There are many things to consider when it comes to ensuring the compliance of a website. This is in part due to different and overlapping website legislation, an area which only gets more complex the more countries your business operates in.
We have therefore compiled this guide, to give you an overview of some of the general information you need to run your website or webshop, and stay compliant. Throughout the text we refer to a website, but the legislation is also applicable to webshops. This guide has been tailored for companies operating in Europe. We are working towards creating as complete a guide as possible, but it is currently an ongoing project, and should be seen as such.
Disclaimer (26 March 2020): The information on this page is not intended as legal advice and shouldn’t be considered as such. We strongly recommend that you seek legal advice if you’re unsure how to become compliant or how your use of Openli fits into that. Please also keep in mind that these recommendations are not exhaustive and that more requirements might be applicable to your business.
Ensuring compliance is essential. Whether a business operates online or offline, most businesses have a website, where they ‘meet’ their customers and collect and measure user data in some form.
To be compliant on your website you need to be aware of the key legislation in effect, and also of which legislation is relevant based on what you have on your website. In this guide you will find information about:
What do we mean by compliance?
Key legislation related to websites
Key areas where compliance impacts your website and what you should do
Compliance elements and what you need to know
As a legal term, compliance means obeying the rules. In the context of website compliance, it means making sure that you adhere to, or comply with, the legislation and legal requirements that are relevant for your website.
The GDPR, which came into effect in May 2018, stands for The General Data Protection Regulation. The Regulation applies to all European companies - as well as companies outside the EU - that process data about European citizens. The GDPR regulates how companies collect, store, process, and manage people's data. The law also lays down the rights of people to their data, including the right to be forgotten, the right to information, and the right to data portability.
The EU Cookie Directive regulates the use of cookies but also covers other forms of online tracking technology, including device fingerprinting. The Directive is therefore broader and applies to more than just cookies. The Directive says that you are not allowed to store, or gain access to, information stored on a person’s computer unless specific requirements are met, including (a) giving clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) obtaining consent from the person.
The E-commerce Directive harmonises the rules in the EU for online businesses, so they know what they need to do with regard to, e.g., commercial communication, information requirements, and electronic contracts. The Directive sets out the basic requirements on mandatory consumer information, the steps to follow in online contracting, and rules on commercial communications, for example online advertisement and unsolicited commercial communications, also known as the “spam” rules.
To make the above legislation and legal requirements as concrete as possible, we have outlined some of the components or elements you must incorporate into your website to ensure compliance. The rules regarding your privacy policy and consent collection come from the GDPR. The rules for the rest of the elements come from the cookie and e-commerce directives. The way the directives are applied can vary depending on the country you are operating in, and on the jurisdiction of your website visitors.
There are different types of cookies, which all have different legal requirements depending on what the purpose of the cookie is, and whether the cookies are necessary or non-necessary:
There are a number of requirements for what you need to do and include on your website to ensure cookie compliance. These are:
There are a number of consents that can be relevant for you to collect on your website. The consents you collect depend on what kind of website you have, e.g., whether it is a webshop or just a website, and which cookies you would like to be able to use on your website. It’s important to collect the following types of consents when running a website:
You should also be aware that:
Email marketing has become a widely used revenue channel for ecommerce and for businesses more generally. However, there are rules about who you may send email marketing offers or newsletters to. To make sure your email marketing efforts are compliant:
Remember that the rules might differ if you are sending email marketing to business leads / prospects.
If you have a website, you probably already have a privacy policy. The privacy policy is the document where you describe what data you are collecting about your website visitors, customers etc. You need it because of the GDPR. The GDPR gives users a right to information about how their data is being collected, processed and stored. That’s why you need to have your privacy policy online and make sure that there is a link to it wherever you are collecting data about your users, customers etc. The privacy policy should include the following information:
Your Terms & Conditions are the legal document outlining the agreement between you and, e.g., your users. If you have a webshop, the document will outline everything around the purchase, for example the price, shipping and delivery, warranty, law and venue, and how a potential dispute between you and your customer should be handled. The document, which is legally binding once the customer consents to it, is a way of protecting you and your customer if a dispute or discrepancy were to arise. There are a number of things you must include in your terms and conditions, for example:
Remember, it’s important that the customer actively accepts your T&Cs. Additionally, you must also make sure that:
Your company’s information needs to be visible, and easy to find on your website. The information you need to include is:
It must be easy for users and customers to contact you. The contact information you need to include on your website is:
A contact form must not be the only way for a customer to get in touch with you; your contact information must also be visible on the website.
You must create a section on your website, a legal library, where your legal documents such as your Privacy Policy, Cookie Policy and Terms & Conditions can be found. It is a legal requirement that they are easy to find, and easy to read and understand. So avoid legal lingo and overcomplicated sentences.
There are a number of requirements to how you describe the products or services you sell. These vary depending on what you are selling, e.g. if you are selling clothes you must clearly describe the material the clothing is made from.
For services, it is a requirement to provide the customer with information about any cancellation fee you have, and about when that cancellation fee comes into effect.
There are a number of data points you need to collect to make sure that your consents are valid. This is known as an audit trail, and it includes:
You must be able to keep records of all the consents you obtain. These records are also known as consent evidence. Without proper consent evidence, your consents are not considered compliant by the data authorities.
The level of security you need depends on what you are selling, but as a minimum you need to make sure that your payment flow or accepted methods of payment are secure. There are strict rules regarding encryption and payment security, which is why many companies use external payment service platforms.
You must always consider the target audience of your website, as there may be restrictions based on the content of the site and the age group you are advertising towards. If you are targeting children, or if your website features content with age restrictions, such as alcohol, then there are a number of things you need to do to be compliant.
Another area where you need to be aware of the data you collect is healthcare: if your website is healthcare related and you collect sensitive personal information, you must make sure that you comply with the extra restrictions and rules on gathering this sort of information.
You must also show your prices with VAT, or at the very least have the option to show the prices with VAT.
You must be transparent about any agreements with influencers or other marketing activities that could be considered hidden advertisement.
There are requirements for the language used on your website. You must write clearly and in a way that makes it easy for your (target) audience to understand what you mean. Generally speaking, this means your website must be written in the native language of the country your target audience is in.
This means that you must have your website in different versions, matching the languages of the countries you are marketing yourself to.
There are some exceptions for countries that have multiple native languages, or where English is acceptable to use even though it isn’t an official language.
One way of keeping track of consents and the evidence you need is through a consent management solution that tracks your cookie consents.
With Openli you can collect and document consent for all cookies used on your site. We use geotargeting to ensure that you collect the right consent in each of your markets, depending on the jurisdiction of the user or customer. Our solution detects which cookies you use and collects compliant consents for those. With Openli you get a full audit trail, so you can prove consents to a data authority if you need to.