Municipal Website Regulation Guidelines

What to know about your municipal website

Having a municipal website can improve community engagement. However, there are rules and regulations that administrators should be aware of to effectively operate a website. A thorough understanding of website laws is essential for municipalities to fulfill their responsibilities effectively, protect the rights of residents, and maintain trust and credibility with the public. This is not meant to be an exhaustive list. We will try to keep it up to date with information pertinent to municipalities in Pennsylvania and beyond.


Copyright law affects website owners in several ways:

  • Content Creation: Website owners need to ensure that the content they create or use on their websites, such as text, images, videos, and graphics, does not infringe upon the copyrights of others. This means obtaining proper permissions or licenses for copyrighted material before using it on their websites.
  • Protection of Original Content: Website owners should understand that original content they create and publish on their websites is automatically protected by copyright law. This protection gives them exclusive rights to reproduce, distribute, display, and modify their content.
  • Fair Use: Website owners should be aware of the concept of fair use, which allows for the limited use of copyrighted material without permission for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. However, the application of fair use can be complex and context-dependent, so website owners should exercise caution and seek legal advice if uncertain.
  • DMCA Compliance: The Digital Millennium Copyright Act (DMCA) provides a mechanism for copyright owners to request the removal of infringing content from websites. Website owners can benefit from DMCA safe harbor provisions by promptly responding to valid takedown notices and implementing procedures for addressing copyright infringement claims.
  • Linking and Framing: Website owners should be mindful of linking to or framing third-party content on their websites, as this may raise copyright issues if done without permission. While linking to publicly accessible content is generally considered acceptable, framing or embedding content from another website may require permission from the copyright owner.
  • User-Generated Content: If website owners allow users to contribute content to their websites, such as comments, reviews, or submissions, they should have policies and procedures in place to address copyright infringement issues and ensure compliance with copyright law.

Overall, website owners must be vigilant in understanding and respecting copyright law to avoid liability for infringement and protect their own intellectual property rights.

Right-To-Know Law

Under the current Pennsylvania Right-to-Know Law, all state and local government agency records are presumed to be public. Citizens can request records from any municipality, including boroughs, townships, cities, and counties. In some cases, municipalities may have their own form. However, citizens are allowed to use the Office of Open Records’ RTK form. With a few exceptions, the municipality has five business days to respond to the request. This can be extended by an additional 30 days under certain circumstances, such as if the request is complex or requires significant effort to fulfill. Right-to-Know requests may involve fees, but the fees cannot be used as a filing deterrent. Denied requests can be appealed by the requester to the Pennsylvania Office of Open Records.

State and Local Cybersecurity Improvement Act

A cybersecurity grant called the State and Local Cybersecurity Improvement Act is part of the Biden administration’s $1.2 trillion Infrastructure Investment and Jobs Act signed into law on November 6, 2021. This new $1 billion Department of Homeland Security (DHS) grant program was written to address cybersecurity risks and threats to local or tribal governments. The funds are to be released between 2022 and 2025. The State and Local Cybersecurity Grant Notice of Funding Opportunity’s (NOFO) total funding available for fiscal year 2023 is $374 million according to FEMA’s website. Applying for the grant is a multi-step process and can be completed on grants.gov.

Sunshine Act

The Pennsylvania Sunshine Act, 65 Pa.C.S. §§ 701-716, can pose a major compliance issue for municipal websites. Municipalities are required to provide advance public notice of meetings, including the time, date, and location, as well as an agenda outlining the topics to be discussed. The public must be allowed to attend, participate, and/or comment before the agency takes official action. If your municipality has a website, it must post notice of the meeting, as well as an agenda that lists each matter of business, on that website no later than 24 hours prior to the meeting. Violations of the Sunshine Act can result in legal action, including court orders to void actions taken in violation of the law. Additionally, individuals found guilty of willfully violating the act may face fines or other penalties.

CourseVector makes it easy to keep your website up to date. More information can be found here.

Website Accessibility

While not law yet, some businesses and municipalities have been sued for having non-accessible websites. It’s difficult to comply with laws that don’t exist. But there is guidance out there on creating a more accessible website. The Web Content Accessibility Guidelines (WCAG) 2.0, Levels A and AA, are recommended by many prominent groups involved in assisting American disabled people with these kinds of matters. In August of 2023, the Department of Justice issued a Proposed Rule and Call for Comments for the “Nondiscrimination on the Basis of Disability: Accessibility of Web Information and Services of State and Local Government Entities”. They feel that voluntary compliance has been insufficient in providing access to those in need. Therefore, “the Department is proposing technical requirements to provide concrete standards to public entities on how to fulfill their obligations under title II to provide equal access to all of their services, programs, and activities that are provided via the web and mobile apps”. The new legislation applies to all content conveyed to users via a web browser. The following aspects of a website are subject to these rules:

  • text
  • images
  • sounds
  • videos
  • controls
  • animations
  • navigation
  • menus
  • documents
  • services (like bill pay even if linking away from your site)

Sample Accessibility Statement

Once a website owner has taken steps to make their site more accessible, a website accessibility statement is a logical next step. This statement should outline steps taken to make the site accessible as well as encourage feedback on issues that may arise when differently-abled individuals use the site.

Here is a sample accessibility statement. It is a place to start. It should be edited and tailored to your website, the steps taken to make your website accessible, and how one can get in touch with your organization regarding issues.

https://coursevector.com/sample-accessibility-statement

https://coursevector.com/creating-a-website-accessibility-statement

Website Privacy Responsibility


California Consumer Privacy Act (CCPA)

If a Pennsylvania business or municipality operates a website or conducts business that involves collecting personal information from California residents, they would need to comply with certain CCPA requirements, such as:

  • Providing notice as to what’s collected.
  • Informing California residents of their specific rights, including the right to access their personal information, the right to request deletion of their personal information, and the right to opt-out of the sale of their personal information.
  • Implementing adequate data security to protect collected information from unauthorized access, disclosure, or destruction.
  • Prohibiting discriminatory treatment against California residents who exercise their CCPA rights, such as by denying them goods or services, charging them different prices, or providing them with a different level or quality of goods or services.

General Data Protection Regulation (GDPR)

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect across Europe. The European Commission has created this regulation to strengthen the protection of European citizens’ personal information by implementing rules and providing European citizens specific rights. Whether an organization collects, records, organizes, structures, or stores PII, the GDPR applies to them. Any organization that handles European citizens’ personal data, including organizations based outside of the EU, must follow this regulation or risk facing substantial administrative fines.

  • GDPR requires businesses to obtain clear and affirmative consent from individuals before collecting, processing, or storing their personal data. Individuals have the right to withdraw consent at any time.
  • GDPR defines personal data broadly and includes any information that can directly or indirectly identify an individual, such as names, addresses, email addresses, and online identifiers.
  • GDPR grants individuals (referred to as “data subjects”) certain rights regarding their personal data, including the right to access, rectify, erase, restrict processing, and portability of their data.
  • GDPR mandates that businesses and municipalities implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data.
  • GDPR imposes restrictions on the transfer of personal data outside the EU to ensure that such transfers meet the requirements for lawful international data transfers.
  • Businesses subject to GDPR must demonstrate compliance with its requirements by maintaining records of data processing activities, conducting data protection impact assessments (DPIAs) where necessary, and appointing a Data Protection Officer (DPO) in certain cases.

Visitor Tracking & Cookies

Analytics can be useful when running a website. However, tracking users and collecting data can be considered a violation of privacy. If a visitor tracker is collecting IP addresses and storing them, you may be in violation of GDPR, California state data laws, and/or other privacy laws. Every website, whether located in the US or abroad, that collects personal user data should have cookie consent banners or privacy notices. There are no borders on a website! It is possible to collect data responsibly.

  • Transparency: Provide clear and easily accessible information about the types of tracking technologies used on your website, including cookies, and how they are used. This information can be included in a privacy policy or a separate cookie policy.
  • Consent: Obtain consent from visitors before placing non-essential cookies on their devices. This consent should be obtained through a clear and user-friendly mechanism, such as a cookie banner or pop-up, allowing users to accept or decline cookies easily.
  • Cookie Management: Offer users options to manage their cookie preferences, including the ability to opt-out of non-essential cookies or adjust cookie settings. This may involve providing a cookie consent management tool or linking to browser settings where users can manage cookies.
  • Anonymization: Ensure that any data collected through website tracking is anonymized or pseudonymized to the extent possible, especially if it involves personally identifiable information (PII). Minimize the collection of sensitive information and use encryption to protect data in transit and at rest.
  • Purpose Limitation: Only use website tracking and cookies for legitimate purposes that benefit both the website owner and the user, such as improving website performance, analyzing traffic patterns, and delivering personalized content or advertisements based on user preferences.
  • Data Security: Implement robust security measures to protect data collected through website tracking and cookies from unauthorized access, disclosure, or misuse. This includes regularly updating software, using secure connections (HTTPS), and following best practices for data storage and handling.
  • Periodic Review: Regularly review and audit your website’s use of tracking technologies and cookies to ensure compliance with relevant laws and regulations, as well as adherence to best practices for privacy and data protection.

Sample Privacy Policy & Plugins

A privacy policy is a critical document for any website that collects personal information, serving to inform users, comply with legal requirements, and uphold principles of transparency and accountability in data processing practices. Here is a sample privacy policy. It is only a sample. It should be edited to explain how your website collects, stores, and uses the data of its users.

https://coursevector.com/sample-privacy-policy

To take privacy a step further, website owners should (and in some cases are legally required to) collect consent to record data from their users. There are many WordPress plugins that make this task easy. Here is one that CourseVector uses:

CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice)

Have a question? Did we miss something? Please contact us and let us know.

Note: CourseVector does not employ a team of lawyers. This is not meant to be legal advice. If you are seeking legal advice, we strongly recommend consulting your solicitor.
