Details, offer, acceptance, order confirmation, user agreement, consent to the processing of personal data, notification of the collection of cookies, consent to receive advertising.
Details. Must be posted on all websites, including landing pages for advertising and business card websites. Details are information about the website owner and how to contact them. At a minimum, you must indicate the name of the company or the full name of the entrepreneur or self-employed person, and an email address. Organizations must add a legal address, and individual entrepreneurs and self-employed people must add an address where they can receive correspondence. On a website that is used to advertise or sell goods, works, or services, additionally indicate the company’s OGRN, the OGRNIP of an individual entrepreneur, or the TIN of a self-employed person. Post them where the visitor can easily find them. A common practice is to publish the details in the “footer” of the website, a section at the bottom of each page. Alternatively, you can create a separate page called “Contacts,” “About Us,” or “Legal Information.” There is no fine for the absence of details, but Roskomnadzor can issue an order to comply with this requirement. If it is ignored, businesses may be fined: citizens – 300-500 ₽, individual entrepreneurs – 1000-2000 ₽, small businesses – 5000-10,000 ₽, medium and large organizations – 10,000-20,000 ₽.
Offer. Post in online stores and paid services, i.e. where the client makes a deal with the business. An offer is not needed if the site is informational and you can’t buy anything on it. An offer is a proposal to make a deal on certain terms. The site owner is obliged to fulfill the terms of the offer if the visitor agrees to them. According to the law, an offer must be posted on the websites of online stores that are focused on retail trade. But it is better to publish an offer wherever the business makes a deal: on the pages of paid services, on websites with wholesale sales, or where you can order work or a service. The offer specifies the terms of the deal, and it also replaces a separate written agreement with each client, which simplifies the conclusion of deals. The text of the offer depends on what product, work or service is being sold. The offer is usually published on a separate, publicly accessible page. The page is named so that the site visitor understands its purpose, for example, “Terms of Sale” or “Offer”. When selling a product, work or service to a retail buyer, the fine for the absence of an offer is: for individual entrepreneurs – 3,000-4,000 ₽, for small businesses – 15,000-20,000 ₽, for medium and large organizations – 30,000-40,000 ₽. There is no fine for the absence of an offer when selling to another entrepreneur or company.
At a minimum, the offer must include:
– the name of the company, full name of the entrepreneur or self-employed person;
– a phrase stating that this document and the information on the website about the object of sale are a public offer;
– a description of what the business sells as a whole; it is not necessary to indicate the specific parameters of each product in the offer, and you can write that the description of the product, work or service is posted in the catalog;
– how to place an order and how to cancel it;
– how to pay;
– delivery conditions, shelf life of the product at the pick-up point, other rules for interaction between the client and the business.
Place the acceptance wherever there is an offer. To conclude a contract, the client must respond to the offer with consent – acceptance. Usually, this is a button with an explanation: if the client clicks on it, he agrees to the terms of the offer. It happens that a separate button for acceptance is not created, instead, a form with a notification is made: if the client places and pays for an order, he agrees to the terms of sale. You can display the acceptance form when creating an order or when registering an account. If you do not place it, the client may claim that he accidentally transferred money and demand its return. For example, in Saratov, an organization went to court with a claim: allegedly, money was mistakenly withdrawn from their account in favor of a website developer with whom the company did not conclude any contracts. The court did not agree with the plaintiff: the defendants posted an offer for the provision of development services on their website. The customer registered on this website, “signed” the agreement by clicking on the “I agree to the terms” button, and then transferred the money. According to the court, this was a legal offer and acceptance, so the claim was dismissed.
Place an order confirmation in online stores aimed at retail customers. The online store must confirm the conclusion of the contract under the terms of the offer after the customer places an order. You can send an email, SMS notification, or display a pop-up window on the site. It is important that the client understands that this is his purchase. Therefore, the notification must contain a number or other way to identify the order. Any form can be used for placement; the main thing is to confirm the order immediately after its placement or payment. If you do not place it, the fine for individuals is 1,500-2,000 ₽, for individual entrepreneurs – 3,000-4,000 ₽, for small businesses – 15,000-20,000 ₽, for organizations – 30,000-40,000 ₽.
The user agreement should be posted on websites with a personal account, forums, neural networks, graphic editors and other services useful for visitors. The document describes the rules for using the site. The user agreement helps to clearly state what responsibility the business is ready to take on itself and what it is not. For example, an entrepreneur has a website with a calculator for the approximate cost of apartment renovation work. The user agreement of such a resource indicates that the calculation is not final, and the consumer cannot demand that the repair be performed only on the basis of the price offered by the calculator. This also includes rules for using content: for example, in the user agreement you can specify how articles may and may not be copied. You can place it on a separate, publicly accessible page of the site. A link to it is placed under each significant service of the resource, on the page with the offer or in the footer. There are no fines for the absence of a user agreement, but it will help resolve disputes with clients. For example, if a buyer demands something in court, you can refer to the agreement: here are the rules, and when the client used the service, he agreed to abide by them.
The rules for using the site include:
– the rights and obligations of visitors;
– a description of the functions of the service;
– rules for posting or copying content;
– conditions for using content;
– rules for registering and using your personal account;
– conditions for subscribing to content, if any.
The personal data processing policy is posted on any website where users leave personal data: last name, first name, middle name, date of birth, delivery address, place of work. Typically, such data is collected by online stores and forums. If the site has a feedback, subscription, authorization or registration form, then there should also be a personal data processing policy. In the document, the site owner informs visitors in what ways, for what purposes and to what extent their personal data will be processed on the site. You can make a separate page with the text of the personal data processing policy and add a link to it in the footer of the site. Under each form that collects personal data, you should place the text “By clicking the ‘Submit’ button, you agree to the ‘Personal Data Processing Policy’” and leave a link to the document. If it is not posted, the fine for individuals is 1,500-3,000 ₽, for individual entrepreneurs and small businesses – 10,000-20,000 ₽, for organizations – 30,000-60,000 ₽. The policy must indicate:
– a link to the website to which it applies;
– the full name of the entrepreneur or the name of the organization that receives the consent of the site visitor;
– the purposes of processing personal data, that is, why the data is collected. For example, to sell a product, consider applicants for employment, provide access to a program;
– a list of processed data, that is, what exactly the site collects;
– if users post data on the site that is available to all other visitors, then it is necessary to indicate that “publicly available personal data is processed”;
– if information is collected about race and nationality, political, religious and philosophical views, health status, details of intimate life, information about criminal records, then it is necessary to indicate that “special categories of personal data are processed”;
– data processing periods — a period of time or an event, such as before expulsion from an online school;
– data processing methods, such as: “collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion”;
– the procedure for destroying personal data, such as “erasing from a storage medium without the possibility of recovery”.
Consent to the processing of personal data is posted on any resources where users leave personal data, such as last name, first name, middle name, date of birth, address for receiving goods, place of work. If the site collects personal data, you need to get consent from the user. Consent can be given in any form; the main thing is to be able to confirm that it was received. For example, you can make a page with the consent text and provide a link to it in each form with data collection, and also add a confirmation button: until the user indicates that he agrees to the collection and processing of data, he will not be able to use the service. If you do not post it, the fine for citizens is 10,000-15,000 ₽, for individual entrepreneurs – 100,000-300,000 ₽, for small businesses – 150,000-350,000 ₽, for other organizations – 300,000-700,000 ₽.
The consent text must include:
– the name of the company or the full name of the website owner;
– a list of personal data for which consent is given for processing;
– the purpose of processing;
– the validity period of the consent;
– ways to refuse consent to data processing, for example, fill out a refusal form on the website or send a refusal notice to the company’s legal address.
Consent to the processing of personal data permitted for distribution must be posted on websites where users not only leave data, but also post it for public viewing: for example, forums, social networks, corporate portals and stores with reviews. A separate consent must be obtained for the distribution of personal data. Distribution is when the data can be seen by any visitor to the site. For example, publishing the last name and phone number of the manager or a customer review on the company’s website. You can create such consent in the Roskomnadzor service. The designer offers to fill in the fields, after which the template is sent to the department’s specialists for verification. If necessary, the operator is given recommendations for finalizing the document. The final result is sent by e-mail. Consent can be on a separate page. Next to each form in which a visitor leaves their data, there must be a link to the consent text and a button confirming that the visitor has granted permission. If it is not posted, the fine for individuals is 10,000-15,000 ₽, for individual entrepreneurs – 100,000-300,000 ₽, for small businesses – 150,000-350,000 ₽, for other organizations – 300,000-700,000 ₽.
In this case, the consent must give the site visitor a choice of what data he:
– allows to be distributed;
– prohibits publishing for general access – such information can only be processed by the site owner;
– determines the processing conditions, for example, a ban on the use of information for statistical research. If the visitor has specified the conditions for the distribution of personal data, the site owner is obliged to publish such conditions within three working days.
Ideally, you need to provide the visitor with a list of their personal data that will be processed. From this list, the visitor must select the information that can be distributed.
The website owner must be the operator of personal data and comply with the law. According to the law, you can collect personal data and transfer it to someone for processing. The website owner can transfer customer data to the webmaster, and the online store can transfer it to the mailing service. The person to whom he transfers the data for processing does not have to receive separate permission, but must comply with the law. The owner of the site will be responsible for compliance with the law to visitors. Roskomnadzor and the court will determine the owner of the site based on the totality of the data. If the site contains information about a specific legal entity or individual entrepreneur, they will ask them. If there is no such data, they will ask the domain administrator.
According to the law, operators are required to store personal data on Russian servers. There are several exceptions, but these are details. Any online store or subscription service must store a database of personal data of citizens in Russia. Then you can transfer this data abroad. This is legal, but under certain conditions. Otherwise, it would be impossible to book hotels and buy plane tickets abroad.
Roskomnadzor may require proof of where the databases are stored. For example, an agreement with a data center, hosting, or documents for your own server. If it turns out that personal data is stored in violation of the law and not in Russia, there will be problems. In addition to the law on personal data, there are requirements of the Federal Service for Technical and Export Control and the FSB. The prosecutor’s office may also join the inspection. They have enough authority to find out where the data is actually stored and deal with violations.
The law on personal data must be observed if the site is used to work on the territory of the Russian Federation. In theory, Roskomnadzor has the right and can block it. Here are the signs used to understand this:
– the domain name is associated with the Russian Federation or a subject;
– there is a Russian-language version of the site;
– payment for goods or services is made in rubles, delivery is possible to the territory of the Russian Federation;
– consumers of the site content are Russians;
– there is advertising in Russian that leads to this site.
If there is any combination of these factors, the personal data operator must comply with the law, even if it is a foreign company. This means that the documents must be accessible and understandable in the Russian Federation. It is enough to have them in Russian so that Roskomnadzor and Russian citizens can understand them. Our personal data law does not apply to non-residents outside the country.
The law did not explain how to determine the visitor’s citizenship. Operators were offered to solve this problem on their own. And if there is no clear position and tools, it is worth complying with the law in relation to all personal data collected in Russia.
Duplicating the same documents in foreign languages for Russians. But these rules were not invented in Russia. There is the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. So, if you collect data from foreigners, think about how you comply with the law of the country of which they are residents.
In Europe, a single violation of the rules for processing personal data is fined hundreds of thousands of euros. In Russia, the maximum fine since July 1, 2017 is 75 thousand rubles.
The law on personal data protects the data of individuals only. It does not apply to data about companies. But what is indicated in the feedback form is a formality. It is important what data and for what purpose the site owner collects.
If this is actually the name of the company and the office phone number, such information is not covered by the law. But if a site collects email addresses and phone numbers of company employees in order to then send them out or pass them on to third parties, there may be problems both from these employees and from Roskomnadzor.
All operators of personal data must register with Roskomnadzor. Exceptions are only for the cases listed in paragraph 2 of Article 22 of the Law on Personal Data.
Almost any site can be recognized as an organizer of information dissemination. To do this, it is enough to give users the opportunity to comment, exchange messages and write reviews about products.
All owners of websites, blogs and forums need to understand how the law works for organizers of information dissemination. Most likely, you do not even think that it concerns you and you have additional obligations. But if you do not fulfill them, there is a risk of a fine. For example, 300 thousand rubles for not notifying Roskomnadzor about the start of work. Or a million rubles for not storing data about users and their messages or storing them outside of Russia.
A cookie collection notice should be posted on all resources that collect cookies, i.e. information about user behavior that is stored in browsers. This is usually done by sites that are connected to statistics and CRM services, online stores, and resources that have user authorization. You can find out if your site collects cookies using your browser. For example, on a Windows computer, go to the site through Chrome, then press Ctrl+Shift+I, select the Application→Storage→Cookies section. Or check with the site administrator. And although the law does not directly indicate that users must be notified of this, there is case law that equates this technical information with personal data, which means that its collection requires notification. For example, the American Internet speed measuring service Speedtest was fined 1 million rubles for refusing to store the personal data of its users in Russia. When considering the case, the court acknowledged that cookies collected by the service are also such data. Services begin collecting cookies immediately after the user enters the site, so a standard notification about data processing is not suitable – otherwise, you will have to first obtain consent and only then let the person onto the main page of the site. A separate form is made for cookies, often with a button that appears immediately after the site page loads. When you go to the site, a pop-up window should immediately appear with a notification that cookies are being collected on the site. There is a risk that the court will consider the collection of cookies without prior warning to be the processing of personal data without consent. Then the website owner will be fined: citizens – 10,000-15,000 ₽, individual entrepreneurs – 100,000-300,000 ₽, small businesses – 150,000-350,000 ₽, medium and large organizations – 300,000-700,000 ₽.
Consent to receive advertising must be placed where an entrepreneur or company collects user contacts for advertising mailings. Advertising content includes SMS, push notifications, letters that attract and sell goods, works and services. For example, a letter with a selection of goods from an online store is considered advertising, but a notification about the delivery of goods is not. When distributing advertising using mobile communications and the Internet, you need to obtain the user’s permission. To do this, prepare a form with text indicating:
– who will send the advertisement – the name of the company or the full name of the entrepreneur;
– what will be sent – information about events, product selections, notifications about promotions;
– how the information will be sent – for example, via SMS or email;
– rules for refusing consent – usually this is clicking on the “Unsubscribe from mailing” link.
The consent text is placed on a separate page. A link to it is left under the form for collecting user contacts. The entrepreneur needs to make sure that the contact information was left by its owner. For this, for example, an SMS with a unique code is sent to a mobile number, and the user must enter it in a separate form on the site. If it is not posted, the fine for citizens is 2,000-2,500 ₽, for individual entrepreneurs – 4,000-20,000 ₽, for small businesses – 50,000-250,000 ₽, for other organizations – 100,000-500,000 ₽.