Legal requirements for an eCommerce site | Aware Digital

As the owner of a website, you have a legal obligation to make sure that your site fully complies with all current legislation. Legal requirements apply to businesses of all sizes, from the tiniest start-up to an established store selling millions of products, so it’s important to get clear on exactly what you need to do to stay legal.

Unless you’ve been living under a rock, you’ve probably heard a lot about the GDPR data protection laws that came into force in May 2018. But while this has garnered all the attention over the last year, it is actually just one piece of legislation you need to comply with.

Disclaimer: This information is provided for informational purposes only and does not constitute professional legal advice. We are not liable for your use or reliance on this information.

Company Information

Under the Companies Act 2006, your website is required to disclose certain information about your company:

  • The full company name, including ‘Ltd’ or ‘Limited’ if it is a Limited company
  • Company registration number
  • Registered office address
  • Location of registration (England and Wales, Scotland or Northern Ireland)
  • Your VAT number
  • The name of any trade bodies or associations you are part of

This information should be displayed prominently, for example in the footer or on the Contact page.

Data Protection Regulations

Data protection laws place restrictions on exactly how you can collect, store and use people’s personal data. Under the latest General Data Protection Regulation (GDPR) introduced in May 2018, users are granted full control over their personal information, including the ‘right to be forgotten.’ 

To comply, organisations must ensure that information is:

  • Used fairly, lawfully and transparently
  • Used for explicitly specified purposes
  • Used in a way that is adequate and relevant
  • Accurate and up to date
  • Limited to only what is necessary, and kept only for as long as is necessary
  • Not processed or accessed unlawfully, or without authorisation
  • Kept securely

The implications for websites and eCommerce sites are wide-ranging, including having in place a clear privacy policy and always gaining permission from the user for any data you collect. For example, all contact, registration and sign-up forms should state the purpose of collection and have a tick box to gain permission from the user for each communication method (e.g. phone, email, post, etc).


Consumer Protection Regulations

To sell online, your business will need to comply with the Consumer Contracts Regulation. This stipulates a number of rules on the information that needs to be provided to the consumer in order for a sale to be considered “valid,” including:

  • A clear description of the goods or services
  • The total price of the goods
  • Details of additional costs like delivery charges
  • Cancellation policies and procedures
  • Contact information and details of any third-party traders

Electronic Commerce Regulations

As part of the EU’s eCommerce Directive, the Electronic Commerce Regulations provide rules concerning online trading and state that you must comply with consumer legislation in every European country you sell to. To comply, your website should provide the following information:

  • The name, email address and geographic address of the service provider
  • Clear pricing information, including whether tax or shipping costs are included
  • The technical steps needed to place the order
  • The terms and conditions of the sale
  • Electronic acknowledgement of the order and information on how to correct any errors made during the order process
  • The company’s registration number and place of registration
  • Details of memberships or associations the business is part of

Web Accessibility Guidelines

The Equality Act 2010 states that your website must be accessible to anyone who needs it. The Web Content Accessibility Guidelines outline a number of principles and recommendations for improving web accessibility, with an explanation of how to make digital services like websites accessible to everyone, including users with vision, hearing, mobility and cognitive impairments.

In practice, you should make sure you meet at least level AA of the WCAG 2.1 guidelines and ensure that your site is compatible with assistive technologies such as screen magnifiers, screen readers and speech recognition tools. You should also publish an accessibility statement.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS stipulates twelve key requirements for companies that accept or process card payments, including strict rules on data security and access. You won’t necessarily need to worry too much about these requirements if you use a third-party payment provider like PayPal, but it’s still a good idea to be aware of the rules as some parts may still apply to your business.

Anti-Spam Laws

The E-Privacy Directive is designed to prohibit unsolicited emails and other forms of electronic communication. Amongst other things, you should gain consent from the user to contact them and include clear opt-out instructions in every communication.

Cookie Laws

The EU Cookie Law is a piece of legislation that stipulates websites must get consent from visitors before storing information on, or retrieving information from, their device. You must tell visitors how you use cookies and obtain their consent before doing so.

Legislation is constantly changing, so it’s important to keep track of the latest developments in order to stay compliant. If in doubt, contact your website developer and seek professional legal advice.


Copyright © 2024 Aware Digital

Company Reg: 11640896 VAT No. 311736919
