Refreshing Your Website: Overlook the Legal Details at Your Peril
Many individuals and businesses are refreshing their websites, as COVID-19 makes our online presence more important than ever. In the process of creating a new look or updating your content, it’s important to consider some often-overlooked legal matters.
Content on the Site
Be sure you personally or your business own or have permission to use all the content on the site – text, designs, images and videos. If a third party who is not your employee designed the site for you, be sure there is a written work-for-hire agreement that gives you the copyright in their work. Copyright law has some very specific work-for-hire requirements, so, absent this writing, you may not own the rights to elements of your site. Be sure that you have digital access to the underlying files so that you have the ability to make changes in the site without relying on a third party, whether it is an employee or another third party, in the years to come.
If the site displays third-party images or other content, be sure that you have obtained permission unless the content is in the public domain. You can’t assume that an image available for free online is not subject to copyright. There are “fair uses” of copyrighted content, but especially in a commercial context it is not generally advisable to rely on a fair use defense. So best practice is to ask permission when in doubt. (See our earlier blog on the use of third-party photos online.) Lutzker & Lutzker routinely represents and obtains compensation for photographers whose images have been used online without their consent.
Copyright Notice and Registration
Your website should prominently display a copyright notice (© Jane Jones Creative LLC 2020). This provides notice to the world that you own the content, and that users infringe it at their peril. If you have a specially designed or complex website, you may want to consider registering the copyright to your website with the Copyright Office. While registration is not required, it is a prerequisite to an infringement lawsuit, and timely registration prior to infringement allows for recovery of statutory damages (that is, damages that do not need to be specifically proven) and attorneys’ fees, which often makes it feasible to bring a lawsuit. As a practical matter, it also gives visitors to your site information as to whom to contact if they wish to republish your material for their own purposes.
Trademark Notice
You also want to provide notice of any valuable trademarks. If your trademark is registered, you should display the symbol ® with the mark. If you have an unregistered mark, or one with an application pending with the U.S. Patent & Trademark Office, the correct symbol is ™. In the event you have a design mark registered, make sure that any updates to the graphic elements will not cause you to lose existing trademark protections when it comes time to file your affidavits of continued use with the Trademark Office. A design refresh may provide a good opportunity to consider registering for the word trademark alone. This will provide you with greater flexibility as your website and the image you want to project evolve. You may also find that you need protection for new uses of your trademark as your business model expands.
Terms of Use
Terms of Use function as an agreement between you and visitors to your website; that is, they are the rules that apply to use of your site. They generally assert your ownership of the content on the site, as well as your ownership of your trademarks, and prohibit commercial use without your permission. They typically include a disclaimer of liability for problems in the functioning of the site or misinformation on the site. Terms of Use often specify the state whose law will govern disputes and sometimes specify the jurisdiction where you will consent to be sued. There are also provisions in the Terms of Use that are unique to your business. If you have added new services to your business offerings, the terms under which these new offerings are to be used should be reflected in your Terms of Use.
Privacy Policy
Your privacy policy describes how you collect, use, share and otherwise process personal data collected on the website. If you think Privacy Policies are boring boilerplate, read up on the controversies surrounding Facebook’s privacy policies. Even if you think you don’t collect any personal data, take another look. If you invite email communications through a Contact Us feature or something similar, you are collecting email addresses, which are considered Personally Identifiable Information (“PII”). If you sell merchandise, you are collecting PII even though a third-party processor is handling the transaction. Unless you have a purely informational website, you need to have a Privacy Policy.
GDPR: If your website is visited by residents of the European Union, you are subject to the General Data Protection Regulation (GDPR) that became effective in 2018 to protect EU residents from privacy and data breaches. GDPR defines personal data very broadly, imposes preconditions on the collection of such data and imposes numerous other obligations on the collector of the data. GDPR also regulates the transfer of data to countries outside the EU. This might seem irrelevant to a U.S. business, but if the website reaches EU residents and their data is “processed” in the U.S., the provisions of GDPR will apply. See our blogs on GDPR and recent GDPR developments regarding international data transfer.
CCPA: The California Consumer Privacy Act, enacted in 2018 but effective as of January 1, 2020, was designed to give California residents more control over the personal information that businesses collect about them. It generally applies to for-profit businesses that meet one of the following requirements:
- have a gross annual revenue of over $25 million;
- buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- derive 50% or more of their annual revenue from selling California residents’ personal information.
If your business falls within the scope of the CCPA, additional user rights should be specified in your Privacy Policy.
Other State Privacy Laws: Since CCPA, many other states have introduced similar legislation to protect consumers. Nevada and Maine have enacted such legislation, and others have bills in progress. You should stay abreast of these bills in states where you have customers to remain in compliance with stricter requirements as they become effective.
COPPA: If your website is directed to children under 13 years of age, under the Children’s Online Privacy Protection Act, known as COPPA, you need parental consent to collect any PII from such users. There are specific requirements for compliance, including an online notice to parents and procedure for obtaining parental consent prior to collecting any PII. Although nonprofits are not generally subject to COPPA (with some exceptions), many choose to follow the FTC recommendations to comply as a matter of best practices.
Cookies: Websites generally employ cookies or similar technology to recognize users on return visits, to enhance the user experience as well as to collect non-personally identifiable information about users. Your Privacy Policy should disclose the use of such technologies. Many sites have a prominent “cookie notice,” requiring the user’s agreement to the use of cookies before proceeding to the content of the site.
Finally, think of your Terms of Use and Privacy Policy as organic documents. They need to be periodically revisited and updated in light of changes to your business and the laws applicable to your website. It’s important to include a “Last Updated” date at the end of each policy.
DMCA Protections
If you host any third-party content on your site, you will want to protect yourself by taking advantage of a limitation on liability available to “online service providers” under the Digital Millennium Copyright Act (DMCA), 17 U.S.C. Section 512(c).
For example, you might be hosting third-party content if you post communications from users on relevant topics. Absent the DMCA protections, if any of the user’s material infringed the copyright of another person, your website would be liable for publishing it. If in doubt as to whether you could be considered an “online service provider,” it’s best to follow the simple procedures to qualify for the exemption from liability.
The exemption treats you as the operator of the website that contains the content, but not its originator, and thus confers immunity from damages for infringing material on your site. In order to take advantage of this “safe harbor” provision, you need to designate a representative with the U.S. Copyright Office to receive notices of infringement. Your website should provide notice of the identity of this agent, either in your Terms of Use or as a separate notice. The Copyright Office designation is done electronically, with a $6 filing fee, and must be renewed every three years. You also need to comply with DMCA “notice and takedown” procedures, whereby the owner of the allegedly infringing content provides a statutorily prescribed notice, and you must promptly respond by taking the material down. There are also “put back” procedures in the statute for takedowns that proved to be invalid. This step requires minimal effort for the benefits it provides.
Lutzker & Lutzker is available to review your website and assist with the drafting of legal policies. We also act as the designated agent for clients to receive copyright infringement notices and can keep you abreast of changes in state privacy laws.