the site operator and that their rights with respect to the site owner are always protected.

This is generally referred to as “Legal Mentions” (Mentions Légales in French) and requires the following information to be made public on the website:

  • Information about the entrepreneur (full name and domicile) or the official registered name of the company
  • Contact details of the company (or entrepreneur)
  • Registration number and VAT number (where applicable)
  • Information about the web hosting provider (name, contact details)
  • CNIL declaration number (where available)
  • For a regulated profession, reference to the applicable professional rules and the professional title
  • General terms of sale, if the site is a merchant site
  • Information about cookies

If a website does not provide the required information, there can be high monetary penalties, such as €75 000 for individuals and €375 000 for legal persons. In addition, individuals may face imprisonment for up to one year.


Website compliance is an essential matter for website owners. Many website owners take business website compliance for granted and do not appreciate how severe the consequences can be. Without legal compliance, any website risks very high fines. To be safe, you should check the requirements mentioned in this article, make sure you understand them, and take appropriate steps to bring your website into compliance. Website legal compliance will save you from paying high fines and will ensure your brand identity is not damaged by violations of legal requirements.
