There are lots of compliance laws that apply to websites. Not complying with them can be costly. There are so many laws that it can be confusing to know what the rules are, how to be compliant, and if you are compliant. In this overview of website compliance, we’ll look at the types of laws that websites need to comply with and see several tips and resources to help you get started.

Note – this article is not legal advice. We are only providing an overview of the information. To ensure your website is 100% compliant you should consult an attorney with experience in web compliance. 

What Data Are Websites Collecting?

Websites collect data about their visitor in several ways and for different purposes. Data collection is either through forms on the website (such as contact forms, comment forms, or email sign-up forms), or through cookies for analytics, and eCommerce platforms that share the data with payment gateways and shipping partners.

Examples include Google Analytics that collects IP addresses to monitor website interactions, Facebook Pixel collects data about pages and products that visitors have seen to show them ads on the Facebook platform, etc.

Data Collection Compliance Laws

These data collection practices have created several laws that websites need to comply with to keep that data safe. Consumer protection and privacy laws are designed to protect personal information. As a website owner, you have to disclose what information you’re collecting and what you’re doing with it.

Privacy laws vary from state to state and from country to country. This results in 23 privacy bills and several laws in the US alone.

If you build websites for clients, you need to discuss compliance laws and privacy policies with them and point them in the direction they need for solutions. You must ensure that they understand the responsibility that you are or are not taking on as a developer. Compliance products, services, or advice to seek legal help needs to be clearly identified in the contract.

Here’s a look at the major compliance laws and some tips on how to comply with them. Following this, you’ll see several tools to help.

1. GDPR Compliance

General Data Protection Regulation (GDPR) is a European Union regulation that addresses the transfer of personal data on websites. The regulation gives individuals control of their data that a website collects. It allows them to opt-out of having their data collected, see any data that has been collected, move the data, and delete it.

It doesn’t matter where your website is located. GDPR applies to everyone that solicits traffic from or has clients in the EU. This includes eCommerce, schools, etc.

The advantage of GDPR is that the EU has one law rather than individual states having their own laws. This makes it much easier to deal with and ensure that you are compliant.

Guidelines include:

• An individual or team appointed to handle GDPR processes or disclose that you don’t have one
• Provide a cookie notice with a consent option
• Include a privacy policy
• Include a data breach plan
• Disclose the data you’re collecting, who it’s shared with, and how you’re using it

2. CCPA Compliance

California Consumer Privacy Act (CCPA) is CA’s version of GDPR. It’s for large companies with more than $25 million in revenue, or 50% or more of the revenue comes from selling the information, or process data of more than 50,000 California consumers.

It gives consumers control over their personal information that businesses collect and provides several rights including:

• The right to know how it’s used and shared
• They have the right to delete it (a few exceptions apply)
• The right to opt-out
• The right to non-discrimination for exercising those rights

Information about the data must be provided as a “notice of collection.” This is a list of categories of personal information that’s collected and the purpose the data is used. Websites that sell this data must include a “Do Not Sell” link. The notice must also include a link to the privacy policy.

3. Cookies

Cookies are small scripts of code that are placed within the browsers of website visitors. They’re used to track movements through the website, help the website function, place ads, etc. This is especially helpful to know what pages or products a user has seen.

The two main types of cookies include:

Essential – these are required for the website to run. This includes pages that only logged-in users can see. They can be installed when the user goes to the site but they must be disclosed.

Nonessential – these track movements through the site for analytics, track ads, etc. You must get permission before installing them.

Websites must disclose if they’re using tracking cookies. Before installing the non-essential cookies, websites must get consent. To get cookie consent, use a plugin or service that will inform visitors that you’re using cookies and allow them to accept or reject the cookies.

4. Privacy Policy

Practically all of the compliance laws require a privacy policy. A privacy policy is a website page that identifies what information you collect, who you share it with, and whether or not you sell it. Websites of any size can be sued if they’re collecting data without the correct privacy policies. All websites must have a privacy policy and they have to be updated to keep up with the changing laws.

The policy should disclose how you use the data and who you share it with such as email marketing, your server, payment gateways, etc. It should tell if the data shared with a third-party email marketing provider and if marketing firms or other parties see the data.

If you collect information through a contact form, you need to disclose if that data is stored in your WordPress backend. If so, then the privacy policy needs to disclose that you share the data with content management systems.

5. ADA Compliance

Americans with Disabilities Act (ADA) includes places of public accommodation. APA compliance determines how accessible the content and features of your website are to those with disabilities.

This applies to public websites. If a website has a significant amount of inaccessible components to people with disabilities it can be seen as discriminatory, violating Title III of the APA.

It doesn’t matter how many employees you have.

It’s often reported that ADA doesn’t apply to companies with less than 15 employees, but in reality, it applies to every company regardless of the number of employees. Only Title I of the APA guidelines specify 15 or more employees, but Title I doesn’t apply to public website compliance. It applies to discrimination in employment. Title III applies to websites and it doesn’t specify the number of employees.

ADA doesn’t provide clear rules for compliance. Instead, we have to determine if our website is accessible to those with disabilities on our own. With that in mind, here are a few suggestions to make your website ADA compliant:

• Add transcripts for video and audio
• Add closed captioning
• Use audio descriptions for video
• Text should be scalable to 200% while keeping the content usable
• Don’t just rely on color to provide information
• Use a color contrast ratio of 4.5:1 or higher between the text and background
• Make it easy to use only a keyboard
• Use focus indication

6. FTC Affiliate Disclosure

FTC Affiliate Disclosure requires anyone endorsing a product to disclose if they were paid to promote it, received it for free for review, or get a portion of the sale. This endorsement applies to websites, social media, YouTube, etc. This follows the truth in advertising principle that endorsements should be honest and not misleading.

The disclosure must appear on the page with the product. You can’t add a button or link to another page with the disclosure notice. Place a notification within the article where it’s close to or part of the endorsement. It must be easy to see and hard to miss and be clear and conspicuous. The disclosure should be written in the same language as the article and be easily readable.

Disclosure examples:

• XYZ Company provided this product in exchange for an honest review
• Thanks to XYZ Company for this free product
• Use terms such as ad, sponsor, partner, etc., along with your content

Don’t use abbreviations or terms that are not clear, such as sp or Ambassador.

Resources

Here are a few resources for GDPR, CCPA, and cookie compliance:

• Cookiebot
• GDPR Cookie Consent
• Cookie Notice for GDPR & CCPA

Here are a few resources to create a privacy policy:

• Privacy Policy Generator
• Termly
• Privacy Policies

Here are a few accessibility tools:

• W3 Web Accessibility Initiative
• Accessibe
• WP ADA Compliance Check Basic

Ending Thoughts of Website Compliance

Through our overview of website compliance, we’ve seen several laws to be concerned about. We have to be compliant with each of them. This is one of the most important topics for website owners because failure to comply can result in tens or hundreds of thousands of dollars in lawsuits.

For developers, the compliance practices can be added to your checklist of web design best practices and be a part of the design process.

Making your website compliant does take time and effort, but fortunately, there are a lot of products that can help and the web pages for most of the laws provide good information to follow.

We want to hear from you. Have you made your website compliant? Let us know about your experience in the comments below.