Does your business have a website? Here’s some useful information on how to stay on the right side of the law.
If you’re a business owner you’re probably already saddled with a lot of legal requirements, so it can be easy to forget about your website.
Many business owners overlook the issue until they get caught out, at which point they can be facing criminal enforcement, fines, extra audits, disruption to online services and significant reputational damage.
On the flip side, search engines actually reward websites that take compliance seriously. For example, Google uses HTTPS as a ranking signal, so serving your site over TLS (the certificate is still commonly sold as an "SSL certificate") helps your ranking as well as protecting your visitors, and accessibility work such as alt text and a clear heading structure makes your content easier for search engines to index. Making your website more accessible for impaired users will also present your business in a more favourable light to these customers and can therefore add sales to your bottom line.
What is compliance?
For the purpose of this blog, compliance refers to a series of laws and protocols that website owners have a responsibility to comply with. Some of these vary from country to country due to specific consumer protection laws, while others are more universal standards and expectations that have sprung up as the internet has developed over time. Here are some of the most important topics you need to think about from a compliance perspective:
- Display of business information.
- Protocols for communicating with consumers, offering services and selling online.
- Data protection.
- Handling of payment card data.
- Accessibility for impaired users.
- Observance of country specific consumer protection laws.
Information available on your website
The Electronic Commerce (EC Directive) Regulations 2002 are the main framework governing electronic commerce in the UK and require the following information to be easily, directly and permanently accessible on your website:
- The business name needs to be clearly displayed.
- The geographic address of the business.
- Contact details of the service provider, including an email address, to allow prompt communication.
- Details of any trade or similar public register the business is entered in, together with its registration number (for a UK company, its Companies House number).
- Details of any relevant supervisory authority if the services are subject to authorisation.
- Details of any professional body the service provider is registered with.
- The VAT number, if a business has one.
- Clear pricing, including whether VAT and delivery costs are included.
Online marketing, privacy and cookies
With regard to marketing emails, cookies and data protection, the main requirements are set out in The Data Protection Act 1998 (since replaced by The Data Protection Act 2018 and the UK GDPR, which tightened the rules on consent) and The Privacy and Electronic Communications (EC Directive) Regulations 2003. Some notable requirements include:
- You must tell people if cookies are being used on your website, explain what the cookies do, and obtain the user's consent before storing a cookie on their device. Cookies that are strictly necessary to provide a service the user has asked for (such as the session cookie that holds a shopping basket) are exempt, but analytics and advertising cookies are not. You must still comply even if your website is hosted overseas.
- You must have prior consent before sending unsolicited marketing emails, unless the recipient's details were obtained in the course of a sale or negotiations for a sale, the emails concern your own similar products or services, and the recipient was given a simple way to opt out both when their details were collected and in every message (the "soft opt-in").
Selling online
This is a complex area of law which is governed by a number of overlapping pieces of EU and UK legislation, including The Sale of Goods Act 1979, The Consumer Credit Act 1974, The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (which replaced The Distance Selling Regulations 2000) and The Electronic Signatures Regulations 2002. Important things to remember include:
- Before a customer places an order, you must set out the steps required to conclude the contract, state if the contract will be stored by you or made permanently accessible, state how input errors can be corrected, provide links to relevant codes of conduct you abide by, and specify the language of the contract.
- The website should clearly set out the identity of the supplier (postal address and email address), provide a description of the goods and services being supplied, list the price (including all taxes and delivery costs), describe payment and delivery arrangements, and cancellation rights.
- Displaying goods or prices on a website is normally only an invitation to treat: the customer's order is the offer, and a binding contract needs that offer, your acceptance, consideration (the price) and an intention to create legal relations. Your terms should therefore say at what point you accept the order (for example on confirmation or on dispatch), which also gives you room to correct a pricing error before a contract exists.
- Before an order is placed the customer must take a positive step to show they have read and accepted the terms and conditions (for example ticking a box on your website that is not pre-ticked). Once the order has been placed you then need to acknowledge receipt of the order without undue delay and by electronic means, and provide information about their options for cancellation.
Handling of payment card data
Payment Card Industry Data Security Standard (PCI DSS) compliance is another important issue to consider if you plan to take online payments or donations. The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, and failure to comply can result in fines from your acquiring bank and the loss of your merchant account. It sets out 12 requirements:
- Install and maintain a firewall to protect data.
- Do not use vendor-supplied default passwords or other security parameters.
- Protect stored data.
- Encrypt the transmission of cardholder data and sensitive information across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
A sensible place to start is to make sure you have a PCI compliant web hosting plan (if you are unsure, contact your web host and get email confirmation from them), install a TLS certificate (still commonly sold as an "SSL certificate") so that every page, not just the checkout, is served over HTTPS, replace vendor default passwords with strong unique ones, and configure appropriate malware scanning and a firewall.
Don't forget that to be properly PCI compliant you will also need to undergo some form of assessment, either a self-assessment questionnaire (SAQ) or a full on-site audit by a Qualified Security Assessor, depending on the volume of card transactions going through your website. For small vendors, using a hosted payment page such as PayPal Website Payments Standard can also reduce the required level of PCI compliance, because the customer enters their card details on the payment provider's page and the card number never passes through your server; fully outsourced merchants of this kind normally qualify for the shortest questionnaire, SAQ A. Keep it that way: never log, email or store full card numbers yourself.
Accessibility for impaired users
The Equality Act 2010 (which replaced the Disability Discrimination Act 1995 in England, Scotland and Wales) requires that websites are usable by people with impairments, but it is the World Wide Web Consortium (W3C) that has developed the main technical guidelines: the Web Content Accessibility Guidelines (WCAG 2.0), whose success criteria are grouped under 12 guidelines that you should take account of:
- Provide text alternatives for non-text content.
- Provide captions and other alternatives for multimedia.
- Create content that can be presented in different ways, including by assistive technologies, without losing meaning.
- Make it easier for users to see and hear content.
- Make all functionality available from a keyboard.
- Give users enough time to read and use content.
- Do not use content that causes seizures.
- Help users navigate and find content.
- Make text readable and understandable.
- Make content appear and operate in predictable ways.
- Help users avoid and correct mistakes.
- Maximise compatibility with current and future user tools.
There are tools available that can help you test how accessible your website is, although automated checks only catch a proportion of problems, so also try your site yourself using only the keyboard and with a screen reader. You can find out more detailed information about W3C standards at https://www.w3.org/WAI/ You may also be interested in our recent UK marketing compliance post.
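The testing tools mentioned above work by inspecting the page markup. As an added example, not code from the W3C or from the article, here is a small checker built on Python's standard html.parser that reports four failures which map directly onto the guidelines listed above: images with no alt attribute (text alternatives), form controls with no label and links with no accessible name (keyboard and assistive-technology use), and a page that does not declare its language (readable and understandable text). The sample checkout page is constructed for the example and deliberately contains each failure.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the article): a checkout form with
# several deliberate WCAG failures for the checker to find.
SAMPLE_HTML = """\
<html>
<head><title>Checkout</title></head>
<body>
<img src="logo.png" alt="Acme Ltd">
<img src="hero.jpg">
<img src="spacer.gif" alt="">
<form action="/pay" method="post">
  <label for="email">Email</label>
  <input id="email" type="email">
  <input id="card" type="text">
  <label>Postcode <input id="postcode" type="text"></label>
  <input type="submit" value="Pay">
</form>
<a href="/terms">Terms and conditions</a>
<a href="/help"><img src="help.png"></a>
</body>
</html>
"""


class A11yChecker(HTMLParser):
    """Flags a few WCAG 2.0 failures that are detectable from the markup alone."""

    # Controls that get their accessible name from their own value/type.
    SKIP_INPUT_TYPES = {"hidden", "submit", "button", "reset", "image"}

    def __init__(self):
        super().__init__()
        self.findings = []        # (line, message)
        self.labelled_ids = set() # ids named by <label for="...">
        self.controls = []        # (line, id, already labelled) checked at the end
        self.in_label = False
        self.in_link = False
        self.link_line = 0
        self.link_name = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "html" and not a.get("lang"):
            self.findings.append((line, "html element has no lang attribute"))
        elif tag == "img":
            if "alt" not in a:    # alt="" is valid for purely decorative images
                self.findings.append((line, "img has no alt attribute"))
            elif self.in_link:    # an image's alt text can name its link
                self.link_name += a["alt"] or ""
        elif tag == "label":
            self.in_label = True
            if a.get("for"):
                self.labelled_ids.add(a["for"])
        elif tag in ("input", "select", "textarea"):
            if a.get("type", "text") in self.SKIP_INPUT_TYPES:
                return
            labelled = self.in_label or bool(a.get("aria-label") or a.get("aria-labelledby"))
            self.controls.append((line, a.get("id"), labelled))
        elif tag == "a":
            self.in_link, self.link_line, self.link_name = True, line, ""

    def handle_data(self, data):
        if self.in_link:
            self.link_name += data

    def handle_endtag(self, tag):
        if tag == "label":
            self.in_label = False
        elif tag == "a":
            if not self.link_name.strip():
                self.findings.append((self.link_line, "link has no accessible name"))
            self.in_link = False

    def results(self):
        # A <label for> may appear after its control, so resolve labels last.
        for line, ident, labelled in self.controls:
            if not labelled and ident not in self.labelled_ids:
                name = f"#{ident}" if ident else "(no id)"
                self.findings.append((line, f"form control {name} has no accessible label"))
        return sorted(self.findings, key=lambda f: f[0])


def check_accessibility(html: str):
    """Return a list of (line number, message) findings for the given HTML."""
    checker = A11yChecker()
    checker.feed(html)
    checker.close()
    return checker.results()


if __name__ == "__main__":
    for line, message in check_accessibility(SAMPLE_HTML):
        print(f"line {line}: {message}")
```

A checker like this is only a first pass: it cannot tell whether alt text is meaningful, whether colour contrast is sufficient, or whether the tab order makes sense, which is why the manual keyboard and screen-reader checks still matter.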
This article should not be construed as legal advice. Always seek appropriate legal advice if you want to ensure you comply with the law.
The article was written by Jamie Hewitt, Director of RocketshipWP, a boutique web design agency specialising in WordPress. Build and manage your own website with our one day WordPress course.