Legal requirements for small online businesses

Are you ready to set up your online store or small business website? Make sure you’re clear on the laws you’ll need to follow.

We’ve written before about the permits or licenses your business may need to operate online. In this post, we focus on website-specific legal issues.

First, our disclaimer: I’m not an attorney, and you should check in with a business lawyer if you have questions.

build your website

The Fine Print: Terms of Services

Make sure your site complies with your web host’s terms of service (TOS) and acceptable use policy. For example, HostGator’s TOS requires-among other things–that site owners be at least 18 years old and not be in a country under sanction by the US government. The acceptable use policy, meanwhile, prohibits using the service for gambling, bitcoin mining, live sporting event broadcasts, and other  heavily regulated or resource-intensive businesses.

Next, it’s time to create some fine print of your own. Display your business terms and conditions about pricing, returns, shipping, and billing so customers know what to expect. This is especially important if you’re selling products or digital goods directly from your site.

Security and Data Privacy

Your customers want to know they can trust you with their information. Data breaches can wreck your business with financial losses, lost trust, and legal penalties. And with the EU’s far-reaching General Data Protection Regulation (GDPR) now in effect, even the smallest businesses need to step up their security compliance.

GDPR applies to all businesses that offer goods and services to people in the EU, no matter where those businesses are located or how many people they employ. GDPR is a huge law, but the basics for small business owners are:

  • You must have clear consent to collect consumer data. For example, you can add a GDPR-compliant cookie consent banner to your site.
  • You must delete customer data on request.
  • You need to keep customer data safe or face fines. HostGator’s SSL certificates encrypt data to and from your site, making it compliant with privacy laws and PCI-DSS security standards. HostGator’s Security and Privacy Bundle protects your website from viruses, malware, hackers, and spam by automatically scanning your website to detect and remove threats.
  • You must report serious data breaches to law enforcement within 72 hours of discovery.

Anti-Spam Laws

No one likes spam emails, and lawmakers around the world are serious about stopping it. How serious depends on the region-US anti-spam laws have looser restrictions and lower penalties than those in Canada and the EU. If your new company will do cross-border business with Canadian and European customers, or if there’s a chance you will do so in the future, your best move is to follow the strictest anti-spam protocols.

In the US

The CAN-SPAM law, which stands for Controlling the Assault of Non-Solicited Pornography and Marketing, only deals with business-to-consumer marketing emails. CAN-SPAM requires recipients to opt out of messages they don’t want to get, and the unsubscribe process can be a multi-step hassle. CAN-SPAM violations can result in fines of as much as $40,000 per incident. This law doesn’t clearly address marketing emails sent to US residents from outside the country.

In Canada

Canada’s Anti-Spam Law (CASL) created an opt-in system, which means people must sign up to get your marketing emails (or texts, voicemails, and other direct marketing digital communications) unless they already have a recent business relationship with you. CASL applies to emails sent to Canadians from outside Canada. Unsubscribing must be easy and fast. CASL violations can result in fines up to $10 million.

One more potential penalty for CASL violations hasn’t taken effect yet: the right of individuals to sue companies that spam them for as much as $1 million per day. That part of the law is under review.

In the EU

GDPR covers spam, and its provisions are stricter than the US and Canadian laws. Not only does GDPR require recipients to opt in to marketing messages, there’s no implied consent by people who are already your customers. To add people, you need to make a separate, specific request, with no pre-checked boxes, and parental consent for anyone under the age of 16. GPDR fines are roughly $11 million per incident.

In Brazil

Brazil passed its own privacy law in August 2020. The law, which is called Lei Geral de Protecao de Dados (or the LGPD), is similar in scope and effect to the European Union’s General Data Protection Regulation (GDPR). Like the GDPR, the LGPD requires businesses handling personal data to be accountable for collecting, using and managing that information appropriately. It also provides individuals with new rights. You can learn more about the basics of the LGPD here.

Anti-Spam Best Practices to Follow

  • For your existing list, only send marketing messages to people you’ve done business with within the past two years. 
  • For all new sign-ups, create a separate opt-in form that includes a tick box for recipients to indicate whether they’re age 16 or older.
  • Identify your business clearly in all your marketing messages.
  • Include an easy-to-use opt-out tool with every message you send.
  • Comply with opt-out requests quickly.

Your Intellectual Property

Technically speaking, you hold the copyright to the stuff you create as soon as you create it, but a copyright notice on your site is always a good idea. It accomplishes the obvious goal of letting visitors know that the content on your site belongs to you.

If you have registered trademarks for your business name, products, or services, include a trademark notice on your site. We talk about trademarks in our article on small business permits and licenses.

Your Website’s Accessibility

The Americans with Disabilities Act (ADA) requires that most businesses make their websites accessible for people with vision, hearing, and other impairments. The ADA requirement may not apply to your business if you’re very small or just getting started. Businesses that operate at least 20 weeks each year *and* have 15 or more full-time employees must maintain accessible web sites. 'Public accommodation' businesses like transportation and hotels must also comply.

Even if you’re not required to make your website accessible, it’s a good idea, because more than 12% of Americans have some form of disability. Not only that, accessible features like larger fonts, clear contrast between fonts and backgrounds, transcripts of videos, and written descriptions of images can be useful to everyone-think about how many people watch videos with the sound off and you’ll see why captions or transcripts are a smart move. UC Berkeley has a great guide to making your site accessible.

Make Your Small Business Website Legally Compliant

Creating a compliant site takes some work, but the payoff is a safer business web site, stronger customer trust, and a lower risk of privacy and security related fines and losses later on. If you’re a HostGator customer, contact us to add the Privacy and Security Bundle to your website now.