Anti-spam, Contract, Copyright, Privacy, Tort
comments 2

Legal checks when building a content-driven WordPress website


Recently I’ve built two blogs (both running on WordPress of course). The first is this one and the second is a blog for a group of lawyers in the United Kingdom. The purpose of the second blog is to enable the lawyers to share their knowledge and thoughts on a particular area of practice with clients, potential clients and the wider legal community. As well as building the site, I also attended to the usual legal and related issues that arise with a content-driven website like a blog, just as I did for this site which is similar in many ways.

I’ve done this sort of thing many times in the past, for myself, for colleagues and for clients. Each time I do it, I run through a range of legal and related checks in my mind that ought to be covered off. I thought it might be useful to document the checks for others building similar sites. The purpose of this post, then, is to do exactly that.

The checklist covers the kinds of legal and related issues that arise for a content-drive site that:

  • runs on WordPress (or, to be fair, any other CMS);
  • is rich in original content;
  • uses third party images;
  • allows other people to add comments, posts or other material;
  • uses an email service like MailChimp for email newsletter purposes;
  • collects personal information and therefore may need a privacy policy;
  • expresses views on the law or some other topic of expertise and so should, ideally, have an appropriate disclaimer;
  • generates cookies and so may, depending on where you’re based (e.g., Europe), need to have a separate section on cookies;
  • resyndicates, in say a sidebar, headlines or more from another site’s web feed; and
  • allows others to re-use the posted content under a specified Creative Commons copyright licence.

(I don’t get into hosting issues in this post. Personally I use WPEngine for my newer sites and am happy with the uptime, speed and service I receive.)


Here’s a quick-fire checklist. Afterwards I discuss each topic in more detail for those who’d like to go deeper:

Checklist of legal and related checks for those building content-driven WordPress sites

Textual post content

  • Do you own the copyright in the content of your proposed posts or are you otherwise permitted to reproduce it?
  • If you’re posting an article that has been published elsewhere (e.g., in a commercial publication), do you have the right to publish it on your blog?

Third party images

  • Are you entitled to use, in your posts, the images that you propose to use?
  • If you’re licensed to use them (e.g., under a Creative Commons licence), are you complying with the licence’s attribution requirements?

Comments or other user-generated content

  • Will you let others add comments or other content to your site?
  • If so, do you need to obtain a licence to re-use content posted to your site by others for purposes other than reproduction on the site itself?
  • Do you propose to moderate users’ comments/content and, if so, when? Have you considered the administrative burden that moderation can entail if you receive voluminous comment?
  • Do you need or wish to protect yourself from liability arising from material posted to your site by others that infringes third party rights?
  • If you’re seeking rights and obligations from your users, have you put a mechanism in place (e.g., a browsewrap or clickwrap mechanism) that secures their agreement?

Email services like MailChimp

  • If you’re using a service like MailChimp, does the service or the way you’ve configure it comply with the anti-spam laws (if any) that you need to comply with? (Solid services like MailChimp are great on this front.)
  • If you’re using such a service and are in Europe (for example), is personal information transferred outside the European Economic Area and, if so, is that lawful under your data protection laws?

Privacy policies

  • If your site collects or enables the provision of personal information, should you or must you have a privacy policy?

Disclaimer and exclusions of liability

  • Is it desirable to add a disclaimer and liability exclusion to your site?


  • Does your site, or third party services you use in conjunction with it, generate cookies?
  • If so, does your country have cookie laws (such as those in Europe) that require disclosure of the use of cookies and some form of user consent to their use?
  • If so, have you complied with those laws?

Republishing another site’s web feed content

  • If you propose to republish content from another site’s web feed on your own website, have you checked whether there are governing terms of use?
  • If the site in question does not expressly grant permission to republish, have you sought permission from the site owner?

Creative Commons licensing of your content for re-use

  • Do you wish to license your post content for re-use by others?
  • If so, which of the six Creative Commons licences best serves your purposes and is there any third party content in your posts that needs to be excluded from the scope of the licence you grant?


In the remainder of this post, I discuss the above topics in more detail. Before doing so, I should perhaps note that not every WordPress site owner will think about or be concerned about such issues (someone writing a blog about cats, for example, is unlikely to run into too much trouble). I suggest, however, that the more commercial your site is or the more important it is to you, the more important it is to take these issues into account.

Textual post content

Is the textual content of posts your own original content? Usually the answer will be yes, in which case you’ll own the copyright in it and no issue arises. But if you’re using all or a substantial part of someone else’s textual content for a post, you’ll need to make sure you have their permission to reproduce it (otherwise you could well infringe their copyright and make them unhappy).

There’s also another scenario that can catch people out sometimes. That’s where you’ve written a story for another site and the terms you’ve agreed to in submitting the story include an assignment (transfer) of copyright in the story to the other site owner. If you’ve assigned copyright in your story to someone else, you can’t reproduce it on your own site unless permitted to do so by the other person, as you’ve handed over the reproduction right to them. Sometimes the terms of the arrangement will grant you a licence back but in many instances they won’t. This can be the case where you’ve written a story for a commercial publication. If you have assigned/transferred copyright, you’ll need to check whether you were granted a licence back that allows you to reproduce the story on your own site or seek permission from the other site owner. And if you’re about to post an article to another site, you might want to check if there any terms that would prevent you from publishing it on your own site. If there are, you might want to try to negotiate an alternative position with the site owner.

Third party images

It’s fairly commonplace for people to do a Google image search for an image they’d like to use in their post, save that image to their computer and then use that image in their post. Legally this is a no-no because, unless the owner of the image has licensed it for re-use (as people sometimes do, for example, on Flickr) or the image is in the public domain (being on the Internet doesn’t mean it’s in the public domain), your reproduction of it will almost certainly be an infringement of someone else’s copyright. If the owner finds out, you could find yourself on the receiving end of a stroppy email or phone call or a cease and desist letter from a lawyer. It’s much better, I suggest, to use images that are Creative Commons licensed (e.g., on Flickr; and make sure the licence in question gives you the rights you need in your circumstances and that you comply with the attribution requirements) or for which you’ve purchased a licence (from the likes of iStock, Bigstock, Shutterstock, etc) or which are in the public domain after having CC Zero applied to them (as is the case with Unsplash).

This is an example of an image from Unsplash to which CC Zero has been applied. It's now in the public domain. (It's true, I love old VWs, particularly Beetles.)

This is an example of an image from Unsplash to which CC Zero has been applied. It’s now in the public domain. (It’s true, I love old VWs, particularly Beetles.)

Comments or other user-generated content

Whether to allow comments on a site isn’t a legal issue (of course) but a decision to allow comments or other user-generated content does give rise to legal considerations.


If you allow others to post content to your site, three broad issues arise:

  • whether you need to obtain a licence to re-use content posted to your site by others for purposes other than reproduction on the site itself (e.g., you might want to publish helpful comments in an ebook);
  • whether to moderate content and, if so, when; and
  • how to protect yourself from liability arising from material posted to your site that infringes third party rights.

Licence to re-use others’ content

As to the first issue, if you wish to use comment or other content posted by others for purposes other than reproduction on your site, it’s advisable to obtain a licence from them prior to their submitting the content. Otherwise they could complain later on that they never allowed you to use their content for any purpose other than the site to which they posted the content. Sometimes the risk here will be small, but better to be safe than sorry I reckon. I set out some sample provisions further below.


Turning now to the question of moderation, you’ll want to consider whether to review and approve the content before it goes live or to let it go live without review (with or without post-publication review on your part). In either case, there is always the potential for content that infringes another person’s copyright or is defamatory of another person to be posted to your site without you recognising it. (Note that in some countries there are statutory defences to copyright infringement and defamation where another person posts copyright infringing or defamatory content to your site without your active involvement and knowledge; the defences usually apply until you know the content is infringing or defamatory, upon which you must take it down or expose yourself to the risk of legal action). Spam can also slip through, even when you use a plugin like Akismet. Personally I don’t let comments go live without reviewing them first. There’s too much spam and other crud floating around the Internet that might otherwise make it on to your site. That’s just me, of course. You may be less concerned about that sort of thing.

Legal protections

Regardless of whether and when you’ll moderate content posted by others, you may wish to include terms of use on your site, that contain legal protections for you, to which people must agree when posting content. I set some of them out shortly.

Sample clauses

The kinds of clauses that provide you with a licence for subsequent use of user-submitted content and that protect you to some extent from the consequences of infringing, defamatory or other offensive material being posted to your site are as follows (note that these sample clauses cannot insulate you from an action by the true copyright owner or a person defamed; rather, they seek to give you a right of action against the person that posted the offending content in the event that you were to be sued by the copyright owner or person defamed):


My copyright: Unless indicated otherwise in specific posts or pages, I or my licensors own the copyright in material on WP and Legal Stuff. You may download, print and store the textual content of my posts and pages for personal or internal organisational purposes. Except where I grant you broader rights in relation to specific content, either on the site or when you ask, all other rights are reserved.

Your copyright: You retain any copyright in contributions you post to the site or send me by email, such as lengthy comments on posts and articles (by the way, these contributions will be considered non-confidential). You grant me a non-exclusive, royalty-free, transferable and irrevocable licence to copy, adapt and print your contributions and to publish them in any media and in any format, including on this website and any related website, and in any podcast, web feed, book, ebook or email newsletter.

Other people’s copyright: If your contributions to the site include all or a substantial part of another person’s copyright work (or any other third party intellectual property), you promise that you have the right to submit it to the site for publication and to grant me the licence mentioned in the previous paragraph.

Unacceptable use

You agree that you will not post or transmit to or from the site any material that is illegal, obscene, defamatory, threatening, infringing of intellectual property rights, confidential, invasive of privacy or otherwise injurious or objectionable. If you do, you agree that you’ll indemnify me against all losses, damages and costs (including legal costs) I may suffer as a result of your breaching this term.

Agreement mechanism

It’s important to include a mechanism on your site by which people will be taken to have agreed to such terms. Putting the terms in a footer.php file that displays small text at the bottom of each page is unlikely to suffice. It’s far better and safer to use either an appropriate “browsewrap” or “clickwrap” mechanism.

A browsewrap mechanism can consist of a link to the terms of use with an accompanying statement, in close proximity to the comment or post ‘submit’ button, along the lines of:

In submitting comments to this site, you will be taken to have agreed to the terms of use [“terms of use” is linked to the actual terms of use, which will open in a separate window/tab or pop-up when clicked]

The standard clickwrap mechanism is a check box that must be clicked before a comment (for example) can be submitted. Some consider this approach to be the ‘gold standard’, if you will.

Including a browsewrap mechanism for those who submit comments can be achieved in various ways. One way is to add some code to the relevant file in your theme, along the lines referred to above, to produce something like this:

Sample agreement text above submit button

If you’re allowing people to add posts to your site using a forms plugin like Gravity Forms, again, inclusion of a browsewrap mechanism is fairly simple. You can just add an appropriate field before the submit button, like this:

Agreement text in a Gravity Forms field

If you’d prefer a clickwrap mechanism for those who submit comments, various plugins exist to make this possible: I Agree, Agreeable and no doubt others. (I’ve not tested these because, in the past, I’ve usually used a browsewrap method for comments forms). If you’re allowing people to add posts to your site using a forms plugin like Gravity Forms, again, inclusion of a clickwrap mechanism is fairly simple. You can, for example:

  • include a checkbox and some appropriate text before the submit button, and set up conditional logic for the submit button so it’s only clickable when a ‘click to agree’ checkbox has been selected (you’ll find the conditional logic option for the submit button in the “Form Settings” for the form); or
  • purchase and install the Gravity Perks plugin which includes a GP Terms of Service Perk (it helpfully adds a “Terms of Service field to the available Advanced Fields”).

This is what the Gravity Perks Terms of Service Perk can produce:

GP Terms of Service Perk

(I really like the look of the Gravity Perks solution. Must grab myself a copy of that one day. The developer behind it has done some work for me in the past. Top notch.)

Email services like MailChimp

If you use a service like MailChimp, you’ll probably want to ensure it complies with your local anti-spam laws (if you have them) and that transmitting personal information to MailChimp and having MailChimp store it on its servers is consistent with your local law (this latter issue can arise in Europe given its fairly strong Data Protection Directive that is implemented in the local laws of Member States). In some countries, like mine, the focus of the anti-spam is on unsolicited commercial electronic messages. Sometimes your messages won’t be commercial but they could be if you’re promoting goods or services.

MailChimp is the service I use. I’m comfortable it complies with the anti-spam laws that apply to me and, given its focus on legal compliance, I suspect it complies or can be configured to comply with the spam laws of most countries.

If you’re in Europe (and to cut a long story short), personal data can be transferred to a US-based service (like MailChimp) if those to whom the personal data relates consent to the transfer or if the US entity receiving the data has signed up to and complies with the US-EU Safe Harbor Framework. MailChimp, for example, complies with the Framework (see clause 12 (Safe Harbor Certification) of its Privacy Policy), so there’s no problem there. In a privacy policy I drafted for the UK blog I mentioned earlier, I included this clause for completeness:

Who holds the information

We will hold the information. You can contact us via [email address].

This website is hosted by WP Engine and we use MailChimp to manage our mailing list so these services will also hold certain information on our behalf. They are based outside the European Economic Area (EEA) but comply with the US-EU Safe Harbor Framework. In supplying any personal information to us, you consent (1) to our transferring the information to these services (and therefore outside the EEA), (2) to our use of these services to store and process your information and (3) to the collecting, processing and storing of that information in accordance with the privacy policies of WP Engine and MailChimp respectively, to the extent relevant. The privacy policy of WP Engine is available at and the privacy policy of MailChimp is available at

Collection of personal information

If you collect personal information from people who use your site (e.g., their names, email addresses, physical addresses, attributes, etc) it may be either good practice (in some countries) or a legal requirement (in others) to have a privacy policy, the purpose of which is to explain to people what information you collect, how you will use it, whether you’ll transfer it to others and so forth. This enables people to make informed choices and to understand how you will handle their personal information. The privacy policy on this site illustrates what (I hope) a user-friendly privacy policy can look like and, if you like, you can auto-generate your own one based on mine through the form in the post Would you like a privacy policy like mine?

Disclaimer and exclusions of liability

If you’re writing posts on which people could rely, you may wish to include a disclaimer and exclusion of liability. In many countries, particularly common law countries like the United Kingdom, Australia and New Zealand, the primary purpose of a disclaimer is to defeat an argument by a would-be litigant, who has suffered loss through relying on what you’ve said, that it was reasonable for that person to rely on what you’ve said on your site. Defeating that argument will usually mean that the disgruntled reader will be unable to establish the tort of negligence. Essentially, readers act on what you’ve said on your site at their own risk.

This is the term I’ve used on this site:

No legal advice, disclaimer and exclusion of liability

The material on this site is for general informational purposes only. It does not take into account your specific requirements or circumstances, does not constitute legal or other advice to you or anyone else and you rely on it at your own risk. I’ll try to write helpful content but I disclaim and exclude all liability for any claim, loss, demand or damages of any kind (including for negligence) arising out of your use of the site or any information on it or any other website to which it links. You agree that I will not be liable to you for any such claim, loss, demand or damages.

Some will say this is overkill but, let’s face it, there are some litigious folk out there in some countries. Because I’m discussing legal matters on this site, I’d rather be safe than sorry.


Cookies are small text files that are stored on your computer or mobile device when you visit or undertake certain activity on some websites (for further information about cookies,  see

Many countries don’t have laws that require disclosure of cookies. The laws that apply to me don’t but I disclose the existence, nature and names of cookies as best I can anyway (within privacy policies), as I consider it good practice to do so.

By contrast, in Europe, for example, there are specific (and controversial) cookie laws. Following an amendment to the European E-Privacy Directive in 2009 and its subsequent implementation into local law by Member States, website owners in European Member States are required to:

  • provide clear and comprehensive information about any cookies they are using; and
  • obtain consent to store a cookie on a user or subscriber’s device.

There are some narrow exceptions, namely, where the use of a cookie is:

  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The United Kingdom’s Information Commissioner has produced excellent guidance for UK website operators. That guidance explains the rationale for the cookie rules as follows:

“The rules in this area are essentially designed to protect the privacy of internet users – even where the information being collected about them is not directly personally identifiable. The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognise them via the device they are using, without their knowledge and agreement.

WordPress site operators will often used third party services on their site that set their own cookies. In relation to these sorts of cookies, the UK’s Information Commissioner says this:

“… we would advise anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device.”

The Information Commissioner recognises (rightly in my view) that this is “one of the most challenging areas in which to achieve compliance with the rules”.

How a website operator in a European Member State complies with the rules will depend on the nature of the site and the cookies used, together with any specific requirements of their local laws and regulators. You do, of course, need to know what cookies your site sets, either itself or through the use of third party services, to be able to comply. A particularly thorny issue is whether prior consent is required, i.e., whether a user needs to give active consent before a cookie is set, or whether some proximate form of implied consent will suffice, e.g., by using a pop-up that says something like:

“This site uses cookies to [improve your user experience]. By using this site you agree to these cookies being set. To find out more see our cookies policy”.

This is of huge practical significance for many site operators. In its guidance, the UK’s Information Commissioner suggests that implied consent may suffice in some cases and, significantly, in recent times the Information Commissioner has taken precisely that approach for its own website (see Changes to cookies on our website).

Cookie controlAs you can see from this screenshot, the Information Commissioner’s website informs users that the site has (already) set cookies and then gives them the option of saying they’re fine with this or to use a tool to change the settings. This is good news for those in the UK as it’d probably be mighty difficult for the average website operator to use certain third party tools, like Google Analytics, if it had to obtain informed consent before the cookies were set. It’s also useful to look at the approaches taken by European law firms. Take a look, for example, at the websites of TaylorWessing, Ashurst and Olswang.

There are many WordPress plugins that seek to enable those in European Member States to comply with the European cookie laws. In the past I’ve used Creare’s WP Cookie Banner plugin which can be configured to do a pretty good job, along the lines of the approaches linked to above.

Resyndicating content from another site’s web feed

Some people like to resyndicate/republish, on their own blogs, content from the feeds of other sites and channels. They may do so by publishing (e.g., in a sidebar) the post headlines with links to the source site or they may publish excerpts from the posts or the entire post content (with or without links back to the source). There are numerous WordPress plugins and widgets that enable you to do this. Some, like FeedWordPress, allow you to parse the feed and create posts on your own site from the content. Others just check a feed’s content when your site is loaded and display a list of headlines, without writing to your database. The real question, though, is whether this is a good idea? Well, it depends (don’t you hate it when lawyers say that).

Taking and republishing others’ feed content without their permission (i.e., without a licence) is not a good idea, as more often than not the feeds will comprise copyright content. If such permission is not obvious from terms on their site or from the feeds themselves and there is any risk of adverse action upon re-use, the safest bet is to request permission and, if granted, obtain written confirmation. Failing to do so could prompt the content owners to complain of copyright infringement.

Equally, even where a general consent to resyndicating feeds is apparent from an organisation’s site, you may need to take care that you comply with any terms accompanying that consent. To give you an example, the New Zealand Herald news site expressly “encourage[s] the use of NZ Herald RSS feeds as part of a website or weblog”.  At the same time, its RSS licence terms require, among other things, that NZ Herald’s headlines are displayed in the exact form received, are not modified without their consent and that the resyndicating website stipulate that the headlines are supplied by

Allowing others to re-use your posted content under a Creative Commons licence

Sometimes it may be in your interests to allow other people to republish your post content, with attribution back to you and your site as the source, so as to further promote your knowledge and brand. The Creative Commons licences provide the perfect means to do this.


Thanks to Kristina Alexanderson for sharing this photo under a Creative Commons Attribution 2.0 Generic licence.

For those not familiar with Creative Commons, here’s a short intro: Creative Commons is a non-profit organisation founded in the United States in 2001 by proponents of reduced legal restrictions on the sharing and use of copyright works. Headquartered in California, it also has affiliate organisations around the world. It aims to establish a middle way between full copyright control and the uncontrolled uses of intellectual property. To do so, it provides a range of copyright licences, freely available to the public, which allow those creating intellectual property to mark their work with the freedoms they want it to carry. As Creative Commons puts it on its website:

“Our tools give everyone … a simple, standardized way to keep their copyright while allowing certain uses of their work — a “some rights reserved” approach to copyright — which makes their creative, educational, and scientific content instantly more compatible with the full potential of the internet. The combination of our tools and our users is a vast and growing digital commons, a pool of content that can be copied, distributed, edited, remixed, and built upon, all within the boundaries of copyright law.”

There are six Creative Commons licences. The licences all confer a set of baseline rights on licensees (e.g., as to copying, use and distribution) and a set of baseline obligations and restrictions (e.g., licensees cannot sublicense the licensed work and they must not falsely attribute the work to someone else). All of the licences also contain one or more “licence elements”. There are four Creative Commons licence elements: Attribution, NonCommercial, NoDerivatives and ShareAlike. The Attribution element is common to all of the licences. The other three elements are used in different combinations across five out of the six licences. Here’s a handy video produced by the New Zealand Creative Commons affiliate (Creative Commons Aotearoa New Zealand) that explains the licences in more detail:

Before you license your content for re-use, you’ll want to consider whether doing so could conflict with your commercial or other interests and if one form of Creative Commons licence is preferable to another. For example, if you’re going to monetise your content, you may wish to choose the Creative Commons Attribution NonCommercial 4.0 International licence, which lets others remix, tweak and build upon your work non-commercially with credit to you (their new works must also be non-commercial). I’ve taken this approach before on lawyer websites. For example:


Unless otherwise indicated, copyright in material on the Site is owned by us or our licensors.

Your re-use of copyright material on this Site

Unless otherwise indicated, copyright material on this Site is licensed under the Creative Commons Attribution-Noncommercial 4.0 International licence. In essence, you are free to copy, distribute and adapt such material for non-commercial purposes, as long as you attribute the material to us and abide by the other licence terms. To view a copy of this licence, visit Please note that this licence does not extend to resyndication of the Site’s web feed(s) on third party websites. Such resyndication without express permission is prohibited.

Exclusions from licence

The licence above does not apply to the [name of business] logo or to photos and design elements on the Site, which may not be reproduced without our express written consent.

If you decide to go ahead and license some or all of your post content, you’ll want to make sure that you only license content or portions of content whose copyright you own or are authorised to sub-license under the chosen Creative Commons licence. For example, if you use third party stock images in your posts (from Shutterstock or the like) you’ll need to exclude them from the scope of the licence you grant as you won’t be permitted to sub-license the re-use of those images by others under a Creative Commons licence.

You can learn more about Creative Commons and its licences, and how to apply them, at the Creative Commons website. Feel free to ask about this topic if you like, as I do quite a bit of work in this area.

Summing up

So there you have it: a range of legal issues that you may wish to consider when setting up a content-driven website. Many WordPress site owners, like other site owners, don’t consider these kinds of issues. For example, those with personal blogs often won’t be aware of all the issues or want to bother with them. As I’ve suggested above, though, the more commercial your site is or the more important it is to you, the more important it is to take these issues into account. Good luck!


  1. Pingback: Weekly WordPress News: January Recap, Post Status Membership, Negative SEO & More. – Designer News

Leave a Reply

Your email address will not be published. Required fields are marked *