The legal requirements of a website vary with the type of industry it’s involved in and the type of data it collects. You may have to adhere to different requirements depending on the nature of your website.
Some of the most stringent regulations concern data privacy laws. These laws are meant to provide users with the right to know and control what personal data is being collected, sold, and shared. Websites must provide the means to do this, or they fall out of compliance.
KEY TAKEAWAYS
If you’re building a website, you are going to need to be aware of the following website laws and regulations:
- Data Privacy and Collection Requirements (GDPR, CCPA, etc)
- Cookie Requirements (GDPR, ePrivacy, etc)
- Data Security Requirements
- Accessibility Requirements (ADA, WCAG, etc)
- Ecommerce Security
- Copyright and Plagiarism Requirements
- Content Licensing and Attribution
- Anti-Spam Laws
- Disclaimers
In this article we are going to cover what data privacy laws mean for your website and what other legal requirements there are for websites.
Website Laws That May Impact You
The following list of rules and regulations offers a brief explanation of the relevant legal requirements and website laws that may impact your business.
| Legislation | Description |
GDPR |
If your website is offering goods or services to those located in the European Union, Iceland, Norway, Lichtenstein, Switzerland or UK you must comply with the sweeping privacy laws generated by the General Data Protection Regulation. Complying with the GDPR starts with a comprehensive privacy policy that details what, how, when, and where data is collected. |
CCPA |
The California Consumer Privacy Act is a data privacy law that regulates how businesses worldwide are allowed to handle the personally identifiable information of California residents. The CCPA is primarily focused on privacy laws that require that you present a cookie policy that explains the cookies you collect and store and how you or third parties may use them. More on cookie consent solutions below. CCPA is also known for their unique definition of the term “sale”, and if your website is in business of selling personal information this is the one you should study closely. |
CPRA |
In November 2020, an addendum to the CCPA was put in place that strengthened the depth and breadth of California’s data privacy requirements. The California Privacy Rights Act is a powerful data privacy law that affects the privacy and notice requirements for websites that may be accessible to consumers in California. The CPRA expands on the CCPA by requiring that websites that share personal data be fully compliant with all privacy laws. Previously, only websites that sold data had to be compliant. The CPRA goes into effect Jan. 1, 2023. |
COPPA |
The FTC enforces the sweeping Children’s Online Privacy Protection Act to help protect children’s privacy and keep them safe online. COPPA website regulations require that websites obtain consent from parents before collecting personal information from kids under the age of 13. |
CalOPPA |
In addition to basic GDPR rules, other legal requirements for websites include complying with the provisions of California’s Online Privacy Protection Act. Your privacy policy must use the word “privacy” in a direct link from the website’s homepage and reveal third-party information regarding exactly who collects data. |
EU Cookie Law |
The EU Cookie Directive (otherwise known as either the EU Cookie Law or the ePrivacy Directive) requires websites to have a dedicated cookie policy and to get consent from users before they can store or retrieve personal information on a computer, smartphone, or tablet. Designed to protect data privacy, it strives to make customers aware of just how much information about them is collected by websites. This allows for an informed choice regarding whether or not they should continue providing the information. |
Eraser Button Law |
The Privacy Rights for California Minors in the Digital World Act (also called the Eraser Button Law) applies to websites that allow users under the age of 18 to register and post content. The Eraser Button Law states that these websites must inform users under the age of 18 that they have the legal right and ability to remove the content or information they have contributed at any time. |
ADA |
The Americans With Disabilities Act requires certain standards for website accessibility for users facing a disability. This means that all electronic information and technology, including your website, must be accessible to those with disabilities. |
List of Website Legal Requirements
In addition to data privacy policies, your website might need to meet the accessibility requirements of the ADA, as well as requirements regarding ecommerce, copyright, plagiarism, and anti-spam laws.
Specific industries also have requirements for websites if they pertain to health, legal, and financial matters.
While not legally required, certain disclosures like terms of use, terms and conditions, shipping policies, and return policies are also useful to present. Contact information and informative pages about the business itself are also becoming more commonplace and are expected by the consumer.
Now let’s take a look at what legal requirements your website needs to meet.
Data Privacy and Collection Requirements
Privacy laws are the foundation of the general requirements for legal compliance. Policies almost always begin with the fact that data is being collected, followed by a detailed explanation of the types of data that a website may collect and a user’s right to access and control that data.
The following requirements affect all websites:
- Explain the type of personal information you collect.
- Define how you use and share data.
- Disclose the use of third-party services.
- Describe how users can control their data.
- Inform website users of whether and how they are being tracked.
Privacy Policy
Since 2018, the GDPR has required companies that process the personal information of EU residents to do so with strict and explicit data privacy measures in place. The privacy policy must detail what, how, when, and where personal data is collected. It also provides for disclosure of third-party collection, rights of data subjects and usage and related data security and consumer access.
Under the CPRA, you must provide consumers with the ability to “opt out” of having you sell their private information. Once that request is made, you must wait at least 12 months before asking consumers to opt back into the sale of their personal information.
Create a Privacy Policy Using Termly
Here’s how you can use Termly’s generator to create a comprehensive and compliant privacy policy.
Step 1: Go to Termly’s privacy policy generator.
Step 2: Answer a few simple prompts and questions, and go through all of the steps until you reach “Final Details.”
Step 3: Once you’ve filled in everything and you are satisfied with the preview, click “Publish.” You will then be prompted to create an account on Termly so you can save and edit your privacy policy further.
“Do Not Sell My Personal Information” Link
A website cannot sell personal information if it does not have a clear and conspicuous “Do Not Sell My Personal Information” link on its homepage, along with disclosures in its privacy policy about what personal information is actually sold.
“Do Not Share My Personal Information” Link
If your business shares or discloses personal information to third parties for cross-context behavioral advertising, the CPRA requires that you inform your users by posting a “Do Not Share My Personal Information” link and providing consumers with the ability to opt out. This rule applies to websites dealing with California residents, who also meet at least one of the following thresholds:
- They have annual gross revenues of at least $25 million.
- They derive 50% or more of your annual revenues from selling Californian consumers’ personal information
- They annually buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of over 50,000 consumers, households, or devices in California.
Under the CPRA, a new category of protected personal information was created in which consumers have the right to limit the use and disclosure of their sensitive personal information — for example, their race or sexual orientation.
If businesses want their websites to be legally sound, they must provide an explicit and noticeable link on their website homepage titled “Do Not Share My Personal Information.”
Consent Requirements
Although the GDPR and the EU Cookie Law are based in the EU, they apply to all businesses that presently or can potentially market to EU consumers. This means that US businesses with EU customers need a cookie policy that meets the transparency and consent requirements of the GDPR and the EU Cookie Law. These rules require that users give explicit and informed consent before a website can process their information.
With regard to consent under the CCPA, a user’s proactive consent in advance of data collection is not required. You can collect, use, and store cookie data right away without any confirmation from the user, as long as your cookie policy is prominently posted and users get to choose their cookie preferences.
Consent requirements under the new CPRA go further in terms of safeguarding data from consumers under the age of 16. Active consent is required to sell or share a minor’s personal information. That same active consent is required under COPPA for any user under the age of 13.
Data Security Requirements
As part of the FTC’s Fair Information Practice Principles, a website’s security measures for protecting users’ data and deleting old data should be defined in their own section. The required security measures you’ll need to have in place will depend on the amount of data you collect and its sensitivity. These measures need to be in place to lower the risk of cyber security breaches.
For example, PayPal explains that it uses data encryption, firewalls, physical access controls, and information access authorization controls to protect your data.
Cookie Requirements
Under the GDPR, EU Cookie Law, CCPA, and CPRA, you are legally required to inform users of how you use the cookies you collect. You can place that information in your privacy policy or explain it in a separate cookie policy.
You are legally required to place the following in your cookie policy:
- Disclose that your site collects and stores cookies.
- Explain what cookies are and why your site uses them.
- Disclose the types of cookies that you or third parties use.
- Explain how you collect information (e.g., forms, sign-ups, subscriptions).
- State why you or a third party is collecting the information.
- Inform users of how they can opt in, opt out, or customize their cookie experience.
- Use policy language that is accessible and easy to understand.
Cookie requirements under current data privacy laws strive to give users as much control as possible over their data and how it gets used. For example, the current California Privacy Rights Act allows California consumers to specifically opt out of both the sale and the sharing of their data.
Websites must provide the means to do this, or they fall out of compliance with cookie requirements.
The inclusion of the term “sharing,” as it relates to a user’s personal information, will undoubtedly increase the number of businesses that must comply with the CPRA.
Cookie Consent Solution
In accordance with the EU Cookie Law and the GDPR, you must ask users to consent to your site’s cookie policy — typically done using a cookie banner — as well as provide an opportunity for users to set their cookie preferences.
In the US, there are stricter rules for children. For example, COPPA requires active parental consent for children under the age of 13, and the expanded CPRA requires consent for children under 16. It would be best to use a cookie consent manager to ensure your website is compliant with all consent rules.
Use Our Website Scanner To Comply With Cookie Requirements
Find out what cookies are on your website by using our online cookie scanner:
Accessibility Requirements
The ADA prohibits discrimination based on disability. It requires that websites be accessible to everyone, including those with hearing or visual impairments.
Accessibility can mean making your website compatible with:
- Larger fonts
- Web reading tools
- Transcripts for videos
- Written descriptions of images
- Clear contrast between fonts and backgrounds
These accommodations can be helpful to everyone and ensure that no individual gets discriminated against based on a disability. Any website belonging to a business that has at least 15 employees and is open for more than 20 weeks a year must comply with the ADA.
Technically, the ADA does not explicitly address websites, and the courts have not consistently upheld that websites must comply. Note, however, that under Title II of the ADA, local and state government websites must be accessible to those with disabilities.
Ecommerce Considerations
On an ecommerce website, you must employ safety and security measures to protect your customers’ private information. Therefore, HTTPS, or hypertext transfer protocol secure, should be automatically engaged. HTTP is the system used to send information between a website and a user’s web browser, with HTTPS being the secure version of that system.
This protection is critical for all ecommerce websites. If you choose not to use HTTPS, it could expose the financial information of customers attempting to make a purchase on your website.
Copyright and Plagiarism Requirements
Original content is inherently copyrighted, whether or not you, as the website owner, developer, or creator, officially register your site online with the Copyright Office. Any unattributed or unauthorized use of another website’s original content will be flagged as plagiarism or copyright infringement.
This extends to web copy that may have been borrowed from another website. It also affects the images that may have been downloaded from places such as Google Images.
Content Licensing and Attribution
Professionally produced content may be legally licensed for use on your own website. The content can include various media like photos, videos, audio content, graphics, infographics, mixed media content, music, digital social media content, logos, drawings, tables, symbols, and more. Licenses can be acquired directly through an agreement with a publisher or from a content library that has already licensed the material for use.
Particularly with images, content licensing is required, and at a minimum, attribution to the rightful owner should be provided.
Anti-Spam Laws
Spam includes any unsolicited or irrelevant emails sent in bulk to a list of people. This can consist of unsolicited commercial emails trying to get customers to purchase something. It also includes fraudulent messages, such as those proliferating phishing scams, lottery scams, or computer viruses.
In the US, a law called the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or the CAN-SPAM law, deals with marketing emails and allows recipients to opt out of messages they don’t want. Unfortunately, the unsubscribing process can be quite convoluted.
Canada’s Anti-Spam Law creates a stricter opt-in system, in which customers must sign up to receive marketing emails. Unlike in the US, unsubscribing must be fast and easy.
The GDPR also covers spam, and its provisions are the strictest. For example, the GDPR always requires recipients to opt into marketing messages, and there’s no implied consent from people who are already your customers.
Consider Disclaimers
One of the most common disclaimers on websites expressly disclaims any responsibility for actions users take based on the site’s content. Disclaimers can be separated into their own section, or they can be part of your terms and conditions.
Additional disclaimers will depend on the unique nature of your website. For example, you can:
- Disclaim liability for third-party or advertiser content on your site — including affiliate links
- State that the site’s content is for informational purposes only and not professional advice
- State that users cannot use your original content without permission
- If a legal website, present a disclaimer that the website does not establish an attorney-client relationship and blog posts do not constitute legal advice
List of Legal Requirements for Websites in Specific Industries
In addition to a website’s legal requirements we covered above, various industries must follow specialized requirements.
HIPAA Requirements for Health Websites
The Health Insurance Portability and Accountability Act of 1996 regulates the collection and sharing of patients’ personal health information. Therefore, if your website deals with health information, you must take special care with how you collect it.
HIPAA rules and regulations consist of three major components:
- The HIPAA privacy rules
- The security of health data rules
- Rules regarding notifications for healthcare data breaches
Patients also need to be informed regarding their rights over their health care data.
Some of the most common HIPAA violations include keeping unsecured records, not properly encrypting data, and improperly disposing of medical records. In addition, if your website contains contact forms or uses a booking system, be sure they are HIPAA compliant.
ABA Requirements for Legal Websites
The American Bar Association requires compliance with its ABA Rules of Professional Conduct, which regulate what attorneys can and cannot express on their websites.
For example, the legal requirements for a website created by an attorney include:
- Attorneys cannot say they specialize in or are experts in a particular area of law unless they hold a special accreditation from a state-regulated body.
- Attorneys cannot make misrepresentations or unsubstantiated claims, such as how they are the best in the entire city, state, or region.
- Attorneys cannot make promises about legal outcomes, including allusions to past settlements that imply future ones will be similar.
Financial Website Requirements
Financial institutions face distinct requirements for their websites because they are subject to hacking and viruses designed to retrieve customers’ financial information.
E-banking websites typically expose financial institutions to the highest risk per transaction, particularly with commercial transactions, which usually involve higher dollar amounts. In addition to data security controls like encryption, financial websites should have authentication processes for new and existing customers and avoid possible violations of laws regarding required consumer privacy disclosures about the collection and storage of financial data.
In addition, public companies are subject to specific Securities and Exchange Commission regulations that govern when, what, and how content should be posted publicly on their websites.
Contractor Website Requirements
When you’re a general contractor or subcontractor, it pays for you to have your licensing credentials on prominent display on your website. Although there appear to be no federal regulations for contractor websites, check with your state licensing board to determine whether you’re required to display your contracting license ID when advertising to customers online.
Not Legally Required But Recommended
Some sections are not legally required, but it is a good idea to have them on your website because they are generally accepted as essential components of a website.
“About Us” Page
An “About Us” page gives users some insight into how the business started and what ideals are most important to the business owner. It can create a much-needed connection between customers and the business owner.
Contact Information
Contact information is an indispensable element of a website. Social media contact information has also become an expected component of websites. It creates another avenue of contact for customers to make a connection and may lead to more sales.
Terms and Conditions
Terms and conditions generally set forth the rules for your website. For example, when selling goods directly from your site, you should display your terms and conditions regarding billing, pricing, shipping, and returns so customers know what to expect.
Particularly if your website uses third-party information, the terms and conditions should clearly state that you are not responsible for the accuracy of third-party statements, nor do you endorse third-party statements or actions.
Terms of Use
Although it’s not required by law, a “Terms of Use” page is useful for setting out the rules for the use of your website. Of course, the rules will vary according to the type of site you are creating, but they can include disclaimers limiting liability or establishing where and how disputes are to be settled.
Shipping, Return, and Refund Policies for Ecommerce Websites
The purpose of shipping, return, and refund policies is to outline the specific requirements as to how, when, and under what circumstances shoppers can ship or return their purchased items.
Refunds are not automatically required for ecommerce websites, which makes the inclusion of clear and straightforward rules all the more important.
Well-written policies demonstrate that you care about your customers and their satisfaction with your goods and services.
Summary
The best way to stay out of legal trouble and remain compliant with state, federal, and international laws is to be transparent with your users.
Make your privacy and cookie policies clear and conspicuous, and users will appreciate your straightforward handling of their most private and personal data. In addition, be sure you comply with industry standards and international laws for websites.
Creating a legally compliant website will lead to a safer business model, stronger customer trust and loyalty, and a lower risk of privacy and security breaches.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
