Date: The 11th of November
Time: 10:00 - 11:00 AM
Website compliance is impacted by overlapping legislation, which only gets more complex the more countries your business operates in. We have therefore created this webinar to give you an overview of some of the general information you need to run your website or webshop, and stay compliant. The content in the webinar has been tailored for companies operating in Europe.
If you would like to learn more about the GDPR’s impact on the data you collect on your website, and which legal documents you need to have on your website, then register for our webinar. Stine Tornmark, Openli’s Co-Founder & General Counsel, will walk you through website compliance and be available to answer your questions.
Lawyer specialised in privacy and marketing law, with six years’ experience from Plesner and six years as VP for Legal and Compliance at Trustpilot.
Stine: Good morning. I am just waiting for a few more people to join before we dig in, just to make sure that everybody actually gets a few minutes to get everything going. I hope the sound is okay. If you guys can't hear me, just let me know and I'll try to fix it. In the meanwhile, while we are just waiting for people to join, I am looking forward to taking you through this webinar today, talking about website compliance, and some of the basics that we need to cover.
Stine: So, let's see. It's one minute over, so I think we should just jump right into it. If you have any questions along the way, just shoot. I am more than happy to answer any questions you might have. And it only gets more fun for me to do when people are engaging. So as mentioned, just ask and I'll be happy to answer any questions you might have. Cool. Then let's dig in and go through it. I'm going to share my screen because I think that makes the most sense. So here we go. I hope you guys can see my screen, and I'm jumping over here and I will take you through it.
Stine: So today's subject is about website compliance and we'll cover the basics. We won't dig into all the little nitty gritty details that should be on all websites, but I'll give you the main focus that you should be thinking about when you are online. So why am I talking about this? Well, my background is as an attorney from one of the big law firms here in Denmark, where I worked for six years for companies like Google and Netflix and HBO. Then I joined a startup at that point called Trustpilot, built out their legal team, there for six years and built out compliance, legal privacy, and all of that. And given my background mainly being around privacy and marketing and e-commerce, this is something that I feel very passionate about.
Stine: So that's why I love to pass on my knowledge. And it is also what we here at Openli really want to do. We want to help companies become better data citizens and give you guys the information you need to actually be compliant online, and also making it more tangible and understandable what it is that you need to do.
Stine: So today, we're going to be talking about the compliance aspects of having a website. What do you need to do? What do you need to have and why? That includes talking a little bit about the legislation. I'm also going to be talking a little bit about the legal requirements, which of course, sometimes can sound boring, I know, but I'll try to make it as painless and easy for you guys. So why is it super important? Well, the thing is, it is today easy to get a website up and running. You have great companies like Shopify, making it easy for companies, but compliance is easily overlooked. And it is super difficult to find out what you need to do unless you have big budgets, big legal teams, then you have the knowledge in-house. But otherwise, either you need to pay a lot of money for attorneys or have no clue what to do. This is what we're trying to actually achieve, making it accessible.
Stine: You should know that the legal landscape is ever changing, and that means that you might be compliant today, but in six months time, you will have a new verdict, a new guideline or new legislation coming out, which will impact the way you are set up and what you need to do. So I recommend that you try to think of this as an ongoing exercise. You don't need to do it every day, but do it once a year. Just have a look at the documents you have, what to do, and maybe use a checklist to make sure that you actually cover your basics.
Stine: It's also important to remember that the rules differ if you're B2B versus B2C. The legislation we're talking about here is a lot about sales goods. It is the e-commerce legislation, it's data protection, it's advertising and marketing law, it's cookies, and it's consumer legislation. These are the rules that regulate all the things you need to have on your website. However, please note that if you're selling alcohol, as an example, there are more rules you need to abide by. Or if you're in health, that also requires additional compliance on your part. The same goes if you're marketing towards children. We won't go into those types of areas today, but it's more just to give you some understanding of what it is you need to cover.
Stine: Well, it's also important to note what regulatory bodies that are out there that regulate the websites and what you do. In the UK it is the ICO. You also have the Advertising Standards Authority in the UK. In France, you have what is called CNIL, it's the French Data Protection Agency. In Denmark, you have Danish Data Protection Authorities and the Danish Business Authorities and the Danish Consumer Ombudsman. Why am I mentioning these? It is to give you some examples of the bodies that will be regulating your website, but it's also to tell you that these authorities actually have pretty good guidelines on their websites. So actually I would strongly recommend that if you, for example, are in the UK, have a look at the ICO's website. It's actually pretty good, and it contains really valuable guidelines. So it's definitely a good place for information that is somewhat condensed and also easy to understand. That's not the case for all authorities, just between me and you guys. Some can be really long and very complex, but the ICO's guidelines are actually pretty good, and a good way to get started.
Stine: In general, taking the high fly of your website, the first thing you always need to remember is to have your company details on your website. It's your company name, the address, email, phone number, VAT number, your registration number. And if you're part of an authorization group or a body or authorization schemes, that should be mentioned on your website too. It all sounds pretty easy, but what is somewhat complicated is that if you have websites that are in local languages or you're marketing yourself to specific markets, you need to be aware of that there are different requirements that you might need to include. As an example, France and Poland are requiring you to have information about your share capital. In Germany, you need to note the name of the owner of your business. And this is just to name some of the things that you should be mindful of. But just FYI, always include the information that I outline, because that is a requirement, regardless of where in Europe you're operating.
Stine: The information about your company needs to be easily accessible and you need to have the ability to always find them on your website. So don't hide them seven pages below some little link where it's absolutely impossible, but make it somewhat easy for your users to figure out who you are. And just FYI, it is actually seen as a way also to build trust, because if people can see who you are and in what country you're operating, the likelihood of them mistrusting you decreases. From my past in Trustpilot, we saw a lot of Chinese web shops, just as an example. And people didn't know that they were Chinese and had a horrible experience, and afterward started distrusting more websites. So having that information available is actually also a trust builder.
Stine: Remember that the information needs to be available, for example, either on the bottom of your website, or through a link that could be about us or company details or a contact where that information is available. There are a few additional requirements in some countries, for example, in France, you need to have the information available on all your sub pages on your website. And in Germany, you're also required to have what is called an impressum. The impressum, or an imprint in English, is where you list a specific required company information that is then available. And it cannot be more than two clicks away.
Stine: So if you go in and look at one of these things that is often happening on a website, and that is, of course, you're selling online. So if you're selling online, you need to make sure that there is a contract that your consumers or customers are signing up to. There needs to be abilities for that contract to be downloadable. And you also need to make sure that you send a receipt once that subscription or an order has been placed. I also recommend that you are keeping an audit trail of those acceptances from your customers, because if you can't prove it, it means that you actually don't have their consent. And if you don't have your consent, it means that if the user were to complain or your customer going to complain, then that will be actually a problem for you.
Stine: You need to give clear indications and instructions on how to cancel a subscription and how to correct errors. If for example, the user gave a wrong address information or something, or if they actually put five different types of shoes in the basket, they need to be able to actually change that. And remember, use a good payment provider. With Stripe on the market, that no longer is a big issue. So that is something that I just mentioned as an FYI. And then also include the minimum duration of what it is that people are subscribing to, if it's a subscription.
Stine: Another thing is more the transactional information. So when people are actually buying from you, then you need to have a clear description of the goods, services that are being ordered. The price, and remember, if you are selling to B2Cs, it needs to include VAT, and also delivery charges. You have to include information about how the payment, the delivery and the performance will be arranged, and you need to give your users a right for cancellation. There are a few exceptions, but for the majority of websites out there, there needs to be some way and information about how to cancel.
Stine: Do you provide information about whether or not the user is responsible for the return and costs of that return? Well, that is something you need to include. It doesn't mean that you have to state that it's their responsibility. It depends on how you set it up, but you need to include information on how it actually works. You also need, as I mentioned to tell about what are the contractual rights in regards to cancellation, and remember, this is super important. Do not put obstacles in the way for customers who want to terminate a contract. So if you are a subscription, let's say you're selling newspapers online, they need to have an easy access to cancel that subscription. You can't demand that they have to be coming to your address in person or that they have to call and that they can't send an email. That's not actually legal.
Stine: Then by the way, just an FYI. Remember your business always needs to send an electronic confirmation once an order has been placed, really fast after that order has been placed on your website. And you also need to remember that they need an electronic order receipt, if it's online, which is what we're talking about today, where you're including the content of what it is that they're buying, and also a receipt for that order.
Stine: IP rights. So on your website, you have your logos and you have a lot of, let's say it could be e-guides, eBooks. It could be other types of logos from other people. What you need to do is have a policy or some kind of information to your users about the use of the copyright protected work on your website. It's something that I recommend. Of course, if you don't have it, it's not going to get fined. It's more just about protecting your own rights and your own value of your business.
Stine: And then you also need to think a little bit about your own usage of trademarks. Let's say that you actually, and this is just to give you an example. You do some kind of competition, a lot of companies do that, and you're now giving away an iPad. So if people sign up for your newsletter, they'll participate in a competition for an iPad. On your website you've placed Apple's logo, and you've also included a picture of that iPad. Well, actually now, you're using the trademarks of Apple and you're also displaying the iPad.
Stine: If you read Apple's guidelines and their terms, it actually states you can't do it unless they've given permission. So now you're actually infringing Apple's IP rights. So just be mindful of the use of others' trademarks, because it can actually cost a lot of pain and a lot of distractions. So just either double-check or minimize the use of other people's trademark on your website, unless you actually get their approval. And then of course, everything is fine. And if you get their approval, just make sure that you actually save that approval somewhere so you can find it if anybody ever were to complain.
Stine: Well, email marketing is something that everybody's doing to some extent, or at least would like to be doing. But in Europe, if you want to do email marketing to consumers, you need to obtain consent. If you're doing it toward businesses, well then the rule's different from country to country. In Europe, we actually have 20 different types of rules, meaning it can be a nightmare to figure out what you need to do in regards to email marketing, depending on where your users are coming from and in which markets you're actually marketing your goods or services towards. But in general, regardless, you need to make it possible for everybody to opt out, what we also call unsubscribe from your email marketing.
Stine: If you ask consumers to give consent to email marketing, which you should, especially if you are in the consumer market, make sure that the email marketing consent text includes the following information. It needs to include the name of your company. It needs to include what channels you're using. And you also need to think about what you will be emailing to people about because that needs to be in that sentence as well. To give you an example, Openli, the company name would like to send you email marketing via email, and that's the channel, about events, webinars and our products.
Stine: So if we jump further and just to give you a little bit of information about how the different types of email marketing rules differ from country to country, you can see in the UK, if you're doing B2C email marketing, you need to get consent. You cannot email people unless they've given their okay to it. There are no requirements for B2B. Well, if you then look at Denmark, you need to get consent regardless of whether people are consumers or businesses. The same goes for the Netherlands. France is similar to the UK. And in Germany, they have their own set of rules, of course, meaning that not only do people need to tick off the email marketing consent box, there also needs to be an email afterwards where they have to click a confirmation in that email. So it means that there is a double opt-in. First, they click the box in the signup form. Then you send an email. That email contains a link, and the user needs to click that link to reconfirm that they want to subscribe.
Stine: I've also included some information about sole traders and partnerships because in some countries, sole traders and partnerships are regarded as being consumers, or they aren't consumers, but the same rules apply. So even though for example, in the UK, the consent isn't required for email marketing to B2Bs, well, it would actually be required if we're talking about sole traders or partnerships.
Stine: We also talk a lot about first party and third party cookies and session cookies versus permanent cookies. We have a webinar coming up about cookies and cookie compliance. So I won't dig into this in further detail, but it was just to give you guys some flavor as to what it is that you need to think about when we're talking about cookies. When we're talking about cookies in more generic terms, well, please remember you need to have a banner on your website, regardless of whether or not you're using necessary, or non-necessary or both. That banner needs to tell people in clear text what it is that you're using cookies for. They need that information before they give their consent. And by the way, the language in your cookie banner needs to be the same language as on your website.
Stine: And remember, it needs to be told in a way so that everybody understands it. You need to be able also to have the proof that you got the cookie consents. You also need to block the non-necessary cookies from working up until the users gave consent. And the users need to be able to withdraw their consent in an easy way. And it needs to be as easy to withdraw the cookie consent as it was to give it. So let's jump into more specific details of what it is you need to get consent for. You don't need to get consent for necessary cookies. Necessary cookies are the cookies that make your website work. Here we're talking about if you put something in a shopping basket, the remembrance of what was placed in the shopping basket is a cookie, and that will be necessary.
Stine: It is also for example, the Openli to help the capturing of cookie consent. Well, that will be a necessary cookie because we need to remember whether or not people gave consent. And it's also regarding security requirements for your websites, but it is not about analytical cookies and not about statistics. It's not about how people engage with your website. That is not a necessary cookie. That would be an analytical cookie. Analytical cookie you need to get consent for before they can actually be placed on the user's browser. And let's say the user actually said, no, I don't want you to use analytical cookies, or I don't allow it, well, then they can't replace them. They need to be blocked. This is super important. The same goes for marketing cookies and preference cookies. Here you need to get the user's consent before the cookies can be placed.
Stine: Third party cookies are seen as very intrusive. And my personal belief is that we're going to see more and more third party cookies being removed from websites and in the very near future, they will totally disappear also with the changes that are being rolled out by Apple and Google related to third party cookies. And I would also strongly recommend if you use third party cookies, have a look because it also has additional obligations and requirements on your part. So it's something to be very mindful of.
Stine: So just to sum up, remember that becoming and staying compliant is an ongoing process. I strongly recommend doing annual reviews. So just take a look at your website from a legal perspective once a year, it's a good way of doing it to feel safe, but also to get your basics covered. Have checklists. We actually do have some checklists, they're totally free. We haven't shared them. So let me know if that's something you are interested in. And maybe consider finding a solution that can help take some of the work off your shoulders and making you continuously compliant.
Stine: I think one thing you could always also consider is using all those efforts you put into becoming compliant as a way of branding yourself. We're seeing more and more companies actually using it as a competitive advantage because it's a way to build trust and it's thereby a way to build revenue. With the legal landscape changing and with a lot of new rules coming into place, especially GDPR, CCPA in California, more and more companies need to be compliant, but not all are. So if you've used a lot of efforts on it, why not promote it? Why not tell your consumers and your customers that you are a company to be trusted? What we've seen is it pays off. So if you guys have any questions, I'll be happy to answer them shortly.
Stine: But just to sum up, you can actually always contact us at [email protected]. We love questions, we love to help. You can follow us on LinkedIn, where we are putting out information about new rulings or upcoming webinars. And then if you want to, we have a landing page for all these webinars that we're hosting. And I would definitely hope that you guys would sign up for more. I actually like doing them and I love sharing what I know and hopefully it's useful. So please don't hesitate to take advantage of some of the things we're doing. That's what we're here for.
Stine: So jumping back, and wanting to ask if there are any questions, please let me know. And if there aren't, I just want to say thank you so much for joining today. It was an absolute pleasure and I hope you found it useful. If there's anything we can do to help, just send us an email at [email protected]. Sign up for a free service, that's why we have it. Have a fantastic day, and it was great seeing you guys. Take care. Bye.