Do you have a privacy statement?
In order to comply with the Data Protection Acts, your website must contain a privacy statement if you:
- collect personal data (for instance, where visitors fill in web forms, feedback forms, submit orders etc.);
- otherwise collect personal data (for example, IP addresses, e-mail addresses).
A privacy statement should be placed in an obvious position and must not be accessible only from within another document on the website, such as the terms and conditions of use or a disclaimer notice.
The privacy statement should set out how your business applies the data protection principles to data processed on your website and should be specific to your website. Statements to the effect that personal data will be processed in compliance with the Data Protection Acts are not sufficient on their own. They need to be accompanied by an explanation of how, in practical terms, the website complies with its obligations.
Do you have a web hosting agreement?
If your company engages a web hosting company to host or operate a website that contains or collects personal information, you are required under the Data Protection Acts to enter into a data processing agreement with that company. A data processing agreement contains certain prescribed content.
It is also important from a commercial perspective to have a web hosting agreement in place to protect your interests. For example, what happens if your website server goes down? Is there a disaster recovery process in place?
Have you checked the reliability of your web host?
The Data Protection Acts require a business to ensure that any web hosting company it engages provides sufficient security guarantees in respect of its technical security measures and the organisational measures governing the processing of personal data. The business must also take reasonable steps to ensure compliance with those measures.
Is your website server located outside the EEA?
If the website server is located outside of the European Economic Area and is hosted or operated by a third party, you may need to enter into a data transfer agreement in order to comply with the Data Protection Acts. A data transfer agreement is based upon model clauses approved by the European Commission. Similarly to a data processing agreement, a data transfer agreement can be subsumed within a more general web hosting agreement.
Do you engage in direct marketing?
The ePrivacy Regulations set out certain rules in relation to the use of electronic communications for direct marketing purposes. Unsolicited commercial marketing communications (i.e. spam) may not be sent to a person's private email address unless prior 'opt-in'-type consent has been given by the consumer. This has the effect of preventing a business from using information collected through its website for one purpose to subsequently send spam, unless the consumer explicitly consents to this in advance. Significantly, a fine of up to €250,000 can be levied for each individual marketing message sent in breach of the ePrivacy Regulations.
Conclusion – The Challenge of Website Legal Compliance
Over the past three posts, we have set out a broad range of issues regarding website legal compliance. These range from e-commerce and consumer law to direct marketing and data protection compliance matters. Although it might seem a challenge, it is important to consider these issues from the outset to avoid headaches down the line as your business, and your website, grows.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.