Please note that this blog post contains only basic general information and does not constitute legal advice. If you have any doubts regarding your compliance we recommend consulting a specialist in your jurisdiction.

In the European Union, there are two important aspects to web compliance:
(a) legal disclosures and
(b) data privacy.

1. Cookie Notice

Cookies are data that you store in a visitor’s browser when they visit your website. At the EU level Cookies are regulated mainly by the ePrivacy Directive. Additionally, the GDPR directive applies in cases when cookies contain personal data or can identify a specific person. If your website uses cookies, by law you are required to notify the user. This is most commonly implemented with a cookie notice bar displayed during the first visit.

2. Cookie Consent

The visitor has to give their consent before cookies can be saved in their browser. It is the obligation of every web content provider to keep proof of consent for every visitor.

There are different opinions among the digital privacy specialists about what this proof should look like. Some suggest this consent has to be stored in a database separate from the user’s computer; others deem it sufficient when the cookie is stored locally on the visitor’s browser in combination with the website’s source code which proves that no cookies could be served without the user’s consent.

If the user decides to refuse the cookies, they still have to be able to access your website without them. It is important to note that as long as no explicit consent was given, the cookies have to be handled as refused.

3. Cookie Blocking

Many websites utilize external services for statistics, advertising, or spam protection. These services often push unnecessary cookies onto your visitor’s computer automatically. Ensuring that no cookies are served without consent mostly requires an additional mechanism to block cookies from external services.

Such a mechanism often requires additional implementation on the back end and front end of your website. The documentation thereof is an important part of the proof of consent mentioned earlier.

4. Cookie Policy

The visitor of your website can give consent to cookies effectively only if they receive elaborate information about what types of cookies are in use, what data they contain, and for what purpose they are used. This information has to be easily accessible and is often summarized in the cookie policy on the website.

5. Privacy Policy

So cookies are data stored on the computer of each visitor. Of course, additionally, there is a lot of data processing on the servers providing the website. This includes technical data such as IP addresses in the security logs but also functional data such as user input in a registration form. Whenever personal data is involved, the processing is subject to the GDPR directive.

Every web content provider has the obligation to elaborate among others on what data is being collected, how it is processed, and for what purpose. This information is most commonly included in the website’s privacy policy.

6. Privacy Consent

Providing the information about data processing is however not enough. Before any personal data can be processed the user has to give explicit consent and agree to the processing in accordance with the website’s privacy policy. The web content provider has to again keep proof of this consent for each visitor and every instance of personal data processing.

7. Privacy Contact

Every person in the EU has far-reaching privacy rights, such as the right to be forgotten or the right to receive a copy of all personal data processed by any organization. These rights have to be easily executable. That is why every web content provider should have a contact dedicated to privacy matters. This contact information is often included in the privacy policy.

8. Data Retention

As part of the general privacy protection rules, every organization is obliged to safely dispose of any personal data their hold as soon as the reasons to keep the data cease to exist. Every organization should therefore periodically screen the data they hold and make sure they are still doing so lawfully.

9. Business Information

Additionally to the general EU requirements, the local law of each country has by principle its own set of rules. They often apply especially to businesses and their online presence.

Examples of disclosures that may be required by the local law are the exact business name, physical address, commercial registration number, tax identification number, or the name of the institution overseeing the commercial activity. Such disclosures can be often found on the imprint page.

Other Legal Disclosures

Needless to say, this short video doesn’t cover all compliance topics. Perhaps the most important is intellectual property. It is hopefully common knowledge that no pictures, music, or videos can be used on the web without the consent of the original creator.

Important Note: Compliance Archives

There is one very important final note I want to make. Everything you do to keep your systems compliant
should be well documented. By that, I don’t mean just the current state of your systems but also past versions of your source code, legal disclosures, and any management decisions made on the way.

When looking at the timeline of your organization’s existence, you should be able to provide documents and evidence about the state of your compliance at that particular point in time. This is important because any lawsuit or compliance audit is likely to be related to some incident in the past.

Additionally, the legal framework is in constant change. Your organization should be able to demonstrate timely adaptation to legal changes today as well as in the past.

Conclusion

The current compliance regulations for obligatory disclosure and data privacy in the EU are complex and require not only legal understanding but also technical implementation with regular testing. Any serious business should take web compliance seriously.

Failing Web Compliance? 9 Points to Think about