
As a design agency, we see every day how complex website law has become – from imprints to consent mode. Small mistakes can, in theory, have significant consequences. The following guide shows what is essential for designing websites that are aesthetic, functional, and legally compliant – from conception to ongoing compliance.
The internet is no longer a legal vacuum. What used to be a simple homepage with a contact address is now subject to clear legal regulations – even small websites must meet numerous requirements.
The most important laws to know include the Austrian Commercial Code (UGB), the Trade Code (GewO), the E-Commerce Act (ECG), the General Data Protection Regulation (GDPR), and the Media Act (MedienG).
The crucial difference lies between private and commercial websites. As soon as a page is used for business purposes – for example, through an affiliate link, an advertising banner, or your own products – comprehensive information obligations apply.
Private blogs or personal homepages have fewer requirements. Still, the GDPR also applies here: As soon as personal data is processed – for example, via contact forms, newsletters, or cookies – the GDPR applies.
The financial risks should not be underestimated. An incorrect imprint can result in warning costs of between €500 and €5,000. GDPR violations can result in substantial fines.
For online shops, the requirements of the E-Commerce Act (ECG) also come into play – violations here can quickly become costly. In short, those who ignore legal details risk not only reputational damage but also significant costs.
We know from experience: Implementing legal requirements retrospectively is usually more complex and expensive than considering them from the outset. Clarifying the applicable legal framework during the concept phase saves time, money, and hassle later on. This applies not only to the technical implementation but also to the design, such as cookie banners, forms, or tracking solutions. A legally compliant website, therefore, doesn't start with a lawyer, but with the initial concept draft.
The imprint is the legal heart of every commercial website. It creates transparency and enables visitors to clearly identify the site operator – a fundamental prerequisite for trust in the digital space.
The imprint requirement arises in Austria from several laws:
The technical implementation is just as important as the content. The imprint must be accessible from every subpage in a maximum of two clicks. It is best placed clearly in the footer or header. The name should be clear – for example, "Imprint," "Provider Identification," or "Contact." The link must not be hidden or nested. It should be equally easy for users and search engines to find.
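The "two clicks from every subpage" rule can be checked mechanically. The following is an added example (not code from the original article or the agency): it models a site as a link graph and runs a breadth-first search from every page to the imprint, flagging any page that needs more than two clicks. The site map, the page paths and the `/imprint` path are constructed for illustration.

```javascript
// Added example: check that the imprint page is reachable from every page of
// a site within at most two clicks. The site map below is constructed for
// illustration; it is not a real site.

const SAMPLE_SITE = {
  "/": ["/services", "/about", "/imprint", "/blog"],
  "/services": ["/", "/services/web-design", "/imprint"],
  "/services/web-design": ["/services", "/contact"],
  "/about": ["/", "/imprint"],
  "/blog": ["/", "/blog/post-1"],
  "/blog/post-1": ["/blog"],            // footer link to the imprint is missing here
  "/contact": ["/", "/imprint"],
  "/imprint": ["/"],
};

// Breadth-first search: number of clicks from `start` to `target`,
// or Infinity when the target cannot be reached at all.
function clicksTo(siteMap, start, target) {
  if (start === target) return 0;
  const seen = new Set([start]);
  let frontier = [start];
  let depth = 0;
  while (frontier.length > 0) {
    depth += 1;
    const next = [];
    for (const page of frontier) {
      for (const link of siteMap[page] || []) {
        if (link === target) return depth;
        if (!seen.has(link)) {
          seen.add(link);
          next.push(link);
        }
      }
    }
    frontier = next;
  }
  return Infinity;
}

// Returns every page that violates the "max two clicks" rule, with its click depth.
function auditImprintReachability(siteMap, imprintPath = "/imprint", maxClicks = 2) {
  const violations = [];
  for (const page of Object.keys(siteMap)) {
    const clicks = clicksTo(siteMap, page, imprintPath);
    if (clicks > maxClicks) violations.push({ page, clicks });
  }
  return violations;
}

// The usual fix: a footer link on every page keeps the depth at one click.
function withFooterLink(siteMap, imprintPath = "/imprint") {
  const fixed = {};
  for (const [page, links] of Object.entries(siteMap)) {
    const hasLink = page === imprintPath || links.includes(imprintPath);
    fixed[page] = hasLink ? links : [...links, imprintPath];
  }
  return fixed;
}

console.log(auditImprintReachability(SAMPLE_SITE));
console.log(auditImprintReachability(withFooterLink(SAMPLE_SITE)));
```

In the constructed site, `/blog/post-1` only links back to `/blog`, so the imprint is three clicks away; adding the footer link everywhere removes the violation. In practice the link graph would come from a crawler rather than a hand-written object.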
Since the General Data Protection Regulation (GDPR) came into force, stricter requirements have applied to the handling of personal data. Every website that collects or processes user data – for example, via forms, cookies, or tracking – requires a transparent and understandable privacy policy.
Every form of data collection must be clearly documented and explained in the privacy policy – from simple contact forms to newsletter registrations. Data transfers to third countries are particularly sensitive, for example, with tools like Google Analytics, cloud services, or embedded media platforms.
A data processing agreement (DPA) is required for every tool, plug-in, or external service provider – even with your own hosting provider. Failure to do so constitutes a violation of the GDPR, which can lead to heavy fines.
Cookies are small text files that websites store in users' browsers – and since the GDPR, their use has been strictly regulated. How they are handled often determines whether a website is considered legally compliant.
Not all cookies are the same. Technically necessary cookies may be set without consent because they are required for the operation of the website – for example:
All other cookie types require active consent from the user:
A legally compliant cookie banner must meet several conditions:
Important: Regularly check which cookies the website actually sets. Many WordPress plugins or integrated tools store data without the operators' knowledge. Only those who maintain an overview can configure the consent banner in a legally compliant manner and build trust.
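One way to keep that overview is to compare the cookies a page actually sets against the inventory declared in the privacy policy. The following is an added example (not code from the original article): it parses `Set-Cookie` headers captured on a first page load, before the banner has been answered, and reports cookies that are undeclared, non-essential cookies set without consent, and cookies missing the `Secure` attribute. The inventory, the header lines and the cookie names are constructed for illustration.

```javascript
// Added example: audit the cookies a page really sets against the inventory
// declared in the consent banner / privacy policy. Inventory and captured
// headers are constructed sample data.

// Cookie inventory as declared in the privacy policy (constructed).
const DECLARED = {
  sessionid:      { category: "necessary", purpose: "login session" },
  cookie_consent: { category: "necessary", purpose: "stores the consent choice" },
  _ga:            { category: "analytics", purpose: "web analytics" },
};

// Set-Cookie headers captured on the first page load, before consent (constructed).
const OBSERVED_BEFORE_CONSENT = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "cookie_consent=pending; Path=/; Secure; SameSite=Lax",
  "_ga=GA1.2.111; Path=/; Max-Age=63072000",
  "_fbp=fb.1.222; Path=/; Max-Age=7776000",
];

// Parse one Set-Cookie header into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Compare observed cookies with the declared inventory.
// consentGiven=false models the first page load before the banner was answered.
function auditCookies(headers, declared, consentGiven) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    const decl = declared[cookie.name];
    if (!decl) {
      // Set by some plugin or tool, but nowhere in the privacy policy.
      findings.push({ cookie: cookie.name, issue: "undeclared" });
      continue;
    }
    if (decl.category !== "necessary" && !consentGiven) {
      findings.push({ cookie: cookie.name, issue: "set-before-consent", category: decl.category });
    }
    if (!cookie.attributes.secure) {
      findings.push({ cookie: cookie.name, issue: "missing-secure-attribute" });
    }
  }
  return findings;
}

console.log(auditCookies(OBSERVED_BEFORE_CONSENT, DECLARED, false));
```

Run against the constructed capture, the audit reports `_fbp` as undeclared and `_ga` as an analytics cookie set before consent (and without `Secure`). A real audit would feed it the headers recorded by a browser or crawler on a clean profile, once before and once after accepting the banner.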
Copyright is one of the most common warnings online. Even the unauthorised use of a single photo can lead to claims for damages in the four-figure range – regardless of whether the violation was intentional or not.
Stock photo providers offer various licensing models – from standard to extended.
Read the terms carefully: Not every license allows commercial use, social media reuse, or large-scale campaign deployments. Creative Commons licenses can be a good and cost-effective alternative – but they have pitfalls:
Copyright also applies to texts, translations, and editorial content. If you work with ghostwriters or external authors, ensure that all usage rights are transferred contractually.
When translating, the copyright of the original text must be observed – translations themselves are considered independent works. Clear rules should also apply to user-generated content – such as comments, reviews, or community contributions:
Your terms of use can specify:
Web accessibility is becoming increasingly important – both from a legal and a societal perspective.
The Web Content Accessibility Guidelines (WCAG) 2.1 define international standards for accessible web content. The most important technical requirements are:
In Austria, the Equal Opportunities for People with Disabilities Act (BGStG) regulates the obligations for public service providers. At the EU level, the Web Accessibility Directive applies to public bodies. Private companies are not yet obligated, but the trend is clearly toward accessibility for all.
Choosing a domain and hosting provider is not only a technical decision, but also a legal one. Later risks can be avoided during registration and server selection.
Before securing a domain, a thorough trademark search should always be conducted.
Check the registrations with the
Trademark infringements can quickly lead to cease-and-desist letters, claims for damages, or even the loss of the domain. Also, be aware of the naming rights of prominent individuals or companies – even seemingly harmless combinations can trigger legal conflicts.
The server location plays a key role in GDPR compliance. Hosting within the EU offers the greatest legal certainty. Those using servers outside the EU (e.g., in the US) require additional guarantees such as standard contractual clauses (SCCs) or data protection agreements in accordance with Art. 46 GDPR.
SSL encryption (HTTPS) is now mandatory – it protects visitors' data and is considered a ranking factor by Google. If the little lock icon in the browser is missing, both trust and visibility suffer.
Online shops are subject to special legal requirements that go beyond the general website rules. Anyone who sells products or services online must fulfil several additional information obligations – in a transparent, comprehensible, and GDPR-compliant manner.
The E-Commerce Act requires that you, as an online retailer, provide your customers with comprehensive information, including:
This information must be easy to find and clearly worded – ideally directly in the order process and in the footer of your website.
Customers generally have a 14-day right of withdrawal in online retail. Clearly define which exceptions apply – for example, for perishable goods, digital content, or custom-made products.
The ordering process itself must be clearly designed. A clearly labeled button such as "Order with obligation to pay" is mandatory and prevents misunderstandings. In the event of disputes, you are obligated to link to the EU's ODR platform for online dispute resolution.
In addition, warranty rights may not be restricted in the terms and conditions – otherwise, you risk warnings or invalidation of the contract.
Social media is an essential component of modern websites – but also a legally sensitive topic. Buttons, feeds, or embedded content from platforms such as Facebook, Instagram, LinkedIn, or YouTube often transfer personal data to servers in the USA – often as soon as the page loads.
The easiest way to integrate social media in compliance with data protection regulations is the so-called 2-click solution. The actual social media buttons are only loaded after the user actively clicks them.
Before that, you only see a neutral placeholder with a brief privacy notice. This way, you decide when data is transferred – and at the same time comply with GDPR requirements.
For YouTube videos, you should activate the enhanced privacy mode. Here, too, data is only transferred when the video is actually started.
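The 2-click solution and the enhanced privacy mode can be combined in a few lines of browser code. The following is an added example (not code from the original article or from YouTube/Google): nothing is requested from Google until the visitor clicks the placeholder, and the iframe that is then inserted uses the `youtube-nocookie.com` domain, which is what YouTube's "privacy-enhanced mode" embed option produces. The video id regex, the placeholder text and the sample URLs are assumptions made for this example; the DOM wiring at the end only runs in a browser, the helpers above it are plain functions.

```javascript
// Added example: 2-click YouTube embed with privacy-enhanced mode.
// Helpers are pure functions; only the last block touches the DOM.

// YouTube video ids are 11 characters from this alphabet (assumption for validation).
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Extract the video id from the common YouTube URL forms.
// Returns null for anything that does not look like a YouTube video URL.
function youtubeVideoId(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  const host = u.hostname.replace(/^www\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = u.pathname.slice(1);
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    if (u.pathname === "/watch") id = u.searchParams.get("v");
    else if (u.pathname.startsWith("/embed/")) id = u.pathname.split("/")[2];
  }
  return id && VIDEO_ID.test(id) ? id : null;
}

// Privacy-enhanced embed URL: no cookies are stored until playback starts.
function privacyEmbedUrl(videoId) {
  if (!VIDEO_ID.test(videoId)) throw new Error("invalid video id");
  return `https://www.youtube-nocookie.com/embed/${videoId}`;
}

// Neutral placeholder shown before the first click (constructed wording).
// The id was validated against VIDEO_ID, so it is safe to place in an attribute.
function placeholderHtml(videoId) {
  if (!VIDEO_ID.test(videoId)) throw new Error("invalid video id");
  return (
    `<div class="yt-placeholder" data-video-id="${videoId}">` +
    `<p>Clicking loads the video from YouTube; data is then transferred to Google. ` +
    `See our privacy policy.</p>` +
    `<button type="button">Load video</button></div>`
  );
}

// Browser only: first click swaps the placeholder for the iframe,
// the second click (on the player) starts playback.
function activatePlaceholders(root) {
  for (const el of root.querySelectorAll(".yt-placeholder")) {
    el.querySelector("button").addEventListener("click", () => {
      const iframe = document.createElement("iframe");
      iframe.src = privacyEmbedUrl(el.dataset.videoId);
      iframe.width = "560";
      iframe.height = "315";
      iframe.allow = "encrypted-media; picture-in-picture";
      iframe.setAttribute("allowfullscreen", "");
      el.replaceWith(iframe);
    });
  }
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => activatePlaceholders(document));
}
```

Server-side, `placeholderHtml(youtubeVideoId(editorUrl))` renders the placeholder instead of the raw iframe that a copied embed code would insert; validating the id before it reaches the markup also prevents an editor-supplied URL from injecting anything else into the page.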
If you use social media plugins or embedded content, you need data processing agreements (DPA) with the respective platforms. Companies like Meta (Facebook & Instagram), Google (YouTube), or LinkedIn provide these agreements online – but you must actively conclude them and document them in your privacy policy. This is the only way to ensure that data transfer is legally secure and that your online presence complies with the requirements of the GDPR.
Email marketing is one of the most effective, but also most strictly regulated, marketing tools. Anyone who sends newsletters or campaign emails must comply with clear legal requirements – otherwise, they face warnings or fines.
You need verifiable consent for each newsletter subscriber. The double opt-in process is standard here: After registration, the person receives a confirmation email with a link – only after clicking on it can you actually send the newsletter.
Carefully document each registration, including the timestamp, IP address, and confirmation email. This evidence is vital in case of legal disputes or complaints.
Every marketing email must contain a functioning unsubscribe link – visible, clearly worded, and easily accessible. Don't demand a reason for unsubscribing, and don't hide the option in the depths of the footer. In your emails, also refer to your privacy policy and explain transparently which data is processed for what purpose.
Legal compliance is not a state, but a process. Laws, tools, and tracking technologies are constantly changing – if you want to stay on the safe side, you need to regularly review and update your website.
Ideally: a quarterly compliance audit. You should check:
Such audits help identify risks early, before they become real problems.
Even with the most excellent care, something can happen. You must define clear procedures for emergencies:
Yes – even for the smallest commercial activity, an imprint is mandatory according to Section 63 of the Trade Code (GewO). This also applies to freelancers, consultants, or sole proprietors. You can replace your private address with rented business premises – however, virtual addresses or PO boxes are not permitted.
Whenever something changes – for example, due to new tools, plugins, or service providers. We recommend a quarterly review, but at least once a year is necessary. This way, you stay legally on the safe side and ensure that your privacy policy is always up to date.
Technically necessary cookies do not require consent, but must still be documented in the privacy policy. However, as soon as you integrate analytics tools, chat widgets, or social media elements, additional cookies are set – these require active consent via a consent banner.
In principle, yes, but with caution. Always read the specific license terms and check for model releases. For example, Unsplash has restrictions on large-scale commercial use. Reputable stock providers like Shutterstock or Adobe Stock generally offer more legal certainty.
Don't panic – but react quickly! Under no circumstances should you ignore the cease-and-desist letter, as doing so risks expensive legal proceedings. Check whether it's justified, correct any deficiencies immediately, and seek legal advice. In many cases, an out-of-court solution can be found, which is significantly cheaper than litigation.
The legal requirements for websites will continue to change in the coming years. As a design agency, we experience daily how crucial legal compliance has become for a digital brand presence. It's not an annoying add-on, but a quality feature that builds trust and saves costs in the long run. If you invest in a professionally designed, legally compliant website from the start, you'll benefit twice: through trust with your customers – and peace of mind on the legal side.