Website Law

The web law blog

What is personal data?

February 17th, 2011 by Nathan Greaves

Personal data has no easy, clear-cut legal definition.

The definition set out in the Data Protection Act 1998, enacted following European legislation in the form of Directive 95/46/EC, leaves businesses and their advisers dealing with a significant amount of uncertainty.

“Personal data” are defined in the 1998 Act as:

… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

In short, any information which can be used to identify an individual constitutes personal data. For example, a list of customer names and addresses will count as personal data, as may a database of customer email addresses.

The broad-brush approach of the 1998 Act has proven troublesome to businesses, as they are subject to legal obligations in relation to a wider range of personal data than a common-sense view might suggest.

To use a simple example, “The most recent customer is called Patrick Smith, who has red hair and lives at 54 Evergreen Terrace” is personal data which clearly identifies Patrick. “The most recent customer does not have brown, blonde or dark hair and lives on Evergreen Terrace” should also be considered to be personal data as it is possible that, using this information, one could ascertain the identity of Patrick.

Incomplete data on individuals may still count as personal data. For instance, should a company have a list of reference numbers for individuals which correspond to a list of information cards relating to customers, then the reference numbers (although not on the face of it overtly personal) will be personal data.

A distinction can be drawn between personal data and sensitive personal data, a leak of the latter being much more serious. Sensitive personal data includes data relating to a person’s race, sexuality, health, criminal record or affiliations (such as political persuasion or trade union membership).

Often, we think of personal data as data belonging to customers. But the definition does not only apply to customers; it extends to all individuals including employees. Should a record be kept by an employer of their employees’ performance, this will amount to personal data, as will any record of what is intended for them.

As a general rule, and unless advised otherwise by a lawyer or other data protection professional, businesses should assume that any information relating to individuals may be considered personal data by the law, and treat it accordingly.

Category: Data Protection

Legal notice generators

January 28th, 2011 by Alasdair Taylor

We have just published two new legal notice generators: a privacy policy generator and a website disclaimer generator.

These generators will be available for free on this website for a limited period (to be determined).

The legal notice generators should make creating new legal documents for a simple website even easier. However, the fact that they are easy to use doesn’t mean you shouldn’t take care over the results. You need to read the end product carefully to ensure that it reflects your business requirements and complies with applicable laws.

If you have any criticisms, suggestions or other comments about the generators, please do let me know.

Category: Legal Technology

What legal documents do I need for my new website?

May 17th, 2010 by Alasdair Taylor

Website legal documents are like vitamins: you know they’re good for you, but you probably don’t know exactly what they do.  With a bit of research you could find out what they do – but, let’s face it, even lawyers find legal research a little boring.

There are legal aspects to all websites.  Legislation requires that specific categories of information be disclosed on most websites.  There are procedural hoops that some kinds of website must jump through.  The law also regulates the kinds of content that can be published on a website, and controls the legal nature of the publication itself.

Legal documents on a website can help deal with these issues in various ways.

A well-drafted website legal notice, policy or terms and conditions document can (amongst other things):

  • help a webmaster to comply with his or her legal disclosure obligations
  • ensure that the webmaster does not improperly abridge customers’ (especially consumers’) rights
  • ensure that website content is licensed to users on an appropriate basis
  • limit (or at least attempt to limit) the website owner’s liability in relation to the website
  • set out the legal basis upon which products and services are supplied to customers
  • remind a website owner of the procedural obligations that the law places upon him or her
  • show that the webmaster is serious about legal compliance (important from a marketing perspective)

So, what legal documents do you need for your website?

In considering the appropriate documentation for a website, I usually differentiate between:

  • the use of the website
  • the sale and supply of products and services
  • the collection and processing of personal data

All websites should have some kind of terms and conditions governing the use of the website.  See, for example, the range of website terms of use at Website Contracts.  At a minimum, the terms of use should deal with basic disclosure obligations, include a disclaimer of liability, and provide for the licensing of the website content to users.  Documents fulfilling these functions have many different names.  For example, they may be called terms of use, terms and conditions, terms and conditions of use, website terms, website legal notices, disclaimers, and so on.

Websites that sell anything – goods, services or licences – must also include terms and conditions governing the sale.  Where customers are consumers, the terms and conditions must comply with applicable consumer protection legislation.  Where all customers are businesses, there is greater freedom of contract.  Again, the nomenclature is not exact.  Documents governing the sale of products may be called terms and conditions of sale or terms of supply or simply terms and conditions.  Documents governing the supply of services may be called terms of service, terms of business or service agreements.  See for example: ecommerce terms and conditions.

Data protection legislation (as interpreted by the Information Commissioner) provides that website owners must disclose specific categories of information to users.  For example, they must disclose details of what data is collected, how it will be used, and how it will be kept secure.  Generally speaking, websites that process personal data should include a privacy policy for the purposes of making these disclosures.  Privacy policies can also be called privacy statements or privacy notices – or more rarely data protection policies, statements or notices. See: website privacy policy.

Whilst terms governing website use and terms governing sales can be incorporated into a single general terms and conditions document, the (non-contractual) privacy policy should be kept separate. 

Category: Internet Law