So, you’ve got a new website. You’ve got some T&Cs and a policy or two. What now? What should you do with your legal documents? How should the documents be incorporated into the website?
It would be nice if there were simple answers to these questions. Something like: you should do X with your T&Cs and Y with your policies. But if the law worked like that, lawyers wouldn’t have any work.
The appropriate way to incorporate the documents into your site will depend inter alia upon:
- the nature and content of the legal documents
- the content, functionality and user-base of the website
- the types and degrees of legal risk associated with the website
In this post, I’ll look at the question of how to incorporate two typical website legal documents – T&Cs of use and privacy policies – into a website. As usual, the perspective taken is that of English law. Other legal systems may emphasise other considerations.
Terms and conditions of use
In the typical T&Cs of use, some of the provisions will be of a contractual nature, and others will be definitely or potentially non-contractual. This distinction is important. Fundamental to the English law idea of the contract is the process of “offer and acceptance”: users need to accept contractual T&Cs for them to be enforceable.
What elements of T&Cs of use are non-contractual? First, such T&Cs are the usual place for the making of certain statutory disclosures. Those disclosures are entirely non-contractual. Second, T&Cs of use commonly include a licence to use the website. Such a licence (of copyright) may be contractual or non-contractual. Third, they commonly include a disclaimer of liability. Again, a disclaimer may or may not be contractual.
Other elements of T&Cs of use will be contractual.
So what to do with the T&Cs?
They should always be published on the website in such a way that they are reasonably prominent for all users. Typically, this means including a link to the T&Cs on every page of the website, often somewhere in the website footer.
The T&Cs should also be in a save-able and printable form. Under Regulation 9 of the Ecommerce Regulations: “Where the service provider provides terms and conditions applicable to the contract to the recipient, the service provider shall make them available to him in a way that allows him to store and reproduce them”.
If the T&Cs include contractual provision, you will need to go beyond this. You will need to get users – those users who are contracting with you – to accept the T&Cs. There are many methods for doing this:
- statements that acceptance takes place when the user takes some action on the website, such as submitting a form;
- mechanisms requiring users to tick a checkbox before using the website or the relevant areas of the website;
- mechanisms requiring users to scroll through the T&Cs and press an “I agree” button before using the website or relevant areas of the website.
The above methods are in ascending order of desirability from the point of view of legal certainty – and arguably descending order from the point of view of usability: a common tension.
Whatever method you choose, it is best if some record of each particular acceptance is kept, so that you can link a particular user to a particular acceptance on a particular date and at a particular time.
Different websites use different forms of words to indicate acceptance. There is no generally prescribed formula. Acceptable examples might include “Tick here to indicate your acceptance of our terms and conditions” or “By clicking “submit” you agree to the provisions of our terms and conditions”. It is generally considered to be bad form to ask users to confirm that they have read the T&Cs, when you know full well that 99% will have done no such thing.
If your T&Cs contain any particularly onerous or unusual provisions, it is sensible to highlight those somewhere on the website – e.g. on a sign-up page – so that all reasonably observant users affected by them will be aware of them.
Privacy policies
Privacy policies are different from T&Cs. They are generally concerned with statutory disclosures, and are entirely non-contractual.
You may be tempted to put them on the same page as your T&Cs, but the guidance from the UK’s Information Commissioner is that they should be kept separate.
Usual practice is to put a link to the privacy policy on every web page, typically in the web page footer. In addition, where practicable, there should be a prominent link to the privacy policy in the body of web forms and other pages that collect personal information.
In some cases, specific consent requirements may be associated with the use of personal data, for example for direct marketing purposes. However, there no general need to get users to agree or accept the terms of the privacy policy.
If there are any unusual provisions in the privacy policy, particularly provisions allowing the data controller to do unexpected things with personal data, then they should be summarised in the body of the relevant web page – usually the one on which the data is collected.
Add a new comment