Date: The 9th of November
Time: 03:00 - 04:00 PM
During this webinar, we’ll take you through the documents and tell you why you need them and what they should include.
Lawyer specialised in privacy and marketing law, with six years' experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.
Speaker 1: Good afternoon, everybody. Before we jump into this webinar for today about the legal documents you need on your website, I will just let people join and give it a few minutes. No, not minutes. Just a few seconds. I hope you're all well, and that the sound and the video is going through clearly. Oh, you can't hear me? Can you hear me now? Okay, give me a second. Oh, you can ... Okay, thank you [Aliyah 00:00:47]. Nathan, maybe it's on your end, unless everybody else is having some issues. Oh, good. Thank you. For one second, I thought it was my headset. It's not my best-performing headset, but hopefully Nathan, you will figure out how to get the sound going. A webinar ... Oh, good. Fantastic. It's a good way to start.
That actually gives me a good way to actually ask you guys to give any questions you may have along the way. Shoot them off. It makes this conversation for me a little bit more fun, and feel that I'm not just talking to myself. What I'll do now is I'm going to share my screen, and I'll take you through the legal documents you need on your website. I'm not able to see all your questions all the time, but I will try to check in and see what you might have of questions, and otherwise I will cover them at the end.
Let's jump into it and share my screen now. Okay, you should be able to see it now. Good. We're jumping over here, and doing a presentation. Today's subject for this webinar is about the legal documents you need on your website.
Why am I talking about this? Well, my background is an attorney, both from a law firm and from a company called Trustpilot. I have been working for a [inaudible 00:02:22] law firm here in Denmark for six years, where I have big clients like Google, Netflix and HBO, and help them with their e-commerce and data privacy and marketing. I then jumped over to a company called Trustpilot, where I built out their legal team and compliance team and privacy teams. From there on, I got a sense of I'd really love to be a part of a startup, and take that journey where you're building something from the ground up and really making a difference.
So I started Openli together with two co-founders a few years ago now. What we've been building is compliance software to make it easier for companies to be compliant online. Given the fact that I'm very much driven about making a difference, very much driven about actually helping smaller companies or a mid-size company be compliant, because the bigger ones, they can afford it, right? Our purpose has been to share some of all that knowledge that I have from my past and give it onwards, and that's what we're doing today.
Today, we're going to be jumping into the legal documents you need on your website. We're going to go through just in brief terms overall the legislation you need, what authorities you can maybe find guidance from. A lot of them have some really good guides out there, some really good advice on what you need to focus on. Then we'll cover the legal documents you need, and some of the requirements related to those documents. That's what we'll be jumping into now.
Firstly, the challenge as you all know, is that having a website isn't just having a website. It's not just adding stuff on it and making some really, really impressive and well-working web shops and landing pages. There are a lot of more details that come with that, and a lot more requirements coming from ... You have to have your payment gateways up and running, but there's also all these legal requirements that are impacting you of course as well. So it's not easy, and we know that.
In addition to that, the landscape is ever-changing. The legal rules never just remain the same. New rules come out, new verdicts, new guidelines. To make it even more complicated, of course just in Europe, it's not the same if you are working in France as if you have customers in Belgium, or if you are from the UK or in Denmark. On top of that, the rules differ if you are selling to businesses compared to if you're selling to consumers.
When I'm going through these slides that will come up, I will outline the generic rules that apply, regardless of whether or not you're selling to businesses or consumers. But it's important just also to remember that there will be some rules, and there will be something that I haven't covered because they're so specifically related to a segment or a specific small little type of industry. But if you're doing what I'm going to be going through, you're in a pretty good spot, just FYI.
The legislation we're going to cover today is sale of goods. It is e-commerce, it's data protection, it's advertising and marketing laws, it's cookies and it's consumer legislation. All of these types of legal subjects are all regulating how and what type of documents you should have on your website. When I'm meaning how, it's also how you're going to be presenting those documents, in what language, in what form ... Should they be presented as a link? Should it be possible to download them? There are so many small tweaks here and there that are impacting the legality of your legal documents on your website.
If we jump into it, the authorities where you can find guidance, but where you are also of course in trouble if you don't do it the right way, is of course the ICO, just as an example in the UK. They're governing everything related to data protection and cookies. The reason why I'm referring to the ICO, because I know that a lot of you might not be from the UK, but the UK data protection office, which is the ICO, is one of the strongest and most powerful data protection authorities in Europe. Together with the French, these guys are actually setting the standards in many ways, and they have really good guidelines, and they have really good explanations of what are the requirements that you need to abide by. So if you need to find some kind of inspiration, or if you're in doubt what applies, this is actually a good place to find that type of information.
The Advertising Standards Authority in the UK is also of course an important body to keep in mind if you're in the UK. This is more UK-specific. In Denmark, just as an example, you have the Danish Data Protection agencies, you have the Danish Business Authorities, and you have the Danish Consumer Ombudsman. The Danish Consumer Ombudsman are the authority that is regulating if you send out spam emails. If consumers complain, they are also the ones that would tell if you can use influencers, just as an example, in your marketing, and they will also be the ones that are giving you guidelines on how to draft your terms and conditions toward consumers et cetera.
You have CNIL in France, and you have the Dutch Data Protection Agency as well, also having really good guidelines. If you need inspiration, those are some of the bodies that you can go to and find some advice.
One of the things that I was kind of contemplating on whether or not we should cover in this little webinar was whether we should go through all the documents you need if you're selling to B2Bs. I had a look at some of all you guys joining, and there was a bit of a mix between whether or not you're B2C or B2B. So I've excluded that, but if that is something you could be interested in, just let me know and I'll be happy to cover that as well. But if you're doing B2B software, and if for example you're a data processor, so you're helping your customers with ... it can be software, it could be like Openli. We're helping companies collect compliance consents online. Well, then we're a data processor, and here, we need even more documents, and there needs to be even more information available on our website about what we do.
That could also be turned into some really strong selling documents and arguments for you in your sales processes, but that's something we won't be covering in this session. It's just so you guys know.
Before we dive into the different types of legal documents you need, I just wanted to outline something that is generic across all your documents, and that is, they need to include the following information. You need to include your name, and by name, I mean full company name, the address, so people can actually see where you're located, the street number and city and country. There needs to be an email, and this can be a [email protected] It can also be to support. It doesn't have to be a person, but there needs to be an email that you can write to.
There also needs to be a telephone number, and this is where many people actually are non-compliant. But you actually should be including a telephone number on your website. You can't, just FYI, in many of your documents, actually just link to a Contact Us page or About Us page where you include this type of information. But in some of the documents, you actually need to include this piece of information. Now when I say "piece", I mean this list of information.
Then you need to include your VAT number, your company registration number, and if you're a part of a specific group or a body. For example if you're a doctor, you need to have that type of badge and approval stamp that you would have if you are an accredited doctor. It could also be that you are part of a certification, so you would need and include that information as well.
Just to give you a bit of flavor of the differences, in France and Poland, just as an example, you need to include information about your share capital. Many of you joining this webinar today aren't in Poland or in France, but if you're selling to French people, and you have a French website directed towards the French audience, well, then you actually need to include this information on your French website.
In Germany, as another example, you need to include information about the owner. So it isn't as easy, but it's at least manageable and it's not that difficult. It's more just actually having the information available.
Another thing you need to also be mindful of in regards to the information that you need to include on your website: it needs to be easily accessible, and there needs to be continuous access to them. So you can't just put it in a hidden link where nobody is able to find it. You can give it on the first page, or as I mentioned, on an underlying page, but for example where you on your front page have your About Us or a Contact Us type of link, so that it's very obvious where you could find the information.
When I say that, you need to be mindful again that France has a rule that the information must be accessible on all sub-pages on a company's website. So here, you can't really just link to another sub-page. You have to include the information on that specific sub-page again and again and again, because it needs to be on all of them. In Germany, it's a requirement that you have an imprint, or an Impressum as they call it in Germany, where you include a lot of this information, and it has to be very easy to find, and it can't be more than two clicks away from all pages of the company's website.
If we then dive into the first document, this is the T&Cs or the contract. When we're talking about this, this is very relevant if you can sign up to a service, if you can buy something online, so here there is some kind of contract that is put in place between you and a customer. One of the things you need to be very mindful and think about when we're talking about the overall scope of these T&Cs, I'm not diving into the specifics, is that it has to be approved by the consumers or the customer. You need their acceptance. It can't be that you just by saying, "If you want access to our site or to our account, you need to accept the terms," and then they can't actually select them. That would be non-compliant. There needs to be a tick box. That tick box can be mandatory so that people can't get access to your account unless they accept the terms, but there needs to be an active consent from the customer's side.
Then you need to be mindful that the terms should be downloadable. You have to be able to prove that they accepted your T&Cs, so you need to have some kind of audit trail or approval. You have to send a receipt of an order or a subscription. You need to give instructions on how to cancel the subscription or correct any errors. Let's say that they added in a wrong VAT number, or their address was incorrect. There needs to be a way to change it. It doesn't have to be that they can go back and edit the form once submitted, but if you for example have an account, make sure that it's possible for the user to edit their contact details, or at least have a very clear description/instruction on how you can do so.
Then payment, always ... In the past, it was more complicated, but with companies like Stripe, it's become much more easy to actually collect payment. When you have Shopify and all those types of providers, well, then it becomes a bit more easy than it was in the past. Then also remember you need to tell for how long they're signing up. It might be that they can sign up forever, and there's a month termination. Or if it's for a 12-month term and you can't cancel in the meantime, make sure that you write that very specifically.
Just once again, it is super important that consumers need to give active consent to your terms and conditions. So do the B2Bs. If you can't prove that they actively gave consent to your document, it could actually mean that your contract isn't valid, and you don't have that to rely on.
Then the T&Cs when we're talking about consumers, they have to be available in all local languages of the country where you're promoting your services in. If you have a French website, everything is in French. You're maybe from the UK, then you actually have to have your T&Cs in French. It's not good enough that they're in English.
When we're talking about the contract and the transactional information that you have to have in the contract, well, then you have to have a clear description of what it is that they're buying. You have to have a clear description of the price and whether or not it's with VAT. You have to state how they can pay when the goods/services subscription is being delivered and performed. If it's a consumer, there needs to be a right of cancellation, and it needs to be outlined. It should also be done in the same way for businesses.
You need to explain how you're dealing with customer complaints. You need to write details of whether or not you or your customer would be responsible for a return or refund. This is only for consumers, by the way. Then we're talking about contractually ... being able to cancel a contract.
Well, I would definitely recommend that you have information about breach of contract if we're talking about B2Bs. So for example, let's say that there is a breach of a contract. Well then list that you have a 14-day right to actually remedy any type of wrongdoing or fault on your end, otherwise you could be in a situation where they would be able to cancel immediately, and nobody is interested in that.
Then there needs to be information about law and venue. There are very specific requirements related to B2C, but in B2B settings, you can actually decide what type of law and what type of venue you prefer. So if you are from Germany, you could state that German law applies, and it would be a German venue, which definitely would be in your interests, so make sure that you have that in your T&Cs. Then again, as I mentioned, make sure that your contact details are in the documents as well.
Then there are some additional documents you need to think about when we're talking about T&Cs and buying online, and that is you need to send an order confirmation without undue delay after the conclusion of an agreement. This is regarding consumers, but it is also good practice to do when we're talking about selling to businesses. You also need, especially for consumers, to send an electronic receipt of an order confirming that you've received it and what the contract is actually about.
Then we need to tell you what information are we sharing, and who are we sharing it with. In this regard, we aren't sharing it with anybody, but we're actually using sub-processors. The sub-processors we're using are Crowdcast, because they're helping actually to serve this webinar. So when we're talking, they have actually on our behalf, collected the email, because you've got access to it and you signed up, and your name.
What we did, and just to give you guys as an example, is that as part of our compliance, we make sure that Crowdcast have all their data processing activities approved by us. So we took a look at their security settings. We took a look at the contract that we entered into with Crowdcast. Given the fact that they're located in ... let's say just as an example, in a country outside of the EU, we couldn't send them that information unless we had a data transfer in place, a legal basis for it.
Then we are telling you how you can get access to the information we're processing about you, that you have a right to be deleted, and how you can make changes or edits to the data that we collected about you.
Now, Crowdcast is located in the US, just as an example, so you guys get a sense of what it is we're meaning. When a company is located in the US, we had a verdict in July that is very important to be aware of, called Schrems II.
That decision actually has a big impact on European companies, but even bigger impact on American companies, because you're not allowed to transfer data to companies in the US unless you've done the following. You have to do an audit. You have to review the company, their security standards, their data practices and processing activities. You have to do a risk assessment of that company, and you have to make sure that you have a data processing agreement in place, and you have to make sure that you also have a legal basis for sending that information to the US.
Previously, everybody, or a lot of companies ... Not everybody, but a lot of companies in the US relied on what is called the privacy shield. A privacy shield is some kind of authorization certification meaning that you live up to the European standards for data protection. But in July, that was totally overruled and couldn't be used any more. So the only way that you can actually transfer data today to the US, there are some exceptions, is with the use of what is called standard model clauses or standard contractual model clauses. That is called an SCC, and that is what you need to have in place with the vendors you have in the US.
But it's actually also about building that trust to consumers. It is about actually caring and doing the right thing. So it's a lot about actually being accountable, and describing on your website what you do and why you do it, so that people can feel confident that when they're using your service, that you have it under control.
Jumping into the next area, that is related to trademarks or copyright, you might call it. It's not the same, by the way, but regardless of that, you should on your website, have a copyright policy stating restrictions of the use and copying of copyright-protected material on your website. You should also have guidelines on how people are allowed to use your logo, your name, your trademarks, what's authorized to use and what's unauthorized to use. And if they want to use it, should they notify you in advance? Or do you just want to give them free access to use your logo, for example in regards to some kind of customer statement, just as an example?
Then in both regards to the copyright policy and to the trademark guidelines, make sure that you include information about when you updated it, and that you can make changes to it along the way, so that it's not a static document.
That means make sure that people understand what you're saying, and also have it in the language of that country where you're located/established. But if you're also offering your services to specific countries, and you have targeted websites for those markets, you need to make sure that your policies are translated and compliant in that market.
Just a few little tips before we close off, and I'll be happy to answer any questions you have. I would strongly recommend that you do annual checks, kind of like reviews of your documents, that you have some checklists in place so that you can actually show that this is something you're working with, because that is also very important when we're talking about being compliant. Then maybe find a solution that is taking some of that focus away, so that it's maintained, and you can continue on focusing on your business.
As I mentioned in the beginning, we're here to help, so if you have any questions, just send us an email. We are also on LinkedIn, and I have regular posts about webinars or new rulings around Europe, and that is also maybe a place for you to find information. Then we also have our webinar webpage, openli.com/webinar, where you can always see upcoming webinars that are maybe of interest to you, and sign up. It's always free.
What I'll do now is I'll jump over, and hopefully still be able to see you guys, and ask if you have any questions. Okay, I have one question, and that is, "Do you need to ask for tick box opt-in consent like we do for T&Cs? Or is it okay to assume that by signing up, they automatically consent?"
Then another question is, "You mentioned that there were more documents required for B2B. Which are they?" Well, it very much depends, when we're talking about B2Bs, what type of service you're selling. But if it is B2B, and you are a data processor, meaning you're for example processing data on behalf of the companies using your service ... A good example: let's say you are Salesforce, so every company signing up to Salesforce is the data controller, and they use Salesforce as their CRM system. Here, Salesforce need to tell you as a customer how they're processing your data on your behalf. That means that you need to have a data processing agreement in place.
In addition to that, they need to tell you what sub-processors Salesforce are using to be able to help you use your CRM system. Salesforce will probably use a lot of processors. That needs to be included as well. You also need to tell them about how you're handling your security as their processor. So here, that also needs to be included as well.
Typically, when we're talking about B2Bs, you would have a subscription agreement as an example. That subscription agreement of course needs to have a lot of details, and I'll be more than happy to go through what should a standard B2B subscription contract include, if that would be something you guys would find interesting. But that means that there are more documents to be mapped out that wouldn't be applicable to B2Cs. I hope that answers your question. Oh, and by the way, you would typically also have something like service level agreements when you're doing B2B sales.
Are there any more questions? I'll just give you guys a second. Well, if that isn't the case, I hope you found it useful. Oh, a question from Nathan. "Do you provide templates as part of your services?" Well, the question being short in answer is yes, we do. Not all of them. Some of the things that I was covering today is a little bit beyond what we do, because we're primarily focused on privacy and consent management, but we do have the majority of the templates that were covered today. And if you're interested, I'd be more than happy to tell and explain a little bit about the types of templates we have.
I am going to send you guys a link to the broadcast afterwards so you can view it or you can share it if you want to, with people inside your company. Other than that, I do hope you found it useful. I do hope that it gave you some insights, and if you have anything that you would like me to cover in another episode or if you have any feedback, I would absolutely love to get it, because we can't improve if we don't get the feedback, and we want to give you guys a good experience.
I just want to thank you all, and it was super nice to have you here today, and I wish you a pleasant afternoon. Thank you. Bye.