Are you launching a new website? Whether it's a simple blog, an ecommerce store, or a community message board, you must consider your legal position.

From privacy to consumer protection to copyright, there are many ways in which the law can affect website operators.

This legal landscape might not be as daunting as you think. We're going to talk you through the key legal issues you should consider and the practical compliance steps you might need to take.



About Your Website

We're going to look at four areas of law that are particularly important for website operators:

  • Privacy law
  • Consumer protection law
  • Copyright law
  • Defamation law

All websites are affected by different laws in different ways. Two main factors determine which laws will affect your website:

  • The purpose of your website. If you're running an ecommerce website, you're more likely to be affected by consumer protection law. If you're using cookies to track your users, privacy law is a critical consideration.
  • The location of your users. Because many websites have users worldwide, you may need to consider the laws of multiple jurisdictions.

Privacy Law

Privacy law is a crucial consideration for every website.

If your users are located across several legal jurisdictions, you'll have to comply with several privacy laws. Here's a list of some important privacy laws around the world:

  • United States: California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) as amended by the CPRA
  • European Union and European Economic Area: General Data Protection Regulation (GDPR)
  • United Kingdom: GDPR and Data Protection Act 2018 (DPA 2018)
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia: Privacy Act 1988
  • South Africa: Personal Information Protection Act (POPI Act)
  • Brazil: Lei Geral de Proteção de Dados (LGPD)

All of these laws have different requirements and standards. It's important to familiarize yourself with the laws affecting your website.

Minimizing Data Collection

When it comes to privacy, a good rule is to minimize the amount of data you're collecting. This reduces your overall compliance burden and the chances of experiencing a damaging data breach.

Here are some ways you can minimize the amount of data your website collects:

  • If you're using analytics tools, such as Google Analytics, ensure you don't log information such as IP address, browser type, or other technical data unless you need it.
  • If you need to log analytics data, take steps to de-identify it, such as by removing the last digits of an IP address.
  • When collecting data via web forms, e.g. for mailing lists, customer service inquiries, or sales, consider what data you actually need to carry out the transaction. Don't collect any other data.
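The IP de-identification step from the list above can be applied to server access logs before they are stored. The following is an added example, not part of the original article; the function names and the choice to keep 24 bits of IPv4 and 48 bits of IPv6 are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed policy for this example: keep the first 24 bits of an IPv4 address
# and the first 48 bits of an IPv6 address, zeroing everything after that.
KEEP_BITS = {4: 24, 6: 48}


def deidentify_ip(raw: str) -> str:
    """Return the address with its trailing bits zeroed, or "-" if unparseable."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "-"  # never pass an unrecognised value through to storage
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) carries a complete IPv4
    # address in its low bits, so convert it to IPv4 before truncating.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = KEEP_BITS[addr.version]
    mask = ((1 << keep) - 1) << (addr.max_prefixlen - keep)
    return str(type(addr)(int(addr) & mask))


# In Common Log Format the first whitespace-delimited field is the client.
_CLIENT_FIELD = re.compile(r"^(\S+)")


def scrub_log_line(line: str) -> str:
    """Replace the leading client address of one access-log line."""
    return _CLIENT_FIELD.sub(lambda m: deidentify_ip(m.group(1)), line, count=1)


# Constructed sample lines using documentation address ranges, not real visitors.
SAMPLE_LOG = [
    '203.0.113.87 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2023:13:55:40 +0000] "GET /shop HTTP/1.1" 200 2048',
    '::ffff:198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /contact HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_log_line(entry))
```

Truncated addresses can still count as personal information when combined with other fields such as timestamps and user agents, so truncation complements rather than replaces the other minimization steps.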

Many websites use cookies to track users' activity. Cookies can be useful for advertising and analytics, but they can intrude on your users' privacy. Depending on where your users are based, you may need to obtain their consent for using certain types of cookies.

If you have users in the U.S., you may need to comply with the CCPA (CPRA). If so, you may be required to let users opt out of certain tracking cookies. This means setting up a "Do Not Sell My Personal Information" page.

Here's how Pearson displays its "Do Not Sell My Personal Information" link:

Pearson website with Do Not Sell My Personal Information page link highlighted

For more information, see our article CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?

In the UK and the EU, you must obtain opt-in consent for any cookies that are not necessary to either make your website function correctly or provide a service requested by the user. All advertising and analytics cookies require consent in the UK and the EU.

You can obtain cookie consent via a consent solution, such as a cookie banner. Here's an example from the BBC:

BBC Cookie Consent banner: Full screenshot

Some other jurisdictions also require you to get consent for cookies or to allow users the opportunity to opt out of cookies. For more information, see our article: Cookie Consent Outside of the EU.


Cookies Policy

In addition to allowing users to opt into or out of cookies, you also need to provide comprehensive information about how and why your website uses cookies. You can do this by creating a Cookies Policy.

Your Cookies Policy should explain:

  • What cookies do
  • Why you use cookies
  • What types of cookies you use
  • How long cookies will remain on a user's device
  • How to opt out of certain cookies

To give you an idea of how a Cookies Policy can look, here's the introduction to Shelter's Cookies Policy:

Shelter Cookies Policy: Intro section

For more information, see our article How to Write a Cookies Policy or use our Cookies Policy Generator to create your own.

Creating a Privacy Policy

Almost every website needs a Privacy Policy. This document provides your users with a comprehensive overview of how you collect, use, and share personal information. It can integrate your Cookies Policy, if you have one.

The contents of your Privacy Policy will vary according to where your users are based.

Here are the minimum requirements for a Privacy Policy in most jurisdictions:

  • Your contact details
  • The types of personal information you collect (e.g., names, email addresses, IP address)
  • The types of any third parties with whom you share personal information (e.g., marketing companies, vendors, cookie providers)
  • Information about your use of cookies (and a link to your Cookies Policy, if you have one)
  • Information about any relevant consumer privacy rights (e.g. GDPR data subject rights, PIPEDA access rights, CCPA/CPRA consumer rights)

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.


Data Security

Practically every legal jurisdiction now has cybersecurity or data breach notification laws. Such laws require businesses to keep personal information safe and notify the authorities in the event of a security incident.

You need to keep hackers out of your system and keep your users' personal information secure. Even lists of email addresses associated with a particular brand can be valuable to hackers, who can use this information in targeted phishing campaigns.

Here are simple ways to improve the security of your website and the personal information you collect:

  • Keep your passwords strong and change them regularly.
  • Keep platform software and website scripts up-to-date. Hackers are constantly seeking zero-day vulnerabilities they can exploit to gain access to websites.
  • Conduct due diligence whenever installing third-party software or working with new service providers.
  • Use SSL/TLS encryption wherever possible, for example to secure account login pages.
  • Encrypt or pseudonymize any personal information you store.

For more information, see our article: Protecting Personal Data in Your Business.

Consumer Protection Law

Consumer protection law, and contract law more generally, are most relevant to ecommerce websites. But even if you don't sell goods or services through your website, you should still consider whether you need to comply with certain aspects of consumer protection law.

Creating Terms and Conditions

Most websites, particularly those which allow users to create an account or make purchases, display a Terms and Conditions, Terms of Service, or Terms of Use agreement (these terms are often used interchangeably).

Creating a Terms and Conditions agreement sets clear rules regarding the use of your website and can provide some legal protection for your business.

Our Terms and Conditions Generator makes it easy to create a Terms and Conditions agreement for your business. Just follow these steps:

  1. At Step 1, select the Website option or the App option or both.

    TermsFeed Terms and Conditions Generator: Create Terms and Conditions - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Terms and Conditions Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Terms and Conditions Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the T&C delivered and click "Generate."

    TermsFeed Terms and Conditions Generator: Enter your email address - Step 4

    You'll be able to instantly access and download the Terms & Conditions agreement.

Here are some clauses typically contained in website Terms and Conditions agreements:

  • Any restrictions on the use of your website: Can people in any country access your services? Is your website intended for children?
  • Your policy on user accounts, including the conditions under which you can restrict, suspend, or remove a person's account.
  • Information about billing and payments.
  • Any relevant disclaimers (which we'll discuss below).
  • A "limitation of liability" clause, which limits the amount you will pay in damages if your website or services cause harm to your users.
  • An "indemnity" clause, which requires users to pay damages covering any harm they cause to your business.
  • A "governing jurisdiction" clause, which sets the national law through which your terms should be interpreted, and establishes which country's courts will deal with any legal disputes.

Wherever possible, you should ensure your users read and accept your Terms and Conditions (for example, before creating an account). You should also ensure you provide a conspicuous link to your Terms and Conditions on your home page.

For more information, see our article: How to Write Terms and Conditions.

Disclaimers

Website disclaimers aim to limit your liability for any harms caused by your website. There are several types of website disclaimers.

Some disclaimers seek to limit your association with any third-party articles or comments on your site.

Here's an example from PBC Foundation:

PBC Foundation Privacy Policy: Legal Disclaimer with views expressed highlighted

Disclaimers can also seek to limit liability for factual errors or omissions present on a website.

Here's an example from VSO:

VSO Privacy Policy: Disclaimer with omissions and errors highlighted

For more information, see our Disclaimer Examples article and use our Disclaimer Generator to create your own disclaimers.

Returns and Refunds

If you sell goods or services through your website, you must ensure you have a Returns and Refunds Policy that aligns with the consumer protection law in the markets in which you operate.

You can set your own Returns and Refunds Policy, but it must be at least as generous as the legal minimum standard. It's important to learn the rules that exist wherever your customers are based.

In the U.S., legal requirements for returns and refunds vary across states. In many states, businesses are required to honor any Returns and Refunds Policy they have in place, but there are no specific requirements as to what the policy must say.

Here are the rules in some other major markets:

  • European Union: The Consumer Sales and Guarantees Directive means that all new products purchased in the EU carry a minimum two-year warranty. The Consumer Rights Directive allows customers who have bought products online (or via mail or phone) 14 days to return them for a full refund.
  • United Kingdom: The Consumer Rights Act 2015 imposes similar rules to those protecting consumers in the EU.
  • Canada: Provincial laws govern consumer rights, such as British Columbia's Sale of Goods Act and Quebec's Consumer Protection Act.
  • Australia: Most household goods carry an implied warranty that they are of satisfactory quality and fit for purpose. Businesses cannot operate a "no refunds" policy.

See our Return and Refund Policy Generator for more information.

If you use affiliate links to generate income on your website, you must be clear and transparent about this.

When managing your website's use of affiliate links, a good starting point is the guidance provided by the U.S. Federal Trade Commission (FTC), which sets out some rules on making appropriate disclosures.

Here are the basic rules provided by the FTC. Many jurisdictions outside of the U.S. have similar rules:

  • Every page that contains an affiliate link must present a disclosure
  • Disclosures must be unambiguous, clear, and conspicuous
  • Disclosures must be made "above the fold" (i.e. visible on a web page without the need to scroll down)
  • Disclosures must not be buried in a block of text

Here's PCMag's affiliate disclosure, which appears on every page on the PCMag website containing affiliate links:

PCMag affiliate disclaimer

Copyright Law

Website owners can end up in legal trouble for reproducing copyrighted content without permission. In most cases, this is easy to avoid.

You automatically own the copyright to content you create and display on your website, but there are some benefits to registering your copyright.

Third-Party Content

You must ensure you have any necessary licenses for third-party content you display on your website. Just because something is freely available online, this doesn't necessarily mean you can reproduce it on your site.

If you don't want to pay for content or create your own, you can obtain free-to-use images from online resource libraries like Unsplash.

Takedown Requests

In the U.S., the Digital Millennium Copyright Act (DMCA) requires websites to take down content that allegedly infringes copyright.

If an individual believes that your website is hosting their copyrighted content, they can request that you take it down. If you do so in an "expeditious" (reasonably quick) manner, then you can avoid being prosecuted for copyright infringement.

Note that the DMCA covers user-generated content hosted on your website.

You should create a system for facilitating DMCA takedown requests and explain to users how they can make a DMCA takedown request.

Here's how GitHub does this:

GitHub Copyright claims DMCA page with submit a takedown and counter notice highlighted

You should also consider adding a DMCA clause to your Terms and Conditions.

In the EU, online copyright law is mainly covered by the eCommerce Directive. You can comply with takedown requests to minimize your risk of legal issues, but you can also ask the supposed copyright owner to substantiate their request. Similar rules apply in the UK.

If you run a content-sharing platform that operates in the EU, you must comply with Article 17 of the Copyright Directive.

Defamation Law

To avoid issues with defamation law, you should, of course, avoid making any defamatory statements on your website. But what if you allow users to share user-generated content?

User-generated content can include:

  • Comments beneath blog posts
  • Posts on a forum or message board
  • Articles or blog posts created by users
  • User reviews
  • User-contributed media

Websites aren't like traditional news media. The law generally views websites as "intermediaries" when they host content created by third parties. This means that website owners are usually protected from defamation claims, to some extent.

However, when it comes to user-generated content, you should always proceed with caution. To minimize risk, many websites choose not to allow user-generated content at all.

Here are some of the laws covering intermediary liability that you should be aware of:

  • In the U.S., Section 230 of the Communications Decency Act protects website operators from defamation suits arising from content posted by third parties, providing certain conditions are met. At the time of writing, U.S. legislators are considering a repeal of Section 230.
  • In the UK, Section 5 of the Defamation Act 2013 protects website operators from defamation claims relating to user-generated content, but only if the user can be identified.
  • Across the EU, intermediary liability laws are applied inconsistently from country to country. It's important to be aware of the eCommerce Directive.

For more information, see our article Legal Issues with User Generated Content.

Displaying Your Legal Notices

We've looked above at how to create legal documents such as a Privacy Policy, Cookies Policy, and Terms and Conditions agreement. You also need to display these prominently on your website.

Here's an example from the home page of TechRadar that displays many legal agreements nicely in one section (typically the website footer):

TechRadar website footer with Terms and Conditions, Privacy Policy, and Cookies Policy highlighted

You should provide a link to your Privacy Policy whenever you collect personal information from your users. You can also use such opportunities to ask your users to agree to your Terms and Conditions.

Here's how Trending Travel does this:

Trending Travel email sign-up form with checkbox to agree to Terms and Conditions and Privacy Policy

Your Terms and Conditions are unlikely to be enforced by a court unless your users have accepted them. It's important to require that your users accept your Terms and Conditions before taking actions such as creating an account or making a purchase.

Summary

We've looked at four areas of law to consider when launching a new website. Here's a recap:

  • Privacy law:

    • Minimize the amount of personal information you collect
    • Get consent for cookies, if required
    • Create a Cookies Policy
    • Create a Privacy Policy
    • Ensure your website and your users' personal information are secure
  • Consumer protection law:

    • Create a Terms and Conditions agreement
    • Create any appropriate disclaimers
    • Create a Returns and Refunds Policy, if required
    • Create affiliate link disclosures, if required
  • Copyright law:

    • Ensure you have a license for any third-party content
    • Create a system for complying with any relevant notice-and-takedown laws
  • Defamation law:

    • Consider how you can avoid any legal issues with user-generated content on your site

While there will surely be other legal considerations you'll need to explore and address when launching your new website, the issues discussed above are the most common ones that will affect the widest range of people.

By addressing each of them, you'll be on your way to having a compliant website.
