Privacy Policies, Copyright Infringement, Spam, Oh My!
You took your business online because technology made it easier. While a lot of the tutorials and “user-friendly” applications make it sound like running a business online can be accomplished by anyone, you’ve figured out there’s a bit more to it than that. Whether you’re running a strictly online venture or you’ve added social media and a web presence to your real-world business, there are some legal requirements for websites that you might not know. We’ve compiled an easy-to-read list to guide you as you manage your website.
Legal Requirements for Websites
Like most things in the legal realm, the wording of the actual statutes is lengthy, often confusing, and not the most exciting read. So, we’re going to give you an overview of a few important points to keep your website on the right side of the law. Note: we’re not attorneys, so we strongly encourage you to consult one to apply these concepts to your business.
- GDPR. The General Data Protection Regulation is a European law protecting the rights of EU citizens. GDPR specifically looks at how a website records a visitor’s information and what it does with it. You might be asking why you should care about laws in Europe. Well, if you have any customers, or website visitors, in the European Union and your company does not comply with their data laws, you could face prosecution.
- CCPA. The California Consumer Privacy Act is California’s version of GDPR. It is designed to protect the data of customers interacting with businesses in California in much the same way as the European legislation. CCPA specifically focuses on companies of a certain size, or businesses that make money from selling customer information. As a reference, read through our CCPA article to better understand if your business is implicated. If you’re not based in California, don’t breathe a sigh of relief just yet. Other states are also considering bringing in their own online privacy legislation.
- eCommerce Considerations. This is a wide topic. Any online transaction is governed by the same laws which govern an in-person transaction. Your online presence may also include public user boards, so your user terms of service should be in place. You should also have a “take down” policy for items that are deemed defamatory or in violation of copyright or trademark laws. If you’re selling on your website, make sure personal information is encrypted in transit via HTTPS.
Essentially, all websites should have HTTPS protection. Google has been pretty clear about where it stands on web security and privacy. It’s even more important for sites handling financial transactions.
- Collection of Personal Information. There are specific laws which govern the collection of personally identifiable information (PII), such as IP addresses. If you’re collecting PII with analytics or through the function of your online presence, make sure you’re aware of all of the laws that apply.
- Copyrighted Content. Your own content should be protected from copyright infringement through the use of copyright symbols and notices stating the conditions under which any of it may be reproduced. You should also research safe harbor laws to make certain you’re protected from claims of copyright infringement. From an SEO point of view this is also important: if your website carries content that is not unique, it may be subject to a Google penalty.
- Content Attribution. It’s important to include attribution for any work not created or purchased by your company. This applies to written content as well as photography and graphics. Creative Commons images can be easy on your wallet, yet they come with differing levels of attribution. Be aware of the usage rights attached to each image and follow them.
If you’re using primary photography, such as employees or customers interacting with your brand, make sure you have the appropriate release forms signed before uploading to your website.
- The CAN-SPAM Act. You’re probably aware of CAN-SPAM. Even so, it’s worth a mention. Misusing any type of email marketing can lead to fines. We recommend using tools like MailChimp or other email service providers (ESPs) to send out mass emails. MailChimp automatically flags any spammy tactics you might inadvertently use, but it won’t catch everything. Make sure you’re in compliance with the FTC’s rules and regulations. Getting permission from your leads before you email them is vitally important, and not just because of the FTC risks and related fines. Permission-based marketing is a much better way of nurturing customers than spray-and-pray spam tactics.
- Accessibility. This is exactly what it sounds like. You might be surprised to know that there are rules guiding your website’s accessibility for the disabled. In 2019 we saw a number of lawsuits over the Americans with Disabilities Act (ADA). If you’re not familiar with the Domino’s case that reached the Supreme Court, it’s worth a read. In 2020 we anticipate rising awareness of making websites accessible to everyone. The more visitors that can use your site, the better.
Reasonable Levels of Protection
The following information was written by Jessica Merlet, a privacy and internet law expert from Merlet-Law.
Even though they are different in many respects, all privacy statutes require companies to employ “reasonable” levels of personal data protection. There is some official guidance on what all companies can do, at the bare minimum, to meet reasonable security requirements. The California Department of Justice published the California Data Breach Report, comprehensively reviewing 657 data breaches between 2012 and 2015 and citing twenty data security controls published by the Center for Internet Security (CIS).
The DOJ cited these controls as the “minimum level” of information security that all organizations that collect or maintain personal information should meet and further stated that “the failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security”. Although published by California authority, the 20 CIS controls cited by the California DOJ have continually been relied upon as the benchmark to meet all “reasonable” security requirements, even for GDPR and NY SHIELD Act compliance. Whether your company should implement more than the CIS controls is, again, a matter of what is reasonable for your company. Further discussion with an attorney can help delineate what additional security measures your company should put in place.
An additional security measure that companies should implement is data mapping. Data mapping is a process that:
- Identifies the type of private data that is collected and stored in networks
- Delineates the purposes for which the data is being collected and stored
- Accordingly implements safeguards to control access to the data based on its type and the purpose for which it was collected and stored
This ‘mapping’ is a great first step in tracking data based on relevance to privacy compliance so that further security measures can be effectively implemented. With data mapping, restrictions and controls can be applied appropriately to only the data that needs to be protected.
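The three steps of data mapping described above, as an added example that is not part of the original article or Ms. Merlet’s text: a small inventory records each stored field’s category, declared purposes and location, and an access check then allows a request only for a purpose the data was collected for. The field names, purposes and storage locations are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class DataItem:
    name: str                 # field or column name in the store
    category: str             # "pii", "sensitive_pii" or "non_personal"
    purposes: FrozenSet[str]  # purposes declared when the data was collected
    location: str             # system or table where it lives

# Constructed sample inventory for a small ecommerce site (steps 1 and 2:
# what private data is held, where, and for which declared purposes)
DATA_MAP: Dict[str, DataItem] = {
    item.name: item for item in [
        DataItem("email", "pii", frozenset({"order_fulfillment", "marketing"}), "orders_db.customers"),
        DataItem("shipping_address", "pii", frozenset({"order_fulfillment"}), "orders_db.customers"),
        DataItem("client_ip", "pii", frozenset({"security_logging"}), "web_logs"),
        DataItem("card_last4", "sensitive_pii", frozenset({"order_fulfillment"}), "payments_db.transactions"),
        DataItem("page_views", "non_personal", frozenset({"analytics", "marketing"}), "analytics_db"),
    ]
}

def personal_data_items(data_map: Dict[str, DataItem] = DATA_MAP) -> List[str]:
    """Step 1: list every field that holds personal data (everything not non_personal)."""
    return sorted(i.name for i in data_map.values() if i.category != "non_personal")

def access_allowed(field_name: str, purpose: str, data_map: Dict[str, DataItem] = DATA_MAP) -> bool:
    """Step 3: personal data may be used only for a purpose declared at collection time.
    Non-personal data is unrestricted; unmapped fields fail closed until inventoried."""
    item = data_map.get(field_name)
    if item is None:
        return False
    if item.category == "non_personal":
        return True
    return purpose in item.purposes

def audit_request(fields: List[str], purpose: str,
                  data_map: Dict[str, DataItem] = DATA_MAP) -> Tuple[List[str], List[str]]:
    """Split a multi-field request (e.g. a marketing export) into granted and denied fields."""
    granted = [f for f in fields if access_allowed(f, purpose, data_map)]
    denied = [f for f in fields if f not in granted]
    return granted, denied

if __name__ == "__main__":
    print("personal data held:", personal_data_items())
    print("marketing export:", audit_request(["email", "shipping_address", "card_last4", "page_views"], "marketing"))
```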
This list is in no way complete. Yet it’s a good start as you research your website’s compliance requirements. If you’ve read through the laws and aren’t sure how to implement them, we highly recommend hiring legal counsel.
What other legal requirements for websites would you add to our list?
How can we help?
Want to implement schema markup on your WordPress website? Looking to improve how you appear in organic search?
We are The Spectrum Group Online, and we offer strategic and tactical consulting so you can monetize your online presence. Call us for a complimentary 30-minute consultation to discuss your website’s user experience and translate that into sales.
photo credit – top: Michael Coghlan
photo credit – body: Rohan Kar