When creating websites and online stores, design and content are the primary considerations. While this is true, legal aspects such as terms of use, privacy policy, right of withdrawal, cookies, and copyright protection for text and photographs are often overlooked. Below, we discuss practical examples and outline the consequences of non-compliance.
1. Clear Information for Consumers
The Consumer Rights Directive and the Consumer Protection Act in some cases stipulate the obligation to provide information in a clear, understandable, and easily accessible form. This obligation extends to the terms of the contract as a whole (usually understood as terms of use), as well as issues related to product or service descriptions and pricing, commercial warranties, technical requirements for digital content or services, and out-of-court dispute resolution. Failure to provide complete and clear information puts a company at risk of intervention by the Consumer Protection Center, which may find the terms of use unfair.
2. Right of Withdrawal (and When It Does Not Apply)
When goods or services are ordered online, the seller or service provider is obligated not only to give the consumer the opportunity to withdraw from the product or service within 14 days but also to provide adequate information on how to exercise this right of withdrawal. Access to the withdrawal form must also be provided. If information on the right of withdrawal is not provided, the consumer has the right to unilaterally withdraw from the contract for a much longer period: within one year after the initial withdrawal period. It is important to remember that the right of withdrawal does not apply in all cases, for example, if the product was manufactured according to the consumer's instructions or is clearly personalized. This applies, for example, to custom-printed or engraved products. The right of withdrawal also does not apply if the customer is a business rather than a consumer.
3. GDPR and Privacy Policy
The processing of personal data is essential when selling goods or providing services. Even in cases where ordering and payment for goods or services is not possible on the website, a privacy policy is essential. For example, a food manufacturing company that only fulfills orders for retailers may also receive and process personal data, for example, by responding to emails, communicating on social media, or offering prizes in various contests. However, a privacy policy has a completely different meaning if a company offers goods or services online, such as on an e-commerce site offering various products. The GDPR, or General Data Protection Regulation, sets out a number of items that must be included in a privacy notice, from the company's contact information and the categories of data received and processed to the rights of data subjects. It is important to remember that a privacy policy is a company's unilateral statement about its intended data processing, yet websites often include buttons that invite users to consent to the privacy policy. This is inappropriate, as the GDPR requires information about data processing, not consent to such a statement. This applies to services provided by children.
Developing a privacy policy is a complex process: on the one hand, a company must provide a wealth of information about the planned actions with personal data (e.g., data types, retention periods, potential recipients, and data subject rights). On the other hand, the GDPR requires adherence to the principle of transparency, meaning that all information addressed to the public or data subjects must be concise, easily accessible, and understandable, using clear and simple language and visualization. While it may seem appropriate to disregard the principle of transparency because "everyone doesn't understand privacy policies," the State Data Inspectorate believes otherwise: one Latvian online store was fined €15,000 precisely for an unclear and incomprehensible privacy policy.
It is even more important to provide information concisely and clearly if a service is offered to children or if children can access the service. This applies to social media, gaming portals, learning platforms, and even the websites of professional sports organizations, such as football clubs. The GDPR stipulates that children are entitled to special protection, and if the processing concerns a child, the information must be provided and communication must be conducted in clear and simple language that the child can easily understand.
A solution for this is offered by Rockterms, a Latvian service that helps create visually appealing, dry documents. You can see what their privacy policy looks like on their website here: https://rockterms.com/privacy-policy/
4. Cookies
It's hard to imagine a company's development without marketing activities. For websites and online stores, this means two equally important steps: analyzing previous actions and advertising to attract new customers. To achieve these goals, cookies are used to measure and analyze site traffic, popular sections, and audiences. Cookies also enable personalized advertising; for example, if a potential customer visits a product website, they are then reminded of the relevant product via targeted advertising on other websites. In the European Union, the Directive on the Protection of Privacy in Electronic Communications stipulates that the use of cookies for analytics and advertising is permitted only if the user is given clear and precise information about the purpose of the cookie before the cookie is installed and has the opportunity to refuse the storage of cookies on their end device. Companies frequently violate this requirement, as confirmed by a preventive audit conducted by the State Data Inspectorate, which examined the use of cookies on 29 websites of 26 merchants. The results of the audit were unambiguous: all 26 merchant websites inspected were found to have at least one instance of non-compliance related to the installation and use of cookies. There is no doubt that audits will continue, and fines will be imposed.
5. Sending Marketing Materials: Consent-Based Only?
Advertising materials or commercial notifications may only be sent in two cases: on the basis of consent or on the basis of the company's legitimate interest in providing information to existing customers. In the first case, it's simple: for example, a user enters their email address on the website and expresses their desire to receive news. It's important to remember that the option to revoke consent must be equally convenient and easily accessible. In the second case, based on the company's legitimate interest, advertising materials may only be sent if all three conditions are met:
(1) the email address was obtained as part of a commercial transaction (e.g., the customer previously placed an order for a product), and the notification is about similar products or services.
(2) the recipient of the service initially did not object to the further use of their email address.
(3) each email provides a clear, free option to opt out of further use of their email address.
It is important to remember that information about sending consent-based advertising and notifications and the company's legitimate interests must be clearly stated in the privacy policy.
6. Copyright
Content—text, images, videos, sounds, and songs—is an essential element of website development. All of these works are created by someone else and are therefore protected by copyright. Therefore, using these works without consent is prohibited. When companies outsource website development (either to an agency or a freelance developer), it is essential to pay attention and verify the content used and its origin. If the images used on the website are not obtained from a stock photo agency (it is important to review the license terms), it is possible to engage a photographer (it is important to enter into a copyright agreement). However, searching for images and other content online and using them without permission should be avoided. The copyright owner will be able to easily find their images and will certainly demand compensation for unauthorized use. In practice, there have been cases where the requested amount for a single image has reached as much as 5,000 EUR.
Thanks to Ugis from Rockterms for creating this article.
