Repeat after me: unless a contract says otherwise, it is the website owner’s responsibility to comply with website-related privacy regulations – it is not the web designer’s problem.
Phew, that was a close one. Now us web designers can all leave to get tacos. It’s your clients’ problem. Let them fend for themselves!
.
.
.
Ok, that was a test. If you’re still here, I’m proud of you. You passed, even when tempted with tacos. After all, DESIGNERS LOVE TACOS.
Yes, most of the time any legal action will be focused on the website owners, not the designer or the agency. However, depending on the contract, a website owner could have the right to turn around and sue their web designer (check those contracts!). Also don’t forget that most web designers have a website of their own that can be targeted directly for non-compliance (so check your own policies!).
But, for the sake of this blog, we will focus on protecting your agency when building and managing websites for clients.
So, protection from what?
A client’s website is the client’s responsibility, so why do you need to be cautious?
For one, it’s the right thing to do. If we’re building forms for clients, installing analytics tools, or updating a client site in any way that collects personal information, it’s reasonable to think that we have an ethical obligation to give the client a heads up that regulations may now apply to them for the updates we made to their site.
Additionally, what’s to stop an upset client from turning the blame on you? Maybe they withhold certain payments or write poor reviews? Maybe they even pull together a lawsuit of their own that’s directed at you.
And… who can blame them? Before I continue, just know:
Look at it like this. Let’s say you hire a contractor (a metaphor for web designer) to build your house. That contractor uses an electrician from Temu (a metaphor for free Privacy Policy Templates) to get the house circuitry up to code.
If one day you decide to use your toaster and phone charger at the same time and the whole house goes up in flames, you’re not calling the Temu electrician. You’re calling the guy/gal you paid to put the whole house (a metaphor for a website) together.
The reality is, if a small business client of an agency finds themselves dealing with a website-related fine or lawsuit, chances are the very first thing they’ll do is reach out to the agency, asking “what the heck!?”. This blog is designed to give you actionable steps on how to best protect your agency from this scenario… and put Kyle’s face on a dragon.
Step 1: Inform clients about how personal information is getting regulated
Education is king. Why else do you think Tyrion Lannister became King of the Iron Throne in ‘Game of…’ wait, THEY GAVE IT TO BRAN?! I don’t even feel bad for spoiling it.
In a properly written, seasons 1-6, world… Education is king. It’s also up to web designers to provide that education. That’s because websites are what web designers know best, and Privacy Policies (while legal documents) are part of websites.
So here’s a quick lesson plan you can follow:
Lesson 1: Regulations apply to most websites
Major points to share:
- Privacy laws are designed to protect people’s online privacy
- More specifically a user’s Personally Identifiable Information (PII)
- Examples: names, emails, phone numbers, IP addresses, etc.
- This means simply having a ‘Contact Us’ form or Google Analytics on your website could require your website to comply with these laws
- Because they protect people, not businesses, privacy laws can apply to your website, even if your business isn’t located in a state/country where the privacy law was enacted
- It’s not just big businesses that need to comply, many laws also apply to small businesses regardless of employee count, revenue amount or amount of PII collected
Lesson 2: Regulations exist
Major points to share:
- Privacy laws exist to protect and regulate the collection of people’s Personally Identifiable Information (PII). This means that when we as website owners collect people’s personal information (such as names and emails through a contact form, or IP addresses behind the scenes via analytics/marketing/security tools), that’s when privacy laws can start applying. When privacy laws apply to us, we have very specific disclosure requirements we must provide in a Privacy Policy.
- Privacy laws have been around for quite some time now, but recently there’s been an increase in the number of laws and the number of businesses fined and sued for non-compliance.
- Laws like GDPR have been in effect since 2018, but the number of enforcement cases has increased each year
- Nine new privacy laws went into effect across 2023 and 2024, with another eight new privacy laws coming in 2025. If applicable, these new laws will require new disclosures within your Privacy Policy
- There’s no sign of it slowing either, as dozens of other bills are currently in the works and may one day become law.
- Concluding thought: your Privacy Policy can no longer be a static page on your site; you must keep it up to date over time with newly applicable privacy laws.
Lesson 3: Non-compliance gets expensive
Major points to share:
- Fines typically start at $2,500 per violation
- Per violation is typically each user who had their rights infringed upon… meaning it can add up quickly
- Examples of privacy violations include not having an up-to-date and compliant Privacy Policy, emailing people without their consent, placing tracking cookies without their consent, tracking users via Google Analytics or Meta Pixel without consent, etc.
- The California Invasion of Privacy Act (CIPA) is back and targeting small/large business websites
- CIPA, a 30-year-old privacy law – initially created to prevent eavesdropping on phone calls – has recently been reinterpreted to include websites
- Courts have determined that a website sharing data with third parties is essentially allowing those third parties to ‘eavesdrop’ on a private interaction between the business and consumer
- We’ve seen numerous website owners (non Termageddon users) receive letters claiming their website may be in violation of CIPA.
Lesson 4: You can protect yourself via website policies
Major points to share:
- Website policies like Privacy Policies, Terms and Conditions, Disclaimers, and Cookie Policies exist to help your website comply with laws and regulations
- These policies MUST be unique to your business in order for them to work. Even a close competitor will likely have a very different set of policies. That’s because:
- Each business has different privacy practices (how they collect, share, and store data)
- Different privacy practices and business practices means different privacy laws apply
- Each privacy law requires its own unique set of disclosures
- So, even the smallest differences in privacy practices could result in a very different-looking Privacy Policy, for example
- Some laws may also require a Cookie Consent Banner to properly obtain consent before tracking users via cookies.
Lesson 5: Their Website 101
Major points to share:
- Lessons 1-4 are great and all, but at the end of the day clients need to know how this applies to them
- List out all the technologies you’ve embedded on their website that collect or share PII in a report you send to the client
- Examples: reCAPTCHA, Meta Pixel, Google Analytics, Google Fonts, eCommerce tools, YouTube/Vimeo embeds, forms, newsletter subscription forms, etc.
- Explain why you’re sending this list to them: “I’m not a lawyer, but I think privacy should be taken seriously. To the best of my knowledge, this list compiles all the tools on your website that may be collecting, sharing or storing user PII. I recommend you pass this along to an attorney or reference it when using a Privacy Policy Generator.”
- Create a clear, visible place for policies to go:
- Usually in the website’s footer
- Listed under specific names (Privacy Policy, Disclaimer, etc.) not just ‘legal’
- Point them in the right direction to obtain these documents (more on that later)
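Building that technology list by hand is easy to get wrong (a tag manager or a preconnect to a font host is easy to overlook), so here is an added example of how I’d start it: a small Python script, not Termageddon’s code and not from the original post, that parses a page’s HTML and reports every third-party script, iframe and stylesheet host plus any form that asks for PII. The signature table mapping loader hostnames (googletagmanager.com, connect.facebook.net, fonts.googleapis.com and so on) to tool names is my assumption, and the sample page and the site host www.example.com are constructed for the demo. Anything loaded from a host that isn’t in the table and isn’t the site itself is reported as an unreviewed third party rather than dropped, which is the case you most want a human to look at.

```python
"""Inventory the data-collecting technologies embedded in a page's HTML.

Added example (not the original post's or Termageddon's code). Standard
library only. Hosts not in SIGNATURES are still reported, as unreviewed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed signature table: substring of a loader URL -> technology name.
SIGNATURES = {
    "googletagmanager.com": "Google Analytics / Tag Manager",
    "google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "google.com/recaptcha": "reCAPTCHA",
    "gstatic.com/recaptcha": "reCAPTCHA",
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "youtube.com": "YouTube embed",
    "youtube-nocookie.com": "YouTube embed",
    "player.vimeo.com": "Vimeo embed",
}

# Field name / type fragments that indicate a form collects PII.
PII_FIELDS = ("name", "email", "phone", "tel", "address")


class TechInventory(HTMLParser):
    """Collects (technology, evidence) pairs in document order."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_form = False
        self._form_fields = []
        self._form_action = ""

    def _classify_url(self, url, tag):
        host = urlparse(url).netloc.lower()
        if not host or host == self.site_host:
            return  # relative or same-origin: nothing shared with a third party
        lowered = url.lower()
        for needle, tech in SIGNATURES.items():
            if needle in lowered:
                self.findings.append((tech, f"<{tag}> loads {url}"))
                return
        self.findings.append(("Unreviewed third-party host", f"<{tag}> loads {url}"))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self._classify_url(a["src"], tag)
        elif tag == "link" and a.get("href"):
            rels = (a.get("rel") or "").lower().split()
            if any(r in rels for r in ("stylesheet", "preconnect", "dns-prefetch")):
                self._classify_url(a["href"], tag)
        elif tag == "form":
            self._in_form = True
            self._form_fields = []
            self._form_action = a.get("action") or "(same page)"
        elif tag in ("input", "textarea", "select") and self._in_form:
            candidates = [(a.get("name") or "").lower(), (a.get("type") or "").lower()]
            if any(p in c for c in candidates for p in PII_FIELDS):
                self._form_fields.append(candidates[0] or candidates[1])

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form = False
            if self._form_fields:
                self.findings.append(
                    ("Form collecting PII",
                     f"fields {self._form_fields} posted to {self._form_action}"))


def inventory(html, site_host):
    """Parse one page and return [(technology, evidence), ...] in document order."""
    parser = TechInventory(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for the demo (placeholder IDs, example hosts).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="https://www.google.com/recaptcha/api.js"></script>
<script src="https://cdn.example-chat-widget.net/loader.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<form action="/contact" method="post">
  <input type="text" name="full_name">
  <input type="email" name="email">
  <input type="hidden" name="csrf_token">
  <textarea name="message"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    for tech, evidence in inventory(SAMPLE_HTML, "www.example.com"):
        print(f"{tech:32} {evidence}")
```

Run it against each page of the client site (the HTML as served, since tag managers and consent scripts are often injected server-side) and paste the output into the report you send them. It only sees what is in the markup; tags loaded by a tag manager at runtime won’t appear, so also walk the tag manager container itself.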
Step 2: Give your client options
Remind your clients that it is THEIR responsibility to get the proper policies and consent solutions in place for their website. But, since you’re such a nice guy/gal, you won’t just leave it at that. You’ll provide options!
**LiFe HAcK**: Tell them all this over email. It’s always a good idea to have a paper trail when dealing with this stuff (more on that later). Just in case you ever need to defend your honor and a duel is out of the question.
Here are the three options to provide your clients with:
Option 1: Use your own attorney
This is the best option your client can opt for to protect their own website (and subsequently you) from any website-related legal hiccups down the road.
Not only can a privacy attorney provide your client with all the policies they need based on what laws apply to them, but they can also provide legal advice. As great as Termageddon is, we aren’t in the legal advice business… Speaking of which, this blog post with GoT references and photoshopped dragon faces is not legal advice.
While it’s the best option, it’s also a very expensive one. So it might be a difficult sell.
Option 2: Use a trusted Privacy Policy Generator
A Privacy Policy Generator (PPG) is another great option. Just be sure to get a legit one. Most don’t actually get the job done. You’ll want to suggest a PPG that:
- Has a privacy attorney on staff
- Provides a privacy law identifier
- Adapts its questionnaire and policies to match a business’ specific needs
- Monitors privacy law changes and upcoming laws
- Auto-updates policies as needed
Full disclosure: my paycheck comes from Termageddon, so I highly recommend that one.
Partial disclosure: I’m taking my kiddos to Disney World next year and it may financially ruin me. So, tell them Trevor, the blog guy and mediocre photo-shopper, sent you.
Option 3: Do nothing
At the end of the day, it’s their business and their website. They paid for your expertise and experience and you provided both of those things. It’s perfectly okay for them to say ‘no’ to all of this and take the risk.
Just make sure you have it documented that you informed your clients about their potential legal requirements, offered them options, and explained the risks involved with ignoring it.
Step 3: Get & save documentation
I’ve mentioned it a few times already and now I’m giving it its very own step: GET IT ALL IN WRITING. You provided the information. You offered the options. Now it’s time to have proof you did these things.
If a client ever gets into some kind of non-compliance trouble in the future and reaches out to you about it, you’ll have something other than a handshake to point to.
It’s like when you go rafting, you sign a waiver that says: this is risky, follow instructions, you’ve been warned, don’t blame us if you catch a rogue fish to the face. That’s mildly paraphrased, but you get the idea.
We actually liked the waiver analogy so much that we created our own Website Policies Waiver.
It’s free to use, just change the details to match your company and send it off to past, current, and future clients to make sure you’ve let them know that regulations are out there, and it’s their responsibility to do something about it. It’s not too late to get this documentation in place and saved somewhere in case you ever need it down the road.
In addition to this waiver, double-check your primary contract to make sure it doesn’t say something like, “agency will ensure that website will comply with all applicable laws, rules and regulations.”
Remember how earlier I said:
However, depending on the contract, a website owner could have the right to turn around and sue their web designer (check those contracts!)
Wording like that is what I was referring to. Making statements like that could open your agency up to being sued by your clients.
Conclusion
This blog isn’t designed to scare you – even though there has been an alarming surge in agencies reporting that their previous clients have been contacted about possible CIPA violations. Don’t worry, none have been Termageddon users (you can listen to the Privacy Lawls episode about the CIPA lawsuits here).
Rather, this blog is a reminder that these laws and the fines and lawsuits associated with them are only growing in numbers. As an agency, you can either embrace it and prepare for it, or pretend they don’t exist.
Think of it like this.
Let’s say you have a giant wall made of – I dunno – ice that has been around for ages. There’s a really good chance that you and all your clients on the south side of that wall will continue to be just fine.
BUT, hypothetically, let’s say an army of regulations starts multiplying like crazy and conveniently gets an undead ice dragon. They could blow through that wall of protection in a matter of seconds, in a super anticlimactic way that leaves you extremely frustrated.
If that were to happen, you are going to wish you had taken the time to warn all your clients that this was coming via – I dunno – a physical zombie ice man in a box. That way you can live to fight another night in another anticlimactic battle nobody can see… that’s all I’m saying.
For those of you who haven’t seen Game of Thrones, the confusion you feel now is probably similar to how your clients feel about Privacy Policies.
I hope this helps!