Contact: Boodle Hatfield (London, England)
The design, structure, functionality and content of a website will inevitably vary depending on the size, reach and industry sector of the business it represents. However, there are a number of commercial, financial and legal risks connected with each and every website. Whatever the size of your business, if you are unsure about the answer to any of the following four questions you are probably exposed to higher legal risks than you should be:
Whose site is it anyway?
Very few businesses will have all the resources and skills that are required to set up, design and maintain a website in-house. Web designers and other third parties are therefore frequently engaged to provide some or all of the relevant services. It is a common misconception that the copyright and related intellectual property rights in the various aspects of a webpage created or added to by a designer (such as design and graphics, specially written text, the coded version of the pages, etc.) automatically belong to the business that engages the designer. By law, it is in fact the designer who owns these rights unless they are expressly transferred to the business in writing. Accepting a designer’s terms and conditions unread, or proceeding without any written agreement in place at all, can accordingly be a very costly decision, in particular at times when the business comes under close scrutiny by potential investors and/or buyers. Similarly, do ensure that, where the initial registration of your domain name is undertaken on your behalf by a third party, the registration is either made in your business’s name or the domain name is formally transferred to you as soon as possible after registration. Finally, legal ownership of a website does not automatically equate to portability; unless you have a fairly up-to-date, full set of your webpages in electronic form, the transfer of your website to another service provider can involve unexpected costs and delays if the relationship with your previous service provider does not end on good terms.
How do I maintain my domain?
Choosing and registering an appropriate domain name will inevitably be the first step in the set-up and operation of a website. It is, however, easy to forget that a domain name needs to be maintained, i.e. the registrant only has a right to use the domain for a certain number of years and then needs to renew the domain for it not to expire and therefore become available to third parties again. Some domain name registrars run an auto-renewal service where the registrar guarantees to renew the domain name in good time at the end of that fixed number of years. Others notify the domain holder of a forthcoming renewal by e-mail, mostly about 30 days before the renewal date. Some do not offer either service. The applicable policies for maintaining domain names can therefore vary substantially between the more than 1,000 companies accredited with ICANN (Internet Corporation for Assigned Names and Numbers) to register generic top level domains. If you are not already aware of the date on which your domain name registration will expire and of the maintenance policy of your registrar, do check these points so that your organisation can then put appropriate measures in place in order not to miss the renewal date. In any event, whether in relation to renewal dates, disputes or administrative matters, your domain name registrar will only be able to reach you if it is in possession of up-to-date contact details, so do ensure that these are updated where necessary.
What legal information does my website need to display?
If you are a company incorporated under the laws of England and Wales, your website (just like all of your letters and order forms) must display the company’s registered name and company number, registered office and the part of the UK in which it is registered.
Additional obligations may apply by law depending on the nature of the business being carried out and you should ensure your business is not in breach of these obligations. For example, if your business provides online services, the following information must also be available on your website:
- Your business’s name and physical address.
- Contact details, including an e-mail address. Before any contract is concluded, the consumer must also be given another direct and effective method of communicating with you (e.g. a telephone number).
- Where provision of the service is subject to an authorisation scheme, details of the relevant supervisory authority.
- If your business undertakes an activity that is subject to value added tax, its VAT registration number.
- The name of the company’s trade registry (if any), together with its registration number or equivalent.
Similarly, if your business is a member of a regulated profession (e.g. solicitors, doctors or accountants), your website should also contain the following:
- The name of any professional body or similar institution with which the business is registered.
- A reference to the professional rules applicable to the business and a means of accessing them (e.g. by way of a hyperlink).
- If the business is a sole practitioner, its professional title and EEC member State which granted such title.
Further rules will apply to public limited companies. For example, the AIM rules prescribe that the website of an AIM listed company must include certain information and documentation (including copies of its current articles of association and its most recent annual report, details of its nominated advisor and other key advisors, copies of all RNS announcements made by the company in the last 12 months, and certain information regarding the securities in issue in the company) and this information must be up-to-date and free of charge.
Cookies, Privacy and Permitted Use – What policies do I need?
Privacy - Getting up close and personal
Not only social networking sites have to be mindful of data protection legislation. Nearly all commercial websites have to comply with the principles contained in the Data Protection Act 1998 (the “DPA”) if they are deemed to process personal information. In addition to bad publicity, failure to comply with the DPA can lead to the company and any neglectful officer of the company being fined up to £5,000.
‘Personal information’ includes any information which allows a living individual to be identified, which will include something as little as someone’s name, address or email address. The ambit of ‘processing’ is even wider and covers, amongst other activities, the consultation, organisation and dissemination of such information. In the words of the regulator, “it is difficult to envisage any activity involving data which does not amount to processing”.
Businesses which process personal information are obliged (subject to limited exceptions) to register with the Information Commissioner before they start processing it. This can be done online at: http://www.ico.gov.uk/for_organisations/data_protection/notification/notify.aspx.
If you collect personal data via your website, your website should include a link to a suitable privacy policy, and this will need to be displayed in an intelligible and prominent way. In cases where sensitive personal data is being collected it is also normally necessary to get the individual’s explicit consent, which is unlikely to be satisfied by the presence of a ‘pre-ticked’ box.
There are some useful exemptions to the above rules, most pertinent where the information is only used for internal administration. However, even if one of the relevant exemptions can initially be relied upon, businesses need to monitor regularly whether this remains the case as their commercial activities evolve.
It should also be stressed that where a business collects data for a particular purpose and then wants to use it for another purpose, the individuals concerned will have to be notified before the information can be used for this new purpose. Relying on an out of date privacy policy is accordingly almost as bad as having no privacy policy in place at all.
Cookie Policy – The new kid on the block
Cookies are small files implanted on a user’s hard-drive which collect information about that user, e.g. to remember their log-in details. Nearly all commercial websites use at least simple cookies, so chances are that your website does as well. From 25 May 2012, all websites were required to be compliant with Article 5(3) of the E-Privacy Directive, which was implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (amended in 2011) and requires the informed consent of the website user prior to the installation of a cookie.
In what was seen as a u-turn, on 24 May 2012 (the day before compliance became mandatory) the Information Commissioner published guidance stating that implied consent, meaning relying on users understanding that cookies are being set, can, in certain circumstances, constitute informed consent. This means that there is no longer going to be a strict requirement to have a pop-up box or similar technique to make users accept a website’s cookies policy before accessing the page (active consent).
The current guidance from the Information Commissioner does state, however, that implied consent cannot be read as simply doing nothing, but that a business must satisfy itself that the users of its website understand that their actions will result in cookies being set.
In practice this is likely to mean having a clear, comprehensive and easy to understand cookie policy which is easily accessible to your website's users. This should include (but should not be limited to) the type of cookies used (whether by you or by any third parties whose content you display on your website, including in particular advertising networks), how the site uses them and how intrusive the relevant cookies are.
Furthermore, the more sensitive the data collected, and the more intrusive the cookies used are, the clearer a cookie policy will need to be, so there are many situations in which it will remain wise to obtain active consent.
While the Information Commissioner has indicated that a proportionate approach will be used in enforcing the new law provided that the website owner can show it is working towards compliance, businesses should be aware that fines of up to £500,000 can be imposed for a breach of its requirements.
If you have not already done so earlier this year, do therefore speak to your IT team and/or website designer to ascertain the cookies set by your website, and then consider the necessary steps to bring your website into compliance with the Regulations.
Terms of Use – Visitors’ dos and don’ts
Terms and conditions dealing with the access to and use of a website may not be a must for all websites (they clearly are for websites that are used to process orders for the supply of goods and services!) but are nevertheless advisable for most websites to assist the underlying business in preventing unauthorised reproduction of materials from and unauthorised linking to the site and in restricting its potential liability to visitors.
Terms of use normally deal with some or all of the following key issues: what a visitor may and may not do with the content of the website, rules for content posted to the website by visitors, linking (conditions on which third parties are allowed to link to the website), security (password confidentiality and sharing of user accounts) and disclaimers (for any liability for the content or performance of the website). This is, however, not all. Where visitors use the website to place orders for the supply of goods and services, additional provisions dealing with the terms on which such goods and services are supplied are necessary together with provisions dealing with various other applicable legal and regulatory requirements (such as those relating to distance selling).
As in the case of privacy policies, terms of use should be checked regularly to ensure that they properly reflect the underlying commercial reality and, of course, the relevant legislative and regulatory environment in which they are applied.