Website compliance basics

Openli webinar


Date: The 11th of November

Time: 10:00 - 11:00 AM

Website compliance is impacted by overlapping legislation, which only gets more complex the more countries your business operates in. We have therefore created this webinar to give you an overview of some of the general information you need to run your website or webshop, and stay compliant. The content in the webinar has been tailored for companies operating in Europe.

If you would like to learn more about the GDPR's impact on the data you collect on your website, and which legal documents you need to have on your website, then register for our webinar. Stine Tornmark, Openli’s Co-Founder & General Counsel, will walk you through website compliance and be available to answer your questions.

Webinar speakers


Stine Mangor Tornmark

CEO, Openli

Lawyer specialised in privacy and marketing law, with six years' experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.

Transcript

Stine: Good morning. I am just waiting for a few more people to join before we dig in, just to make sure that everybody actually gets a few minutes to get everything going. I hope the sound is okay. If you guys can't hear me, just let me know and I'll try to fix it. In the meanwhile, while we are just waiting for people to join, I am looking forward to taking you through this webinar today, talking about website compliance, and some of the basics that we need to cover.

Stine: So, let's see. It's one minute over, so I think we should just jump right into it. If you have any questions along the way, just shoot. I am more than happy to answer any questions you might have. And it only gets more fun for me to do when people are engaging. So as mentioned, just ask and I'll be happy to answer any questions you might have. Cool. Then let's dig in and go through it. I'm going to share my screen because I think that makes the most sense. So here we go. I hope you guys can see my screen, and I'm jumping over here and I will take you through it.

Stine: So today's subject is about website compliance and we'll cover the basics. We won't dig into all the little nitty gritty details that should be on all websites, but I'll give you the main focus that you should be thinking about when you are online. So why am I talking about this? Well, my background is as an attorney from one of the big law firms here in Denmark, where I worked for six years for companies like Google and Netflix and HBO. Then I joined a startup at that point called Trustpilot, built out their legal team, was there for six years and built out compliance, legal, privacy, and all of that. And given my background mainly being around privacy and marketing and e-commerce, this is something that I feel very passionate about.

Stine: So that's why I love to pass on my knowledge. And it is also what we here at Openli really want to do. We want to help companies become better data citizens and give you guys the information you need to actually be compliant online, and also making it more tangible and understandable what it is that you need to do.

Stine: So today, we're going to be talking about the compliance aspects of having a website. What do you need to do? What do you need to have and why? That includes talking a little bit about the legislation. I'm also going to be talking a little bit about the legal requirements, which of course, sometimes can sound boring, I know, but I'll try to make it as painless and easy as possible for you guys. So why is it super important? Well, the thing is, it is today easy to get a website up and running. You have great companies like Shopify, making it easy for companies, but compliance is easily overlooked. And it is super difficult to find out what you need to do unless you have big budgets, big legal teams, then you have the knowledge in-house. But otherwise, either you need to pay a lot of money for attorneys or have no clue what to do. This is what we're trying to actually achieve, making it accessible.

Stine: You should know that the legal landscape is ever changing, and that means that you might be compliant today, but in six months' time, you will have a new verdict, a new guideline or new legislation coming out, which will impact the way you are set up and what you need to do. So I recommend that you try to think of this as an ongoing exercise. You don't need to do it every day, but do it once a year. Just have a look at the documents you have, what to do, and maybe use a checklist to make sure that you actually cover your basics.

Stine: It's also important to remember that the rules differ if you're B2B versus B2C. The legislation we're talking about here is a lot about sales of goods. It is the e-commerce legislation, it's data protection, it's advertising and marketing law, it's cookies, and it's consumer legislation. These are the rules that regulate all the things you need to have on your website. However, please note that if you're selling alcohol, as an example, there are more rules you need to abide by. Or if you're in health, that also requires additional compliance on your part. The same goes if you're marketing towards children. We won't go into those types of areas today, but it's more just to give you some understanding of what it is you need to cover.

Stine: Well, it's also important to note what regulatory bodies are out there that regulate the websites and what you do. In the UK it is the ICO. You also have the Advertising Standards Authority in the UK. In France, you have what is called CNIL, it's the French Data Protection Agency. In Denmark, you have the Danish Data Protection Authorities and the Danish Business Authorities and the Danish Consumer Ombudsman. Why am I mentioning these? It is to give you some examples of the bodies that will be regulating your website, but it's also to tell you that these authorities actually have pretty good guidelines on their websites. So actually I would strongly recommend that if you, for example, are in the UK, have a look at the ICO's website. It's actually pretty good, and it contains really valuable guidelines. So it's definitely a good place for information that is somewhat condensed and also easy to understand. That's not the case for all authorities, just between me and you guys. Some can be really long and very complex, but the ICO's guidelines are actually pretty good, and a good way to get started.

Stine: In general, taking the high-level view of your website, the first thing you always need to remember is to have your company details on your website. It's your company name, the address, email, phone number, VAT number, your registration number. And if you're part of an authorization group or a body or authorization schemes, that should be mentioned on your website too. It all sounds pretty easy, but what is somewhat complicated is that if you have websites that are in local languages or you're marketing yourself to specific markets, you need to be aware that there are different requirements that you might need to include. As an example, France and Poland are requiring you to have information about your share capital. In Germany, you need to note the name of the owner of your business. And this is just to name some of the things that you should be mindful of. But just FYI, always include the information that I outline, because that is a requirement, regardless of where in Europe you're operating.

Stine: The information about your company needs to be easily accessible and you need to have the ability to always find them on your website. So don't hide them seven pages below some little link where it's absolutely impossible, but make it somewhat easy for your users to figure out who you are. And just FYI, it is actually seen as a way also to build trust, because if people can see who you are and in what country you're operating, the likelihood of them mistrusting you decreases. From my past in Trustpilot, we saw a lot of Chinese web shops, just as an example. And people didn't know that they were Chinese and had a horrible experience, and afterward started distrusting more websites. So having that information available is actually also a trust builder.

Stine: Remember that the information needs to be available, for example, either on the bottom of your website, or through a link that could be about us or company details or a contact page where that information is available. There are a few additional requirements in some countries, for example, in France, you need to have the information available on all your sub pages on your website. And in Germany, you're also required to have what is called an impressum. The impressum, or an imprint in English, is where you list specific required company information that is then available. And it cannot be more than two clicks away.

Stine: One of the things that a website always has to include is your legal documents. The legal documents are, for example, your terms and conditions, your privacy policy, your refund policy if you're operating in the B2C market, a copyright policy or trademark guidelines, or maybe both. It depends on your site. If you're linking to third party websites, well there needs to be a statement that can be included in your privacy policy, and I will come back to that later. And then you need to have your cookie policy. I'm not going to dig deep into what is required for all of these types of documents. We do have another webinar where we'll go more in depth on the legal documents, so I won't cover that today, but I'll give you some ideas of what it is that you need to capture in these documents, or at least some of them.

Stine: So if you go in and look at one of these things that is often happening on a website, and that is, of course, you're selling online. So if you're selling online, you need to make sure that there is a contract that your consumers or customers are signing up to. There needs to be the ability for that contract to be downloaded. And you also need to make sure that you send a receipt once that subscription or an order has been placed. I also recommend that you are keeping an audit trail of those acceptances from your customers, because if you can't prove it, it means that you actually don't have their consent. And if you don't have their consent, it means that if the user were to complain or your customer were to complain, then that will actually be a problem for you.

Stine: You need to give clear indications and instructions on how to cancel a subscription and how to correct errors. If for example, the user gave a wrong address information or something, or if they actually put five different types of shoes in the basket, they need to be able to actually change that. And remember, use a good payment provider. With Stripe on the market, that no longer is a big issue. So that is something that I just mentioned as an FYI. And then also include the minimum duration of what it is that people are subscribing to, if it's a subscription.

Stine: Another thing is more the transactional information. So when people are actually buying from you, then you need to have a clear description of the goods, services that are being ordered. The price, and remember, if you are selling to B2Cs, it needs to include VAT, and also delivery charges. You have to include information about how the payment, the delivery and the performance will be arranged, and you need to give your users a right for cancellation. There are a few exceptions, but for the majority of websites out there, there needs to be some way and information about how to cancel.

Stine: Do you provide information about whether or not the user is responsible for the return and costs of that return? Well, that is something you need to include. It doesn't mean that you have to state that it's their responsibility. It depends on how you set it up, but you need to include information on how it actually works. You also need, as I mentioned, to tell about what the contractual rights are in regards to cancellation, and remember, this is super important. Do not put obstacles in the way for customers who want to terminate a contract. So if you are a subscription, let's say you're selling newspapers online, they need to have easy access to cancel that subscription. You can't demand that they have to be coming to your address in person or that they have to call and that they can't send an email. That's not actually legal.

Stine: Then by the way, just an FYI. Remember your business always needs to send an electronic confirmation once an order has been placed, really fast after that order has been placed on your website. And you also need to remember that they need an electronic order receipt, if it's online, which is what we're talking about today, where you're including the content of what it is that they're buying, and also a receipt for that order.

Stine: IP rights. So on your website, you have your logos and you have a lot of, let's say it could be e-guides, eBooks. It could be other types of logos from other people. What you need to do is have a policy or some kind of information to your users about the use of the copyright protected work on your website. It's something that I recommend. Of course, if you don't have it, you're not going to get fined. It's more just about protecting your own rights and your own value of your business.

Stine: And then you also need to think a little bit about your own usage of trademarks. Let's say that you actually, and this is just to give you an example. You do some kind of competition, a lot of companies do that, and you're now giving away an iPad. So if people sign up for your newsletter, they'll participate in a competition for an iPad. On your website you've placed Apple's logo, and you've also included a picture of that iPad. Well, actually now, you're using the trademarks of Apple and you're also displaying the iPad.

Stine: If you read Apple's guidelines and their terms, it actually states you can't do it unless they've given permission. So now you're actually infringing Apple's IP rights. So just be mindful of the use of others' trademarks, because it can actually cause a lot of pain and a lot of distractions. So just either double-check or minimize the use of other people's trademarks on your website, unless you actually get their approval. And then of course, everything is fine. And if you get their approval, just make sure that you actually save that approval somewhere so you can find it if anybody ever were to complain.

Stine: So on your website, you might be linking to other websites. This is normal, there are a lot of benefits from it and it can also be a good customer service. If you include links to third-party websites on your website, include a little note in your privacy policy, for example, about those websites not being under your control, and actually being the responsibility of that other company. I would also include, if it were me, a link to their privacy policy, if that's a possibility, but please, one thing, just make sure that they can read that it is not your responsibility.

Stine: Perfect. So data protection. Everybody has heard about GDPR and it can be somewhat of a nightmare. I know, but we try to make it as easy and as understandable as possible. That's why we're here at Openli. And one of the things that we suggest that you always have on your website, which is a requirement pursuant to GDPR is your privacy policy. So the privacy policy is actually, just to zoom out a little bit, a required document that you have on your website because you need to give people information about how you're handling their data. This is required pursuant to GDPR and the privacy policy is regarded as giving to consumers and your customers that piece of information.

Stine: In the policy, you need to include your name, your address, the email and contact details of your company. You need to tell them what personal data you're collecting from users or from them. What are you going to use it for? This is what we call purposes. Also, who you will be sharing it with. You need to include information about your security, and if data is transferred to other countries. Then you need to explain how to file a report and to whom. So in Openli's instance, we're in Denmark and the authority that is responsible for our company, because we're located in Denmark is the Danish Data Protection Agency. So in our privacy policy, we've included information about consumers or users having the right to complain to the Danish Data Protection Agency, and also linked to their website so you can easily find out their information.

Stine: Then you need to tell people about how they can exercise their rights. This is for example, how they can get their data deleted. It is about getting access to their data. And it's also about how they can change, for example, information that you hold about them. You need to make your privacy policy available in all the places where you're collecting your consumers' data. So as an example, if people are signing up to newsletters, they'll give their email address to you, right? Well, if that's the case, that is where you need to include your privacy policy, at that point in time, where people are signing up to your newsletter. And say they're signing up to your webinar. You also have to include information about your privacy policy there, because here you're also getting information about them. That could be their name. That could be their email. It can be what company they're working for, or it can simply just be, if they're purchasing from your website, you get a lot of personal information from them.

Stine: And please remember that your privacy policy needs to be easy to read and understand. This is actually a common thing that is very difficult because you get it from a law firm, and the law firm has the tendency to write in a way that it actually makes it very difficult for a user to understand what is being said and what data is being processed and why. And if that's the case, well, then you haven't really completed your required obligations of giving users the information they need. Please also remember, you need to make it possible for people to actually read their policy when they give you their information. And you should be able to prove that you did that, actually made people aware of your privacy policy when they gave you their information.

Stine: Well, email marketing is something that everybody's doing to some extent, or at least would like to be doing. But in Europe, if you want to do email marketing to consumers, you need to obtain consent. If you're doing it toward businesses, well then the rules are different from country to country. In Europe, we actually have 20 different types of rules, meaning it can be a nightmare to figure out what you need to do in regards to email marketing, depending on where your users are coming from and in which markets you're actually marketing your goods or services towards. But in general, regardless, you need to make it possible for everybody to opt out, what we also call unsubscribe from your email marketing.

Stine: If you ask consumers to give consent to email marketing, which you should, especially if you are in the consumer market, make sure that the email marketing consent text includes the following information. It needs to include the name of your company. It needs to include what channels you're using. And you also need to think about what you will be emailing to people about because that needs to be in that sentence as well. To give you an example, Openli, the company name would like to send you email marketing via email, and that's the channel, about events, webinars and our products.

Stine: So these would be the three things we could email you about. Events, webinars, they're kind of the same, but this would be a good example, and then our products. So all of a sudden we couldn't send email marketing about a third party company's offers, or all of a sudden let's say that we started selling shoes. Given the fact that when you signed up, you signed up for, for example, a free cooking product, well, then we couldn't email you about that, and if that's what we mentioned, the products we have regarding privacy policy, just so you have that.

Stine: So if we jump further and just to give you a little bit of information about how the different types of email marketing rules differ from country to country, you can see in the UK, if you're doing B2C email marketing, you need to get consent. You cannot email people unless they've given their okay to it. There are no requirements for B2B. Well, if you then look at Denmark, you need to get consent regardless of whether people are consumers or businesses. The same goes for the Netherlands. France is similar to the UK. And in Germany, they have their own set of rules, of course, meaning that not only do people need to tick off the email marketing consent box, there also needs to be an email afterwards where they have to click a confirmation in that email. So it means that there is a double opt-in. First, they click the box in the signup form. Then you send an email. That email contains a link, and the user needs to click that link to reconfirm that they want to subscribe.

Stine: I've also included some information about sole traders and partnerships because in some countries, sole traders and partnerships are regarded as being consumers, or they aren't consumers, but the same rules apply. So even though for example, in the UK, the consent isn't required for email marketing to B2Bs, well, it would actually be required if we're talking about sole traders or partnerships.

Stine: The last thing I'm going to cover today is cookies. So everybody uses cookies on their websites and different types of tracking, because it's so important to know how people are coming onto your site, what sites or sub pages they're viewing, how they're using and engaging with your website. So there are of course, a lot of different types of cookies, just from a business purpose perspective. But from a legal perspective, we also treat them differently depending on their purpose. When we're talking about purposes, we're looking at, are they used for necessary purposes or non-necessary purposes? This is important. I'll come back to that a little later, because the difference is whether or not you need to get the consumer's consent or the user's consent before you could place cookies on their websites.

Stine: We also talk a lot about first party and third party cookies and session cookies versus permanent cookies. We have a webinar coming up about cookies and cookie compliance. So I won't dig into this in further detail, but it was just to give you guys some flavor as to what it is that you need to think about when we're talking about cookies. When we're talking about cookies in more generic terms, well, please remember you need to have a banner on your website, regardless of whether or not you're using necessary, or non-necessary or both. That banner needs to tell people in clear text what it is that you're using cookies for. They need that information before they give their consent. And by the way, the language in your cookie banner needs to be the same language as on your website.

Stine: And remember, it needs to be told in a way so that everybody understands it. You need to be able also to have the proof that you got the cookie consents. You also need to block the non-necessary cookies from working up until the users gave consent. And the users need to be able to withdraw their consent in an easy way. And it needs to be as easy to withdraw the cookie consent as it was to give it. So let's jump into more specific details of what it is you need to get consent for. You don't need to get consent for necessary cookies. Necessary cookies are the cookies that make your website work. Here we're talking about if you put something in a shopping basket, the remembrance of what was placed in the shopping basket is a cookie, and that will be necessary.

Stine: It is also, for example, the Openli cookie that helps with the capturing of cookie consent. Well, that will be a necessary cookie because we need to remember whether or not people gave consent. And it's also regarding security requirements for your websites, but it is not about analytical cookies and not about statistics. It's not about how people engage with your website. That is not a necessary cookie. That would be an analytical cookie. Analytical cookies you need to get consent for before they can actually be placed on the user's browser. And let's say the user actually said, no, I don't want you to use analytical cookies, or I don't allow it, well, then you can't place them. They need to be blocked. This is super important. The same goes for marketing cookies and preference cookies. Here you need to get the user's consent before the cookies can be placed.

Stine: What is also necessary to remember when we're talking about cookies is the cookie policy, and in your cookie banner, you need to have information about how you're processing people's data coming from the cookies. You need to tell what type of cookies you're using and why, and for what duration. So your cookie policy needs to include the following. Why, how and what are you using cookies for? What is a cookie? And this is something you actually need to write in your cookie policy. You need to have descriptions of the different types of cookies used on your website and how you use them. And this is where we're talking again about the necessary cookies, performance cookies, and all of those. You need to tell people if you're using third party cookies on your website.

Stine: Third party cookies are seen as very intrusive. And my personal belief is that we're going to see more and more third party cookies being removed from websites and in the very near future, they will totally disappear, also with the changes that are being rolled out by Apple and Google related to third party cookies. And I would also strongly recommend if you use third party cookies, have a look, because it also has additional obligations and requirements on your part. So it's something to be very mindful of.

Stine: You also need to tell users how they can control their cookie settings and opt out, and what agreement you have with the third party cookie providers, and there needs to be a link to their cookie policy. So just to give you a few examples before we end the session today, that is related to cookie banners. So just to give you an example, this is a no-no. This is no longer a possibility to have these types of cookie banners on your websites. These aren't legal. Why? Well, they don't tell a user what type of cookies you're using. And tell me, how easy is it to actually say no? In this scenario, it's not very easy, right? Meaning it is not a legal cookie banner.

Stine: This one, these are the good old days where you have these types of long form sentences at the bottom of the page. By using this website you agree to our privacy policy and use [inaudible 00:30:19]. And this is the only cookie banner, and this isn't even a cookie banner that is on the site. This is definitely also a no-no. If you want to see a cookie banner that is totally lawful, you could go to our website to get an idea of how you could be collecting consent. There are a lot of solutions out there. What I've just showed you are the ones that you should not be implementing on your website. And if one is implemented on your website, I would maybe take another look at it.

Stine: So just to sum up, remember that becoming and staying compliant is an ongoing process. I strongly recommend doing annual reviews. So just take a look at your website from a legal perspective once a year, it's a good way of doing it to feel safe, but also to get your basics covered. Have checklists. We actually do have some checklists, they're totally free. We haven't shared them. So let me know if that's something you are interested in. And maybe consider finding a solution that can help take some of the work off your shoulders and making you continuously compliant.

Stine: I think one thing you could always also consider is using all those efforts you put into becoming compliant as a way of branding yourself. We're seeing more and more companies actually using it as a competitive advantage because it's a way to build trust and it's thereby a way to build revenue. With the legal landscape changing and with a lot of new rules coming into place, especially GDPR, CCPA in California, more and more companies need to be compliant, but not all are. So if you've put a lot of effort into it, why not promote it? Why not tell your consumers and your customers that you are a company to be trusted? What we've seen is it pays off. So if you guys have any questions, I'll be happy to answer them shortly.

Stine: But just to sum up, you can actually always contact us at [email protected]. We love questions, we love to help. You can follow us on LinkedIn, where we are putting out information about new rulings or upcoming webinars. And then if you want to, we have a landing page for all these webinars that we're hosting. And I would definitely hope that you guys would sign up for more. I actually like doing them and I love sharing what I know and hopefully it's useful. So please don't hesitate to take advantage of some of the things we're doing. That's what we're here for.

Stine: So jumping back, and wanting to ask if there are any questions, please let me know. And if there aren't, I just want to say thank you so much for joining today. It was an absolute pleasure and I hope you found it useful. If there's anything we can do to help, just send us an email at [email protected]. Sign up for a free service, that's why we have it. Have a fantastic day, and it was great seeing you guys. Take care. Bye.