Effective companies use their websites to engage with visitors, understand their market, and drive sales — but the legal landscape has grown so complex in recent years that maintaining a strong website for your organization can be a minefield of potential regulatory, litigation, and reputational risk. In this article, we identify some potential legal risks that may be lurking on your website.
Cookies and Other Tracking Technologies
Online tracking technologies — such as cookies, pixels or web beacons, and session replay tools — can perform a variety of functions on a website. Depending on their purpose, their use may be regulated; however, regulation can vary significantly by jurisdiction. For instance:
- In some jurisdictions, such as the EU, businesses must obtain consent from consumers before tracking technologies collect data about the consumer’s website visit — this is often achieved by presenting an opt-in cookie “pop-up.”
- In other places, as in some U.S. states, businesses must allow consumers to opt out of online targeted advertising or the “sale” or “sharing” of their data via third-party cookies, which can be done, at least in part, by presenting an opt-out cookie “pop-up.”
- Plus, some jurisdictions have taken issue with cookie “pop-ups” that do not present symmetry of choice, alleging that failure to provide equally prominent buttons for a consumer to either “accept” or “reject” cookies constitutes an illegal “dark pattern.”
To further complicate matters, a recent flurry of lawsuits has arisen under wiretapping statutes such as the California Invasion of Privacy Act (“CIPA”) alleging that the use of certain online tracking technologies constitutes an unlawful “wiretapping” or “pen register.” To date, courts adjudicating these lawsuits have reached inconsistent legal conclusions, creating uncertainty and a patchwork of rulings. As a prophylactic measure, some organizations have implemented opt-in cookie “pop-ups” to empower users to make informed decisions about tracking technologies and put themselves in a more defensible position vis-à-vis these sorts of suits. One thing to note about these lawsuits is that they do not discriminate based on the industry or size of an organization — if you have a website, you could be a target. To read further, see our latest update here.
Takeaway: If you have cookies or tracking technologies on your website, you should take a careful look at the jurisdictions where you operate to ensure you are meeting the various requirements for cookie/tracking technology consent in those places.
Chatbots and Online Chat Solutions
The use of chatbots on a website can also trigger a host of legal compliance considerations. For one, AI-powered chatbots carry a risk of hallucinations that may misrepresent the company’s products or services or otherwise be deceptive or harmful to consumers. Additionally, laws in various jurisdictions require a chatbot to disclose to the user that they are interacting with AI, not a live person. Companies should also note that the obligations imposed by privacy laws, including regarding notice, consent, data minimization, data security, and data sharing, apply to the information collected through chatbots and chat solutions. Where chat solutions are provided by third-party vendors, issues can arise regarding whether the vendor has access to the conversations and what it can do with that information, as well as whether the information is sufficiently secured. Some of the wiretapping lawsuits discussed above have also alleged that the use of third-party chat solutions constitutes an illegal wiretap.
Takeaway: If you have a chatbot or third-party chat solution on your website, you should understand whether it uses AI (requiring you to comply with applicable AI laws). If it is operated by a third party, you should vet it appropriately and implement contractual provisions to ensure reasonable security measures are in place to protect data collected through the chat solution.
Privacy Policies
Most companies should have a privacy policy posted on their website. Depending on the privacy laws applicable to the company, specific content may need to be addressed in the policy, including descriptions of how the company collects, uses, protects, and discloses personal information (both online and offline), and what rights are available to consumers with respect to the personal information the company maintains about them. Note that depending on the applicable laws, more than one privacy policy may be required. It is critical that these policies not only cover the legally required content, but that they do so in a way that accurately reflects the company’s privacy practices — including, as discussed above, accurate descriptions of its use of online tracking technologies and chat solutions.
Takeaway: Personal information collected on your website, including data such as IP addresses collected through cookies and other tracking technologies, should be disclosed in your privacy policy.
Website Accessibility
In many jurisdictions, websites are required to adhere to accessibility standards for individuals with disabilities. Title III of the Americans With Disabilities Act (“ADA”) requires all places of public accommodation (which is widely understood to include public websites) to be accessible to individuals with disabilities. A website is typically considered compliant with the ADA if it conforms to the WCAG 2.1 Level AA standards for websites (note that these were recently updated and there is now a version 2.2 that is recommended). These standards have been widely adopted by web developers — but note that, in the U.S., if a website is not up to standard there is a private right of action for violations and there has been an uptick in these cases in recent years.
Takeaway: Make sure your website can be used by people with disabilities.
Conclusion
It is increasingly important to ensure that your public-facing website is not only representative of your brand and supportive of your company, but also compliant with the increasingly complex legal landscape. Because websites are public-facing, their compliance issues can make for low-hanging fruit for regulators and plaintiff’s counsel alike.
For many companies, the most difficult part of website compliance is translating the law into actionable guidance for their engineering teams.