Most people might agree that it is more interesting to focus on the design elements of a website that customers see, but it is crucial to structure a company’s online presence so that the website meets the current legal requirements and can evolve with the changing legal landscape. The impact of not doing so can be staggering. An underdeveloped website structure or omitted functionality, will require far more time to fix than had the project been strategically planned from the beginning.
Given the complexities of the legal environment, there are 10 things to keep in mind as you create, or look to update, your company’s website:
- Protect the Data. Set up technical, physical and administrative controls to protect users’ personal information, and adopt policies and procedures for what to do in the event of a data breach. Data breach responses depend on the type of data involved so take the time to determine what kind of data your company will have in its possession.
- Protect Your Intellectual Property. Go through the effort of copyrighting and trademarking your company’s intellectual property assets that should be protected. Also, if you allow users to submit contributions (e.g., through a forum or comment section) or use third party content on your website, consider registering a copyright agent to protect yourself under the Digital Millennium Copyright Act’s Safe Harbor provision if someone claims content on your website is infringing their intellectual property rights.
- Payment Processing. If you operate an online store on your website, make sure you, or your payment processor, comply with applicable data security and processing standards such as the Payment Card Industry Data Security Standard.
- Electronic Transactions. If you do any transactions electronically, make sure your transactions comply with the Uniform Electronic Transactions Act (codified in California Civil Code section 1633.1 et seq.) to ensure that the transactions are enforceable. Generally, the user must be able to consent to transact electronically, to review and edit the transaction prior to submission, and to print or save a copy of the transaction.
- Vet Your Vendors. If you use a third party hosting vendor, or the “cloud,” make sure the hosting vendor’s security standards align with the kind of data you will be storing with the vendor. For example, if you will send Protected Health Information (as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)), to the vendor, make sure the hosting vendor is HIPAA-compliant and will sign a Business Associate Agreement. If you host personally identifiable information as defined in applicable law, make sure the hosting vendor has recently, and annually, undergone a security audit like the Statement on Standards for Attestation Engagement (“SSAE”) 16.) Make sure you also have written agreements with your vendors and that the vendors are obligated to protect the data.
- Website Development. If you contract with a third party to create your website or some custom functionality for the website, be sure to enter into a written agreement that clearly states who owns the work or the different parts of the work and who owns the different types of data flowing through the website (including the list of users and personal information).
- Marketing and Advertising. If you will be sending marketing or advertising communications to users, make sure you either have their permission to send these types of communications, or a process so that users can opt-out of these communications if they so desire.
- Accessibility. Consider the functionality and purpose of your website and whether accessibility features may be required to comply with anti-discrimination laws or otherwise appropriate.
As this list shows, the issues related to websites are varied and numerous. Companies should take care to become familiar with the applicable laws, regulations, and standards as well as best practices.
Nothing in this blog is intended to constitute legal advice and your interactions with this blog do not result in the formation of an attorney-client relationship. All matters are different and, as such, nothing in this blog is intended to guarantee, warrant, or predict a specific outcome.