ava's blog

personal websites and the law

You can quickly create a website, but are there legal requirements you should be aware of?

Many of us don’t remember a time when we had to consider the legal ramifications of our online presence. We made forum accounts, then later social media accounts, and everything else was taken care of by the service. We were just users and didn’t collect any data, as the service processed it all for us.

Now we are webweavers, in control of our own websites. Depending on whether we host our websites independently on a VPS or on a platform like Neocities, Nekoweb, or GitHub Pages, the lines begin to blur - am I now responsible for fulfilling legal requirements, or am I still just a user?

The Basics

In general, having a website means you are now required to research and know about possible responsibilities, even if you’re using a service to host your website. People now visit your website directly, rather than viewing a profile embedded within a social media platform. If you collect data, it might be for you personally now, like for sending out newsletters or seeing readership numbers. Your host likely processes little if any information for themselves (compared to social media services).

But do not fret! What applies to you depends heavily on your location and on what you offer on your website. It's good to be aware of some of the global basics and common practices, as well as your local situation. The internet has no borders and privacy laws tend to have a wide scope - the General Data Protection Regulation (GDPR), for example, applies to any website that is offered to individuals in the EU.

The two main things that might be relevant for you are cookie banners and a Privacy Policy.

Cookie Banners

Cookies are small text files that are stored by your browser. You’ve seen cookie banners as those pop-ups on websites asking for your consent for first-party and third-party cookies, often separated into allowing all cookies or only what's necessary. They usually include a link to a cookie policy that provides information about all cookies used on the site and their purposes.

Both the ePrivacy Directive and the CPRA (California Privacy Rights Act), among others, require cookie consent, especially the option for granular consent that can be revoked or added for different types of cookies and parties. Where international privacy laws tend to differ is whether the cookie banner is opt-in or opt-out.

You need the consent of your visitors (and therefore a cookie banner) if you use cookies that process personal data or track website visitors. Strictly necessary, essential cookies are okay.

If you don’t use cookies at all (for example: no logins, no analytics, no forms, etc.), you’re likely in the clear. If you are unsure whether your cookies count as essential or non-essential, you should research it. A good general pointer is: cookies like session cookies that are used to keep users logged in, keep their design preferences or keep their shopping cart are usually deemed essential, while third-party cookies (also called tracking cookies) are deemed non-essential. Third-party cookies are set when you use analytics services, or show ads, embedded YouTube videos, Spotify songs, Last.fm activity or social media widgets. These services place their own cookies on your visitors' devices (hence "third-party"), and you are still considered responsible for them.

Wait a minute! You're probably wondering how that's supposed to work. You can’t control when those services place cookies in your visitors' browsers, and it will likely happen during page load, regardless of what the user decided in your cookie banner. So, what should you do?

YouTube offers a privacy-enhanced mode when embedding videos. In this mode, YouTube only sets cookies if the user interacts with the video (e.g., by playing it). Until the video is played, no cookies are stored. When embedding the video, use https://www.youtube-nocookie.com instead of the regular youtube.com domain. Other services you want to embed may have similar privacy modes. You can then note on the page that interacting with the embed will cause these services to place cookies, and that by interacting the visitor agrees to this.

Bigger, more professional websites handle this issue by preventing these elements from loading until the user opts in, either via the cookie banner or directly in the embed itself. You may have seen this on news websites, which ask for your consent before displaying an embedded tweet, for example.
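Here is one way to do exactly that, as an added example written for this post rather than code from the original: a small click-to-load embed in plain JavaScript. Nothing is requested from YouTube while the page loads; only after the visitor clicks the placeholder is an iframe created, and it points at the privacy-enhanced youtube-nocookie.com host. The `yt-gated` class name, the `data-video-id` attribute, the attribute set on the iframe and the sample video id in the comments are all assumptions made for this example.

```javascript
// Added example (not from the original post): a click-to-load YouTube embed.
// Until the visitor clicks the placeholder, nothing from YouTube is requested,
// so no third-party cookie can be set during page load. After the click the
// iframe points at the privacy-enhanced host, youtube-nocookie.com.
// Assumed markup (names chosen for this example):
//   <div class="yt-gated" data-video-id="AbC123xyz-_"></div>
// The id "AbC123xyz-_" is a constructed sample, not a real video.

const NOCOOKIE_HOST = "https://www.youtube-nocookie.com";

// YouTube video ids are 11 characters from this alphabet. Validating the id
// keeps a stray attribute value from smuggling another host or path into src.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

function embedUrl(videoId) {
  if (!VIDEO_ID_RE.test(videoId)) {
    throw new Error("invalid YouTube video id: " + videoId);
  }
  return `${NOCOOKIE_HOST}/embed/${videoId}`;
}

// Pure state for one gated embed; the DOM glue below is only a thin wrapper,
// which keeps the consent logic testable outside a browser.
function createGatedEmbed(videoId) {
  const url = embedUrl(videoId); // validate early, long before any click
  return {
    videoId,
    consented: false,
    // Returns the iframe attributes once the visitor has opted in, else null.
    iframeAttrs() {
      if (!this.consented) return null;
      return {
        src: url,
        width: "560",
        height: "315",
        allow: "encrypted-media; picture-in-picture",
        referrerpolicy: "strict-origin-when-cross-origin",
      };
    },
    // Called from the click handler: records the opt-in and hands back attrs.
    consent() {
      this.consented = true;
      return this.iframeAttrs();
    },
  };
}

// Browser glue: show a button, and swap it for the iframe only on click.
function mountGatedEmbed(container) {
  const embed = createGatedEmbed(container.dataset.videoId);
  const button = document.createElement("button");
  button.type = "button";
  button.textContent =
    "Play video (loads content from YouTube, which may then set cookies)";
  button.addEventListener("click", () => {
    const iframe = document.createElement("iframe");
    for (const [name, value] of Object.entries(embed.consent())) {
      iframe.setAttribute(name, value);
    }
    container.replaceChildren(iframe);
  });
  container.replaceChildren(button);
  return embed;
}

// Only touch the DOM when one exists, so the file also loads under Node.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    document.querySelectorAll(".yt-gated").forEach(mountGatedEmbed);
  });
}
```

The button text doubles as the on-page note the previous paragraph suggests: the visitor is told, at the moment of choice, that clicking will load third-party content. The same pattern works for any other embed; only `embedUrl` and the iframe attributes change.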

If none of these options work for you, you may need to link to the resource instead of embedding it.

When you come to the conclusion that installing a cookie banner is necessary, don’t forget to write a Cookie Policy too!

If your host provides analytics that you have no control over, and that you therefore cannot disable when a visitor declines consent, it's good to mention that in a Privacy Policy.

Privacy Policy

The need for a Privacy Policy gets triggered when you collect personally identifiable information - also shortened to PII. This includes names, usernames, physical addresses, email addresses, and can also extend to IP addresses, location data and more.

It's always good to have one: It gives you a dedicated space to list specific information your website collects, how it is collected, the purpose of the collection and whether any of it is shared with a third party, plus ways to contact you as the website operator.

If you don't collect any PII yourself but use services that do, it's still good to note that here. You might mention that your blog host gathers analytics for you, or that Cloudflare handles your DNS and protection while also collecting data about your visitors, or that you are importing a Google Font, and include a link to the Privacy Policy of each of those services. If you use any similar services for your website hosting or domain management, it's worth looking into and including them too.

There are free Privacy Policy generators from official data protection agencies online that you may use, and it is worth looking at others' Privacy Policies to see if anything might apply to you or is missing from yours.

Local laws

It's important to do your own research and exchange experiences and information with fellow webweavers who live in the same country and might be aware of local laws specific to you.

One such example would be the Impressumspflicht or the Anbieterkennzeichnung for websites in Germany, which is the requirement to have a legal notice on your website if you post journalistic, editorial content that gets published periodically - a fairly broad and vague scope. This necessitates a page with your name, physical address, e-mail address and/or phone number. It is unfortunately scary to expose your real address online, but there are services that lend you their address and handle incoming letters on your behalf, which would fulfill the legal requirements for the address.

Find out if any such things exist in your country.

Topic-specific laws

As you build and iterate on your website, you’ll need to decide what to put on it. What images? What font? Do you want to use music? Depending on what you’re using, there are other considerations to keep in mind.

Copyright

Copyright basics for using images, fonts and other content are one piece of the puzzle. Even personal websites like yours can infringe copyright and receive takedown requests or get into legal trouble. Copyright rules are typically better known than the requirements around cookies and a Privacy Policy, largely thanks to artists who educate others and defend their works.

In practice, this means you need to ensure that the resource you want to use is either in the public domain, or explicitly licensed for reuse (for example, under a Creative Commons license), or that you have permission from the creator. There is also the concept of fair use, but it's a very limited and vague concept in most cases, and hard to rely on. The best practice is to use free resources, read their terms carefully, credit the author, and avoid using logos, trademarks, or characters (like fan art or Disney images) without permission.

Newsletters

Also, if you plan to send out newsletters to people - something many services allow you to embed in your website or include through your hosting provider - laws like GDPR and CAN-SPAM, along with other local regulations specific to you, apply.

These laws require that you get clear, opt-in consent from your visitors before collecting their e-mail address, are transparent about what kind of emails you'll send, don't use pre-checked boxes, give users the ability to opt out and unsubscribe, and more. It can help to use a privacy-compliant provider that handles consent and subscriptions for you, like Buttondown or Mailchimp.

Conclusion

The good news is: You never have to navigate these legal waters alone. While it’s important to stay aware of your responsibilities, remember that these laws are there to protect both you as the webweaver and your visitors from data misuse and intense tracking. As you take the time to understand and possibly make some adjustments, you're not only creating a safer space for your visitors (often other fellow webweavers!), but you're also leading by example.

Don’t forget that you can always adjust things as you go, and will need to: Web compliance isn’t set in stone, and there are plenty of resources out there to help you as you continue to evolve your site and find your style.

So, take a deep breath, stay informed, and most importantly, enjoy the process of weaving your website. You've got this!

Disclaimer: Keep in mind that this overview is not intended as complete legal advice. The laws surrounding privacy, copyright, and other topics discussed here can be complex and vary by region. It’s important to do your own research and consult with legal professionals if you have specific concerns about your website. This is simply a guide to the most common and relevant issues you'll encounter in the indie web, designed to point you in the right direction and help you understand the basics. :)