Owning a website comes with several legal responsibilities. And if you don’t know the laws, it can cost you thousands of dollars or even bankrupt your business. Here are some of the common ones for websites in the US.
How laws in other locations can apply to you
One common question is “Why does a law in another state apply to me?” It’s the basics of interstate commerce: if you want to connect with people in other states, you must abide by their laws.
For example, if you have a Bed & Breakfast in Idaho, you must still comply with laws in New York if you want to be able to offer your services to residents of New York. Hence, New York residents can sue you in New York courts just because a resident of New York is able to stay at your Bed & Breakfast (even if none ever has).
New York and California are the two states that file the most lawsuits around websites, but several other states have as well. New York and California are also known for suing websites when the business resides in another state. It’s important to know the laws in these two states, or you could be on the receiving end of a lawsuit for $20,000 or more.
Accessibility
Website owners should ensure that their websites are accessible to individuals with disabilities, in compliance with accessibility standards such as the Web Content Accessibility Guidelines (WCAG). There are thousands of lawsuits filed each year around web accessibility. The majority of these originate in New York or California, but they target businesses all over the US.
US federal government websites, and those of organizations funded by the federal government, are subject to Section 508 accessibility requirements.
US state & local government websites, and those of organizations that receive money from state & local government, are subject to WCAG 2.1 level AA under Title II of the Americans with Disabilities Act (ADA).
Organizations that are for profit, or that receive all funds from private entities, are still subject to the ADA (this is Title III of the ADA). The Department of Justice has said these websites are required to be accessible but has not set specific rules. Since there are now clear rules for Title II, I would expect that courts will interpret the Title II rules to also apply to Title III entities.
There are thousands of complaints or demand letters sent to business owners in the US. These are much preferable to lawsuits since they can be addressed for far less money.
The best way to protect yourself from web accessibility lawsuits is to improve your website so that all users can enjoy it. If you aren’t sure where to start, a basic audit with manual testing is the best place. The free automated checkers can only partially detect about 25% of issue types, and will miss most of the items cited in lawsuits.
FTC Rules
The US Federal Trade Commission (FTC) requires that any compensated review (including receiving free products, entries into drawings, or gift cards) be explicitly disclosed on the review.
Many online platforms’ Terms of Service do not allow compensated reviews to be posted. If you offer people an entry into a drawing for posting a review on Facebook or Google, you are violating both US federal law and the company’s terms of service. That can result in fines from the federal government and the complete loss of all your reviews on the platforms.
Terms of Service (ToS) and Privacy Laws
If a website collects any information about users (which let’s be real, they all do) then you need a privacy policy. The Privacy Policy outlines the rules and policies governing the use of the website, including how user data is collected, stored, and used. You need a privacy policy from a reputable company or from an IAPP member lawyer. I use and recommend Termageddon, and here’s a 20% off coupon to get started with them.
Most business attorneys know absolutely nothing about Internet privacy laws. Just check their own websites: very few attorneys even have a privacy policy. If you want to have an attorney write your privacy policy, make sure that the attorney is an IAPP member.
If a website allows for user accounts or user-generated content (e.g., comments or reviews), then the website should have clear Terms of Service.
Healthcare Laws (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the US protects personal healthcare information and regulates how it can and can’t be transmitted and stored.
If a website is for an entity which falls under HIPAA, such as a pharmacy or health care provider, then that site needs to be very careful about what information it allows to be transmitted through the site. HIPAA fines can be massive and have bankrupted businesses.
If a website that you own or manage falls under HIPAA, you should give a listen to the Q&A that Paul Stoute did on YouTube.
Cookie consent
California and several countries, such as Canada and the EU, have cookie and consent laws. To comply with their laws you need to have a cookie consent solution. Since Google also has requirements for certain websites on cookie consent solutions, it’s recommended to use a Google-approved cookie solution. We use the cookie solution from Termageddon.
Recent California CIPA lawsuits
California has a law called the California Invasion of Privacy Act (CIPA). Lawyers are using it to sue website owners in California and the rest of the US. CIPA applies to any communications with a resident of California, even if your business is not located in California. The law allows California consumers to sue businesses directly for violations and obtain damages of $5,000 per violation (aka per site visitor whose rights were infringed upon).
The best way to protect yourself is to understand what CIPA lawsuits are and use a cookie consent solution that meets the law, like Termageddon.
Protection of user data & eCommerce transactions
Website owners are responsible for safeguarding any personal or sensitive information collected from users and ensuring compliance with data protection laws. This includes implementing appropriate security measures to prevent data breaches.
If your website allows credit cards to be entered directly on your site, you must comply with PCI DSS 4.0 requirements from Visa and Mastercard. These require several security procedures to be in place on your site.
Website owners must comply with relevant laws governing online sales, such as providing clear product descriptions, pricing information, and refund policies. There are also several requirements from Google if you want your content to be listed on Google Shopping, such as requiring that the total price be listed. For example, if you sell cups for $4 each but they are purchased in groups of 10, then you need to have the price $40 in the HTML markup for your price.
Copyright and intellectual property
Website content must not infringe on the intellectual property rights of others.
This includes obtaining proper permissions or licenses for using images. Be extremely careful with images from “free” websites. Many of those sites (including the popular Unsplash) do not verify that uploaded images are free from copyrights. If you did not take the image yourself, make sure it is legally acquired and keep a receipt for the image. Numerous companies crawl the internet looking for unlicensed images.
You also need to make sure user-generated content complies with laws. For example, if you were to grab a list of reviews and post them on your website, but you modified the reviews or excluded some, then you must have a Terms of Service and the reviews must have violated those terms. For example, if your Terms state that profanity is prohibited, then it is completely acceptable for you to either omit reviews that have profanity or edit them to remove the language.
AI Content
Laws are coming into effect regarding what AI can and can’t be used for, and search engines are beginning to set up systems to penalize AI-generated content. If you are going to use AI for content writing, make sure you are not infringing on copyrights or breaking laws.
Defamation and libel
Website owners may be held liable for defamatory or libelous content published on their platform, including user-generated content such as comments or reviews. Implementing moderation and content policies can help mitigate this risk.
Child protection
Websites that are directed towards or collect information from children must comply with laws such as the Children’s Online Privacy Protection Act (COPPA) in the United States.
For most websites in the US, including language in your privacy policy that the site is not intended for children and addressing COPPA is the best practice.
Domain name disputes
Website owners should be aware of domain name regulations and potential disputes, including trademark infringement issues.
Businesses and people with websites must also ensure they own their domains. Many times a business has contracted a company to build them a website and that company purchases the domain. In the US, whoever purchased the domain owns it. So the business does not own its domain. Businesses have had to pay fees of over $1,000 to get their domains back from the actual owner.