To comply with various regulations, business owners must ensure that their websites provide certain key information, comply with data protection and privacy requirements, and meet minimum standards relating to security and accessibility.
Although this article covers the basics it does not provide a comprehensive list of legal requirements. Appropriate professional advice should always be taken to ensure that a business website complies with the law.
Providing information about the business
Anyone who visits a website will need to know some basic information about the business or organisation behind it. The information a business owner must provide depends on the legal structure of their business, their trade or professional status, and the activities they carry out online. There are several overlapping pieces of legislation that govern these areas.
Generally, a business website must display:
- The business name.
- Trading address.
- Business e-mail address and phone number.
Sole traders
The business website of a sole trader whose business name is different from their own name must provide the trader's own name in addition to the business name.
This is a requirement under the Electronic Commerce (EC Directive) Regulations 2002.
It is good practice for a sole trader to clarify who they are on the 'About' and 'Contact' pages of their website.
Limited companies
The business website of a registered limited company must also display:
- The company's registered name.
- Where in the UK it is registered (i.e. England and Wales, Scotland or Northern Ireland).
- The company registration number.
- The address of its registered office.
If the company is exempt from using the word 'limited' in its name, the website must state that it is a limited company.
These are requirements under the Companies (Trading Disclosures) Regulations 2008.
Limited liability partnerships
The business website of a limited liability partnership must display similar details to those required for limited companies.
The legislation governing requirements for limited liability partnerships is the Limited Liability Partnerships (Application of Companies Act 2006) Regulations 2009.
VAT-registered business
A VAT-registered business must display its VAT registration number on its website.
This is a requirement under the Electronic Commerce (EC Directive) Regulations 2002.
Specific requirements for certain trades and professions
In certain circumstances, small business owners who are affiliated to or are members of particular trade or professional bodies must display additional information on their business website, as follows:
- Anyone who is a member of a trade or professional association and is listed in a publicly available directory of members must state this on their business website. Trade and professional associations generally provide guidance to members about how they should display their membership status on their website.
- The website of a business providing a service that is subject to an authorisation scheme must display details of the relevant supervisory authority. For example, an insurance broker authorised by the Financial Conduct Authority must display information about it on their website, such as 'Authorised and regulated by the Financial Conduct Authority'. Similarly, solicitors in England and Wales must display information about the Solicitors Regulations Authority.
- Members of a regulated profession, such as accountants or chartered surveyors, must display on their business website details of any professional body or institution with which they are registered. They must also display their professional title and the country where that title was granted. Some regulated professions are exempt from this requirement, including doctors, dentists, pharmacists, veterinary surgeons and architects.
These are legal requirements under the Electronic Commerce (EC Directive) Regulations 2002.
Data protection and privacy
When customers interact with a business website they are often asked to submit personal data, for example when they place an order, sign up to a mailing list or register to access member-only areas of the website.
Any business that collects or processes personal data must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Personal data means information relating to a living person who can be identified. It includes basic information such as name, address, contact details and payment card details, as well as any other information that is held about an individual.
Before collecting personal data, a business website must display a privacy notice, which must be clearly and concisely written in plain language that is easy to understand. It must also be easily accessible on the website.
The information that must be provided in a privacy notice includes the purposes for which personal data is collected and processed, how long it will be kept and who, if anyone, it will be shared with.
A template privacy notice and more details about what the notice must include are available from the ICO at https://ico.org.uk/for-organisations/in-your-sector/business/.
For more information about complying with data protection legislation, see BIF536 A Guide to the General Data Protection Regulation (GDPR) and BIF003 A Guide to the Data Protection Act 2018.
Consent to use cookies
Many business websites use cookies. These are small files that are stored on the website visitor's computer or mobile device. Cookies 'remember' data, such as the user's preferences, browsing or buying habits. Cookies can be used for different purposes - to improve user experience or target advertising messages, for example.
A business website that uses cookies must notify users and provide a clear explanation of what each cookie (or category of cookie) does. This explanation must be easily accessible and should be included in the privacy notice displayed on the website.
Website users' consent must be obtained before storing cookies on their devices, with the exception of cookies that are strictly necessary to provide a service the user has asked for (for example, a cookie that keeps items in a shopping basket or maintains a login session). Consent must be given by a clear positive action, such as ticking a box or clicking an 'accept cookies' button; pre-ticked boxes, continued browsing or scrolling do not count as consent. It must be as easy for website users to withdraw their consent and disable non-essential cookies as it was to give it.
These are legal requirements under the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the GDPR.
The Information Commissioner's Office (ICO) provides guidance on how to comply with this legislation at https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/. See also BIF410 A Guide to the Privacy and Electronic Communications (EC Directive) Regulations 2003.
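The consent rules above (strictly necessary cookies may always be set; other cookies only after a positive opt-in; withdrawal must actually remove them) are easier to get right if the decision is made in one place on the server rather than scattered through page scripts. The following is an added example written for this factsheet, not code from the ICO or from any particular web framework. It assumes a hypothetical site that records the visitor's choice in a first-party cookie named "consent" listing the accepted categories, and that every cookie the site sets is tagged with a category in a small registry; those names and categories are illustrative.

```python
"""Server-side cookie consent gating (added example; names are hypothetical)."""
from dataclasses import dataclass

STRICTLY_NECESSARY = "necessary"              # exempt from consent under PECR reg 6(4)
OPTIONAL_CATEGORIES = {"analytics", "advertising"}

# Hypothetical registry: every cookie the site may set, with its category.
COOKIE_REGISTRY = {
    "session": STRICTLY_NECESSARY,
    "_ga": "analytics",
    "ad_id": "advertising",
}

CONSENT_COOKIE = "consent"
SIX_MONTHS = 15552000                          # seconds; lifetime of the consent record


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    category: str
    max_age: int = 3600


def parse_consent(request_cookie_header: str) -> set[str]:
    """Return the optional categories the visitor has positively opted into.

    No consent cookie, or a consent cookie with an empty value, means no consent:
    nothing is assumed or pre-ticked on the visitor's behalf.
    """
    for part in request_cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == CONSENT_COOKIE:
            return {c for c in value.split(",") if c in OPTIONAL_CATEGORIES}
    return set()


def set_cookie_headers(cookies: list[Cookie], consented: set[str]) -> list[str]:
    """Build Set-Cookie headers, silently dropping optional cookies without consent."""
    headers = []
    for c in cookies:
        if c.category != STRICTLY_NECESSARY and c.category not in consented:
            continue
        headers.append(
            f"{c.name}={c.value}; Max-Age={c.max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
        )
    return headers


def record_consent(categories: set[str]) -> str:
    """Set-Cookie header storing the visitor's explicit choice.

    Only recognised optional categories are stored; an empty choice is stored too,
    so a deliberate 'reject all' is remembered and the banner need not reappear.
    Not HttpOnly, because the consent banner script typically needs to read it.
    """
    accepted = ",".join(sorted(c for c in categories if c in OPTIONAL_CATEGORIES))
    return f"{CONSENT_COOKIE}={accepted}; Max-Age={SIX_MONTHS}; Path=/; Secure; SameSite=Lax"


def withdraw_consent(request_cookie_header: str, remaining: set[str]) -> list[str]:
    """Headers that expire every optional cookie outside the still-consented
    categories and rewrite the consent record. Withdrawal must really remove the
    cookies, not merely stop reading them."""
    headers = []
    for part in request_cookie_header.split(";"):
        name = part.strip().partition("=")[0]
        category = COOKIE_REGISTRY.get(name)
        if category in OPTIONAL_CATEGORIES and category not in remaining:
            headers.append(f"{name}=; Max-Age=0; Path=/")   # Max-Age=0 deletes it
    headers.append(record_consent(remaining))
    return headers


if __name__ == "__main__":
    # Constructed sample request: visitor has accepted analytics only.
    request = "session=abc; consent=analytics"
    wanted = [Cookie("session", "abc", STRICTLY_NECESSARY),
              Cookie("_ga", "GA1.2.1", "analytics"),
              Cookie("ad_id", "9", "advertising")]
    for header in set_cookie_headers(wanted, parse_consent(request)):
        print("Set-Cookie:", header)          # session and _ga only; ad_id is withheld
    for header in withdraw_consent("session=abc; _ga=GA1.2.1; consent=analytics", set()):
        print("Set-Cookie:", header)          # _ga expired, consent rewritten as empty
```

The point of the registry is that the gate cannot be bypassed by a page script that "forgot" the banner: a cookie whose category is unknown is treated as optional and withheld, which fails safe.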
Accepting online orders
When customers order goods or services through a website, they must be given information that makes clear what they need to do to complete the order.
The website must provide:
- Information about the different steps they need to follow to complete the transaction.
- A way to identify and correct any input errors before they place their order.
- The languages in which the contract can be concluded.
These are legal requirements under the Electronic Commerce (EC Directive) Regulations 2002.
When consumers (meaning individuals acting outside of their trade or profession) place an order online, and the order process involves activating a button or similar function, the button or function must be labelled with wording that clearly indicates that ordering implies an obligation to pay - for example, 'Order and Pay Now' and 'Confirm Your Order and Pay'.
A business that sells goods or services online must also provide consumers with certain pre-contract information and access to a cancellation form. A model cancellation form is available at www.legislation.gov.uk/uksi/2013/3134/images/uksi_20133134_en_003.
These are legal requirements under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013.
Under the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015, the website of a business that sells goods or services to consumers online must include a link to the Online Dispute Resolution Platform, which is a service provided by the European Commission to help traders resolve disputes with their online customers without going to court. For further information, go to https://ec.europa.eu/consumers/odr/main/?event=main.trader.register.
More information about selling goods online is available in BIF509 Legal Requirements for Selling Goods to UK Consumers Online.
Website security
Business websites that collect or store personal data must have appropriate technical and organisational security measures in place to prevent unauthorised access to, loss of or damage to that data. This is a legal requirement under the GDPR (Article 32). Separately, any business that stores, processes or transmits payment card details must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual obligation imposed by the card schemes and the business's acquiring bank rather than a statutory one, but the consequences of breaching it can include fines and loss of the ability to accept card payments. Using a hosted payment page provided by a payment service provider, so that card details never pass through the business's own website, greatly reduces the scope of PCI DSS compliance.
Examples of security measures that should typically be taken to meet the PCI DSS and to comply with the GDPR include the following:
- Use of a firewall and anti-malware software, both on the web server and on the computers used to administer the website.
- Applying security updates promptly to all website software, including the content management system, any plugins or themes and the underlying server software, and using strong, unique passwords (with multi-factor authentication wherever it is available) for administrative accounts. Forcing regular password changes is no longer recommended by the NCSC; passwords should instead be changed when there is reason to believe they have been compromised.
- Restricting staff access to personal data and to website administrative functions to those who need it for their role, and keeping logs of that access so that misuse can be detected.
- Serving the whole website over HTTPS. This involves obtaining and installing a TLS certificate (still commonly called an SSL certificate; some certificate authorities, such as Let's Encrypt, issue them free of charge), redirecting every plain-HTTP request to the HTTPS address, and marking cookies as Secure so they are never sent over an unencrypted connection.
The ICO provides information about measures that should be taken to ensure website security at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/.
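Whether a site is actually serving everything over HTTPS is easy to check from the outside, and the check is worth running after every hosting or CMS change. The function below is an added example written for this factsheet, not code from the ICO or from any scanning tool. It audits a single HTTP response for the HTTPS-related points above: a plain-HTTP request must be permanently redirected to HTTPS, the HTTPS response should carry a Strict-Transport-Security header with a max-age of at least a year, and every cookie it sets should be marked Secure and HttpOnly. The responses it runs over are constructed inline so that it works offline; in practice the URL, status and headers would come from a real request (for example via the requests library).

```python
"""Audit the HTTPS-related headers of a web response (added example)."""

ONE_YEAR = 31536000        # seconds; the minimum HSTS max-age accepted by hstspreload.org


def _hsts_max_age(value: str):
    """Extract the max-age directive from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response(url: str, status: int, headers: dict) -> list[str]:
    """Return a list of findings for one response; an empty list means it passed.

    `headers` maps header names to either a string or, for Set-Cookie, a list of
    strings (a response may set several cookies).
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    if url.lower().startswith("http://"):
        # A plain-HTTP request must not be answered with content: only with a
        # permanent redirect (301/308) to the HTTPS address.
        location = str(h.get("location", ""))
        if status not in (301, 308) or not location.lower().startswith("https://"):
            findings.append("plain-HTTP request is not permanently redirected to HTTPS")
        return findings      # the remaining checks only apply to the HTTPS response

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        age = _hsts_max_age(hsts)
        if age is None:
            findings.append("Strict-Transport-Security header has no valid max-age")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")

    raw = h.get("set-cookie", [])
    for cookie in ([raw] if isinstance(raw, str) else raw):
        name = cookie.split("=", 1)[0].strip()
        # Attribute names after the first "name=value" pair, lower-cased.
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks the HttpOnly flag")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "served over plain HTTP": ("http://shop.example/", 200,
                               {"Content-Type": "text/html",
                                "Set-Cookie": ["sessionid=abc; Path=/"]}),
    "temporary redirect only": ("http://shop.example/", 302,
                                {"Location": "https://shop.example/"}),
    "good redirect": ("http://shop.example/", 301,
                      {"Location": "https://shop.example/"}),
    "weak HTTPS response": ("https://shop.example/", 200,
                            {"Set-Cookie": ["sessionid=abc; Path=/"]}),
    "good HTTPS response": ("https://shop.example/", 200,
                            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                             "Set-Cookie": ["sessionid=abc; Path=/; Secure; HttpOnly; SameSite=Lax"]}),
}


def audit_samples() -> dict:
    """Run the audit over every constructed sample; returns {label: findings}."""
    return {label: audit_response(*resp) for label, resp in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The check deliberately treats a 302 to HTTPS as a failure: a temporary redirect is not cached by browsers, so every later visit starts with an unencrypted request that an attacker on the path can intercept, which is exactly what HSTS and a permanent redirect are meant to prevent.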
Accessibility
The design of business websites must make reasonable adjustments for the needs of people with disabilities (for example visual impairment, learning difficulties or difficulty using a mouse), so that they are not put at a disadvantage when using the website.
This is a legal requirement under the Equality Act 2010.
Resources for working out what measures must be taken to comply with the Act include:
- Information and guidelines published by the World Wide Web Consortium (www.w3.org/WAI/fundamentals/accessibility-intro).
- BS 8878:2010 Web Accessibility Code of Practice, published by the BSI (https://shop.bsigroup.com/ProductDetail/?pid=000000000030180388).
Best practice
Although not required by law, it is best practice for all business websites to take adequate security measures, even if they do not process personal data or handle payments, and to display the following information:
- A disclaimer. This can help protect the business from claims for loss or damages as a result of someone using the website or relying on the information provided on it.
- A copyright notice. Most types of original work are automatically protected by copyright. However, a copyright notice states clearly how website content and images and the business logo may be used. This can be useful evidence in the case of a dispute.
- Terms of website use. This can include the legally required information outlined in this factsheet and cover other issues such as acceptable and unacceptable use of the website.
Useful contacts
Companies House provides registration and filing services for companies and partnerships, as well as guidance about company information that must be made publicly available.
Tel: 0303 123 4500
Website: www.gov.uk/government/organisations/companies-house
The Information Commissioner's Office (ICO) is an independent authority concerned with information rights and data privacy. It provides information and guidance on data protection and privacy of electronic communications.
Website: https://ico.org.uk