Website legal requirements - list of documents you need

Written by Camilla Lassen
November 10, 2020

Is your website GDPR compliant? To meet website legal requirements, here are some of the documents and legal elements you need:

  • A cookie policy and cookie banner
  • A Privacy Policy
  • Collect email marketing consent
  • Consider links to third party websites
  • A Terms & Conditions document

1. A checklist for cookie consent

To ensure cookie compliance you need to:

  • Know what cookies you are using and why
  • Have a cookie banner on your website
  • Be aware of the difference between necessary and non-necessary cookies
  • Block non-necessary cookies until your user has given consent
  • Ensure your users can easily access and change their cookie settings and that the information you provide is easy to understand
  • Have an easily accessible cookie policy on your website
  • Have an audit trail, so you can document who gave consent to what, when, and how (including the wording used in the cookie banner, the edition of the cookie policy etc.)
  • Remember to log and store the cookie consents for the lawful duration required in your country, e.g., in some countries up to 5 years
  • Consider if your use of the cookies actually fits the purpose you describe in your cookie policy
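As an added example (not code from the original article), a small JavaScript consent gate that covers the checklist above: loaders for non-necessary cookies stay blocked until consent, every decision is written to an audit record with who, when and how plus the banner wording and policy edition, and records past the retention period can be identified. CookieConsent, BANNER_TEXT and POLICY_EDITION are assumed names with constructed values.

```javascript
// Constructed values standing in for the real banner text and policy edition.
const BANNER_TEXT = "We use cookies for analytics and marketing. Accept all or choose your settings.";
const POLICY_EDITION = "cookie-policy-2020-11-v3";
// Cookie categories. Only "necessary" may run before the user has consented.
const DEFAULT_CONSENT = { necessary: true, analytics: false, marketing: false };

class CookieConsent {
  constructor() {
    this.consent = { ...DEFAULT_CONSENT };
    this.pending = [];  // loaders for non-necessary cookies, held until consent
    this.auditLog = []; // one record per consent decision
  }

  // Register a loader (e.g. a function that injects a tracking script) under a
  // category. It runs at once only if that category is already consented to.
  register(category, loader) {
    if (!(category in DEFAULT_CONSENT)) throw new Error(`unknown cookie category: ${category}`);
    if (this.consent[category]) loader();
    else this.pending.push({ category, loader });
  }

  // Apply the user's choices, write the audit record (who, when, how, which
  // wording and policy edition) and release only the loaders now permitted.
  update(choices, { userId, method, now = new Date() }) {
    for (const [category, granted] of Object.entries(choices)) {
      if (!(category in DEFAULT_CONSENT) || category === "necessary") continue;
      this.consent[category] = Boolean(granted);
    }
    this.auditLog.push({
      userId,
      method,                         // e.g. "banner-accept-all", "settings-page"
      timestamp: now.toISOString(),
      consent: { ...this.consent },
      bannerText: BANNER_TEXT,
      policyEdition: POLICY_EDITION,
    });
    this.pending = this.pending.filter(({ category, loader }) => {
      if (!this.consent[category]) return true; // still blocked
      loader();
      return false;
    });
  }

  // Records older than the retention period (example: 5 years) that may be purged.
  expiredRecords(now, retentionYears = 5) {
    const cutoff = new Date(now);
    cutoff.setFullYear(cutoff.getFullYear() - retentionYears);
    return this.auditLog.filter((r) => new Date(r.timestamp) < cutoff);
  }
}
```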

2. Cookie policy checklist

Cookie policy is an important part of your website legal requirements.

Your GDPR compliant cookie policy needs to include:

  • Your company details, e.g., name, registration number, full company address, contact information
  • A description of why, how and what you use cookies for
  • A definition of what a cookie is
  • A description of the different types of cookies on your website: their purpose, provider, duration and how you use them, including but not limited to:
    - Necessary or essential cookies
    - Non-necessary cookies, such as:
      - Analytical cookies
      - Marketing cookies
  • Third party cookies used on your website (remember to include a link to their privacy policy)
  • A link to your own privacy policy
  • Your agreement with third party providers, declaring whether or not you have reviewed a third party vendor’s privacy policy, cookie policy and cookie use
  • How users can control their cookie settings and whether this will impact their use of the website
  • Information about the possibility of opting out of being tracked (and how they can do it)
  • Remember to draft your cookie policy in a way so that people can actually understand it
  • You should also think about the design of your policy. Many authorities recommend that policies be split up into sections so that they can be “unfolded” making it easier for the user to read and understand the content of the policy

3. Your Privacy policy

When working with your privacy policy:

  • Make sure it is available on your website
  • Make sure it is available in all the places where you collect personal data, e.g., sign-up forms, newsletter pop-ups, etc.
  • Make sure you can prove that you gave your users the option to read through the privacy policy at the time their consent was given

Privacy policy checklist

To make website privacy policy GDPR compliant you need to have a privacy policy that clearly states:

  • What personal data is collected from your users (the purposes) and what you are using this data for
  • Who you are sharing the data with
  • Your security measures and if data is transferred to other countries
  • The data retention periods for the specific data collected
  • How to file a complaint and to whom
  • How the user can exercise their right to request:
    - Data access
    - Data deletion
    - Data edits
  • Make sure your privacy policy is easy to read and understand
  • Make sure you can prove that you gave your users / customers the option to read through the privacy policy at the time their consent was given

4. Email marketing

In relation to email marketing, you need to consider the following:

  • Do you collect consent to email marketing?
  • Do you make it possible for your users to object to direct marketing, opt out or unsubscribe?
  • Make sure that you mention in the email marketing consent copy:
    - your company name and information as the sender,
    - what you will be sending email marketing about, and
    - through what channels.

5. Links to third-party websites

In relation to third party websites, you need to think about the following:

  • Do you link to third-party websites?
  • Do you have a statement notifying your user that third-party website content is neither under your control nor the responsibility of your company?

6. Terms & Conditions

In relation to Terms & Conditions (T&C), you need to think about the following:

  • Is the T&C document accepted by the customer?
  • Can the T&Cs be downloaded?
  • Can you prove that the T&Cs have been accepted?
  • Do you give instructions on how to cancel the subscription / correct errors?
  • Remember to use a good payment provider
  • Do your T&Cs state the minimum duration of the contract?
  • There also needs to be information about price, cancellation, return policy, law and venue, delivery, information about the product/service, how to complain, etc.

Disclaimer: Depending on your line of business, country, industry and customer type (e.g. children, consumers etc.) you might need other documents and information so please note that this list is not exhaustive.

Further reading

To sum it up, these are the main website legal requirements, which will make your online project GDPR compliant.

We also compiled an in-depth article about website compliance, where you can find out more about the compliance elements and legislation you need to comply with as a website owner.