Digitally Thinking

I made a website, now what?

So, you or your developers have made a brand-new website. Well done, very shiny! But now you’re stuck trying to figure out what laws you need to comply with. There isn’t really anything called a “website law” specifically, but there are certainly specific laws that apply to websites.

In reality, the laws that apply to the internet are extremely varied: specific laws apply to specific industries and even specific products (not to mention different countries). Getting the right advice early in your business lifecycle is crucial to securing revenue (and not losing it to fines or refund requests) and to building goodwill and value in your business.

Please note that this guidance is provided for just that, guidance only, and shouldn’t be relied upon as a substitute for your own independent legal advice that is tailored to your business and the precise industry you operate in.

We often deal with clients who are setting up their first e-commerce site having started out with a basic “this is what we do, contact us here” website. More often than not, we see the same things being overlooked, or clients placing too much reliance on their developers for legal matters; these tend to be fairly straightforward and are often things you can do quite easily yourself. The consequences of getting some of this wrong can be as bad as committing a criminal offence! Below are some useful pointers to consider when setting up your site.

When does a website need a privacy policy?

Simply put, you need a privacy policy in place before you start to process any personal data at all. This likely means you need a privacy policy from day 0. Failing to have a proper notice or policy in place would mean your collection and use of personal data is against the law and you might end up having to delete all the data you collected prior to having a policy in place. This isn’t something you can correct later, and a stitch in time doesn’t just save nine here; it saves everything.

What are you using the website for?

If you are using the website to sell or advertise any kind of product or service, then, just like with any offline equivalent, you’ll want to ensure your terms of business protect you. Whilst having a contract in place isn’t strictly something you need only for a website, there are additional considerations when moving online, such as: How do you form a contract through a website? Can you agree things online without signatures? When is the contract signed, or if it isn’t going to be signed at all, how can you tell when both parties have accepted it? This can cause very serious issues given the speed at which business operations can scale in an online environment, and it is crucial to get advice in this area on the best process for your particular business. One of the requirements for contracting online in many cases is to create a record of each transaction in a “durable electronic medium”, so an email order confirmation containing your terms might work, or you could create a PDF document and save that somewhere. It isn’t enough to rely on silence as acceptance of your terms, and if you can’t prove that someone agreed to a specific term at a specific point in time you might run into issues later down the line and may find it isn’t enforceable at all.

Consumer laws that apply to your website can be tricky

If you are selling anything to consumers (and remember that businesses might be classed as consumers if their purchase is wholly or mainly outside of their usual business activities/normal procurement) then there are a raft of additional regulations and laws you need to comply with. In many cases this will require additional wording, notices and preserving certain rights that could crucially impact your business. The main and most serious operational risk, in my experience, is the cooling off period for distance contracts. If you get any of the numerous requirements wrong then instead of the usual 14 day cooling off period, you might be looking at a cooling off period that lasts for potentially over a year (yes – 12 months and 14 days within which to cancel for any reason and receive a full refund). The Consumer Credit Act and laws regarding zero percent buy now pay later arrangements can be even more tricky to comply with, and you will almost always want to get legal advice if they apply to your business.

You may not be aware, but the Equality Act 2010 (one of the major anti-discrimination laws in the UK) applies to websites. Depending on who you are and what you do, you might be required to comply with the Web Content Accessibility Guidelines. WCAG 2.1 is the most recent version at the time of writing in March 2022. These guidelines provide best practice recommendations regarding colour blindness (orange and blue colours tend to work best for the most common types of colour blindness) and other disabilities, including requiring you to consult with such persons in your user research in some instances. The internet needs to be accessible to everyone, so you need to consider how you can make use of things like assistive technologies to aid users in navigating and using your content.

Digital content and intellectual property

  • If you make content available online, you’ll want to ensure you have rights to own or use that content in the way you want to use it, or to remove content that other people have posted if you don’t like it. If you are an artist or a coder, then what license if any do you give to the rest of the world to use your art? Should they pay for it, or do you want them to use it only if they also share it for free? If that sounds like what you need then maybe an open-source license is something you’ll need.
  • Regardless of what you are actually doing, it is almost always going to be better if you have some kind of basic terms of use for your website. If you need examples, the internet is full of them, and lawyers can often produce them for you at very little cost because of their now mostly generic nature.
  • Don’t forget that copyright can exist even where it isn’t registered, so an idea written on a napkin can attract copyright and so can posts on your site. You need to get people to give you permission to use their content on your site and be clear about how (if at all) they might be credited or remunerated if you do decide to use it. Many social media companies say that they own all rights to any content you make available via their services and can use it for any purpose without paying you anything, and don’t even have to tell you if they do. I’m sure you would be surprised if your display picture ended up being the central part of an international advertising campaign. This position hasn’t really been tested yet, but various regulators have commented that they don’t like companies taking this position, as they feel it takes advantage of the unfair bargaining position social media providers are in compared with users, who have little choice in the matter and no ability to negotiate those terms.

Disclose who you are! Sole trader, LLP or Limited Company (or C.I.C)?

  • It seems a straightforward thing, but if you are operating a business on the internet you need to let people know who you are, and if you don’t, you technically commit an offence. If you’re a business and you haven’t published any kind of information on your site about your contact details and who the business is, then you’re going to be in breach of at least a few regulations. For example, if you are a company then, in most normal circumstances, you are legally obliged to state your full registered company details as they appear on Companies House on your website, emails and other correspondence, in a way that can be read with the naked eye. I would take that to mean that at a normal 100% zoom setting in most browsers, the font should be noticeably larger than standard font size 8.
  • If you get it wrong without a reasonable excuse? Well, up to a £2,000 fine which will continue to be applied daily until you fix it.
  • Remember that if you are a member of a trade union or you have some sort of professional governing body or similar, you might be legally required to disclose that on your website too, and it’s worth checking with the relevant governing body if you aren’t sure because they will usually know whether that’s required. For example, all Solicitors who are regulated by the Solicitors Regulation Authority have to display the SRA logo on their firm’s website in a prominent place.

Privacy – does every website need a privacy policy?

  • If you have been in hibernation for the past ten years, you may not have heard about the GDPR. Everyone else has though, and you will look pretty silly if you get caught out, not to mention the potentially massive fine!
  • If you collect any information at all that identifies a living person through your website, or if it would be possible for someone to input personal data into some sort of free text box, you almost always need a privacy policy. It would be very rare and unusual for a website not to capture some sort of personal data, which means in most cases you probably need a privacy policy. Even if you think you don’t need one, you should still make it clear to people that you don’t capture any of their personal information. Otherwise you run the risk of them thinking you might be processing their data, which could lead to unhappy customers, or users avoiding your site because they aren’t sure whether you comply with privacy laws.

When is it personal data and not just data?

  • Personally identifiable information might be someone’s name, their home address, their device ID (MAC or IMEI, for example), or their IP address. All of these things are personal data by themselves, so collecting any one of them should be setting off alarm bells for you. But what about other information? Well, no matter what data you collect, if your data is varied enough and you have enough other data to compare it to, then any data, when taken together, has the chance to become personal data, and you need to take that into account as well.
  • In the UK, the Information Commissioner’s Office is responsible for monitoring and enforcing compliance with data protection laws, and if you visit their website you’ll find a wealth of resources to put you on the right track.
  • If you are processing any data that is classed as a special category of data, we would always suggest seeking specific legal advice, as you are likely to need consent, and that can be tricky to implement properly because the bar for consent is usually pretty high!

  • As above, IP addresses are personal data by themselves! This is because an IP address can identify the user’s router, and from that information you could possibly find a physical address. Whilst the data protection guidance says this is enough to identify an individual, some court cases have held that it is not enough to identify a single person rather than a household. However, when you consider what your site is used for, or combine that IP address with any other information, then you’re probably looking at personally identifiable information. For that reason, full IP addresses should be treated in exactly the same way as first and second names. It is good practice to ensure that, if you are capturing IP addresses, you mask out the last few digits so that you can only identify the general post-code/region of the end user rather than a specific household.
  • The laws on cookies are, currently, complex and not altogether clear. Some guidance indicates that you can capture first party analytical data without consent, even though consent is technically required (generic heatmaps and usage data for your own site would be a good example of this). Other guidance seems to indicate that as long as you hash out the last few digits of an IP address, or you anonymise visitor data in some way, that you can capture as much data as you like as long as it can’t be tracked back to a person. The problem there is that you’re quite often automatically sharing data with the third parties who provide that cookie functionality and so that third party might have more information than you which would enable them to know who the user was – which means that data becomes personal data despite the fact you can’t tell who the person is yourself.
  • The legal position that we are currently supposed to adhere to is that “strictly necessary cookies” don’t require consent, but still require you to inform people about their use. That means only session cookies to keep you logged in to a portal or to keep a shopping basket open if required, and no more than that without specific opt-in consent. Any cookies which are not strictly necessary for the basic functionality of a site or service to operate will require consent before they are placed. So, all use of Google Analytics requires consent, in almost every case without exception, yet the market reality is that this does not occur. In fact, the French data regulator CNIL has recently declared Google Analytics to be illegal.
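The masking of captured IP addresses described above, as an added example that is not from this article or the author: it clears the host part of an address (the last octet of an IPv4 address, the last 80 bits of an IPv6 address) so the stored value only indicates a coarse network region, and it applies that to the client-address field of some constructed access-log lines. The helper names, the /24 and /48 choices and the sample lines are assumptions for illustration.

```python
import ipaddress
from typing import Optional

# Hypothetical helper (added example): how many leading bits to keep. /24 for
# IPv4 and /48 for IPv6 are common choices for this kind of minimisation;
# pick the values that fit your own data-minimisation needs.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymise_ip(raw: str) -> Optional[str]:
    """Return the address with its host bits zeroed, or None if it is not a valid IP."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # refuse to guess at anything that is not an address
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets a host address be turned into its enclosing network;
    # network_address is that address with the trailing host bits cleared.
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymise_log_line(line: str) -> str:
    """Rewrite the first field (client address) of an access-log line in place.

    Lines whose first field is not an IP address are returned unchanged so
    that nothing is silently dropped or mangled.
    """
    head, sep, rest = line.partition(" ")
    masked = anonymise_ip(head)
    if masked is None:
        return line
    return masked + sep + rest


# Constructed sample lines (not real traffic); 203.0.113.0/24 and 2001:db8::/32
# are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.57 - - [10/Mar/2022:10:15:32 +0000] "GET /video/1 HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Mar/2022:10:16:01 +0000] "GET / HTTP/1.1" 200 1024',
    'not-an-ip - - [10/Mar/2022:10:16:05 +0000] "GET /x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(anonymise_log_line(entry))
```

Masking reduces what the stored value reveals, but the point made above about third parties still holds: the remaining fields of a log line, combined with other data you or a provider hold, can still make the record personal data.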

So, what should you do?

  • Some of the best advice when it comes to privacy compliance is to do what your gut tells you is right, and then consider again how you can minimise that data down as far as possible to only the data you need to make sure your services operate. If you wouldn’t like someone else processing your own data in that way, chances are it isn’t OK, and if you’re in any doubt then make sure you explain, in as much detail as needed and in a way that is clear and concise, exactly what you are doing. The grey-area examples that are generally lower risk include things like tracking video and audio synchronisation, or measuring how much of a particular video/audio file users have played before navigating away, as long as the purpose of this collection is to monitor for bugs, desyncs or disconnections relating to that content and it is not used for any other purpose.
  • In the video example you could use cookies to track how long anonymous users play a certain video for before leaving, in order to investigate whether or not the video content becomes broken at that point, such as the audio becoming desynced or the video simply turning into a black screen or spewing lorem ipsum, so long as you’ve given people enough information to understand why you need to do those things and what you plan to use the data for.
  • You might think that anti-fraud tracking of pay-per-click ads would be strictly necessary, but it isn’t, so tread carefully with any of those kinds of arrangements and only use providers who can give you enough guarantees around their compliance (and who should be able to demonstrate how they collect consent for that kind of processing).

How do you comply with website laws?

The simple and best answer is to seek professional legal advice in every case, unless you are yourself an expert, and even then you often need a team to get every issue right. Do not place blind trust in your developers to provide you with template privacy policies or to audit your GDPR compliance: they just won’t be properly equipped (or insured) to provide such advice without specific qualifications. Don’t rely on free online documents without doing extensive checks to ensure that what those documents say is accurate, and even then they could be missing something that you wouldn’t have thought of yourself.

Sam Crich is a Commercial and Digital Solicitor at Berwins. If you need any advice on any of the above, please don’t hesitate to call Sam on 07595 650226, or email
