In my website law practice, the question I'm asked the most is... "what documents and other legal mumbo jumbo do I need on my site" for website legal compliance?

The question I'm asked the least is... "what design elements should I consider when developing my site"? That's because very few website designers or ecommerce website operators think about legal compliance until their site is almost ready to go live. However, this is the question that really should be asked as you begin planning for the design and development of your website.

If you want to design your website from the ground up with a purpose of limiting your legal exposure, here are 13 mistakes to avoid. Keep in mind that I'm focusing on the design elements of your site, so I won't list such things, for example, as posting a privacy policy. Instead, I'll focus on design decisions such as where to place the links for the privacy policy, and how to design your customer database.

1.  Failure to "Conspicuously" Post Your Privacy Policy. Privacy laws require that your site's privacy policy be posted "conspicuously" on your site. "Conspicuously" means one of the following:

• the privacy policy is actually posted on your home page; or
• the home page links to the privacy policy through an icon containing the word "privacy" that is a different color form the home page's background; or
• the home page links to the privacy policy through a text link containing the word "privacy" and is distinguishable from the surrounding text.

The third option has been adopted by most sites. It's also recommended that the privacy policy link be placed on a link bar that carries over to all interior pages in addition to the home page.

2.  Designing Your Customer Database And Email Lists Without Allowing For Segmentation By Time of Registration. The Federal Trade Commission (FTC) has made it clear in recent enforcement actions against websites that if you modify your sharing policy for personal information, you're required to get the opt-in consent of those registrants who signed up under the prior policy before sharing their information under the new policy. This means that you should be able to segment registrants according to the time periods they signed up, so that you can either provide notice of the new sharing policy or not share those names under the new policy.

3.  Failure To Design Your Customer Database To Permit Registrants To Review Their Personal Information. Privacy laws require that you describe in your privacy policy how registrants may review their personal information. In addition, it's recommended that you provide the capability for registrants to login and update their personal information.

4.  Failure To Provide Notice Functionality On Registrant's Private Account Page. Given that notice is required for changes in sharing policies and for amendments to online agreements, one of the best ways to provide these notices and opt-in consent is to notify users on their private login page. It's recommended that you provide this functionality.

5.  Failure To Post Material Modifications To Online Agreements And Privacy Policy. You're required to post material modifications to your online agreements and privacy policy. A good way to do this is to provide a separate page for each agreement that describes your material modifications and their effective dates.

6.  Commercial Email Set-Up Without CAN-SPAM Compliance. The CAN-SPAM Act of 2003 imposes 2 design requirements for sites that send "commercial email":

• a functioning email unsubscribe system; and
• a system for obtaining "prior affirmative assent" (or if not, a clear indication that the email includes a solicitation).

The easiest way to comply is to outsource your site's email requirements to a service provider that strictly follows these and other requirements of CAN-SPAM.

7.  Non-Compliance With Legal Requirements For Presentation of Click-Wrapped Agreements. Your customer agreements (subscription, membership, SaaS agreements) will usually be so-called "click-wrapped" agreements because they require the customer to click on an ACCEPT button to indicate agreement. Most click-wrapped agreements are presented in a scroll box. Here's a list of requirements for a scroll box presentation:

• conspicuous presentation during registration process - the scroll box with the agreement should be presented conspicuously during the registration process;
• reasonable notice of the existence of contract terms - this is the purpose of the text that is in all caps at the very top of the agreement (ABC COMPANY IS WILLING TO GRANT YOU RIGHTS TO ESTABLISH AND USE AN ACCOUNT WITH THIS SITE ...);
• unambiguous manifestation of assent - this is the purpose of the ACCEPT button - place both the ACCEPT and the DECLINE buttons on the scroll box just under the scrollable window - set the default to DECLINE - make sure that registration cannot be completed unless the ACCEPT button is clicked;
• opportunity to review contract terms - the scrollable window should show some of the text of the agreement below the notice section without the requirement of scrolling to see it - the text should be in a legible font, clear, and readable - the scroll box should permit the user to review the contract terms easily at the user's own pace, and the user should be able to navigate up and down through the entire text of the agreement in the scroll box; and
• opportunity to print agreement - the scroll box presentation should clearly indicate an opportunity to print the agreement.

8.  Failure To Implement "Reasonable And Appropriate" Data Security measures. The FTC has been aggressive recently with enforcement actions against websites that do not implement "reasonable and appropriate" data security measures. You may gain a little insight into what is meant by "reasonable and appropriate" measures by considering the FTC's recent settlement in the Life Is Good case, where the FTC alleged that Life Is Good:

• unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit card security codes;
• failed to assess adequately the vulnerability of its Web site and corporate computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks;
• failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks;
• failed to use readily available security measures to monitor and control connections from the network to the Internet; and
• failed to employ reasonable measures to detect unauthorized access to credit card information.

9.  Failure To Implement And Comply With The PCI Data Security Standard. This standard, commonly referred to as PCI DSS was developed by the credit card industry to prevent credit card fraud and data security threats. There is a growing trend among states to pass legislation that would make an online retailer liable to its registrants for data security breaches, and the trend with this legislation is either to require online retailers to comply with PCI DSS or to exempt retailers from liability is they do comply with PCI DSS.

10.  Failure To Establish And Monitor "Compliance Officer" Email. Various privacy and consumer protection laws require websites to post certain notices regarding how website visitors may contact the site regarding such matters as privacy and pricing issues. We recommend posting a so-called "compliance officer" email address (complianceofficer@yourdomain.com) for this purpose. You should ensure that this address is actually set-up and functional.

11.  No Prominent Legal Notices Page. We recommend that you set up a "Legal" page on your site where you post key intellectual property notices, key disclaimers, and links to certain online agreements, including your privacy policy.

12.  Lack Of "Age Neutral" Screening Test For COPPA Compliance For Sites That Target Children. For sites that target children, the federal Children's Online Privacy Act of 1998 provides significant regulation. One of COPPA's prerequisites for collection of personal information at these sites is to determine the age of the registrant in an age-neutral manner. This rules out asking the question directly: "are you 13 years of age or older?" That's because this question would tip off the registrant that to proceed, you would answer "yes". The age-neutral approach requires a methodology that does not suggest the answer, such as "Please input your birth date". This methodology requires a calculation and functionality that would deny access if the answer indicates that the registrant in under 13.

13.  Unauthorized Framing. Liability for "framing" another's site remains an open legal issue. "Framing" takes place where one website links to another site and masks the content of the linked site or places a "frame" on top of the content of the linked site. Frequently, the linking site posts navigation tools, text, trademarks and/or advertising which the framed site is unable to control. When a frame is used, the URL visible to the user will not correspond to the framed content although such content is visible to the user. It's highly recommended that you get permission, in writing, before framing another site.

This is not meant to be an exhaustive list. I'm sure there are other design mistakes, but if you eliminate these top 13 mistakes as you develop your website, you'll be making smart decisions that will significantly reduce your legal exposure.

Copyright © 2008 Chip Cooper

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.

WANT TO USE THIS ARTICLE IN YOUR EZINE OR WEBSITE? You may, as long as you reprint the article in its entirety with live links and include this blurb with it:

Leading Internet, IP and software lawyer Chip Cooper has automated the process of selecting and drafting website documents for small websites with his MyLegalFirewall website documents drafting service. Discover how quick, easy, and cost-effective it is to determine which legal compliance documents you need and to draft them online. Grab your FREE Special Reports, Determine Which Legal Documents Your Website Really Needs, Draft Your Own Website Privacy Policy, and Write Your Own Website Marketing Copy – Legally, at ==> http://www.digicontracts.com/