This question, or at least a version of the first part “Is my website legal?”, is something we were asked recently.
Taking the “decent, honest and truthful” bit first, we do assume our clients will be all these things, and have not set out to trick or defraud their customers. Like most website and hosting providers, we have a section in our Terms & Conditions which excludes the use of our services for anything which is discriminatory, illegal and the like.
Going back to the initial question, they wanted to know if their website conformed to the various pieces of legislation in the UK. The simple answer was “No”.
If you search, it’s unlikely you will easily find a single point of reference which will tell you what is required of a website to fully comply with the law.
There used to be a marvellous resource called Business Link. The Business Link website was well organised, full of useful information and essential reading for anyone in or starting a business … especially a small business. After a change of government in 2010, the website was closed in 2012. The content was said to have been migrated to Gov.uk, but I’ve never been able to find any of the original information there.
But … there is good news! Because of a quirk of the way the UK is governed, Northern Ireland chose to retain and continue to update the old Business Link website. There are some differences in law between Northern Ireland and the rest of the UK, but most of the information is valid. And I’m reasonably sure the laws which govern websites and privacy apply UK-wide.
So let’s have a look at the link which gives us information about website legality, privacy and cookies. It’s not ‘chapter and verse’ but the best summary we’ve found anywhere on the internet.
Is your business website legal?
The rules are much more stringent if your business is a registered legal entity (LTD, PLC, LLC etc.). Somewhere on your website all the relevant registration details must be shown, including a VAT number if appropriate. Registered charities have different but similar rules.
If you’re a sole trader or partnership, instead of the registration details, you should be showing the address of your principal place of business.
You should provide contact details including an email address – how many large businesses don’t give you an email address? The email address should be provided, even if there is a contact form. Non-electronic forms of contact should include phone numbers and postal addresses.
If you’re a small business operating from home, you might not want to publicise your address … but withholding it is unlawful, so it’s a decision you’ll have to make.
Before we go any further … is your website legal?
I wouldn’t mind betting quite a few of you reading this will find you’re outside the law.
This is probably the area most people think of when they consider the legality of their website. It is confusing and complex, and hasn’t been helped by the Information Commissioner’s Office, the legal guardians of these regulations in the UK. The ICO has consistently under-performed when it comes to advice and interpretation of privacy, cookies and GDPR.
Every website must have a privacy notice, period. If you haven’t, you’re breaking the law.
The original legislation was contained in the Data Protection Act of 1998, which was revised in 2018. Alongside the DPA there is the PECR of 2003 (Privacy and Electronic Communications (EC Directive) Regulations). GDPR (the General Data Protection Regulation) added to this legislation in 2018 but did not replace it. This is why privacy is complex and confusing for most of us.
Your original Privacy Statement should have said what data and information you collected, and what you did with it. Now with GDPR, you have to establish the legal basis for your collection of data, and give your website visitors rights of access and redress.
The point about GDPR, not always appreciated, is that it doesn’t just cover information you collect via a website – it covers ALL information about individuals however it is collected or recorded or stored.
It also covers every business from a hobby business upwards. It covers every club and society, whether or not it has any legal standing or existence. The ICO guidance on GDPR assumes a business with employees … not much help for sole traders or informal clubs.
When you produce your GDPR Policy Statement, it must be on your website, and individuals must have access to it BEFORE you collect their information, even if it’s collected via a paper form.
Cookie information and consent
This was another ‘fine mess’ thanks to the ICO. As from 26th May 2011, the legislation required websites to have a statement of the cookies placed and their purposes, and a mechanism to get visitors’ consent. Unfortunately, the ICO wasn’t ready, and so everyone in the UK was given 12 months’ grace. Almost predictably, the final guidance document from the ICO was only released a few weeks before the May 2012 deadline.
The impossibility of the original interpretation soon became apparent, and “implied consent” became the consent of choice – “you’re using my website, and that implies you consent to all the marketing and tracking cookies I use”.
Since then, with some fine tuning and re-interpretation of the original regulations, we have a more workable cookie environment. Most websites don’t use these marketing and tracking cookies anyway … certainly none that we’ve built in all the time we’ve been designing websites.
There are still some grey areas threatening to trip the unwary, mostly around the use of statistical and analytical cookies. For example, your IP address is not personal information (according to GDPR) if the website you visit has no way of linking it to other information, and thus identifying who you are. Companies like Google and Facebook can do this, which is one reason we never install Google Analytics.
For a small website owner, and anyone who isn’t a programmer, fully implementing ‘no cookies without consent’ is technically difficult. It requires the website’s code to be modified. This is not straightforward if the website is built from plug-ins and modules, as many are these days. How do you find out which small piece of code sets the cookie, and can you remove it without completely breaking the website? Although we design and build websites, we are not coders.
To make matters worse, the mantra for any software is to update to the latest version immediately it is released. Every time you do this, any changes made to the code are overwritten, and the changes have to be made again.
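To make the problem above concrete, here is an added illustration (not code from the original post, and not the approach of any particular plug-in) of the two things a site owner has to do: find out which script is responsible for each cookie that is actually being set, and only load the non-essential scripts once the visitor has consented. The script URLs, cookie names and the `cookie_consent` storage key are constructed placeholders. Keeping this gate in its own file, rather than patching a plug-in, is also what stops the next software update from overwriting it.

```javascript
// Added example: consent gate and cookie audit for a small website.
// Script URLs, cookie names and the "cookie_consent" key are constructed
// placeholders, not real services.

// Catalogue of scripts the site would like to load, grouped by the purpose
// the cookie notice describes. "necessary" never needs consent; the rest do.
const SCRIPT_CATALOGUE = [
  { src: "/js/session.js", category: "necessary", cookies: ["sessionid"] },
  { src: "https://stats.example/collect.js", category: "analytics", cookies: ["_stats_uid"] },
  { src: "https://ads.example/pixel.js", category: "marketing", cookies: ["_ad_track"] },
];

// Parse a document.cookie style string ("a=1; b=2") into a name -> value object.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    cookies[eq === -1 ? trimmed : trimmed.slice(0, eq)] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return cookies;
}

// Map each cookie present to the catalogue category whose script sets it.
// Cookies not in the catalogue are returned as "unknown": those are the ones
// to trace back to a plug-in or module before the cookie notice can be honest.
function auditCookies(cookieString, catalogue = SCRIPT_CATALOGUE) {
  const owner = {};
  for (const entry of catalogue) {
    for (const name of entry.cookies) owner[name] = entry.category;
  }
  const known = {};
  const unknown = [];
  for (const name of Object.keys(parseCookieString(cookieString))) {
    if (name in owner) known[name] = owner[name];
    else unknown.push(name);
  }
  return { known, unknown };
}

// Decide which scripts may load. consent looks like { analytics: true,
// marketing: false }; a missing key means no consent, so with no record at
// all only the necessary scripts load (no "implied consent").
function scriptsAllowed(consent, catalogue = SCRIPT_CATALOGUE) {
  const granted = consent || {};
  return catalogue
    .filter((e) => e.category === "necessary" || granted[e.category] === true)
    .map((e) => e.src);
}

// Browser-only: read the stored choice and inject the permitted scripts.
// Guarded so the same file also runs under Node for testing.
function applyConsentInBrowser() {
  if (typeof document === "undefined") return [];
  let consent = null;
  try {
    consent = JSON.parse(window.localStorage.getItem("cookie_consent") || "null");
  } catch (_) {
    consent = null; // a corrupt record is treated as no consent
  }
  const allowed = scriptsAllowed(consent);
  for (const src of allowed) {
    const tag = document.createElement("script");
    tag.src = src;
    tag.async = true;
    document.head.appendChild(tag);
  }
  return allowed;
}

applyConsentInBrowser();
```

The consent banner itself (the part that writes the `cookie_consent` record once the visitor has chosen) is left out; the point is that the third-party tags are never in the page's HTML at all, so nothing can set a marketing or analytics cookie before the record exists.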
With a little ingenuity, and careful explanation of cookie use, we are able to navigate the minefield, and provide websites which are 99% legal. Are the web police going to quibble about the odd 1%? No, of course not … there are too few of them.
Why are there so many illegal websites?
Many businesses have decided for operational, time or financial reasons to ignore some or all of the regulations. This is particularly so with small and micro businesses, but it doesn’t stop some of the large corporations conveniently forgetting parts of the law too.
There’s another large swathe of websites, businesses and organisations who are oblivious to the regulations and just don’t know they are breaking the law. Not that it will be any defence if the ICO catches up with them.
We always discuss the legalities with new clients so they are at least informed. We also point out that we are not qualified to give any legal advice. We are able to share the benefit of extensive research and discussion over many years. If they decide not to have full compliance, that is their decision.
So … how close to 100% compliance is your website?