Website Legal Requirements for UK Charities: Does Your Site Comply?

19 April 2017
Website legal requirements

If you are asking yourself what legal requirements you need to comply with when building a new charity website then this post should help. We’re not lawyers but we do build a lot of websites so we’ve done the hard work of gathering the information you need to know. Of course, the responsibility for all legal compliance is on you so please don’t just assume we’re right. But do let us know if you think we’ve missed something.

This post is written for our charity clients but it should be applicable to a wide range of organisations.

Collecting data about people

The hardest legal requirements to get your head round relate to the collection of information about users of your website. The way you manage this data is governed primarily by the Data Protection Act 1998 (DPA). In order to comply with your legal obligations and avoid costly mistakes, you must make sure the information you store is kept secure, accurate and up to date. This legislation covers all of your activities but in relation to the website, there are four specific things to consider, as follows.

1. Registration with the ICO

If your organisation processes data as defined by the DPA then you need to maintain a registration with the Information Commissioner's Office (ICO). This applies to most organisations but you can comply very quickly on the ICO website.

2. Privacy policy

If you process data then you must also show a privacy policy or data protection notice. The policy must cover how you handle private information including your approach to cookies (more on that below) that are placed on a visitor's machine when they visit your website. Typically this policy is linked to from the footer of your website. Because most sites are similar in the manner they collect information you may be able to grab this from another website and adapt it to your needs. 

3. Cookie compliance notification

Cookies are simple text files that are stored on your computer by almost all websites that you visit so they can track information about you. This can include which pages you click on or whether you visited the website in the previous few days. 

A few years ago, the ICO made it clear that if you store cookies on a user’s machine it is not sufficient to have a clause covering this buried in your privacy policy. Instead, you need to gain their ‘consent’. Quite how actively this consent is given remains slightly unclear but the relevant passage of guidance is as follows:

To be valid, consent must be freely given, specific and informed. It must involve some form of positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.

The first paragraph says ‘it must involve some form of positive action’ but the second says it does ‘not necessarily have to be ‘opt-in’. As a result of this lack of clarity, some websites resort to putting annoying pop-ups on their site that need to be dismissed (but offer the user no choice). In our view, this seems to offer a very poor user experience. We, therefore, recommend having a clearly worded notice about cookies in the website footer with a link to the privacy policy. Ultimately, you must make your own decision. 

4. Website security

It's important to be on top of this but it's a major subject so we recommend reading our post on how to keep your website secure

Showing organisational information

You need to publish a certain amount of information about your organisation on your website.

What information should be shown?

  • Name of the company or charity.
  • Registered address.
  • The part of the UK in which the company or charity is registered.
  • Registered number.
  • VAT number, if registered for VAT

Where should this information be shown?

There are no specific rules about where this information should be displayed. We recommend showing it in the footer of your website so that it appears on every page but some organisations choose to show it only on the 'about us' or 'contact us' pages. 

Regulated professions

Websites for those in a registered profession (such as solicitors or doctors) must also show the following information for each individual professional who is listed on the site:

  • Details of any professional body or similar institution with which he is registered.
  • Professional title and the place where that title was awarded.
  • A reference (ideally through a hyperlink) to the professional rules applicable to the service provider.

E-commerce sites

There are a number of additional requirements for the provision of information when concluding contracts online. To ensure these are all covered, eCommerce sites should display a page of ‘terms and conditions’ available to all users. These should be laid out clearly and written in plain English. To safeguard your interests, these should be reviewed by a lawyer.

Distance Selling Regulations

E-commerce providers should make themselves aware of the Distance Selling Regulations. Among other things, these regulations require e-commerce websites to provide the following information:

  • The main characteristics of the goods or services offered on the website.
  • The price of the goods or services, including all taxes.
  • The cost of delivery of the goods or services.
  • Payment and delivery information.
  • A notice that the consumer has the right to cancel the contract without cause during a seven-day cooling off period, other than in exceptional cases.
  • The minimum duration of any permanent or recurrent contract.

Fundraising regulations

The top 1,000 fundraising charities receive over half of all fundraising income. This represents a huge opportunity for smaller charities to increase their fundraising. But what are the dos and don'ts of fundraising? If you are intending to do more fundraising this section should give you some guidance on how to do it responsibly.

The basics

Regulations on charity fundraising in the UK are voluntary. This means that the charity sector relies on a ‘self-regulatory’ framework to ensure best practice in fundraising. The thinking behind this is that it is in charities’ best interests to maintain a good reputation for the whole sector. It also saves money and bureaucracy if the sector can effectively police itself.

Self-regulatory fundraising framework

The self-regulatory framework relies on a number of key actors and resources. 

Codes of Fundraising Practice have been produced to provide broad best practice guidance in various key areas. These are maintained by the Fundraising Regulator which also handles any complaints and works proactively with charities to improve the reputation of the sector and promote responsible fundraising practices.

Quick fundraising checklist

If you have clear answers to the following there is a good chance you are at least on the right track.

  • Are you confident of the privacy and security of data you hold on your supporters and stakeholders?
  • Are donations processed securely?
  • Do your marketing materials contain clear information about your organisation and activities that could not be seen as misleading?
  • Could any of the imagery in your materials be shocking or offensive?
  • Have you made it clear how supporters can donate in a tax efficient manner?
  • Do you have a complaints procedure? How is this publicised?

If you have any doubts about legal requirements, you should really speak to a lawyer. However, if you have any general questions about setting out information clearly on your website and creating a smooth user experience then get in touch.

This post was originally published in January 2013 and was last updated in April 2017.

Subscribe to our newsletter to get the latest tips straight to your inbox.