Website development contracts and compliance—training materials

1 Website development contracts and compliance—training materials
[Name and details of speaker]

Summary: This seminar covers the principal issues to consider when developing a website, in terms of both the contract to develop the website and legal compliance issues arising from websites. The theme connecting these different elements is that legal compliance requirements have a direct impact on the functionality and specification of the site and therefore should be properly considered before the site specification or development contract is finalised.

Purpose of slides/seminar: The slides are intended for a general rather than specialist audience. Additional details reflecting the particular circumstances in which these slides are used can be added as appropriate (eg to reflect commercial or regulatory issues affecting a particular company).

How to use these ‘Speaker notes’: Under each slide there are ‘Speaker notes’ which summarise the point the slide is intended to address for the benefit of the person presenting the seminar. These notes are not intended for distribution to the audience as they are likely to contain more legal information than is desirable for a general audience.

How to use the slides: It is anticipated that each slide may take between three and five minutes to explain. It is not intended that a single seminar should contain all these slides as it would last too long. The speaker should select slides as appropriate to reflect the particular seminar to be given. Alternatively, the speaker can use all the slides over a series of two or three separate seminars.

How to insert company logo:
select ‘View’ from the menu
select ‘Slide Master’
click on the footer on slide 1
edit the text to insert the company name and/or select ‘Insert’ from the menu and ‘Picture’ to upload a logo

2 Contents—Website development
The need for a clear specification
Changes to content and specification
Consents
Infrastructure
IP ownership and use
Software ownership and disaster recovery
Security of personal data
Delivery
Warranties and liability
Ancillary services
Responsibility for legal compliance

Speaker notes: These slides relate to practical legal and commercial issues to consider when building or commissioning a new website, which need to be reflected in the website development agreement.

3 Contents—Contracts and compliance
Contract formation
Trading disclosures
Website privacy notices
Consents to use of cookies
International data transfers
Accessibility
Jurisdiction

Speaker notes: These slides relate to regulatory compliance issues to consider when operating a website, which may also affect the website specification.

4 Website development

5 The need for a clear specification
What will the finished website consist of? Consider: structure, functionality, links, payment processes, suitability for mobile applications and multimedia, security, etc
Agree detailed specifications and screen shots before committing to development

Speaker notes: Before any software development takes place, it should be clear what the finished website will look like. This means that a full specification should be prepared, identifying the website structure, technical and operational functionality, relevant links between web pages, e-commerce and payment processing capabilities (if any), and whether the website will also be suitable for mobile applications and/or contain multimedia content. In short, what exactly is the website that will be developed? A customer should not commit to an expensive website development project when the end product is unclear. Specifications should contain detailed screen shots of the proposed web pages that will form the site. If there is no clear specification available, any development agreement should be conditional on first agreeing a suitable specification. This can be arranged by way of an initial consultancy agreement to finalise the specification before committing to a more substantive development agreement.

6 Changes to content and specification
Change control process for minor and major changes in future
Who will maintain the site?
Processes for easy transfer to replacement supplier

Speaker notes: It is likely that over time the customer will want to alter the content and specifications of the website to add new features. Consider the change control process that will be required to enable these changes to take place—both minor content changes and more extensive structural changes to the site. Otherwise there is a risk that the customer could be subjected to excessive charges from the website developer for implementing future changes. The contract should provide for the website to be quickly and easily transferred to a replacement supplier if the customer wants to do so. The incumbent developer should agree to provide whatever software or support ('further assurance') is required to enable such a transfer to happen. The customer should also reserve the right to make changes to the site itself, if it wishes to do so, without incurring unnecessary additional support fees.

7 Consents
Which consents are required? Consider legal terms and conditions, direct marketing and privacy statements, consents to use of cookies
Avoid multiple consent boxes if possible
How is evidence of consents recorded?

Speaker notes: Different consents may be required from website users to agree to legal terms and conditions, direct marketing and privacy statements, consents to use of cookies, etc. When designing the site, consider what consents precisely will be required and how evidence of those consents can most easily be recorded. As a general rule, website user consents should be obtained at the same time wherever reasonably possible. For example, if a consent to use of data for marketing is sought, then this should also be drafted to cover the consent to use of personal data or cookies if appropriate. Sprinkling consents throughout the site is likely to increase build costs and legal uncertainty and make future changes or additional consents more difficult to implement. Typically, consents are obtained through one or more checkboxes on a site in response to various statements, eg ‘We would like to notify you of other products and services you might be interested in. If you would like us to do this, please tick the following box [ ].’

8 Infrastructure
Cloud computing—where will the site be hosted and by whom?
Developer should take responsibility for its subcontractors
Ensure third party supplier terms are subject to the website development agreement

Speaker notes: A website will not necessarily be hosted entirely on a dedicated server operated exclusively under the control of the website developer. Clarify where the site will be hosted, by whom and on what terms. Given the growth in cloud computing, a website, or parts of it, may easily be hosted anywhere in the world, by a third party with whom the customer/website owner has no direct contractual relationship. If any part of the development or hosting of a site is to be subcontracted to a third party, ensure that the developer expressly agrees to be liable for any acts or omissions of its subcontractors. If subcontracted services are provided by a third party on separate terms and conditions, ensure these are consistent with and without limitation to the developer's obligations under the development contract.

9 IP ownership and use
IP rights include:
design of the 'look and feel' of the site
rights in trade marks and domains
text, pictures and other multimedia content
underlying databases and software required to operate the site
Who owns these and what are the licence terms?

Speaker notes: Intellectual property rights in a website might include rights in the design of the site, the ‘look and feel’ of the site (potentially protected by copyright and/or design rights), rights in trade marks and domains, the text, pictures and other multimedia content of the site and underlying databases and software required to operate the site. Ownership of all these different works needs to be clear between the customer, its design agency/website developer, other software companies and third parties whose rights are used to operate the site. Consider also how the IP ownership position may change as content or rights are developed in future. Ensure that any intellectual property rights that are being transferred or licensed are clearly defined (eg in terms of exclusivity, duration, licences back, etc). In particular, if the customer supplies content to the website developer but does not want this used by the developer or third parties in future (eg information relating to the structure or operation of a site), this should be expressly stated so as to avoid any licences being implied.

10 Software ownership and disaster recovery
What are website backup and disaster recovery (DR) arrangements?
What anti-virus and other security measures will be implemented, by whom and when?
Should software be placed in escrow and/or should the developer provide regular copies of the website?

Speaker notes: The customer needs to consider what its backup and disaster recovery arrangements will be if, for whatever reason, the website ceases to be operational. Consider what anti-virus and security measures will be implemented to protect the site against hacking and data loss. For valuable websites, the customer may wish relevant software source code to be placed into escrow so that it can access relevant code if the developer becomes insolvent or ceases to exist. A more pragmatic approach may be to require the developer to regularly provide updated versions of the website software and content so that the customer has this in its possession if the developer/host ceases to exist or fulfil its obligations in future for any reason.

11 Security of personal data
Obligation to implement appropriate technical and organisational security measures when processing personal data
Physical and technical measures (eg encryption and password controls)
Address in the context of wider confidentiality and information security policies

Speaker notes: Appropriate technical and organisational measures must be taken when processing personal data. Technical measures include issues such as password protection and encryption technology to prevent unauthorised access to personal data. Organisational measures include steps such as training, physical security, locking filing cabinets, etc. The aim in both cases is to ensure that access to relevant data is appropriately controlled. Consider what additional physical or technical measures need to be taken to protect personal data, especially any particularly sensitive or confidential information. This might include implementing additional physical and technological access controls (eg passwords to log into the website). The website should comply with the website operator’s stated data protection policy, as well as other information security and related policies.

12 Delivery
The development project plan should include:
key milestones
payment timetable
acceptance testing processes
Specify whether time is of the essence
Customer to ensure payments are not too front-loaded

Speaker notes: Set out a clear project plan covering the key practical steps required to develop and operate the site. This might include, for example, key personnel required to provide the site, milestones and acceptance testing processes to check that the website is operating properly. Specify whether time is of the essence in relation to these delivery obligations. From a customer perspective, it is important that the contract is not too 'front-loaded' in terms of payments. The customer should ensure that a significant percentage (eg 30%) of the overall amounts payable for the website is retained until acceptance testing has been satisfactorily completed.

13 Warranties and liability
Supplier warrants site performance meets specifications—for how long?
Indemnity for third party IPR claims
Consider insurance for losses over and above limitations of liability?

Speaker notes: The development contract should contain appropriate warranties and indemnities in respect of any failure of the website to perform in accordance with agreed standards or infringement of rights. It is likely that in many cases the contractual liability of the website provider will be substantially less than the losses that may arise if the website malfunctions or ceases to operate. Whatever results between the contracting parties, the website provider may prove to be a man or company of straw. In light of this, the customer may also wish to obtain insurance cover in respect of loss or damage arising as a result of failure of the website or in the event the website infringes the intellectual property rights of any third party.

14 Ancillary services
Maintenance services
Updating services
Hosting services
Further development and consultancy services
In all cases consider future price increases

Speaker notes: In addition to development of the site, it is important to clarify what subsequent maintenance, updating and hosting of the site will be required and who will do this. Consider price increases. Contracts should contain provisions enabling the customer to transition to a suitable replacement web host and service supplier in the event that the costs of maintaining the site become prohibitive.

15 Responsibility for legal compliance
Website operator will have primary responsibility for complying with the law
How do compliance obligations affect design of the site?
Does the site specification facilitate compliance?
Which countries’ laws need to be met?

Speaker notes: Websites are subject to a myriad of legal compliance requirements. Consider what legal terms and conditions, privacy policies, statements concerning cookies, accessibility requirements under the Disability Discrimination Act, corporate and tax information, as well as sector-specific regulatory compliance requirements, etc, need to be reflected on the site and who will be responsible for producing and updating that content. Practical point: it is no good foisting the responsibility onto a party that simply will not do it or does not have the knowledge and capability to do it well. Ensure the structure of the site (as described in the specification) reflects applicable compliance requirements. For example, if a website user will be asked to agree to a set of legal terms and conditions as a pre-condition to accessing the site, the site specification will need to reflect this. Likewise, in many cases it is desirable for there to be a process whereby a user is required to scroll through contract terms and then click an 'I accept' button, rather than simply relying on a link to 'legal terms and conditions'. These examples demonstrate how legal requirements directly affect the structure of the site.

16 Contracts and compliance

17 Contract formation
Normal principles also apply online—check incorporation of terms, offer and acceptance
Supplier should accept user’s offer to contract—not the other way round
Specific e-commerce and distance selling regulation requirements also apply

Speaker notes: Normal contractual rules apply, but there are additional rules which apply in the online environment.

1. The Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) implement the EU E-Commerce Directive and apply to websites providing online information society services. This covers most sites but not gambling sites. The Ecommerce Regulations require specific information to be provided on the site including details of the site owner, its company registration number, VAT number and professional memberships. Additional information must be displayed where online contracting takes place. This includes a method for correcting errors, the technical steps involved in the transaction process and a clear explanation of the contracting process. The seller should usually accept the user’s offer to contract, rather than having an open offer to all the world. The user should also be given prompt confirmation of an accepted order. Terms and conditions should be displayed in such a way that they can be stored by the user.

2. Under the Consumer Contracts (Information, Cancellation and Additional Payments) Regulations SI 2013/3134 (the Consumer Contracts Regulations), there are additional protections for consumers where contracts are concluded remotely. Specific separate distance selling regulations apply to financial services. Under the Consumer Contracts Regulations, specified information must be provided to the consumer in a clear and prominent manner directly before the consumer places the order.

18 Trading disclosures
Company information to be displayed on a site includes:
name
address
VAT number and professional memberships

Speaker notes: There are statutory provisions governing the trading disclosures to be made by a United Kingdom company, which came into effect on 1 October 2008. Under the Companies (Trading Disclosures) Regulations, SI 2008/495, regs 1 and 6, a company’s registered name must be disclosed on its websites and on all other forms of its business correspondence and documentation. In addition to the disclosure of the company’s registered name, its websites must also disclose the following information:
the part of the United Kingdom in which the company is registered
the company’s registered number
the address of the company’s registered office
in the case of a limited company exempt from the obligation to use the word 'limited' as part of its registered name, the fact that it is a limited company
in the case of a community interest company which is not a public company, the fact that it is a limited company, and
in the case of an investment company (as defined), the fact that it is such a company

19 Website privacy notices
The ICO Code of Practice and checklist
Map processing—identify what personal data you hold, need and what you will do with it
Use a privacy notice to explain clearly and in plain English—who you are, what you are going to do with the data, and who it will be shared with
Use a ‘layered’ approach, such as ‘just-in-time notices’, video, icons and symbols, privacy dashboards
Gain and record consent using opt-in, giving users sufficient information to make a choice
Test notices with users
Review and update notices to reflect changes in collection and use of personal data

Speaker notes: Follow the Information Commissioner’s Office (ICO) Code of Practice—Privacy notices—transparency and control and implement an appropriate privacy notice when gathering data online.

Map your information processing, to discover:
what personal information you hold
what you do with it and what you are planning to do with it
what you actually need
whether you are collecting the information you need
whether you are creating new personal information, and
whether there are multiple data controllers.

Your privacy notice should tell users:
who you are
what you are going to do with their information, and
who it will be shared with

You should tell users if:
you are collecting sensitive information
the intended use of the information is likely to be unexpected or objectionable
providing personal information, or failing to do so, will have a significant effect on the individual, or
the information will be shared with another organisation in a way that individuals would not expect.

Use a layered approach, such as:
just-in-time notices
video
icons and symbols, and
privacy dashboards

If relying on consent, you should:
display it clearly and prominently
ask individuals to positively opt-in
give them sufficient information to make a choice
explain the different ways you will use their information, if you have more than one purpose
provide a clear and simple way for them to indicate what they agree to different types of processing

The ICO also recommends that you go beyond the legal requirements, by telling users:
the links between different types of data you collect and the purposes that you use each type of data for
the consequences of not providing information
what you are doing to ensure the security of personal information
information about people’s right of access to their data, and
what you will not do with their data

Test and review:
test your draft privacy notice with users and amend it if necessary
keep your privacy notice under review, take account of any complaints about information handling, and update it as necessary to reflect any changes in your collection and use of personal data.

To the extent company websites are specifically targeted at users in other countries, consider whether local laws in those countries apply and, if so, how those requirements will be addressed.

20 Consents to use of cookies
Prior consent required for use of cookies
Clarify which cookies are used and why
Limited exceptions for services requested by users

Speaker notes: Obtain prior consent before use of cookies on websites, unless the cookie is required to provide a service requested by the website user (eg to operate an online ‘shopping trolley’ before checkout). When seeking consents to use of cookies, explain properly why cookies are needed and what the technical and privacy implications of this will be. Reputable websites such as now contain extensive ‘cookies policies’, which form the basis for any cookies consent. The effect of this is that any consent to use of cookies by reference to such a cookies policy will be sufficiently comprehensive, specific and informed (and therefore enforceable). Otherwise the website operator risks facing a challenge from a website user that the user did not properly understand what they were being asked to consent to.

21 International data transfers
Restrictions on exports outside the EEA to countries without ‘adequate safeguards’
The European Commission has designated certain non-EEA countries as attaining an adequate level of protection
Other adequacy solutions include:
Standard Contractual Clauses/Model Clauses
Binding Corporate Rules, or
the EU-US Privacy Shield
Finally, transfers may be permitted with consent or where there is legal necessity

Speaker notes: There is a general prohibition in the Data Protection Directive, Directive (EC) 95/46, on data controllers transferring personal data to any territory outside the European Economic Area (EEA) unless an 'adequate' level of privacy protection is ensured for the data transferred. The European Commission has designated certain non-EEA countries as attaining an adequate level of protection. For other countries, an adequate level of privacy protection may be found if there is one of a number of European Commission approved 'adequacy solutions' in place, such as:
Standard Contractual Clauses/Model Clauses
Binding Corporate Rules, or
The EU-US Privacy Shield

Finally, transfers may be permitted by consent or, in the absence of consent, other conditions in Schedule 4 to the Data Protection Act 1998 will need to be met (eg transfers necessary to perform contracts). Ensure notices and consents (where obtained from data subjects) cover international data transfers as well. For more guidance on international data transfers, see Practice Note: International data transfers.

22 Accessibility
DDA 1995 enshrines right to ‘access to and use of information services’ for disabled people
Website owner must take ‘reasonable steps’ to make site accessible
Standards published by W3C

Speaker notes: The Disability Discrimination Act 1995 (DDA 1995) requires that disabled users can access a website. What is ‘reasonable’ depends on the financial resources of the website owner. Standards of web accessibility are published by the World Wide Web Consortium (W3C). In practice the precise rules in this area are not clearly understood and these requirements are routinely flouted by website developers and operators, except for those operating very large or significant sites (who stand to lose the most in terms of reputational damage for failing to comply with disability anti-discrimination legislation).

23 Jurisdiction
Websites targeted at other countries may be subject to local consumer protection, language and contract law requirements
If doing substantial business in other countries, seek local law advice!

Speaker notes: The UK E-Commerce Regulations, Consumer Contracts Regulations and other consumer protection rules implement EU directives, so similar laws apply in other EU jurisdictions. However, laws are implemented differently in other countries and additional local law requirements may apply. Therefore, if the website is used to trade in a number of countries then consider obtaining local law advice and/or establishing local versions of a site (eg in local languages).

24 Final comments
Any questions?
