16 Things Every Website Absolutely, Positively Needs To Know About Website Legal Compliance

I talk to a lot of owners of small websites -- entrepreneurs getting started with new businesses or re-doing existing sites on the Web -- and most of them have a profound lack of understanding regarding the scope of legal regulation they face.

What's worse, most don't have any idea of their exposure to legal liability.

I believe the lack of awareness and understanding is due to several factors:

• most small website owners don't have an Internet attorney; most don't even feel the need for one, and the ones who do, don't know how to find one they can trust;
• most website developers don't inform their clients of the need for website legal compliance;
• website regulation developed without fanfare; to date, there is no federal privacy statute of general application that would have been highly publicized at the time of passage;
• privacy and data security regulation has developed in piecemeal fashion in the form of state statutes (with California leading the way); federal jurisdiction was not created by any Internet-specific statute - the Federal Trade Commission (FTC) assumed jurisdiction for enforcement of privacy and data security violations by claiming jurisdiction (successfully) resulting from its authority to regulate false and misleading claims under Section 5 of the FTC Act; and
• despite press releases by the FTC regarding claims filed against websites, the message is just not getting through to entrepreneurs; for example, in the last 3 years, the FTC has settled with fourteen businesses over inadequate data security for personal information with substantial fines levied in some cases, and the FTC's aggressive enforcement has continued into 2009 with two new actions filed in the first two months of 2009.

So, given the factors listed above, it's understandable why most entrepreneurial website owners aren't aware of the need for website legal compliance. However, website owners won't be able to plead ignorance. The cliche you've heard before is true - "ignorance is no excuse".

There are certain website activities that are now very high risk - and indicate the need for legal compliance measures. They include:

• collection of any single element of personal information; for example, if you collect merely an email address for a sign-up form for product information, a newsletter, or a downloadable report, you have entered an area that is highly regulated - and which presents a very significant exposure to legal liability;
• collection of credit card information;
• failure to operate a secure server that stores personal information;
• failure to identify and assess internal and external risks to the security of personal information;
• failure to monitor the effectiveness of security of personal information and update security measures as indicated by changes in website operations;
• offering monthly subscription or membership payment models, or any payment scheme where payment is made over time after the delivery of the product or service;
• sharing of personal information with others for purposes of direct marketing;
• permitting third party service providers such as website maintenance and SEO service providers or hosting service providers to have access to the internals of your server;
• transmission of personal information outside the website's secure system or across public networks; Nevada and Massachusetts both have statutes regulating these activities;
• operation of a blog or forum that permits users to upload text or files;
• operating a website that targets children or at least by virtue of graphics, text, and products or services would be attractive to children under 13;
• serving third party cookies (e.g. Google Analytics);
• serving behavioral ads (e.g. Google's AdSense);
• appointment of online resellers or affiliates;
• use of a competitor's trademark in keyword-triggered ads; and
• "borrowing" someone else's privacy policy without detailed analysis of how it fits your own specific business and marketing practices.

If your website engages in any of the risk factors listed above, website legal compliance measures are required -- and compliance should become a top priority ASAP.

The legal liability for failure to comply can be significant.

Copyright © 2009 Chip Cooper