The legal documents you need on your website

Openli webinar



Date: The 9th of November

Time: 03:00 - 04:00 PM

Operating online requires that you have legal policies available for your users and customers. Some of these policies are cookie policy, privacy policy etc.

During this webinar, we’ll take you through the documents and tell you why you need them and what they should include.

Webinar speakers


Stine Mangor Tornmark

CEO, Openli

Lawyer specialised in privacy and marketing law, with six years' experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.


Speaker 1: Good afternoon, everybody. Before we jump into this webinar for today about the legal documents you need on your website, I will just let people join and give it a few minutes. No, not minutes. Just a few seconds. I hope you're all well, and that the sound and the video are going through clearly. Oh, you can't hear me? Can you hear me now? Okay, give me a second. Oh, you can ... Okay, thank you [Aliyah 00:00:47]. Nathan, maybe it's on your end, unless everybody else is having some issues. Oh, good. Thank you. For one second, I thought it was my headset. It's not my best-performing headset, but hopefully Nathan, you will figure out how to get the sound going. A webinar ... Oh, good. Fantastic. It's a good way to start.

That actually gives me a good way to actually ask you guys to give any questions you may have along the way. Shoot them off. It makes this conversation for me a little bit more fun, and feel that I'm not just talking to myself. What I'll do now is I'm going to share my screen, and I'll take you through the legal documents you need on your website. I'm not able to see all your questions all the time, but I will try to check in and see what you might have of questions, and otherwise I will cover them at the end.

Let's jump into it and share my screen now. Okay, you should be able to see it now. Good. We're jumping over here, and doing a presentation. Today's subject for this webinar is about the legal documents you need on your website.

Why am I talking about this? Well, my background is an attorney, both from a law firm and from a company called Trustpilot. I have been working for a [inaudible 00:02:22] law firm here in Denmark for six years, where I have big clients like Google, Netflix and HBO, and help them with their e-commerce and data privacy and marketing. I then jumped over to a company called Trustpilot, where I built out their legal team and compliance team and privacy teams. From there on, I got a sense of I'd really love to be a part of a startup, and take that journey where you're building something from the ground up and really making a difference.

So I started Openli together with two co-founders a few years ago now. What we've been building is compliance software to make it easier for companies to be compliant online. Given the fact that I'm very much driven about making a difference, very much driven about actually helping smaller companies or a mid-size company be compliant, because the bigger ones, they can afford it, right? Our purpose has been to share some of all that knowledge that I have from my past and give it onwards, and that's what we're doing today.

Today, we're going to be jumping into the legal documents you need on your website. We're going to go through just in brief terms overall the legislation you need, what authorities you can maybe find guidance from. A lot of them have some really good guides out there, some really good advice on what you need to focus on. Then we'll cover the legal documents you need, and some of the requirements related to those documents. That's what we'll be jumping into now.

Firstly, the challenge as you all know, is that having a website isn't just having a website. It's not just adding stuff on it and making some really, really impressive and well-working web shops and landing pages. There are a lot of more details that come with that, and a lot more requirements coming from ... You have to have your payment gateways up and running, but there's also all these legal requirements that are impacting you of course as well. So it's not easy, and we know that.

In addition to that, the landscape is ever-changing. The legal rules never just remain the same. New rules come out, new verdicts, new guidelines. To make it even more complicated, of course just in Europe, it's not the same if you are working in France as if you have customers in Belgium, or if you are from the UK or in Denmark. On top of that, the rules differ if you are selling to businesses compared to if you're selling to consumers.

When I'm going through these slides that will come up, I will outline the generic rules that apply, regardless of whether or not you're selling to businesses or consumers. But it's important just also to remember that there will be some rules, and there will be something that I haven't covered because they're so specifically related to a segment or a specific small little type of industry. But if you're doing what I'm going to be going through, you're in a pretty good spot, just FYI.

The legislation we're going to cover today is sale of goods. It is e-commerce, it's data protection, it's advertising and marketing laws, it's cookies and it's consumer legislation. All of these types of legal subjects are all regulating how and what type of documents you should have on your website. When I'm meaning how, it's also how you're going to be presenting those documents, in what language, in what form ... Should they be presented as a link? Should it be possible to download them? There are so many small tweaks here and there that are impacting the legality of your legal documents on your website.

If we jump into it, the authorities where you can find guidance, but where you are also of course in trouble if you don't do it the right way, is of course the ICO, just as an example in the UK. They're governing everything related to data protection and cookies. The reason why I'm referring to the ICO, because I know that a lot of you might not be from the UK, but the UK data protection office, which is the ICO, is one of the strongest and most powerful data protection authorities in Europe. Together with the French, these guys are actually setting the standards in many ways, and they have really good guidelines, and they have really good explanations of what are the requirements that you need to abide by. So if you need to find some kind of inspiration, or if you're in doubt what applies, this is actually a good place to find that type of information.

The Advertising Standards Authority in the UK is also of course an important body to keep in mind if you're in the UK. This is more UK-specific. In Denmark, just as an example, you have the Danish Data Protection agencies, you have the Danish Business Authorities, and you have the Danish Consumer Ombudsman. The Danish Consumer Ombudsman is the authority that is regulating if you send out spam emails. If consumers complain, they are also the ones that would tell you if you can use influencers, just as an example, in your marketing, and they will also be the ones that are giving you guidelines on how to draft your terms and conditions toward consumers et cetera.

You have CNIL in France, and you have the Dutch Data Protection Agency as well, also having really good guidelines. If you need inspiration, those are some of the bodies that you can go to and find some advice.

If we jump more into it, the type of legal documents you need on your website is terms and conditions. I'll come back to that, but those are the terms that regulate a purchase if people are buying something from your website. It can be if you are selling software, but it could also be if you're selling goods. Then you have to have your privacy policy. That is a document where you are describing how you're processing your users' information, and I'll give you a bit more flavor into that. That can be a very long document, and actually it takes a lot of work to do it properly, especially if your consumers are to understand what it is you're actually doing.

Then you need a refund policy. This is only applicable if you're selling to consumers, so if you're in the B2B market, this isn't a requirement. Then I personally strongly recommend that you have a copyright policy/trademark policy. This is the policy, and I'll also cover that, where you explain what people are allowed to do with your trademarks, and what they can't do. Then if you're linking to other sites, you need a third-party link statement, and I'll give you a flavor to that. And then you need the cookie policy. But just FYI, these are the standard documents that we'll be covering in this session, but there are many more.

One of the things that I was kind of contemplating on whether or not we should cover in this little webinar was whether we should go through all the documents you need if you're selling to B2Bs. I had a look at some of all you guys joining, and there was a bit of a mix between whether or not you're B2C or B2B. So I've excluded that, but if that is something you could be interested in, just let me know and I'll be happy to cover that as well. But if you're doing B2B software, and if for example you're a data processor, so you're helping your customers with ... it can be software, it could be like Openli. We're helping companies collect compliance consents online. Well, then we're a data processor, and here, we need even more documents, and there needs to be even more information available on our website about what we do.

That could also be turned into some really strong selling documents and arguments for you in your sales processes, but that's something we won't be covering in this session. It's just so you guys know.

Before we dive into the different types of legal documents you need, I just wanted to outline something that is generic across all your documents, and that is, they need to include the following information. You need to include your name, and by name, I mean full company name, the address, so people can actually see where you're located, the street number and city and country. There needs to be an email, and this can be a [email protected]. It can also be to support. It doesn't have to be a person, but there needs to be an email that you can write to.

There also needs to be a telephone number, and this is where many people actually are non-compliant. But you actually should be including a telephone number on your website. You can't, just FYI, in many of your documents, actually just link to a Contact Us page or About Us page where you include this type of information. But in some of the documents, you actually need to include this piece of information. Now when I say "piece", I mean this list of information.

Then you need to include your VAT number, your company registration number, and if you're a part of a specific group or a body. For example if you're a doctor, you need to have that type of badge and approval stamp that you would have if you are an accredited doctor. It could also be that you are part of a certification, so you would need and include that information as well.

Just to give you a bit of flavor of the differences, in France and Poland, just as an example, you need to include information about your share capital. Many of you joining this webinar today aren't in Poland or in France, but if you're selling to French people, and you have a French website directed towards the French audience, well, then you actually need to include this information on your French website.

In Germany, as another example, you need to include information about the owner. So it isn't as easy, but it's at least manageable and it's not that difficult. It's more just actually having the information available.

Another thing you need to also be mindful of in regards to the information that you need to include on your website: it needs to be easily accessible, and there needs to be continuous access to them. So you can't just put it in a hidden link where nobody is able to find it. You can give it on the first page, or as I mentioned, on an underlying page, but for example where you on your front page have your About Us or a Contact Us type of link, so that it's very obvious where you could find the information.

When I say that, you need be mindful again that France has a rule that the information must be accessible on all sub-pages on a company's website. So here, you can't really just link to another sub-page. You have to include the information on that specific sub-page again and again and again, because it needs to be on all of them. In Germany, it's a requirement that you have an imprint, or an Impressum as they call it in Germany, where you include a lot of this information, and it has to be very easy to find, and it can't be more than two clicks away from all pages of the company's website.

If we then dive into the first document, this is the T&Cs or the contract. When we're talking about this, this is very relevant if you can sign up to a service, if you can buy something online, so here there is some kind of contract that is put in place between you and a customer. One of the things you need to be very mindful and think about when we're talking about the overall scope of these T&Cs, I'm not diving into the specifics, is that it has to be approved by the consumers or the customer. You need their acceptance. It can't be that you just by saying, "If you want access to our site or to our account, you need to accept the terms," and then they can't actually select them. That would be non-compliant. There needs to be a tick box. That tick box can be mandatory so that people can't get access to your account unless they accept the terms, but there needs to be an active consent from the customer's side.

Then you need to be mindful that the terms should be downloadable. You have to be able to prove that they accepted your T&Cs, so you need to have some kind of audit trail or approval. You have to send a receipt of an order or a subscription. You need to give instructions on how to cancel the subscription or correct any errors. Let's say that they added in a wrong VAT number, or their address was incorrect. There needs to be a way to change it. It doesn't have to be that they can go back and edit the form once submitted, but if you for example have an account, make sure that it's possible for the user to edit their contact details, or at least have a very clear description/instruction on how you can do so.

Then payment, always ... In the past, it was more complicated, but with companies like Stripe, it's become much more easy to actually collect payment. When you have Shopify and all those types of providers, well, then it becomes a bit more easy than it was in the past. Then also remember you need to tell for how long they're signing up. It might be that they can sign up forever, and there's a month termination. Or if it's for a 12-month term and you can't cancel in the meantime, make sure that you write that very specifically.

Just once again, it is super important that consumers need to give active consent to your terms and conditions. So do the B2Bs. If you can't prove that they actively gave consent to your document, it could actually mean that your contract isn't valid, and you don't have that to rely on.

Then the T&Cs when we're talking about consumers, they have to be available in all local languages of the country where you're promoting your services in. If you have a French website, everything is in French. You're maybe from the UK, then you actually have to have your T&Cs in French. It's not good enough that they're in English.

When we're talking about the contract and the transactional information that you have to have in the contract, well, then you have to have a clear description of what it is that they're buying. You have to have a clear description of the price and whether or not it's with VAT. You have to state how they can pay when the goods/services subscription is being delivered and performed. If it's a consumer, there needs to be a right of cancellation, and it needs to be outlined. It should also be done in the same way for businesses.

You need to explain how you're dealing with customer complaints. You need to write details of whether or not you or your customer would be responsible for a return or refund. This is only for consumers, by the way. Then we're talking about contractually ... being able to cancel a contract.

Well, I would definitely recommend that you have information about breach of contract if we're talking about B2Bs. So for example, let's say that there is a breach of a contract. Well then list that you have a 14-day right to actually remedy any type of wrongdoing or fault on your end, otherwise you could be in a situation where they would be able to cancel immediately, and nobody is interested in that.

Then there needs to be information about law and venue. There are very specific requirements related to B2C, but in B2B settings, you can actually decide what type of law and what type of venue you prefer. So if you are from Germany, you could state that German law applies, and it would be a German venue, which definitely would be in your interests, so make sure that you have that in your T&Cs. Then again, as I mentioned, make sure that your contact details are in the documents as well.

Then there are some additional documents you need to think about when we're talking about T&Cs and buying online, and that is you need to send an order confirmation without undue delay after the conclusion of an agreement. This is regarding consumers, but it is also good practice to do when we're talking about selling to businesses. You also need, especially for consumers, to send an electronic receipt of an order confirming that you've received it and what the contract is actually about.

Okay. Jumping further in, so now we're coming to the privacy policy. The privacy policy is the document that is describing how you're processing your consumers' data. When we're talking about online data collection, it is for example when you're collecting information from a signup form, when you're collecting information from users when they're subscribing to a newsletter. But it's also when you're selling online, or the use of their ... Let's say they sign up for a webinar, like us here today. Well here, every time you actually obtain information from a user on your website or a customer, you need to make sure that in that signup form, that there is a link to your privacy policy, because you're capturing their personal information. That privacy policy needs to include your contact details that were covered above, but here you also need to tell them what personal data is collected from the users, what you're using the data for.

Let's take us as an example, and what we're doing here today. When you signed up, you were asked to of course give your name and your email, and then we registered you for the webinar. In that regard, we need to include our privacy policy, because now, we're capturing your data. What we're collecting it for is actually to serve you this webinar, so we could send you a reminder. And afterwards, I'm going to send you an email saying, "Here is a link to the video." Those are the purposes that we're using the data for.

Then we need to tell you what information are we sharing, and who are we sharing it with. In this regard, we aren't sharing it with anybody, but we're actually using sub-processors. The sub-processors we're using are Crowdcast, because they're helping actually to serve this webinar. So when we're talking, they have actually on our behalf, collected the email, because you've got access to it and you signed up, and your name.

What we did, and just to give you guys as an example, is that as part of our compliance, we make sure that Crowdcast have all their data processing activities approved by us. So we took a look at their security settings. We took a look at the contract that we entered into with Crowdcast. Given the fact that they're located in ... let's say just as an example, in a country outside of the EU, we couldn't send them that information unless we had a data transfer in place, a legal basis for it.

What we had to do is look at whether or not that there was a standard contractual clause in place, and I'll come back to that in just a short little while, because otherwise you can't send data outside of the EU about EU citizens. What we also did when you signed up, and gave you access to our privacy policy, is tell you that if you had any kind of complaint about how we're processing your data, you were more than welcome of course to send us an email and let us know what your concerns were, but you could also complain to the Danish Data Protection Agency, because they are the authority that is regulating what we do, because we're located in Denmark.

Then we are telling you how you can get access to the information we're processing about you, that you have a right to be deleted, and how you can make changes or edits to the data that we collected about you.

In our privacy policy, we actually also have a lot of information about how we keep your data safe. We explain in a 21-page-long document how we're actually doing in regards to security, so our security standards, the different types of data processing activities and practices that we have in place, so you have an idea of how we're protecting your information. Then what I just told you, we tell you whether or not your data is being transferred to other countries. By the way, the only thing we're doing here is transferring it to Crowdcast so that they could help produce this webinar with their software.

Now, Crowdcast is located in the US, just as an example, so you guys get a sense of what it is we're meaning. When a company is located in the US, we had a verdict in July that is very important to be aware of, called Schrems II.

That decision actually has a big impact on European companies, but an even bigger impact on American companies, because you're not allowed to transfer data to companies in the US unless you've done the following. You have to do an audit. You have to review the company, their security standards, their data practices and processing activities. You have to do a risk assessment of that company, and you have to make sure that you have a data processing agreement in place, and you have to make sure that you also have a legal basis for sending that information to the US.

Previously, everybody, or a lot of companies ... Not everybody, but a lot of companies in the US relied on what is called the privacy shield. A privacy shield is some kind of authorization certification meaning that you live up to the European standards for data protection. But in July, that was totally overruled and couldn't be used any more. So the only way that you can actually transfer data today to the US, there are some exceptions, is with the use of what is called standard model clauses or standard contractual model clauses. That is called an SCC, and that is what you need to have in place with the vendors you have in the US.

You might be thinking, "Why are we talking about this when we're talking about legal documents I need to have on my website?" Well, the reason why we're talking about it is that you need to describe this in your privacy policy, and you need to have it available on your website. You might be thinking, "Okay, what is the likelihood that somebody would complain about us?" Well, that's maybe a fair point. The data protection authorities are busy, and a lot of companies have a lot of data breaches. I think actually we had 58,000 complaints accumulated last year, just to give you ... Not in Denmark, but across Europe. So there is a lot of other wrongdoings out there, just as an example.

But it's actually also about building that trust to consumers. It is about actually caring and doing the right thing. So it's a lot about actually being accountable, and describing on your website what you do and why you do it, so that people can feel confident that when they're using your service, that you have it under control.

Well, the privacy policy, as I just mentioned previously, needs to be accessible to all people when you collect their information. For example, when they're signing up to an email marketing newsletter, that's where you also need it. You also need to remember that you should give people a possibility of opting out or unsubscribing to email marketing, and I would strongly recommend that you also describe how you can opt out/unsubscribe in your privacy policy.

Then it is super important that you look at your privacy policy and see, is it actually understandable? Is it easy to read? Is it nice on the eye? Make sure to prove that you actually gave people the ability to read your privacy policy at the time that they gave you the information.

Jumping into the next area, that is related to trademarks or copyright, you might call it. It's not the same, by the way, but regardless of that, you should on your website, have a copyright policy stating restrictions of the use and copying of copyright-protected material on your website. You should also have guidelines on how people are allowed to use your logo, your name, your trademarks, what's authorized to use and what's unauthorized to use. And if they want to use it, should they notify you in advance? Or do you just want to give them free access to use your logo, for example in regards to some kind of customer statement, just as an example?

Then in both regards to the copyright policy and to the trademark guidelines, make sure that you include information about when you updated it, and that you can make changes to it along the way, so that it's not a static document.

If you're linking to third-party websites on your site, which many people do, you need to consider making a statement. And this can be included in your privacy policy. You can also choose to have it as a separate link ... about the fact that those sites you're referring to aren't under your control, and it is not your responsibility, but it is the responsibility of that company you're linking to.

What you also normally would do is actually include a sentence to simply state so that the user reading the terms or your privacy policy ... I would recommend including it in your privacy policy ... that those types of links are regulated by that third-party website's privacy policy. So you would recommend that they read that privacy policy before they actually give any information away to that third-party website. Okay?

Final document: the cookie policy. Your cookie policy is where you describe how you're using cookies on your website. You need to include information about what a cookie is, and you might be thinking, "Why do I need to do that?" Well, that is because a lot of users do not know what cookies are. So it's kind of like framing what this policy is about. Then you need to describe the different types of cookies you use on your website, and how you use them. Here, we're differentiating ourselves between necessary cookies and the non-necessary cookies. As an example, that could be your analytical cookies. Why is that important? Well, the thing is, there is a difference in terms of capturing consent. There is a difference in the two between whether or not you need to block them before the user gives consent, and then there's also a question about if they are regarded as third-party cookies or first-party cookies.

Third-party cookies are seen as way more intrusive, way more dangerous, and therefore we will also have an obligation to link to those third-party cookie providers, because they're capturing the data for their own purposes. So here you need to include a privacy policy link to those providers.

Then you need to include information about the agreements you have in place with them, and finally you also in your cookie policy should include information about how they can control their cookie settings and opt out.

Now here is a little piece of information that is very important. You also need to include information about each cookie you use in your cookie policy. That means a cookie policy shouldn't be a static document. Every time you update a cookie, you should include information about that updated cookie. It might be that you use a new cookie for a new purpose. It might be that you are using new cookies. Well, that information should be captured into your cookie policy, so it's always kept up to date.

If you're using Openli, you might have seen these texts in the cookie policies. That is capturing that update continuously, so as soon as the scanner is picking up a new cookie, that is being updated. If you're using another provider, just make sure that there is a link in your cookie policy, so it continuously updates itself, and you do not need to be continuously looking at this, because otherwise you would be doing nothing else than just maintaining this document then. I know that it's important for a business to work on being compliant, but it's also important to actually work on what it is you guys are doing, meaning selling your goods, selling your software, promoting your services.

Finally make sure that the cookie policy also includes information about how the user can find and withdraw their consent. The language you have, not just in the banner, but also in the policy, needs to be easy, needs to be understandable. That goes through all the documents that we're talking about. It is so easy to get a document that people don't understand, and it is super easy to just copy/paste it. But if the people don't understand what you're doing with their data or in regards to cookies or in the terms and conditions, you might be in a situation where a court or an authority could come to the conclusion that it was written in such a way that the user wasn't able to understand it, and therefore it wouldn't be legal, and you would be in a situation where the court could be ruling in the favor of the consumer/customer instead of you.

That means make sure that people understand what you're saying, and also have it in the language of that country where you're located/established. But if you're also offering your services to specific countries, and you have targeted websites for those markets, you need to make sure that your policies are translated and compliant in that market.

Just a few little tips before we close off, and I'll be happy to answer any questions you have. I would strongly recommend that you do annual checks, kind of like reviews of your documents, that you have some checklists in place so that you can actually show that this is something you're working with, because that is also very important when we're talking about being compliant. Then maybe find a solution that is taking some of that focus away, so that it's maintained, and you can continue on focusing on your business.

As I mentioned in the beginning, we're here to help, so if you have any questions, just send us an email. We are also on LinkedIn, and I have regular posts about webinars or new rulings around Europe, and that is also maybe a place for you to find information. Then we also have our webinar webpage, where you can always see upcoming webinars that are maybe of interest to you, and sign up. It's always free.

What I'll do now is I'll jump over, and hopefully still be able to see you guys, and ask if you have any questions. Okay, I have one question, and that is, "Do you need to ask for tick box opt-in consent like we do for T&Cs? Or is it okay to assume that by signing up, they automatically consent?"

Well, the thing is, your question depends on what it is you're signing up for. I'm not completely sure, because you say, "Do you need to ask for tick box opt-in consent like we do ..." Well, and maybe Daniel, you could just elaborate. Oh, Daniel just wrote, "Sorry, I think it was for the privacy policy." No, you don't need consent. This is the standard issue that confuses a lot. You actually don't need consent for a privacy policy. If people are saying that, it's probably because they know what is required.

A privacy policy actually only requires that you give information, and it comes from the GDPR article that relates to the right to information. You have a right to be informed about how your data is being processed. You don't need to give consent for it. You need that information, and that is what the privacy policy does. What you normally would ask or state is a little sentence when you have your email marketing signup form, just as an example, where you would say, "By signing up, we'll process your data. Read more about how we'll handle it." You can word it in many ways. "Here's a link." That will be sufficient.

Then another question is, "You mentioned that there were more documents required for B2B. Which are they?" Well, it very much depends, when we're talking about B2Bs, what type of service you're selling. But if it is B2B, and you are a data processor, meaning you're for example processing data on behalf of the companies using your service ... A good example: let's say you are Salesforce, so every company signing up to Salesforce is the data controller, and they use Salesforce as their CRM system. Here, Salesforce needs to tell you as a customer how they're processing your data on your behalf. That means that you need to have a data processing agreement in place.

In addition to that, they need to tell you what sub-processors Salesforce are using to be able to help you use your CRM system. Salesforce will probably use a lot of processors. That needs to be included as well. You also need to tell them about how you're handling your security as their processor. So here, that also needs to be included as well.

Typically, when we're talking about B2Bs, you would have a subscription agreement as an example. That subscription agreement of course needs to have a lot of details, and I'll be more than happy to go through what a standard B2B subscription contract should include, if that would be something you guys would find interesting. But that means that there are more documents to be mapped out that wouldn't be applicable to B2Cs. I hope that answers your question. Oh, and by the way, you would typically also have something like service level agreements when you're doing B2B sales.

Are there any more questions? I'll just give you guys a second. Well, if that isn't the case, I hope you found it useful. Oh, a question from Nathan. "Do you provide templates as part of your services?" Well, the question being short in answer is yes, we do. Not all of them. Some of the things that I was covering today is a little bit beyond what we do, because we're primarily focused on privacy and consent management, but we do have the majority of the templates that were covered today. And if you're interested, I'd be more than happy to tell and explain a little bit about the types of templates we have.

I am going to send you guys a link to the broadcast afterwards so you can view it or you can share it if you want to, with people inside your company. Other than that, I do hope you found it useful. I do hope that it gave you some insights, and if you have anything that you would like me to cover in another episode or if you have any feedback, I would absolutely love to get it, because we can't improve if we don't get the feedback, and we want to give you guys a good experience.

I just want to thank you all, and it was super nice to have you here today, and I wish you a pleasant afternoon. Thank you. Bye.