Legal Policies for Websites (USA)
What You Need To Know!
Disclaimer:
This information is for educational purposes only and not a substitute for legal advice.
We’re a web design firm sharing legal policy best practices for service-based, small business website owners specifically in the United States.
Every country has its own legal requirements. If you need specific legal advice, please contact a business attorney in your country.
Do you own a website? You need legal policies!
Researching legal requirements for your website probably doesn’t make your “Top 10 Exciting Things to Do This Year!” Admittedly, as website designers, making sure our clients’ websites are legally compliant with online business laws and regulations isn’t the most fun part of designing and building a website.
But like business taxes, it’s a necessary evil to be aware of the requirements to avoid being sued, paying fines, or having your website shut down. We’re here to give you some baseline insights and inform you about general laws applicable to online service-based businesses in the U.S. – Let’s dig in!
U.S. Online Business Laws
According to TermsFeed, there isn’t a federally mandated law that requires a business to have a privacy policy, with the exception of COPPA (Children’s Online Privacy Protection Rule). However, there are federal and state laws that have “provisions on data” and laws with “privacy implications” that you may need to comply with.
6 new data privacy laws go into effect in 2023 and we don’t see this trend stopping anytime soon.
Your legal responsibilities are dependent on your business, industry, and location. Not all laws apply to every business/website. And a lot of the rules are conditional, meaning for the law to apply the business/website must meet one or more of certain criteria (ie: business of a certain size, # of site visitors per year, surpass a certain threshold of revenue, etc.).
It’s a good idea to implement the standard legal policies on your site (more on these below). In general, policies should be written in plain language and easy to understand which makes them more accessible and transparent for everyone making a positive user experience on your website.
It should be noted that policies need to be regularly reviewed and updated as needed in order to ensure compliance with laws and regulations.
You may also want to consult with an attorney to make sure your policies are up to snuff. However, if you don’t have the budget for one, and online data privacy laws aren’t your bailiwick, we’ve got a suitable policy-generating software explained near the end of this post that we use and implement for most of our clients.
Personally Identifiable Information—What is it?
Personally Identifiable Information (PII) is any information that could be used to identify you. “But my website doesn’t collect personal information”… Are you sure? When a user visits your website, you’re likely collecting their data.
There is a lot of information that can fall into this category, and here are some examples:
IP address (geolocation)
Email address
Name
CC info
Shipping/billing address
If your site has features like:
Contact/Scheduling Form
Newsletter Signup
eCommerce Store
Membership/Account Login
Comment/Posting
Cookies
Analytics Software
Then it’s definitely collecting PII data.
Understand what personal info and data your website collects and how it’s being used. You’ll need to disclose all of this information in your privacy policy.
Why Data Privacy Matters
Consumers have become more interested in the privacy of their personally identifiable information (PII) online.
What’s the big deal if companies can track you and build a profile based on your browsing history, specific Google searches, geolocation, know your name, home address, and credit card number?!
Privacy is a human right. Users should have some control (opting out) over their personal info because much of the data being collected is highly sensitive.
Businesses and governments rely on surveillance of your personal data to target you with hyper-personalized ads, control the content you see, influence your purchasing and political decisions, sell your data for profit, and may accidentally leak it in a cyber attack.
It’s important to ascertain what info you’re willing to share, how, when, where, and with whom. More often than not, though, we quickly check boxes and agree without reading the fine print. We don’t have the attention span to read all those online service and application terms, and even if we do read them, it isn’t clear what they mean and how they apply to us.
Many state privacy laws are in effect to protect the PII of users such as the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Many more states have proposed their own privacy bills with unique requirements and penalties for failing to comply.
Fines and penalties can be quite steep (for example, $2,500 per violation) because they are per violation, meaning per visitor, so even if your site has low traffic per month penalties could add up.
Legal Policy Pages
Don’t consolidate all your policies on one “legal page”. Your policies such as Privacy Policy, Terms of Service and Disclaimer need their own dedicated page because a user must be able to clearly distinguish between all of your policies.
It’s also important not to bundle your policies on one page due to GDPR and other state privacy policy acts. Not only is it legally required to conspicuously post each policy, but it’s also the best user experience to use a descriptive hyperlink (ie: Privacy Policy) listed in the footer of the site so it’s accessible from every page of your site.
Privacy Policy
A privacy policy is a legal agreement that outlines how a website gathers personal data (PII), uses, and discloses it. It’s all about transparency.
It’s recommended and legally required that every website have a privacy policy when collecting personally identifiable information—which your website likely does.
This type of policy states a company’s approach to the collection, storage, use, and disclosure of personal data. Additionally, it outlines security measures put in place (if any) to protect collected data.
Other information included covers the use of analytics software, consumer rights, and the use of cookies. A privacy policy assures users that their data is kept safe and used only for legitimate purposes, and makes them aware of their rights to access and control their data.
Lots of state laws require a website to have a privacy policy and be more transparent about data collection and use.
You may have even noticed an uptick in privacy policy update notification emails from large companies in the last month of 2022 and that’s because 6 new privacy laws go into effect in 2023 with many more state laws and federal bills on the horizon.
Beefing up legal protections for users became front and center during the Facebook-Cambridge Analytica data scandal and massive settlement. Also in 2018, the European Union implemented the General Data Protection Regulation (GDPR) which is now the global standard for internet data privacy and redefines consent.
Navigating compliance with these laws can be challenging and confusion can happen especially since there’s not one overarching federal privacy law that encompasses all states.
As a website design agency, we help our clients understand, to the best of our ability, the importance of privacy policies so they’re not sued for privacy law non-compliance on their website; ultimately, it’s up to the website owner to make sure their site is legal.
Depending on your business type, you might want to contact a business attorney to help navigate the process of creating a bulletproof policy. We recommend a cost-effective policy generator service to make sure your site is compliant and remains updated.
Terms of Service
Also called Terms and Conditions, the terms of service is a legal contract between the website and the user which the user must agree to in order to use the website, and it states the rules of use. It’s recommended but not legally required that every website have terms of service.
The terms of service policy define the rights and responsibilities of both parties, outlining the use of the content, expectations for users, acceptable behavior, and what actions are prohibited on the site.
They help protect your intellectual property (IP), spell out who to contact, choose where you’d like to resolve disputes, and limit the damages you may be responsible for.
Terms are really important if you own an eCommerce site or do any kind of selling on your website (ie: consultations, membership, digital products, etc.).
You’ll want to state the rules around offering cancellations, refunds, warranties, etc. Not surprisingly, there are a bunch more legal requirements around selling online that are dependent on your business type, industry, location. For more info on eCommerce laws, check out this guide from BigCommerce.
Terms help protect you (the site owner) and also assist potential clients to answer their questions before they buy or use your services.
Disclaimer
A disclaimer states the limitations of the website and liability for the use of the site and the info it contains.
We all read disclaimers—they’re everywhere…
From the “This medication can help with your symptoms but may cause moderate to severe pain or even death” pharmaceutical commercials to the statement under a YouTube exercise video “Always consult a physician prior to starting a new exercise routine” to the "Caution: Contents Hot" label found on most disposable drink cups.
Heck, we included a disclaimer at the top of this blog post stating “This information is for educational purposes only and not a substitute for legal advice.”
These types of disclaimers are important and serve to reduce your liability by outlining risks associated with the use of the website. They protect your business if someone gets injured or something goes awry.
They’re relevant to you if you:
provide information that seems like legal advice;
provide health and fitness information and advice;
provide affiliate links and participate in an affiliate marketing program; and/or
advertise, display, or sell health or third-party products and services.
Making users aware of the potential risks helps ensure a safe and secure experience for all. Plus, if someone takes legal action against you due to injury, the damages can be expensive. Get yourself a disclaimer and implement it ASAP if the above conditions apply to you.
Accessibility Statement
Designing and building websites that are easy to use, understand and helpful to every visitor, including those with disabilities, is something we strive for. Although web accessibility is the right thing to do, it’s also a liability.
Depending on your business and industry your website might need to comply with Web Content Accessibility Guidelines (WCAG) and there are different levels of conformance.
The ADA (The Americans with Disabilities Act) doesn’t provide guidelines on making a website compliant. The Web Accessibility Initiative (WAI) does provide clear guidelines, has lots of tips, has an accessibility statement generator, compliance testers, and more.
We include a general statement about accessibility on our website, with a disclaimer that, despite our efforts to make all content accessible, some content may not have been fully adapted to the strictest accessibility standards because the most appropriate technological solution has not yet been identified.
Accessibility is essential and we wrote a lengthy blog post for you to learn more about website accessibility standards.
General Data Protection Regulation (GDPR)
GDPR is a European Union law that protects the privacy of EU residents. It says users must give consent to a website before the site can collect and process their personal data.
Users can also withdraw their consent at any time and request how their PII is being used and for their data to be completely deleted. GDPR also requires websites to post and enforce an accessible privacy policy.
GDPR applies to websites that offer goods and services to and/or monitor the behavior of EU residents (ie: with cookies/analytics), regardless of whether the business/website is located in the EU.
There are exceptions that do allow for the processing of personal data (ie: the user has consented, data processing is necessary to perform service, etc.), but they must be disclosed in your privacy policy. There are also very specific requirements on what a privacy policy must contain.
GDPR applies to businesses both small and large and if it applies to your business/website it’s important to comply with this law to avoid fines. Here’s a complete GDPR compliance guide.
Cookie Policy and Cookie Consent Tool
Cookies are small pieces of data sent from a website and stored by a user’s browser. They’re used to track browsing behavior and help a website run more efficiently.
If you use cookies (most websites do), you’ll need to disclose that information in your privacy policy due to privacy laws.
It’s also a good idea to get a cookie policy that explains to users what cookies will be placed on their devices by your website and for what purposes. Everyone’s cookie needs are unique because every website might use different cookies and analytics tracking technologies.
For example, Squarespace has essential built-in cookies and marketing analytic cookies to enhance the browsing experience. Add in third-party tracking software like Google Analytics or Facebook pixel and your cookie files start adding up.
There are different types of cookies:
Functional and required; these are necessary cookies for key features on your site
Analytics and performance; these are optional and give you information about how visitors interact with your site
Marketing; these are optional cookies and are usually placed by third parties
In addition to a cookie policy, you also need a cookie consent solution such as a banner or pop-up. This is used to inform users of cookies in use, link to your cookie and privacy policy, and depending on the laws applicable to you ask users to consent to cookies (opt-in or out) before running them.
But not all cookie consent tools are created equal. For example, Squarespace has a built-in cookie banner to inform visitors that cookies are being used, with an option to accept or decline. It is a good tool, but in order to be GDPR compliant you have to receive a visitor’s affirmative consent to use non-essential cookies, which restricts your analytics cookies until a user has clicked accept on the cookie banner. This can make analytics info inaccurate.
Keep in mind that the built-in Squarespace cookie banner doesn’t disable or restrict third-party cookies, so if you use those, you’ll need a better cookie consent tool.
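To make the opt-in requirement concrete, here is an added example of a minimal consent gate in JavaScript. It is not code from the original post, from Squarespace, Usercentrics or Termageddon; the cookie name, the tag inventory and the injected `loader` callback are constructed for the example. Optional categories (analytics, marketing) stay off until the visitor affirmatively opts in, a malformed consent cookie is treated as no consent, and withdrawal is recorded by expiring the cookie so the next page load falls back to “optional off”.

```javascript
// Added example (not the page's, Squarespace's or Usercentrics' code): a
// consent gate that keeps optional cookie-setting scripts from running until
// the visitor has opted in. Cookie name, max-age, categories and the tag list
// are constructed assumptions for this example.

const CONSENT_COOKIE = "site_cookie_consent"; // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;   // assumed retention: 180 days

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Read the stored choice. Functional cookies are always allowed; every
// optional category defaults to false, so nothing optional runs before opt-in.
function readConsent(cookieString) {
  const consent = { functional: true, analytics: false, marketing: false };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return consent;
  try {
    const saved = JSON.parse(decodeURIComponent(raw));
    consent.analytics = saved.analytics === true;
    consent.marketing = saved.marketing === true;
  } catch (e) {
    // Malformed or tampered value: treat it as no consent given.
  }
  return consent;
}

// Build the document.cookie assignment that records a visitor's choice.
function consentCookieValue(choice) {
  const payload = encodeURIComponent(JSON.stringify({
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    ts: choice.ts || 0,
  }));
  return `${CONSENT_COOKIE}=${payload}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Withdrawal: an expired cookie removes the stored choice, so the next
// page load falls back to "optional categories off".
function withdrawalCookieValue() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Run only the tags whose category the visitor has consented to.
// `loader` is injected so this can be exercised without a browser; in a
// real page it would insert the <script> element for the tag.
function loadTags(tags, consent, loader) {
  const loaded = [];
  const blocked = [];
  for (const tag of tags) {
    if (consent[tag.category] === true) {
      loader(tag);
      loaded.push(tag.name);
    } else {
      blocked.push(tag.name);
    }
  }
  return { loaded, blocked };
}

// Constructed tag inventory (names and URLs are placeholders).
const EXAMPLE_TAGS = [
  { name: "session",   category: "functional", src: "/js/session.js" },
  { name: "analytics", category: "analytics",  src: "https://analytics.example/tag.js" },
  { name: "ad-pixel",  category: "marketing",  src: "https://ads.example/pixel.js" },
];

// Demonstration with constructed cookie strings: first visit (no cookie),
// then after the visitor opts in to analytics only.
function demo() {
  const noop = () => {};
  const firstVisit = loadTags(EXAMPLE_TAGS, readConsent(""), noop);
  const optInCookie = consentCookieValue({ analytics: true, ts: 1 }).split(";")[0];
  const afterOptIn = loadTags(EXAMPLE_TAGS, readConsent(optInCookie), noop);
  return { firstVisit, afterOptIn };
}

console.log(JSON.stringify(demo()));
```

The design point is the default: an absent, expired or unparseable consent cookie yields `analytics: false, marketing: false`, so the gate fails closed. A banner that records a choice only needs to call `consentCookieValue` on accept and `withdrawalCookieValue` on withdraw; the same `loadTags` call then decides what runs on every page load.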
In our aim to become more transparent and compliant, we recently started implementing the Usercentrics Consent Management Platform (CMP) cookie consent solution in partnership with Termageddon (our policy generator).
Instead of using the built-in Squarespace cookie banner, we will start implementing this upgraded cookie consent tool on all future website builds. Usercentrics is an EU-based CMP and helps websites with GDPR compliance.
Copyright
Copyright is the legal protection of the expression of ideas such as writing, music, and graphics. All materials published after 1964 are under copyright protection.
A copyright notice makes users aware that your content is legally protected and that they don’t have the right to use it without your permission.
It’s not legally required but we highly recommend it and it’s easy to add. Place a copyright designation in your site’s footer. Use the copyright symbol ©, enter your business name, and the year, done.
If you do want to grant permission for people to use aspects of your content (written or visual) you need to state the terms of usage clearly. This is typically done with creative commons licenses that allow for sharing and distribution of intellectual property (IP) with limited or no restrictions while retaining the rights the creator wants to retain.
When using any content on your site that’s not yours, you’re not only plagiarizing but may also be liable for copyright infringement, which people can sue you for.
End User License Agreement (EULA)
A EULA is a legal contract between a website and the user, which the user typically has to consent to (click “I accept”) before they can use the website; by accepting, they agree to comply with the restrictions in the EULA.
This is usually for businesses that offer mobile apps or license software. It’s not typical for most online small businesses to need a EULA.
Policy Generators
You have some options when it comes to getting policies for your website. Privacy attorneys can write a policy for you and this is a great option if you are a medium–large company or if you need special compliance.
You can also use a generator, which is faster and more cost-effective. This is what we use and recommend.
The good news is there are tons of policy generator vendors to choose from to fill your website's legal privacy policy needs and these companies keep up with all the changing privacy laws and auto-update the policies for you.
After sign-up and implementation, all you need to do is go back into your policies and answer any new questions to potentially make new disclosures on your policies.
Even with these policy generators that are supposed to make things easier for you, you still might be confused with the questions they ask, and that’s when you might need to seek additional help.
Our preferred vendor is Termageddon. It’s run by Hans Skillrud, a former agency owner who struggled with the difficulties of finding suitable privacy law options for websites that are affordable and comprehensive. His wife and co-founder Donata is a licensed attorney. We love their service because they’re extremely responsive, and no, they didn’t pay us to say this about them!
There are also Termly, TermsFeed, Shopify, Iubenda and many more.
FAQS
How can I keep up with all the changing laws?
There is paid software you can use to track changes in bills such as Legiscan or you can check the International Association of Privacy Professionals (IAPP) website for updates. We rely on our policy generator software to update the policies before laws go into effect.
Is my company too small for compliance?
No. There’s no business size requirement for a privacy policy—you need one. However, not all laws will be applicable to your business depending on certain qualifiers, your location, business, revenue, etc.
Can I copy and paste a template?
We don’t recommend it because this is copyrighted material. Plus you don’t know if that contract fits your business and static documents don’t stay up-to-date.
Who can sue me?
The Federal Trade Commission (FTC) is responsible for data protection for all consumers in the USA, so you could be sued by the FTC or your state’s Attorney General. A consumer might also be able to sue you for violations.
Can my web designer take care of this legal stuff for me?
No, because you are the only one who knows your business inside and out. Your designer can give you general resources, get you set up with a policy generator, and implement the embed codes on your site, but it’s up to the website owner to make sure the site is fully compliant with laws and regulations.
Conclusion
All website owners should carefully consider the PII of users and legal policies on their website to avoid privacy-related fines and lawsuits.
Not only will this help to protect you and your visitors, but it can also provide peace of mind. It’s essential for site owners to create comprehensive and up-to-date legal policies before launching their site.
FAQS
Every website owner should have key legal policies in place, including a Privacy Policy, Terms of Service, Disclaimer, Accessibility Statement, Cookie Policy, Copyright Notice, and sometimes an End User License Agreement (EULA).
These policies outline how personal data is collected, used, and protected, the terms of service for using the website, limitations of liability, accessibility standards, cookie usage, copyright protections, and software licensing agreements.
Changing laws and regulations constantly impact the legal requirements for website owners. Staying compliant requires vigilance and regular updates to policies. Paid software, such as Legiscan, or resources like the International Association of Privacy Professionals (IAPP) can help track changes in laws. Policy generator software, like Termageddon, can automatically update policies before new laws go into effect. It's crucial for website owners to stay informed about legal changes to ensure ongoing compliance.
Not having proper legal policies on a website can lead to privacy-related fines, lawsuits, and potential damage to the website owner's reputation. The Federal Trade Commission (FTC) and state Attorney Generals can enforce compliance and sue website owners for violations. Additionally, consumers may have legal recourse if their privacy rights are infringed upon.
While web designers can offer guidance and assistance with policy implementation, ultimate responsibility for compliance rests with the website owner, as they are the ones most familiar with their business operations and legal obligations.