Website development – a practical approach to legal pitfalls

Introduction

An important aspect in protecting your website is to ensure that the website development is carried out under an appropriate agreement.

Typically, an agreement will be presented to you by the developer in a standard form. But many issues which are important to you are of little benefit to the developer and therefore are simply not covered in the agreement. Website development companies are often relatively small and do not have a legal document which would be acceptable to a sophisticated client. In such cases it is often in your interest to reject the developer’s standard form and put together your own form of agreement.
This article focuses on the main issues to be addressed in the agreement from your point of view, concentrating on areas which may be contentious or require more careful consideration.

Services

A key aspect of any agreement is to define clearly the services which the developer is to provide. In a website development contract, there can be a range of potential services apart from pure development work. For example, the developer may also be providing some or all of the following:

• Hosting – typically, an SME will not host its own website. The developer may host your website on its servers. The developer will then be responsible for managing those servers. Often, your website will be one of a number of websites which are hosted on the same servers. While this is a cost-efficient solution, it can raise questions regarding the performance of the website and the bandwidth which is made available. These are issues which should be addressed in the contract. See further below under “Hosting services”.

• Domain name registration – often the developer will register and manage your domain names. But this can be risky. You must ensure that the details of the registration are correctly set out. For example, while the developer may register your domain names, they must be in your name and not in the developer’s name as otherwise it may be difficult to recover the names if you fall out with the developer or they go out of business. You also need to make sure that your contact and billing details are provided with the domain name registration. These details are used to provide reminders and invoices when renewal fees are due. If the developer’s name is used and the renewal fee is not paid, the domain name may be lost and can then be difficult and expensive to recover.

• Training – where the content on the website is to be maintained by you, your personnel may need some training from the developer in uploading and updating. The nature and extent of this training should be clearly specified. 

• Support services – it may be beneficial for you to enter into a support agreement under which the developer agrees to maintain the website following the initial development. This includes fixing any bugs, making changes as required from time to time and providing support to your staff managing the content.

• Marketing services – this may include registration of the website with search engines, promoting the website and providing to you periodic website statistics and analysis with recommendations for action.

Specification

The specification is an important document and should describe the aims and objectives of the website, its functionality and content, the “look and feel”, and how data are to be collected and processed. It can also specify in more technical detail such matters as performance levels, capacity, response times and browser compatibility.

Where the website is involved in e-commerce, the specification will need to address data-processing at a more detailed and technical level as well as any interfaces with your back-office systems.
Contractually speaking, the website is specified in sufficient detail, it will be difficult for you to reject the website, withhold payment or make any claim or complaint. On the other hand, it may be impossible to develop a specification which contains every last detail. To do so could take too long.

• Phasing – Often, the specification is a rather general and inadequate document from a contractual point of view. Sometimes, it is part of the developer’s brief to write the specification and design concept for the website. In this case, no technical work will commence until the specification has been agreed. In these circumstances, the contract may need to be written in phases so that the parties only move to phase two if the specification being written in phase one is agreed.

• Pricing and IP ownership – Until you have finalised the details of the specification, it may be not be possible to agree the price for developing the website, as the precise scope and extent of the website will not have been agreed. It is unsatisfactory to enter into a contract on a purely time and materials basis. Accordingly, one of the prerequisites for entering phase two of the agreement may also be an agreement as to price for the website development.   Commercially, however, your negotiating position may be weakened at this point as it will be psychologically committed to the developer who has developed the specification and its concepts. A point to be borne in mind here is the ownership of the intellectual property in the specification where this is written by the developer. If you and the developer part company, will you be able to take the specification forward with another developer?

• Technical issues – The specification should address technical issues relating to the website, for example the compatibility of the website as between platforms and browsers.

• Feature creep – Often, as the development proceeds, you may have new ideas and wish to add new features which were not contemplated in the original specification. If the developer seeks additional payment for features not specified in the original specification, you may be aggrieved if it had not pre-agreed any increase in the price or believed that all work was included in the original price. This is chiefly a matter of contract management, but it can be assisted by a “change control” provision, so that if the original specification changes, the developer must provide a price proposal for this which must then be accepted by you before being progressed.

Legal Compliance

Website are becoming increasingly regulated and it is essential to ensure that legal compliance is “designed in” to the website.

• Cookies – many websites use cookie technology. Generally, this is a good thing; for example, it enables a website to recognize a user on his or her return to the site and to personalize the content accordingly. However, the use of cookies by websites is regulated by the Privacy and Electronic Communications (EC Directive) Regulations. The Regulations provide that cookies cannot be placed on a user’s computer unless the user: is provided with “clear and comprehensive information” about the purposes of the cookie, and is given the opportunity to refuse the cookie. Generally, this is addressed in a privacy or cookies policy on the website, which sets out the required information. It is important to ensure that you understand what use the web developer proposes to make of cookies so that you can ensure compliance with these Regulations through publication of an appropriate cookie privacy policy.

• Accessibility – under the Disability Discrimination Act (“DDA”), website owners are under a duty to take reasonable steps to make their websites accessible to disabled persons. The website development contracts should contain appropriate warranties regarding compliance with the DDA and the World Wide Web Consortium’s Web Content Accessibility Guidelines.

Timetable

An essential aspect of the agreement is an implementation timetable, setting out milestones during the development. These could include agreement on the specification, delivery of a pilot website for assessment of the general look and feel for client feedback, content loading, delivery of website for testing, acceptance and going live.

It is also useful to link the payment schedule with the achievement of the milestones. This avoids a situation in which the developer is entitled to payment regardless of the stage he is at.

What if the developer fails to deliver in accordance with the plan? This is not about rejection of the website following acceptance testing, but failure to deliver the website before acceptance testing in line with a timeframe. Depending on how critical the timeframe is, you may wish to consider any or all of liquidated damages for delay, bonus payment for achievement of the target dates (stick and carrot approach) and, ultimately, termination of the agreement and recovery of monies paid for failure.

Acceptance testing

Provisions relating to acceptance testing, acceptance and the consequences of non-acceptance are crucial, particularly as acceptance usually involves a final or substantial payment. Following acceptance the website moves from the development stage into a warranty period or support contract.

It may not be possible to test all aspects of the website, but acceptance tests must test the major functionality of the website and overall conformity with the specification, including, for example, verification of response times, veracity of links, correct handling of input data, cross-browser compatibilities, printing and so on.

If the website fails acceptance tests, the developer should be required to correct the problems as quickly as possible so that the tests can be repeated. You should have some control over how many times they can be repeated. After, say, two rounds of acceptance testing, you should have more serious remedies. This might include accepting the website as is, albeit deficient, with some retention or reduction in price. In serious cases, where the website is unacceptable, you should have the ultimate remedy to withdraw from the agreement and recover monies paid.

In the case of failure and rejection, you may want to be able to pick up the pieces so that another developer can continue the work without intellectual property problems. This sounds fine in theory, but in practice it will be difficult for a third party developer to pick up someone else’s work. Also, an incoming developer will not want to provide any warranties regarding work which it had taken over. In some cases, therefore, the only solution may be to start again. This right of termination is, therefore, a last resort.

Intellectual property

The question of IP ownership often generates more heat than light. On the one hand, if you are paying for development work to be carried out, you should own the IP in the work.
On the other hand, from the developer’s point of view, the position is more complex. He will not wish to give away his stock in trade, which may be elements of coding or design tools which he would wish to re-use in other website developments.

The legal point is that you must either have ownership of, or a secure licence in relation to, your website so that you have the necessary rights to use it.

In practice, the elements on a website may be broken down into the following main constituents:

• Content – this may be provided by you and be your intellectual property.

• Developer tools – These may represent the developer’s stock in trade and remain the intellectual property of the developer.

• Third party software – the developer may use third party software or components. In this situation, you will want a licence from third party. It is best if the licence for third party elements is direct from the third party to you as otherwise your position will be uncertain if the relationship with the developer terminates.

• Client-bespoke work – These may be elements of the website which have been specially created by the developer for you. These could include graphical images and look and feel. Here, the developer should be able to assign copyright freely to you.

In relation to materials used or created by the developer, you will want warranties and indemnities that nothing the developer uses in the website will infringe any third party intellectual property rights.

Hosting services

Where the developer or some other party hosts your website, there may be data protection issues if your website captures personal data of users or people who register their details on the site. In this situation, the Data Protection Act requires that “appropriate technical and organisational measures” are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In order to comply with this Act, you must ensure that you have a contract with the website host under which the host undertakes to comply with these minimum technical and organisational measures.

A key aspects of hosting agreements relate to the performance levels of service which the provider offers. Service level warranties could include:

• Service response and bandwidth – if a website is slow to respond, then it may be to do with its design or it may be to do with the servers or the bandwidth being made available to it.

• Server downtime – inevitably, servers will need to be maintained and backups taken and this can lead to short periods of server downtime. Minimum levels of downtime can be contractually committed. If you can tolerate no downtime at all then it may be necessary to consider mirrored servers.

If, for whatever reason, you wishes to migrate the website from one provider to another, it will need the support of the developer and the host service provider. Contractual commitments in terms of the timetable for co-operating in any migration can be included to prevent you becoming locked into a single provider in circumstances where the service levels are poor but for technical reasons it may be difficult to migrate the website without assistance from the developer.

Escrow

If it is agreed that you will acquire ownership of bespoke software, you must also acquire ownership of the source code to enable you to amend the software in the future. The contract should therefore require the developer to deliver the source code and the design documentation.

Where you are only granted a licence of software, the developer will want to retain control of the source code because it gives the developer a practical means of preserving his rights in the software. As long as you are obtaining maintenance services from the developer, you will not need access to the source code. What is essential for your protection is that you should have access to an up-to-date copy of the source code if the developer is unwilling or unable to support the website any longer (for example, because of insolvency). This is normally achieved by means of an escrow agreement.  This is a tri-partite agreement under which the developer agrees to deposit a copy of the source code with an escrow agent, and the escrow agent undertakes to the developer and the customer that he will deliver a copy of the source code to the customer in certain events normally limited to the developer’s insolvency and/or its refusal or inability to provide maintenance.

Warranties and liability

Apart from warranties relating to intellectual property, discussed above, the website owner will want warranties relating to the development and performance of the website.

A warranty of conformity with the specification is a cornerstone but may not be the complete picture, as the specification will not be exhaustive. There are other warranties that are web-development-specific, including that graphics have a consistent cross-platform appearance and that the website and associated programs can handle the maximum load that you anticipates. A general warranty that the website will be free of material defects is a useful sweeper.

For many websites, particularly those engaged in some form of e-commerce, security is an important issue. Warranties should be extracted in relation to security, together with undertakings to install and keep up to date patches for the web server and associated software to fix any security holes and to keep them up to date within, for example, 12 hours of release. In the event of a security breach being identified, the developer could be committed to take the website offline within, say, one hour of being notified. Ultimately, in the event of a serious security difficulty, you may wish to have the right of termination of the agreement, coupled with a requirement on the developer to assist in the migration of the website to a more secure server.

As regards liability, the usual debate is about the extent of any limitation of liability provisions.
As in many commercial contracts, financial loss will be the main item of loss which the website owner may suffer in the event of a breach of warranty on the part of the developer. Standard clauses which seek to exclude liability for loss of profits and economic loss, where this is a direct loss, as opposed to an indirect loss, will not be acceptable.

When considering any overall limit on the developer’s liability, an important consideration will be the developer’s professional indemnity insurance. An alternative approach is a limit equivalent to the total price paid – or a multiple of the price – for the website.