Anyone who has a website, be it for business or other use, has to comply with certain legal regulations. Failure to do so can mean you are breaking the law and lead to sanctions or fines. In this post, we’ll look at the range of regulations different types of websites need to comply with and explain what you need to do to be compliant.
1. The EU Cookie Directive (2003)
If your website leaves cookies on a user’s computer, then under the EU Cookie Directive (2003) you are obliged to inform visitors that you use them, explain how they are used and show how they can be turned off. This is usually done in the form of a pop-up, which you will no doubt have seen numerous times on other sites.
2. Data Protection Act 1998
Another regulation that will apply to many websites, not just commercial ones, is the Data Protection Act (1998), which is designed to safeguard users’ personal data. Any site that collects personal data is legally required to register with the Information Commissioner’s Office (ICO) and comply with the act.
Compliance means doing the following:
- limiting the data you collect to that which is important to your business
- securely storing all data within the EU and not transferring it elsewhere without user consent
- deleting personal data at the users’ request or if it is no longer needed
- clearly stating how and why you use the data in your T&Cs
- specifying if any data used by third parties is moved outside the EU
- telling users how they can have their data deleted
3. Web Accessibility and the Disability Discrimination Act
Under the Web Accessibility and Disability Discrimination Act, websites should be accessible to users with a disability. In particular, this means providing a way for blind people to access the information you publish. To comply, you need to make sure that any written text can be enlarged or read aloud on a user’s device – many devices have these accessibility features built in. You also need to write alt tags for images that describe what is in the picture. There are some other design standards that your web developer should incorporate as well. Failing to provide these features could lead to you being sued for discrimination.
4. The Electronic Commerce (EC Directive) Regulations 2002
The Electronic Commerce Regulations apply to businesses which communicate with users via websites, emails, apps or other electronic means. The regulations require companies to meet the following requirements:
- Registered businesses must clearly display their name, address, registration number, VAT number and direct contact information on their website
- Your site’s terms and conditions must be clearly displayed
- If you sell goods or services, you must display their prices, tax and delivery charges
- All communication must identify the person who sent it
- All orders must be acknowledged in writing
- Marketing materials should be clearly identifiable as commercial in nature and have clear T&Cs
- If you send unsolicited emails, you must identify them as such
5. The Consumer Protection (Distance Selling) Regulations
The Distance Selling Regulations protect the rights of consumers who purchase goods and services from your website. The principal right of consumers under the regulations is a 14-day period during which they can cancel any orders or contracts and return any goods they have purchased, even if they have been opened. You have an obligation to comply with this and to state it in your terms and conditions. You can require them to pay the cost of returning products to you.
In addition, websites are required to:
- Display clear and concise information about products, services and shipping
- Include any VAT in the price of goods or services sold to the general public
- Send written acknowledgements of all orders
6. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is designed to prevent credit card fraud during the processing of online payments. Compliance is required of all organisations that hold, process or pass on cardholder information. There are strict requirements that organisations need to adhere to, including encrypting cardholder data sent during a transaction and protecting stored cardholder data. These are just two of the standard’s dozen key requirements.
In addition, PCI DSS requires strict security measures to be in place on your server. If you use a web host, you need to check that they can help you maintain compliance. For example, your server will need a strong firewall, anti-virus protection and secure access controls, and your website will need strong passwords and an SSL certificate.
7. EU anti-spam laws
To conform to EU anti-spam laws, users must opt in to receive any marketing email communication from you. Similarly, any subscribers must be able to unsubscribe from your emails. Unsubscribing should be easy and is generally achieved by putting an unsubscribe link at the bottom of every email you send.
8. The General Data Protection Regulation (GDPR)
The General Data Protection Regulation comes into force on 25th May 2018 and is designed to strengthen the rights of EU citizens, giving them greater control over how organisations use and store their data. For more information about compliance with GDPR, read our article, ‘15 Essential Facts about General Data Protection Regulation.’
As you can see, there are a lot of regulations that website owners may need to comply with. Not all websites will need to comply with all of them; it depends on what kind of online activities you conduct. However, those companies which sell online, gather and store personal data and take card payments are likely to have to comply with most, if not all, of the regulations above.
If you are looking for web hosting that can help you with PCI DSS compliance and which provides you with the data security features you need, visit our homepage to check out our hosting solutions.