Legal information
Legal notices on a website are compulsory. Failure to do so may result in prosecution. The way they are written will vary according to the type of organisation you are and your personal data management practices. Over and above the obligation, careful drafting of your legal notices will demonstrate your professionalism and reduce the risk of legal action.
They contain a wide range of information, the content of which varies from case to case. They should therefore not be drafted lightly. How should they be written? What cases are possible? What penalties apply in the event of failure to comply? Find out everything you need to know about legal notices.
Please note: the legal texts may have been amended subsequent to the publication of this article. We therefore advise you to look at the date of publication and check whether the information in the article is still up to date.
Legal information: what is it and what is it for?
All websites must include a certain amount of information, in accordance with the French law on confidence in the digital economy (LCEN) of 21 June 2004. This information must enable those responsible for the site to be easily identified. This desire for transparency ensures that everyone can contact the owner in the event of a problem or dispute.
This set of information, known as the Legal Notice, must therefore be visible, complete and easily accessible to all website users. In general, all that is required is to make it accessible via a link placed in the footer of the site’s home page. In this way, any Internet user can report problems with a site or the publication of illegal content.
The obligation to include legal notices applies to both personal sites (blogs and other sites that do not have a commercial objective) and professional sites (linked to a business or commercial activity).
Failure to comply with these obligations can result in penalties of up to one year’s imprisonment and a fine of up to €375,000.
This article deals with the obligations for professional websites. For personal websites, where the obligations are less stringent, see the article Terms and conditions on your website: obligations to be met.
Legal notices for the website of a sole trader or a company can be grouped into two categories:
Identification information
Information relating to the use and management of cookies
Identification details
These are used to identify the owner of a website, as well as the website host. For a natural person, a sole trader, the following must be included:
- Full name,
- Home address,
- Telephone number and e-mail address
For a legal entity, a company, you must display :
- the company name: company name and SIRET number,
- its legal form,
- the amount of its share capital,
- the address of the registered office.
In addition to the information identifying your organisation, you must add the details of your website host:
- name of the host
- company name ;
- address ;
- SIRET number ;
- telephone number.
Information relating to intellectual property
If you use images, illustrations or photographs, you must indicate their intellectual property. For texts that are not your own, you must obtain the author's permission or at least quote the source of the text.
The purposes of collecting data via cookies
To analyse the behaviour of users, such as their browsing habits, their consumption habits, their movements... the sites use a small file deposited on the computer of the user: the cookie. We distinguish: The «necessary» cookies for the proper functioning of the website. They allow, for example, to save a shopping cart, login credentials or to track the actions of a user on the website which collect personal data of the user to track the user’s behavior and serve advertising purposes With the exception of cookies necessary for the functioning of the website, The use of all other cookies must be explained clearly and precisely to all users of the website. In addition, it is mandatory to obtain prior consent for the processing of such personal data. This is the window that appears when you first visit a site and asks if you accept the conditions (related to the management of your personal data) of the site. On this subject, the CNIL insists on the need for the collection of consent from users to offer the same simplicity for refusal as for approval. For more information on the compliance of the use of cookies on a website, you can visit the following sites: Cookies and tracers: how to bring my website into compliance? (Cnil.fr) Cookies and tracers: what does the law say? (Cnil.fr) Use of personal data: your information obligations towards the user (Economie.gouv.fr) To refuse cookies must be as simple as to accept: balance of the second notice campaign and future actions (Cnil.fr)
Recipients of personal data
These are the people who have knowledge of the personal data collected. In the case of a professional website, this is usually the company that publishes the site and the site host. This section of the legal notice should also indicate whether personal data is transferred outside the European Union. This is particularly the case when the website is hosted by a foreign host with servers outside the European Union. This may also be the case if you use tools offered by companies outside the EU, such as Google Analytics.
In which language should the legal notices be written?
If your customers are consumers or end-users of goods, products or services, you need to draw up your legal notices in French.
The Toubon Act of 4 August 1994 on the use of the French language stipulates that ‘the use of the French language is compulsory in the description, offer, presentation, instructions for use or use, and the description of the scope and conditions of guarantee of a good, product or service’ (art. 2).
However, it is not compulsory between French and foreign professionals and private individuals.
The circular implementing this law (Circ. 19-3-1996 art. 2.1.1, 1) specifies that ‘invoices and other documents exchanged between professionals, persons under French and foreign private law, who are not consumers or end users of goods, products or services, are not covered’ by the obligation to use the French language. Find out more about the use of the French language on the DGCCRF website.
A few tips from a lawyer to make sure you don't forget anything
Laurent Latapie, a lawyer at the Draguignan bar, lists the points not to forget when drafting legal notices, which can also serve as a good basis for drafting: Creating a website or an application: what must the legal notices contain?
Obligations specific to certain activities
Depending on the type(s) of activity involved, the professional website must also contain the following information: Commercial activities: registration number in the Trade and Companies Register (RCS) and, if you have one, an intra-Community VAT number Artisanal activities: registration number in the Trade Register (RM) Editorial activities: for all sites offering articles, blogs and other information: name of the director, co-director or person responsible for publication Activities subject to an authorisation scheme: name and address of the authority that issued the authorisation to operate.
Information on the use of personal data and cookie management
Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, websites (and, more broadly, any person or organisation collecting personal data) must identify the processing carried out and implement the rights guaranteed by the GDPR. Personal data is any information relating to a natural person: surname, first name, address, telephone number, etc. The RGPD distinguishes between two situations: The natural person is identified directly: direct collection of the user's data, by the user for example by filling in a form or through observation of his or her activity (geolocation, IP address, etc.) The natural person is identifiable indirectly: data recovered from commercial partners or collection of data which indirectly makes it possible to find the personal data of users In these two cases, the website must contain a certain amount of information. Please note: in order to inform Internet users about how their data is processed and stored, you may choose to make this information available after the identification details, on the same page, or on a dedicated page that you could call a Privacy Policy or Privacy Charter, for example.
The legal basis for data processing
The legal notice must specify, in accordance with the GDPR, on which legal basis the data processing implemented on your site is based. It is permissible to process personal data when the processing is based on one of the 6 legal bases mentioned in article 6 of the GDPR: consent: the person has consented to the processing of his or her data; the contract: the processing is necessary for the execution or preparation of a contract with the data subject; the legal obligation: the processing is imposed by legal texts; the public interest mission: the processing is necessary to carry out a public interest task; legitimate interest: the processing is necessary to pursue the legitimate interests of the body that processes the data or of a third party, in strict compliance with the rights and interests of the persons whose data are processed; safeguarding vital interests: the processing is necessary to safeguard the vital interests of the person concerned, or a third party. Where the same data processing pursues several purposes, that is to say, several objectives, a legal basis must be defined for each of these purposes. However, it is not possible to «cumulate» legal bases for the same purpose: one must be chosen. The most common legal basis is consent. It ensures that data subjects have a strong control over their data, allowing them to: understand the processing that will be done of their data; to choose without constraint whether or not to accept this processing; to change their opinion freely. You can consult, for example, the page dedicated to the Charter of respect for privacy of Legalstart, a platform of legal services online for small and medium-sized businesses/SMEs. Understanding the RGPD - The legal bases Taking account of the legal bases in technical implementation The lawfulness of processing: the essentials of the legal bases provided by the RGPD
Users' rights to their personal data
In accordance with the RGPD, legal notices must inform users of their rights (right of access, rectification, opposition, deletion, etc.). Users may, for example, decide to withdraw their consent. It is also important to provide an email or postal address that users can use to exercise their rights. Certain uses of personal data (Cnil.fr) require you to indicate the contact details of the Data Protection Officer (DPO) (Cnil.fr) that you will have had to appoint. In most cases, small organisations whose data processing is limited in volume can simply indicate the address of an e-mail box dedicated to exchanges relating to personal data. To find out more: Businesses: how to implement users' rights in accordance with the RGPD? The rights to control your personal data! (Cnil.fr)
Other additional information that may be required
To prevent potential disputes with users of your site, you can draw up general terms and conditions of use (GTCU). They constitute a contractual document. By accepting them, users agree to abide by a certain number of rules. To find out more, read our article: Drawing up general terms and conditions of use (GTCU) for your business website Merchant websites, particularly e-commerce websites offering online sales and payment services and goods delivery services, must display their general terms and conditions of sale: to find out more, read our article: Drawing up general terms and conditions of sale (GTCS) for your business website.
Find out more
What information must be included on a professional website? Mandatory information on your website Need help. Ask your question and the CNIL will reply
