Is Your Website Legal?
Just as a physical shop or office has legal requirements, such as insurance, so does your website.
Your website is your virtual HQ, and you want it to be as safe and secure as possible. But you also definitely want it to be legal, or else it could land you in a spot of trouble...
Do You Have a Privacy Policy?
As per the The Data Protection Act, if you are collecting data from users on your website, you must have a Privacy Policy that outlines how your business will use that data. Therefore, you need a Privacy Policy if:
You have a contact form on your website (even just a simple one!)
You have a shopping cart on your website
You collect email addresses through a newsletter sign up form on your website
You have cookies on your website (eg, if you have any kind of analytics about your website traffic, such as Squarespace metrics & Google Analytics, you have cookies)
You Privacy Policy should be accessible from any page on your website (especially your home page), so it's usually best to create a link to it in your website footer. It should include:
A basic introduction to what cookies your website uses (or you can link to a separate cookie policy as explained below)
A link to the Online Dispute Resolution Platform (this is a new legal requirement for 2016, so double check you have this in place!)
How you will be using any customer data you collect, and how you will store it
A link to and explanation of how you adhere to the Data Protection Act
I always include a basic, free Privacy Policy page for all my client websites, based on a basic template, but I would recommend a solicitor for large businesses.
Do You Have a Cookie Policy?
Cookies are small files that are stored on a user's computer when they go to a website that has cookies enabled, and these files are used to send information back to the owner of the website (eg, Google Analytics cookies will track how many pages a user has visited and other information).
Users of a website must be aware that your website uses cookies, and they must also be aware of how to remove or block cookies. There are a couple of ways you can manage this as a website owner:
You can block cookies on your website until the user consents to using them by clicking 'OK' on a pop-up asking them if they're happy to have cookies (this is called opt-in consent)
ORYou can enable cookies and have a pop-up telling the user that your site uses cookies, and link them to your Cookie policy where you explain how to get rid of them if they want to (this is called implied consent)
ORYou can display a clear link to your Cookie policy on every page of your website, making sure your policy includes how users can get rid of cookies (this is called implied consent)
I use the latter option on my website and my clients websites as I believe a pop-up would damage the user experience of a site. As long as you mention in your Cookie Policy that you are operating an 'implied consent' policy, and you include details on how a user can remove cookies on your website, this is fine.
Are You Displaying Your Company Information?
As a business owner, it is a legal requirement to clearly display company information on your website. As of 2016, it is also a legal requirement for any website owner to clearly provide an email address on your website (ie, you can't just have a contact form alone).
For registered companies (LTD/LLC, PLC etc), you must include:
The business name
The place of registration (eg, England & Wales, Scotland etc.)
Registered office address
Trade association membership (if any)
A contact email address
VAT number (if any)
For sole traders, you must include:
The business name (this may be just your name)
The registered office address
A contact email address
This information does not have to be displayed on every page of your website, but it should be clearly accessible. Some might put this information on their contact page for example.
Is Your Website Accessible?
Due to the Equality Act 2010, you must make your website accessible to all users, including the visually impaired. As laid out in the Priority 1 W3C guidelines, this means taking certain actions to make your site as readable as possible for screen readers.
You can read the guidelines yourself and talk to your website developer/designer about ensuring these are fulfilled, but the basic principles are:
There must be text equivalents for non-text elements (eg, all images & media should have 'alt tags' - in WordPress & Squarespace you can fill these in yourself when adding images/media. Graphical elements that come with themes/templates should be added already by the developer).
Your website must be able to be viewed and read as pure HTML without a CSS stylesheet (good WordPress templates and all Squarespace templates should be built with this in mind)
So imagine if all the design elements and images etc were stripped from your website; would it still be readable? (Obviously it will be harder to read, but it must be possible).
Is Your Newsletter 'opt-in' only?
As well as having a Privacy Policy that adheres to the Data Protection Act in regards to collecting email addresses, you also need to comply with the EU Anti Spam Laws. This law dictates that users must give express permission to be sent marketing emails (these include your business newsletter - salesy or not).
Any email address in your database must have 'opted in' to receive emails from you, and many email marketing services (such as Mailchimp, Convertkit, Campaign Monitor etc) will shut down your account if they find you have broken this rule.
So what counts as opt-in permission?
If people have signed up to your mailing list on your website, or have checked a box to say 'I would like to receive newsletters' (or something to that effect) at your shop checkout, that counts as permission!
If you have email addresses you have gathered yourself by online research, tradeshows or purchasing, you can only send them newsletters/marketing emails if you first contact them to ask them and get permission.
If you ran a competition or have an 'opt-in freebie' on your website and have clearly & visibly stated that by entering their email address the user is giving your business permission to send them marketing emails that is fine. But it must be clearly visible!
Campaign Monitor have a really useful guide for finding out if your list is okay or not.
Remember: As part of the same law, you MUST provide a link or instructions on how to opt-out of your newsletter emails in EVERY email.
Do you have T&Cs, Delivery & Returns Policies?
This is for ecommerce websites; you must clearly display or link to pages that include your terms and conditions of purchase, your delivery options, and returns/refunds/exchange policy.
Termsfeed has information on what to include in these policies, but if you are a large retail store or you plan to grow, it would definitely be worth having a lawyer involved to help.
Do You Have an SSL Certificate?
This is for ecommerce websites; as per the Payment Card Industry Data Security Standard law, if you are taking payments directly through your website (ie, not redirecting visitors through a Paypal link), you must take the necessary precautions to keep their bank details safe.
This obviously includes keeping your website as safe and secure as possible, but it also means you need to have an SSL certificate.
What is an SSL certificate?
SSL is an acronym for Secure Sockets Layer, and having one installed on your website will create an encrypted connection between your web server and the user's browser while they are making a payment on your website.
When you are online shopping and you get to the checkout and see the URL has changed to https:// with a padlock next to it, you know the website is using a secure, encrypted connection via an SSL certificate.
Squarespace ecommerce has SSL built in, but if you are self-hosted with WordPress, you will need to contact your hosting provider to help you install one onto your site.
* Please note I am not a lawyer, and I can only recommend the basic information that I understand to be true from my own research as a diligent website designer.
