Cookie consents, disclaimers, and privacy policies represent a tiny fracture of the many legal requirements that websites must adhere to. In this article, we go over all the necessary components that every web creator should be aware of.

By Frank Olivo and Laura J. Neville, Esq.

As web designers, it’s important for us to have as much knowledge of the legal requirements of the websites we build as we can.

Why? As one of the main channels through which organizations communicate with the general public, there are many legal requirements for websites — many of which you are likely not aware. Your client may not even know to ask, “how do I make sure my website is legally-compliant?”

It’s only natural that given the amount of technical, design, and marketing knowledge that goes into learning web design, you may consider it burdensome to have to know the legal requirements of the websites for your clients when building their websites, but it is an extremely important aspect of running a web design business.

A misstep in the design of the website you build could land both you and your client in legal trouble. 

Trust me, you don’t ever want to get that email.

In addition to ensuring the website you build doesn’t expose your client to any legal liabilities, being able to clearly and effectively communicate that you are aware of the legal requirements of the website you are proposing to build can serve as a point of differentiation for your web design business. 

Odds are when you submit your website proposal, there will be other web designers under consideration as well. Positioning yourself as the one who can help ensure the website will comply with legal requirements may be a factor in you getting the contract.

While this is not a comprehensive overview of every legal requirement for websites in every industry, this article will go over many of the main points any web developer should know about the legal requirements for websites.

Legal Requirements That Are Virtually Universal

Cookie Consent Notices

Even though the General Data Protection Regulation (GDPR) was passed by the European Union (EU), it affects any website that gets EU traffic.

This means that your website must have a cookie policy and consent notice. GDPR requires that your website must afford a user the opportunity to opt in or opt out of the use of cookies.

Your website’s Cookie Policy can be in the header, the footer, or in a pop-up window, and it must do the following:

  • Disclose that your site stores cookies;
  • Briefly describe why your site uses cookies;
  • Disclose how the information gleaned from the use of cookies is managed through a link to your privacy policy;
  • Disclose what users are agreeing to or accepting;
  • Allow users to take some action to opt in, opt out, or customize their cookies or advertising experience..

If your site uses a checkbox to accept cookies, be sure it is not pre-ticked as that violates GDPR. 

Privacy Policies and Data Storage Disclosure

Most developed countries require that sites using cookies have a privacy policy accessible by users. 

If not required by law, third party services such as Apple and Google require sites that use their services to have privacy policies.

A privacy policy is a statement providing your users with how your site collects, handles, and processes users’ data. It must expressly state whether that data is kept confidential or shared with or sold to third parties, how that data is stored, and what measures you take to protect that data. 

A link to your privacy policy can be in the footer, under “About” or “Legal” in your main menu, or on your checkout page or account registration page.

Plagiarism and Copyright Laws

The original content of a website is inherently copyrighted, whether the owner/creator registers it or not. Plagiarism is the unauthorized and/or unattributed use of someone else’s original content.

If your client provides you with content for their website, ensure that it does not infringe upon the copyright of another website. This includes web copy that your client may have copied from another website, as well as images downloaded from Google Image Search.

Including infringing content on a website could result in a DMCA request, which would remove it from the search results, and possibly, the server it’s on. It could even result in a lawsuit.

HTTPS for Ecommerce

If you are creating an ecommerce site, it is essential to employ HTTPS (Hyper-Text Transfer Protocol Secure). HTTPS is the secure version of HTTP, which is the system used to send information between a user’s web browser and a website. 

An e-commerce website not using HTTPS could expose the credit card information of anyone attempting to make a purchase on the website, potentially exposing the customer to identity theft and maybe land your client in court.

Terms & Conditions

What are terms of use on a website? A Terms of Use & Conditions page, while not required by law, sets forth the rules for use of your site. The rules will vary according to the type of site you are creating, but can include the following:

  • Disclaimer limiting liability in case of errors. This clause will use language providing that the site owner is not responsible for providing content that is accurate, complete, or suitable for any purpose. If the site allows third parties to post, the clause should disclaim responsibility for the accuracy of third party statements, that the site owner is not responsible for offensive statements made by third parties, and that the site owner does not endorse third party statements.
  • Copyright: Any type of site should include a notice of copyright and trademark, if applicable. For example, [email protected]
  • Privacy Policy: The Terms and Conditions page may also include your privacy policy.
  • Establish the law governing disputes: You can establish what state or province and nation your website is operating from. 

Disclaimers

A savvy client may ask, do I need a disclaimer on my website? And you will have the answer.

There is some overlap between disclaimers and terms and conditions. Disclaimers can be part of the terms and conditions and should expressly disclaim any type of legal liability the site owner might experience by the use of their site. Accordingly, disclaimers will vary according to what type of site it is. 

Among other things, disclaimers can:

  • Provide that users cannot use your original content without your permission;
  • Disclaim expertise and responsibility for actions users take based on the site’s content;
  • Provide that the site owner’s opinions are solely their own;
  • Provide that the site content is informational only and not professional advice;
  • Disclaim liability for third party and advertiser content on a site.

Legal Requirements for Websites That Vary by Region — and in the U.S., by State

The legal requirements for websites vary considerably from country to country, and in the U.S. even state-by-state. While GDPR regulates data collection on websites serving citizens of the European Union (EU), as of October 2020, the only such law in the U.S. is in California (though I’m sure other states will soon follow).

Let’s give a brief overview of what you can and can’t do on your client websites under GDPR and California’s CalOPPA.

GDPR

Under GDPR, websites in the EU and drawing traffic from EU citizens must ensure that personal data is gathered and stored legally and under strict conditions. Sites are required to protect that data from misuse and exploitation and must notify users of any data breach. Sites also must respect the privacy rights of data owners. 

There are hefty financial penalties for failing in any of these obligations.

Under the GDPR sites must:

  • Provide users with a way to give consent and to withdraw consent to the collection and use of their data;
  • Notify users of a data breach within 72 hours of discovery of the breach;
  • Give users a way to access the information being collected, stored, and processed;
  • Restrict data collection and processing to only the data that is absolutely necessary for the completion of its business;
  • Limit access to the data to only those employees needing the information to complete the process consented to by the user;
  • Appoint a Data Protection Officer (DPO) to oversee GDPR compliance (required for any enterprise having more than 250 employees and any enterprise processing the personal data of over 5,000 users in any 12-month period). 

CalOPPA

The California Online Privacy Protection Act (CalOPPA) was enacted to protect the privacy rights and “personally identifiable information” of California residents. 

Accordingly, any website based in California or getting traffic from California residents must comply with CalOPPA.

In addition to having a privacy policy, a site must protect users’ “personally identifiable information,” including:

  • First and last name
  • Physical address
  • Email address
  • Telephone number
  • Social Security number
  • Any other contact information whether physical or virtual
  • Birthday
  • Details of physical appearance such as height, weight, and hair color
  • Any other information that may identify an individual

To comply with CalOPPA, a site’s privacy policy must:

  • State specifically what information is collected and stored;
  • Disclose the identity of third parties sharing that information;
  • Explain how users can change their information on your site
  • How users receive updates to the site’s privacy policy;
  • The date of the last update to the privacy policy.

Under CalOPPA, a privacy policy must also explain how users can make a Do Not Track request. However, there is no law requiring websites to respect a user’s DNT setting.

The Americans with Disabilities Act (ADA) Applies to Websites

The Americans with Disabilities Act (ADA) is a U.S. law that prohibits discrimination based on disability.

It also requires that websites be accessible to everyone, including those with disabilities. This means that the content on your website must be accessible to all, including those with hearing or visual impairments.

Any website belonging to a business with at least 15 employees that is open more than 20 weeks a year is required to comply with the ADA.

Notable ADA Lawsuits Involving Websites

There have been several notable lawsuits filed against businesses with websites that were not ADA-compliant. Among them are:

  1. Domino’s Pizza – website inaccessible to the blind
  2. Beyoncé – website was missing alt text, among other issues
  3. Nike – missing alt text, contrast issues, empty links
  4. And the list goes on… 

There are law firms whose entire practice centers on filing these lawsuits. In 2019, there were 2,256 ADA website-accessibility lawsuits filed in the U.S.

If you build a website for a client that is required to be ADA-compliant, make sure they know that and that you include that in your scope of work.

Website ADA-Compliance Resources

Elementor has a web-accessibility design guide I recommend, as well as another guide on general WordPress accessibility. One of our teammates compiled an ADA website compliance checklist you can use to check your work as you complete it.

At Sagapixel, we use the Wave Web Accessibility Evaluation Tool before launching any websites requiring ADA compliance. I encourage you to check it out to gain an understanding of ADA accessibility requirements and to test your own websites.

In the U.S., Legal Requirements for Websites Vary by Industry

My web design agency has only done websites for companies in the U.S., which has allowed us the opportunity to gain knowledge of the specific legal requirements for websites in a variety of industries—in the United States. Regrettably, we haven’t built any websites outside of the U.S., so we haven’t acquired any experience with industry-specific legal requirements in other countries that we can share with you.

Despite this, the following section should still be helpful in getting you asking the right questions about the legal requirements of a company’s website in specific industries where you operate. If you are a web designer in the U.S., I’m sure the following sections will outline some legal requirements you may not be aware of.

Here are a few examples of the types of industry-specific legal requirements of websites.

The American Bar Association Regulates Attorney Websites

U.S. attorneys are held to strict ethics rules when advertising both online and offline, and those rules apply to their websites. The ABA Rules of Professional Conduct 7.1 – 7.3 regulate what attorneys can and cannot say on their websites (and just as a sidenote, web designers and SEOs run afoul of these rules frequently without even knowing it).

If you’re interested, we have an in-depth article about attorney ethics and websites, but here are the important points you should know:

  • An attorney website cannot say they specialize in or are experts in an area of law unless they hold such accreditation from a regulated body. In other words, an attorney website can’t say they specialize in car accidents or that they are expert divorce lawyers unless they hold their state court’s recognition of this. 
  • You cannot say anything that can be seen as misrepresentation. There are many ways this can occur, but here are some of the most common offenses:
    • Passing off stock images of models in suits as attorneys
    • Making promises about legal outcomes i.e. “we will get you paid!”
    • Making unsubstantiated claims such as “Top Attorney in X City”
    • Implying that you’ll get the same legal outcomes for a website visitor that you’ve gotten in the past
  • You need an airtight disclaimer stating that any communications through the website don’t establish an attorney-client relationship. It also needs to state that the blog isn’t giving legal advice and that any past settlements do not make any claims about the likelihood of getting similar outcomes for the visitor’s case.

This is not a comprehensive list of all of the requirements of an attorney website, but they do outline the most common mistakes web designers and copywriters make when building websites for law firms.

HIPAA Applies To Healthcare Websites, Too

If you build a website for any healthcare provider in the U.S., be careful about the way it collects patient health information (PHI).

HIPAA, the Health Insurance Portability and Accountability Act of 1996, regulates the collection and sharing of patient health information. A web developer’s mistake or a hack could potentially expose PHI, exposing the healthcare provider to massive fines and a potentially devastating public relations nightmare.

The Most Common Culprit Is the Contact Form or Booking System.

The most likely scenario would be if a patient were to share anything about their health history in a contact form or booking system and that information were to become exposed through a hack. In such a case, this would be not very different than if a doctor were to leave your health files on a bus.

So, if you build a WordPress website for a healthcare provider in the U.S., make sure the contact form and booking systems are HIPAA-compliant. At Sagapixel we use this service for our healthcare website contact forms, but there are several others on the market and I encourage you to look around.

As far as booking is concerned, your clients really should be using a service like ZocDoc for booking in order to avoid the potential liability of a custom system run on WordPress.

Requirements for Contractor Websites

Many U.S. states require contractors to list their license ID on their website. Don’t forget to ask for this, as it could result in a fine.

Requirements for Financial Advisors

Financial advisors have very strict regulations about using client testimonials and claims about potential results. They are all highly aware of these regulations and will typically tell you about them, but if they don’t, make sure you ask.

A Final Note: Avoid Getting Sued

If there’s one lesson you take from this article, it should be this one: there are lots of ways you can mess up and get your client in trouble when building a website. 

If you do, they may decide to sue you.

In the U.S., Errors, and Omissions Liability Insurance will cover the costs of legal representation and any settlement arising from a lawsuit if they do. If you have any assets that could be at risk if one of your clients sued you, you should consider getting insured.

On top of that, make sure you document having asked your clients about any regulations they face in their industry. Recommend they contact an attorney if they aren’t sure and make sure you keep a record of it all. If you inadvertently get them sued, you may have some protection if they approved your work and they explicitly told you there were no legal requirements you needed to follow.