Click to start searching

Communications and advertising

Make sure your group understands how the law can affect what you can and can’t communicate.

Content last updated 30/10/2023

Setting up and managing a website

On this page

Setting up and managing a website

Websites are often seen as a form of advertising, similar to a brochure, which draws people to an organisation.

A website can have a much broader function, and involve more legal issues than hard copy materials.

It’s worth taking time to plan your website and to think through the legal issues that could arise in relation to your website from the start to avoid costly issues down the track.

Planning your website

Selecting and registering a domain name

View our webpage on domain name registration for information about selecting a domain name, checking the availability of a name for registration and registering the domain name.

How do you use your domain name?

Once you have registered a domain name, you need to:

  • link your domain name to your website
  • arrange for your website to be hosted
  • determine the features of your new website
  • build your website (through a building tool or web developer)
  • secure your website through implementing security measures such as SSL certifications and regular backups to protect your website and its data, and
  • promote your website

A common mistake in setting up a new website, particularly when funds are limited, is to jump to the design stage without taking time to consider what the specific requirements are for your organisation’s website.

Having a clearly articulated set of requirements from the start means that a website designer can produce a website that meets your needs. This will save you time and money in the long run.

Taking time to identify your requirements will pay off. A clear set of requirements helps ensure that the site will be useful to your clients, and that your website delivers the outcomes you want.

Engaging a website developer

If you require a simple website with basic functionality and have someone in your organisation with web development skills, you might consider creating your own website. There are several freely-available platforms, such as WordPress, Weebly and Wix, that can be used to create a website.

Otherwise, you’ll need to engage a web developer and decide on a platform for your site.

When engaging a developer, ensure the contract with the developer covers the following:


Once you have decided on the requirements for your website, ensure these are properly understood by the developer. Misunderstandings about requirements can be costly to fix, so make sure that both parties are on the same page from the start.

Timetable and allocation of responsibilities

Create a project timetable for implementation.

Responsibilities should be allocated to your organisation and to the developer to make it clear where the obligations lie at the various phases of the project.

The developer may expect you to perform a particular task at points throughout the development, such as conducting user testing or providing content, so make sure that you are clear about what you’re required to deliver, and when.

Price and payment

The contract should be clear on the overall price.

If fees are calculated based on hourly rates, try to cap them at a certain amount (which could increase if you agree to extend the scope).

The contract should set out when the price must be paid and payments should be conditional upon achievement of outcomes (milestone payments). To avoid having to pay for a website that does not work or meet your requirements, the contract should provide that the final payment will only be made once the website meets your level of satisfaction.

Handover and acceptance

Your contract with your developer should specify a clear acceptance process (sometimes called ‘acceptance testing’) which allows you to test the completed website and be satisfied that it meets your agreed requirements and functions without error. If the site fails the tests, the designer should have to fix the errors. If you have a staged payment arrangement, you can withhold the last payment until the site passes the tests. A documented acceptance process with clear criteria will save arguments at the end of the project.

Many web developers will provide a warranty, which means for a period after you have accepted the site (the ‘warranty period’) they may fix problems that arise with the site without charge if those problems mean it no longer meets the agreed criteria. If your development contract does not include a warranty period on development, ask your developer to include this.


Consider your security requirements at the outset. Ensure your developer creates a website that incorporates the necessary defences to protect against viruses and hacking (for example, using virus protection software, and the latest versions of apps) and consider using encryption technologies to protect data.

You should also consider how you will maintain security protections (for example, updating software) once the website development process is finished.

Maintenance and updating

Your web development contract may include a period of maintenance of the website by the developer. Your contract should specify whether this includes providing updates to keep functions current.

The period immediately after a website goes live is the time when adjustments are most likely to be required, so it can work well to have the person who developed the website provide maintenance during this time.

Intellectual property

Your web development contract should cover ownership of intellectual property – that is, the contract should specify who owns the website design, code, the content as well as any third party software that is used in the development process.

Indemnities and warranties

Include protection clauses in your contracts in the event that any disputes or claims arise in the agreement.

An indemnity clause requires one party to compensate the other for any losses that may have happened, while a warranty clause provides a guarantee that the service (website) provided will meet certain specifications. These clauses are important to include as they help reduce risks and ensure that both your organisation and the website developer are fully aware of the obligations and responsibilities in the event of any issues arising from the contract.

Specific items

You may want to address items that are specific to your website in the contract. These might include, for example:

  • hosting and domain registration – a clause on who is responsible for purchasing and registering a domain name and arranging for the hosting of the website
  • Content Management System (CMS) – a clause specific to the type of CMS (software that helps the user create, manage, and modify the content on a website without the need for technical knowledge) that will be used
  • Search Engine Optimisation (SEO) – any SEO requirements for the website, including keywords, meta descriptions or any other on-page optimisation elements

Developing website content

Your website may consist of content created by you, as well as material created by others. Take steps to protect your own content, and make sure that you are using any content owned by others in a lawful and respectful way.

Restricting access to content

Unless you set up restrictions, all material on your public website can be easily accessed – and potentially copied − by any member of the public.

If you want to restrict access to a limited group, you need to ensure that you use appropriate controls. This may include protecting the information with a password, and placing it behind paywalls. Talk to your developer if this is important for your site.

Protecting your content

There are ways to make information displayed on a website less vulnerable to being copied. This is important if your content is valuable, and you don’t want others to be able to ‘copy and paste’ your content.

For some sites, you may want to make it easy, rather than hard, to copy content – it depends on the purpose of your site.

Some methods to protect content include:

  • ensuring encrypted communications with secure HTTP when transferring information
  • using pdf files (scanned or generated) with appropriate locks on usage
  • using flash routines with locks on usage
  • using JavaScript routines
  • using content protection plugins to prevent unauthorised copying of your website content
  • including exclusion commands to prevent indexing of certain areas of your site by search engines, and
  • educating your website users about copyright law and the important of respecting intellectual property rights

Consider which method is appropriate, depending on the type and sensitivity of the information you wish to protect. Remember – anything displayed on the screen can be copied, even if not in a pure digital content format (someone can simply take a photo of the content).

Regardless of the purpose of your site, protect your original content by putting appropriate copyright notices on your site. This is not strictly necessary but it alerts people to the fact that the content is protected. If you find that someone is copying your content, this may be a breach of copyright, and you can ask them to stop copying your material. If they refuse, seek legal advice.

Obtaining licences and consents to use others' content

When you populate your website, you might do this using content sourced from other people. Any images, quotes, routines, fonts and other content not created by your organisation must be properly licensed to you from the owner of that content (or their licensees).

You must verify that the person giving the material to you has the proper intellectual property rights to allow your use in the manner you intend. That doesn’t necessarily mean they need to own the copyright (for example, as the original author), but if they don’t, they need to have the proper licence to allow them to sub-license you to use it, including in the way that you want to use this content.

You must have consent to use quotes from, or images of people on your website (including clients and staff). It’s not enough that an image or statement has been provided to you for another purpose – make sure the person is aware that you intend to use it on your website, and get specific consent for that use. In practice this involves:

  • checking that any designers or contractors you use to provide content have the relevant approvals and licences to use the material they include on your website, and
  • if you are developing content, checking that you have purchased any licences required and have received appropriate consents

Some material may be licensed under Creative Commons. Creative Commons licences are free licences that allow you to share and reuse material legally in certain circumstances. A content owner may choose to license their material under Creative Commons if they are interested in allowing people to use that material for free.

If you want to incorporate material licensed under Creative Commons into your own website, first check that the type of Creative Commons licence allows you to use it for your purposes.

For more information, see Creative Commons Australia’s website.

Maintain a record of all licences and consent agreements. This will help you demonstrate compliance if there is a legal dispute or challenge to your use of website content.

Referencing other websites and materials

If you want to link to another website, you can:

  • provide a link in the form of an type address, which visitors to your site can click to be taken to the site, or
  • ‘frame’ the site so that the content still appears to be on your website, but contains a mini-site within a frame showing the content of the other website

Providing a link to the other website allow visitors to access the source material. Consider highlighting to the user that they are leaving your website when they access the link.

If you choose to ‘frame’ the site on your website, ensure you get written approval from the website being framed. If you don’t have approval, you may face allegations that you tried to pass off this information as your own. Also consider whether your organisation is comfortable taking responsibility for the accuracy of the information on the framed site, as it could be seen as being adopted by your organisation.

Verifying materials and resources

When you include materials you haven’t created yourself, it’s important to verify that the material is accurate and to present it in a way that is not misleading.

Depending on how you use the materials, they may be seen as emanating from you, being endorsed by you, or you may be taken as confirming them. This could mean your organisation may be legally responsible for the content, even though you didn’t write it. Verifying the accuracy will limit your exposure.

If you are unable to verify the accuracy of material, you could simply provide a link. Be careful not to imply that you are recommending its use or adopting it. If you have doubt about its veracity or authenticity, it’s best not to use it.

Some content is more risky to link to or include in your website – for example there could be serious consequences of linking to false or misleading health or legal information.

If you are linking to potentially risky content, verify the resources, or be very careful to explain that by providing a link to the resources you are not confirming their accuracy or endorsing their content. This must be a genuine statement. If the overall impression is that, despite your disclaimer, you are really endorsing the content, you may be liable for that content.

Identifying your community organisation on your website

As with any published material about an organisation, you must properly identify your organisation’s name and ABN (if applicable).

It’s also important to include methods for people to contact you – for example, a physical or postal address of the business, at least one general email address, or a phone number. The use of live chats is an increasingly popular method of contact on websites. These allows visitors to communicated with the organisation in real time.

Links to your organisation’s social media links also provide a platform for visitors to communicate with you – through direct messaging or commenting on posts.

For more information, see our fact sheet on social media and your organisation.

Depending on your activities, you may need to display other licence numbers such as fundraising licences.

Website terms and conditions

Most websites should have a set of terms and conditions. They may range from minimal to complex, depending on the purpose and functions of the website.

If your organisation proposes to conduct fundraising, trade promotions, or e-commerce transactions through a website, you need to consider including separate terms and conditions for these functions, after seeking appropriate legal advice.

The terms and conditions need to be clear and understandable.

Terms and conditions for a not-for-profit organisation’s website should generally set out:

  • definitions of any terms or phrases contained in the terms and conditions that may be unclear to users
  • the terms of use of the website, including a limitation of your organisation's liability for the user's use of the website
  • who is entitled to seek services from your organisation via the website (if access is limited)
  • who is eligible to use the website and any age restrictions that may apply
  • any terms around provision of services that your organisation provides through the website
  • that information and materials displayed on the website are owned or licensed by you and must not be copied, and how users are entitled to use it
  • disclaimer or limitation on liability in relation to links to other websites and their content, and in connection with services provided by them
  • if you have forums or comment sections, rules around how comments can be made, behaviour expected, and that you may moderate content if it is deemed inappropriate
  • a statement of the law and jurisdiction applicable to any disputes about the site (remember that the Internet is global)
  • if you collect personal information from users, a reference to your privacy policy
  • the reservation of rights such as modification or termination of the website, and the retention of rights implied by law
  • contact information for users who have queries about the terms and conditions or the website in general

Community standards

Many websites that allow for comments and discussion establish and enforce a set of community standards. Breaches of community standards may result in the offending content being removed, or the account from which it was posted being banned.

As the operator of a discussion forum, you should ensure the conditions of posting and consent are covered in your website terms and conditions or special terms and conditions for the forum.

You will need to make sure that the page is monitored for abusive, illegal or defamatory content, as you may be liable as a publisher for defamatory content if you don’t remove it. This may be the case even if your role in allowing it to be posted was only a passive one. For this reason, it’s important to remove any content that may be defamatory quickly.

For more information, see our fact sheet on defamation laws.

If it’s important from a risk management perspective to make sure people have read your terms and conditions, you can ask users to click a button to indicate they have read and understood the terms and conditions and agree to be bound by them.


Do not simply adopt another organisation’s terms and conditions. The circumstances between organisations vary considerably.

It’s generally worth engaging someone with legal experience in this area to develop specific terms and conditions for your website to make sure you’ve covered everything relevant to your organisation and that the protections you need are put in place.

Your terms and conditions should include the date when they were last modified.

As with other information on your website, it’s important for a user to know when your terms and conditions were last updated so they know whether they have changed since they last viewed your site. Depending on the functionality of the website, it may also be advisable to retain a copy of each modified page of the website to allow you to check how the site appeared at a particular time when it was viewed by a user.

Finally, users should be able to download and print your terms and conditions.

Privacy laws and privacy policy

If your organisation is setting up a website, it may need to comply with the Privacy Act 1988 (Cth) (Privacy Act). If the Privacy Act applies, you must have a privacy policy that sets out how your organisation collects, uses, discloses and manages personal information. You will also need to provide a collection statement when you collect the personal information.

For a detailed guide to the Privacy Act requirements, including:

  • whether the Privacy Act covers your organisation
  • the definition of certain terms such as ‘personal information’ and ‘reasonably identifiable’, and
  • recent updates on privacy law that may affect you,

see our webpage on privacy.

Privacy policy

Your privacy policy should set out how your organisation collects, uses, discloses and manages personal information.

It should include information on:

  • the kinds of information you collect and hold
  • how you collect the information (including any automatic collection by the website, such as through cookies)
  • how the information is stored and secured, including any security measures or protocols that are in place to protect user data
  • the purposes for which it is collected and used (for example, to provide services or for marketing purposes)
  • whether you are likely to disclose the information overseas (and if so, where)
  • how the person may access and correct their information
  • how a person can opt out of certain types of data collection or sharing (for example, through unsubscribing from email lists or adjusting browser settings), and
  • how the person may make a complaint

You should publish a copy of your privacy policy on your website, so people can easily locate it.

If you collect personal information from website users, you should reference your privacy policy in your website’s terms and conditions.

What is personal information?

Personal information is information or an opinion about an identified person, or a person who is reasonably identifiable.

Personal Information encompasses a broad range of information – examples of personal information include a person’s name, signature, address, telephone number, date of birth, health information such as medical records, financial information including bank account details, as well as commentary or opinion about a person and photographs of a person.

Personal information does not include aggregated, de-personalised or anonymous information.

Collecting personal information

Organisations must:

  • use lawful and fair practices to collect personal information, and
  • only collect personal information if it is reasonably necessary for the organisation’s functions or activities

The information should generally be collected directly from the person, but if it isn’t, the organisation should ensure that the person is aware that the information has been collected.

At the time of collecting personal information, an organisation must make sure that the person knows:

  • who the organisation is and how to contact them
  • the purposes for collecting the information and who the organisation may disclose the information to, and
  • how to access the information or make a complaint

This can be done using a collection notice.

Note that there are greater restrictions around collection of sensitive personal information, which includes health information and information about the person's ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership and criminal record. Collection of sensitive information generally requires consent (rather than just notification through a collection notice).

Some website operators use cookie consent pop-ups to inform users about cookie use and to obtain the user's consent. These pop-ups are required under Australian law as part of complying with the Australian Privacy Principles.

If you will be collecting personal information through cookies, you must disclose this in your privacy policy.

Using and disclosing personal information

Unless consent is obtained from the person to use or disclose the information for another purpose, personal information may only be used or disclosed for the purposes for which it was collected.

Disclosure may only be made outside Australia in circumstances where the recipient is subject to substantially the same privacy obligations (ie. the overseas laws are to the same standard as Australian law).

If you store information in the cloud, or process the information using cloud based services, this might involve a transfer of the information outside Australia.

Note that using personal information for direct marketing or fundraising activities may trigger extra obligations.

Storing personal information

Organisations must take reasonable steps to ensure personal information is accurate, up-to-date and complete.

People have a right to access their personal information and to have it corrected. Personal information should be destroyed or de-identified once it’s no longer needed.

Organisations must also take reasonable steps to protect the security of personal information and prevent misuse, loss, or unauthorised access and disclosure. If your website is used to collect or store personal information, you must make sure it has appropriate security measures in place.

You need to disclose if personal information will be sent or stored overseas (for example in cloud storage). This can be done in your privacy policy (as noted above).

Refer to our Privacy Guide on our privacy webpage for more information.

Your organisation may also have an obligation to comply with the Notifiable Data Breaches Scheme. If it has this obligation and a data breach occurs that is likely to result in serious harm to people whose personal information is involved in the breach, you will have to act quickly to take certain steps. Among these, you may be required to notify affected people and the Office of the Australian Information Commissioner. You should seek legal advice about whether this scheme applies to your organisation.

See our webpage on privacy for more information.

The content on this webpage was last updated in October 2023 and is not legal advice. See full disclaimer and copyright notice.

Apply for free legal help

Provide feedback