Is my website breaking the law?

Putting together a website is a lot of work. By the time you’re ready to publish you’ll have spent hours writing and checking copy, sourcing and collating images and other assets, and going over the finer details with your web designer and web developer in preparation for the big launch. Unless the field in which you work is strictly regulated (or slightly shady) then the last thing likely to be on your mind is the question of whether your new website is actually breaking the law.

First of all let’s get the disclaimers out of the way. This article is aimed at owners of bona fide UK businesses who just want an overview of the current legal requirements for a business website. If you’re running a 419 scam or operating some other nefarious enterprise then following the guidelines below won’t get you off the hook if you get caught.

Secondly, although prosecution is unlikely if your website doesn’t comply with the below, please bear in mind I am not a lawyer. So if you have any doubts or questions over the legality of your website then you should seek your own legal counsel. Don’t ask me!

So here are the key areas to look at to be sure that your website complies with the law here in the UK.

Be clear about who you are

The Companies Act 2006 has the dubious distinction of being one of the longest pieces of legislation on the books with its 1,300 sections over 700 pages. Obviously it covers a lot of stuff—and amongst this is a requirement that you must disclose certain information about your business on your website. Where you put it is up to you, but it does have to be easy to find.

The information required by the Companies Act is as follows.

  • Your company name (or trading name if you are a sole trader or partnership);
  • In the case of a company—your registration number, place of registration and registered office address;
  • Both the postal address and email address of your business;
  • A means to contact your business by non-electronic means (such as a telephone number and postal address);
  • Your VAT number (if registered) even if your website is not used for transactions or taking payments;
  • The name of any trade organisations or professional associations to which your business belongs (along with any registration details).

It might seem like a no-brainer that this information should be included on your website—surely you want customers to know who you are and how they can contact you, right? But so many businesses get it wrong. I often see websites that offer no means of contact other than an email address and enquiry form. Not only is this technically illegal but it undermines the site’s credibility. How can you expect a prospective customer to place their trust in a faceless online entity who isn’t prepared to publish the address of their location? This is common even on e-commerce sites where the customer is taking a leap of faith as it is!

Provide visitors with the right to privacy over their data

A website can be one of the most valuable sources of new leads and customers for your business. However, since GDPR legislation came into force in 2018 there are strict rules that govern the collection and processing of personal information. If your website provides visitors with the means to submit enquiry forms or subscribe to an email list (and it really should) then you should have the following in place.

  • Visitors must actively give their consent to receive future communications from you beyond their initial enquiry;
  • You must make it easy for people to withdraw their consent and opt out of being contacted by you;
  • You should only collect and hold personal information that is necessary to carry out the task in hand—if you don’t need to know then don’t ask;
  • If you use cookies to track visitor behaviour you must notify them that this is the case.

Compliance with these requirements shouldn’t be too onerous. Obtaining consent before bombarding your prospects with email is only common sense. Email marketing is a powerful tool for growing your business but it only works if your prospect is genuinely interested in what you have to offer. It also makes sense to ask for the bare minimum of information in your forms. Conversion rates drop off rapidly with the more fields that people have to complete—so fewer form fields will equate to more submissions.

Cookie consent is a little more awkward. Letting people know you are tracking them is only polite (although I don’t think most people really care). Implementing a basic cookie notice is easy enough with a WordPress plugin like Cookie Notice by dFactory. It is free to use, easy to deploy and fairly unobtrusive in operation.

Publish a privacy policy

Publishing a privacy policy on your website is perhaps the most arduous of these steps to implement and lots of businesses get it wrong. They forget that a privacy policy is a public declaration of the privacy standards to which you will hold yourself accountable. WordPress tries to get you off on the right footing by creating a draft privacy policy page which you are encouraged to go through and fill in the blanks. It’s a good start—but it still requires you to think carefully about what measures you will put in place.

Your privacy policy needn’t be lengthy or complicated. In fact the plainer and simpler the language the better. In summary it just needs to set out the following information.

  • Who you are and how you may be contacted;
  • The contact details of your data protection officer (if applicable);
  • A description of how you will use any personal data that you collect, and how and where it will be stored;
  • Details of any third parties with whom you share the personal data—this should include links to the privacy policies of those organisations;
  • How long you will store personal information or the criteria you use to determine how long it is kept;
  • How people may withdraw their consent for you to hold and process their data;
  • An overview of the cookies your website uses and their purpose (or a link to a separate cookie policy that provides this).

The easy option is to copy and paste someone else’s privacy policy, or to ask your web designer if they have an off-the-shelf policy you can use—but this isn’t really an appropriate solution. Even engaging a solicitor to prepare a privacy policy tailored to your business isn’t necessarily a shortcut. By publishing a policy you are committing to the terms it sets out and unless you know and understand what these are then you are setting yourself up for a fall. So if you are not writing your own privacy policy it is important that you read and understand any policy that you do adopt and publish.

Protect the rights of the consumer

If your business sells to consumers then it will be subject to the Consumer Rights Act 2015 regardless of whether you are selling online or not. However if you are selling online then your website must provide clear information about the cost of items for sale and whether or not this includes VAT and delivery. You must also publish your payment terms and the rights of the consumer to cancel. You must acknowledge the receipt of any order promptly and without undue delay. And of course any goods offered for sale on your site must be described accurately.

Distance selling regulations will also apply, which means you must tell the customer that they have 14 days in which to change their mind once their order has been delivered. If you don’t inform them of this then they may cancel at any time up to 12 months from delivery. Unless otherwise agreed, delivery must be within 30 days of the order being placed.

Make your site accessible

Under the Accessibility Act 2010 your website must be accessible to anyone who needs it. If your web designer knows what they are doing then this shouldn’t present too many problems. Following the basic principles of good design and content optimisation will go a long way towards ensuring that your site is accessible to the majority of users.

Secure your website

If your website is hacked this can not only result in bad things happening to the site itself, but may also compromise the information held in your website’s database. This can include personal information from user accounts and form submissions—not a good position in which to find yourself. The most common reason that websites get hacked is that they are running on old versions of software, so keeping your site’s software updated is really important. If this is something you don’t have the time, knowledge or inclination to do then pay your web developer to do it for you. (Check out our website care plans for details of the services we offer.)

Having an SSL certificate installed on your server allows communication between your website and the user’s browser to be encrypted. This is essential if you are taking payments on your website and is mandatory under the Payment Card Industry Data Security Standard (PCI DSS). But even if your site does not take card payments it is good practice to have an SSL certificate installed simply because most browsers now issue warnings when the connection is unencrypted. On non-transactional websites, the risks highlighted by this warning are purely hypothetical but it can undermine the visitor’s confidence in the site nonetheless. For several years now, having a valid SSL certificate has been a positive ranking signal for search engines. So if customer confidence and search rankings are important to you then having a valid SSL certificate is a must.

Don’t steal content

Under UK law, the copyright in any original work is owned by its creator. So before you can legally use someone else’s content you need their explicit permission to do so. This means you can’t just copy and paste text from another website or grab images that you find in a Google search. There are plenty of legitimate sources where images, audio and video can be obtained for free or licensed at a very reasonable cost. So if you have content on your website which was not created by yourself or by a member of your staff—and you do not have explicit permission to use it—then you are probably breaking the law.

Not only is this immoral but it undermines the integrity of your business. And if you have a viable business there is no justification for it. There have been several high profile cases recently where businesses have been called out publicly for their misappropriation of artists’ work and suffered from the negative publicity as a result. So when it comes to sourcing content for your website, it pays to do the right thing.
