Website legal notices are becoming increasingly important. Did you know that under English law you must display certain information about your business on your website?
This document contains template wording to ensure you are up to date.
It includes the information that every company is required to provide under English law, plus
- Disclaimer Notice
- Copyright Notice
- Cookie consent
- Notices concerning links to and from the website
- Useful legal phrases for your email signature.
This document can help your business comply with the Companies Act 2006, and Electronic Commerce Regulations (EC Directive) 2002 and the EU Regulations relating to Alternative Dispute Resolution. The Privacy Notice is designed to support you in GDPR compliance regarding data collection.
You need this document if your business uses the internet or email to communicate with colleagues or clients, and you want a clear, straightforward website legal notice and email policy.
You may also find these contracts of use:
Who can use these Terms of Business for Advertising Online? Anyone who has a website or publishes a blog and accepts advertisements What are these Terms of Business for? These terms of business for advertising…
Who can use these Terms & Conditions of Sale of Goods Online? Anyone who has a website selling goods, in particular to consumers can use these e-commerce terms and conditions. What are these Terms &…
This document contains templates for information that is usually found on websites. Some of this information is required by law. The disclaimer notice and statements concerning copyright and third party links are ‘optional extras’: they may not be necessary but notices of this type are often found, in a variety of forms.
To comply with the Companies Act 2006, every company (or limited liability partnership) in the UK must clearly state:
- the company registration number
- place of registration,
- registered office address
- and, if the company is being wound up, that fact, on all of their websites.
A common place to put this information is in the “About us” Section. It does not have to appear on every page.
This rule also applies to any emails sent by a company so the same information should appear in the footer to each email.
To comply with the general information requirements of the Electronic Commerce Regulations (EC Directive) 2002 you must give recipients of your online services:
- your business name, geographic address and other contact details including your email address
- details of any publicly available register in which you are entered, together with your registration number or equivalent
- the particulars of the supervisory body if the service is subject to an authorisation scheme
- details of any professional body with which you are registered
- your VAT registration number
If your website refers to prices, these must be clear and indicate whether they include tax and delivery costs.
If you are selling online you also have to comply with the Consumer Contracts (Information, Cancellation and Additional Payments) Regulations 2013. These are not covered in this document but see our Terms & Conditions for Sale of Goods Online- Document A179 and our free guidance note, Z171.
If you provide services, either on their own, or as well as goods, you also have to comply with the Provision of Services Regulations 2009 which are in effect in a similar form throughout the EU. These Regulations oblige you to provide a lot of information to clients and potential clients including having a complaints procedure and making available your terms of business and insurance details.
Although it is common practice to include a disclaimer on a website, arguably it is not necessary and its legal effectiveness is open to question. If you want to have a disclaimer notice, then keep it short unless there is some reason to have several paragraphs of text. A website, for most online companies, is equivalent to a shop window and you would not expect to see a disclaimer notice when you go into a shop. If, however, you are providing information that might be relied on, such as legal information, then it does no harm to tell the visitors that they use it at their own risk.
Under English law the author of a document or drawing owns the copyright and, in the absence of an agreement to the contrary, no-one else has the right to make use of it. In some countries it is necessary to assert ownership of the copyright and, on the web, it is therefore sensible to make it clear that you own the copyright to the words and pictures on your website. Having said that, one purpose of a website is to allow visitors to read and copy or forward to other people information from your website. So it can be counter-productive to state, as some websites do, that nothing may be copied or used without consent, as this would, if obeyed, prevent a visitor from noting down your phone number.
Our wording tries to achieve a balance by allowing copying for personal use or for information, but prohibiting it for commercial use.
LINKS TO THIRD PARTY WEBSITES
Here again a notice is probably unnecessary under English law but it does no harm to disclaim any responsibility or liability for any third party website to which you have created a link.
LINKS TO THIS WEBSITE
It is usually in the interests of a website owner to allow links to it, since this can improve its position on the search engines. The main point here is to give notice that you may want to have the link removed – e.g. if an unacceptable site created a link to your website – and to avoid use of your trademark or logo without consent.
Our wording is only a suggested introductory sentence and we have not developed a detailed cookie statement as this will to some extent depend on the type of cookies that you use. Our wording asks for consent (for which you will need to develop a link) and it also says that consent is assumed if the visitor continues to browse the site. In any event you will need to give information on the type of cookies you use and, here, you might like to use the ICO’s example as a basis for developing your own statement. This is as follows:
“Our website uses four cookies. A cookie is a small file of letters and numbers that we put on your computer if you agree. These cookies allow us to distinguish you from other users of the website which helps us to provide you with a good experience when you browse our website and also allows us to improve our site.
The cookies we use are ‘analytical’ cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily. Read more about the individual analytical cookies we use and how to recognise them [link]”
The ICO Guide also says that this is what the law (Regulation 6 of the Privacy and Electronic Communications Regulations 2003) requires:
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Under the UK’s Data Protection Act and the EU’s General Data Protection Regulation that is effective from 25 May 2018, any business processing data that it collects about individuals must comply with numerous obligations, including data processing principles. These principles include the requirements that personal data (i.e. information about an identifiable individual) is processed (i.e. kept & used):
- lawfully, fairly and transparently,
- it should only be collected for specific, explicit and legitimate purposes,
- the data collected should be adequate, relevant and limited to what is necessary for the purpose for which they are processed’
- be accurate and kept up to date where necessary
- be in a form that permits identification of the individual for no longer than necessary, and
- be processed in a manner that ensues appropriate security
In addition there are European Regulations on privacy and electronic communication which apply throughout the EU.
Specific comments on the paragraphs in our Privacy Notice template are set out below:
Introduction & Our Details
There is no necessity for an introduction but you must identify the data controller and provide contact details. If the controller has a representative or a data protection officer, that person must also be identified.
So you need to fill in the blanks and adjust as needed.
Our Commitment to You
It is helpful but not mandatory to have a statement of principles and to make it clear you comply with the law.
What is the purpose and legal basis for us to collect and process your personal data?
An important part of the notice. You should, in line with the principles referred to at the beginning of this note, specify clearly why you collect and process data. Those purposes should be adequate but also limited to what is necessary.
Here you should adapt the wording as necessary to explain what information you are collecting. If, for example, you do not sell anything from your website, then our paragraph about credit card payments should be omitted. If you collect and handle sensitive information about your visitors, then our wording needs to be strengthened. In this context, processing any information relating to a person’s gender, ethnicity, religion, sex life or health is generally prohibited by Article 9, although there are many exceptions.)
Broadly, you are OK if you need data for contractual or other legitimate reason – e.g. to fulfil a sale you need an address and credit card details.
When it comes to more peripheral reasons, such as sending out marketing material, you have to get consent. And you need to have a statement or box on your website that both explains what you are asking consent for and asks the individual to confirm that he/she gives their consent
What personal data will be collected and processed?
Our text needs to be adapted depending on the nature of your business
Who will receive your personal data?
When you use third parties to process data – e.g. Paypal or Worldpay to process payments or a ticketing company to sell your tickets or a bulk mailer for your newsletters, these need to be identified. And beware – some of those organizations like to use the opportunity to capture and process your customers’ data for their own purposes. They need to get consent for those uses, or you should get consent on their behalf.
If any data processor is located outside the EU, you need to tell the individual and satisfy yourself that they have adequate data protection systems. Some countries are not acceptable under GDPR.
How long will we keep your personal data?
The law says this should only be for as long as necessary. Sales information usually has to be kept for six full tax years. Contracts usually have a six year period after they are completed in which a claim may be brought. In the case of mailshots, if someone consents to receiving these, it is not unreasonable to keep the relevant data for as long as they keep receiving the emails. And be sure to let them unsubscribe on every occasion.
What are your rights?
The wording summarizes the GDPR position. It is important to have a good database so that you can easily access all the personal data for each individual with whom you deal. This is a GDPR requirement.
Changes to this Privacy Notice
This is a reminder for you as well as your visitors – if you change your policy you should inform the people whose data you hold and get their consent, when necessary.
How to Contact Us.
This is not essential if you have contact details in the opening paragraph.
If you want to send out newsletters or maintain regular (or irregular) contact with the individuals whose information you hold, the individual has to give explicit consent – so make it clear what the reasons are and set up the consent form very clearly on your website – a small tick box with inadequate explanation is no longer enough. If you have people on your mailing list already, you need to consider, and maybe get legal advice, on whether to ask them again for consent, in order to be sure you are compliant with the GDPR.
Also, you should make it clear in all your communications that they are entitled to have their details removed from your list. And do remember it is in your interests to have a procedure to do this – quite apart from the legal implications, there is nothing more irritating for someone than to keep receiving material from an organization that is of no interest after he/she has asked to be removed from the mailing list.
NB. If you run a business and process data – which can involve no more than collecting the name and email address of visitors to your website – you may also have a legal duty to register as a ‘Data Controller’ with the Information Commissioner, the Government official who administers the Data Protection Act. To find out more, there is a lot of helpful guidance on the Information Commissioner’s website:
E-MAIL LEGAL NOTICE
As mentioned above, there are legal requirements for companies in the UK which now include putting on each email sent by a company, its full name, registered office address, and company number. VAT number is also recommended.
It is also common practice to insert a Disclaimer, designed to deal with the possibility that an email is received by someone other than the intended recipient. Our wording is quite brief, but should suffice for most people.
Finally please note:
You might also consider joining our affiliate scheme when you can earn commission on sales made via your website. For more information go to this link: Become an Affiliate.
2. We recommend that you obtain legal advice before using our templates.