The rapidly-changing world of electronic commerce continues to throw up new challenges for law-makers, for businesses, and for the lawyers who advise them. This chapter does not aim to discuss all the legal initiatives in depth, but it outlines the principal areas of legal compliance about which IT managers ought to know.
INTRODUCTION
The UK’s first conference on internet law took place in 1995, when businesses were starting to get to grips with the legal issues of doing business electronically. A frequent comment at that point was that the internet was lawless: a kind of ‘electronic frontier’, where wrongdoers were protected both by the anonymity of cyberspace and the complexities of seeking legal remedies internationally. Early commentators took the view that the law would be hard-pushed to keep up with the development of ecommerce and the new challenges to which it gave rise.
Since then, electronic commerce has entered the mainstream of business, government and personal life to an extent that even the most ardent technophile could hardly have anticipated. In the UK, 71 per cent of retailers now use ecommerce and the internet as a channel to reach their customers, according to an Office of Fair Trading (OFT) press release in July 2010. The very term ‘ecommerce’ looks almost archaic: few people draw much of a distinction now between ‘bricks’ and ‘clicks’.
Law-makers around the world have endeavoured strenuously to keep pace with the rapid developments in this field. In Europe, the broad legal and institutional framework for electronic commerce was largely in place by 2000. Ten years later, the massive growth of social networking websites, the commercial use of auction websites and technology, and the explosion of digital downloading are throwing up new challenges to conventional concepts of contract, copyright and privacy.
Against that background, this chapter will outline the following aspects of doing business electronically:
TERMINOLOGY
Information society services: ‘Any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing… and storage of data, and at the individual request of a recipient of the service’. This encompasses (amongst other things) advertising and selling goods by email or on websites, as well as network access or hosting activities. The Electronic Commerce Directive (and the Regulations that implement it in the UK) deals generally with the provision of information society services.
Service provider: ‘Any person who provides an information society service’, for example a company that sells books over the internet.
Service recipients: ‘Any person who, for professional ends or otherwise, uses an information society service, in particular for the purposes of seeking information or making it accessible’. This includes both individuals and corporate bodies. By contrast, a consumer is ‘any natural person who is acting for purposes other than those of his trade, business or profession’. The significance of the distinction is that the law imposes more rigorous requirements on service providers in relation to their dealings with consumers than in relation to dealings with other businesses.
INFORMATION TO BE PROVIDED TO CLIENTS
The starting point for any discussion of the legal aspects of electronic commerce in Europe is the 2000 Electronic Commerce Directive, which originated in the European Commission and was implemented into UK law by the Electronic Commerce (EC Directive) Regulations 2002.
One of the key aims of the Electronic Commerce Directive was to promote trust and confidence in ecommerce. One of the main ways to achieve this is by ensuring greater transparency about the identity of any service provider.
The electronic environment can make it difficult for a client to tell exactly who he is contracting with and where they are established, so the Commission proposed that certain information requirements should be imposed on all ecommerce service providers in order to help promote trust in their identity. The Directive (and the UK Regulations) accordingly set out the information that a service provider must make available to service recipients.
Besides these general information requirements, however, the law imposes an additional set of requirements in relation to consumers entering into ‘distance contracts’. These requirements arise mainly under the European Distance Selling Directive 1997 and have been incorporated into English law in the Consumer Protection (Distance Selling) Regulations 2000. These Regulations are not directed exclusively at information society service providers; they apply equally to businesses selling goods or services to consumers by mail order, telephone or fax.
However, there is a significant area of overlap between the information requirements set out in the Electronic Commerce Regulations and those of the Distance Selling Regulations. For ease of reference, a consolidated checklist of these requirements is set out in the appendix at the end of this chapter. It should be stressed, though, that certain industries may be subject to additional legal requirements or codes of practice about the information that must be provided to clients.
Information requirements under the Electronic Commerce (EC Directive) Regulations 2002
Service providers must make the following information available in a form that is ‘easily, directly and permanently accessible’ (inclusion of this information on a website should be sufficient to meet this requirement):
The Regulations also require that any statements as to prices must be ‘clear and unambiguous’ and, in particular, must indicate whether they are inclusive of tax and delivery costs. Additional information requirements apply where contracts are to be formed electronically.
Additional information requirements under the Consumer Protection (Distance Selling) Regulations 2000
Service providers must make the following information available in good time before the contract is made:
The information must be given in a clear and comprehensible manner, in a form appropriate to the means of distance communications used and with due regard to principles of good faith. The supplier must also inform the consumer if it proposes to provide substitute goods or services if those ordered are unavailable and, if so, that the cost of returning such substitutes will be met by the supplier if the consumer chooses to cancel the contract.
The Distance Selling Regulations go on to stipulate certain additional information that must be supplied either prior to the formation of the contract or, at the latest, by the time that either the goods are delivered or the services are performed. This information has to be provided ‘in writing or in another durable medium which is available and accessible to the consumer’.
The general view is that an email containing this information should suffice because the consumer can then decide whether to store the information electronically or to print it. The additional information consists of:
It should be noted that failure to provide this additional information has implications for the enforceability of the contract because the duration of the client’s right to cancel a distance contract depends primarily on the date on which this information is provided.
FORMING CONTRACTS ELECTRONICALLY
Legal structure of a binding contract
Under English law, the following elements must be present in order to create a legally binding contract:
This analysis of the elements of offer and acceptance is important for any business that sells its goods or services electronically. The general rule is that a contract is formed when an offer has been accepted. But displaying products and prices in an electronic ‘shop window’ can amount to a unilateral offer that, if accepted, can create a legally binding obligation on the part of the supplier to fulfil an unlimited number of orders on those terms. There have been numerous illustrations of retailers being caught out by this principle such as the Hoover Air Miles debacle in the late 1990s. In the ecommerce space specifically, Argos was an early casualty in 1999, when it suffered some embarrassing adverse publicity after inadvertently advertising £299 television sets on its website at a price of just £2.99, with thousands of orders being placed before the error was noticed. (Argos managed to make a similar mistake a few years later, but many other companies, including Amazon, Kodak and PC World, have experienced similar situations.)
For this reason, it is important to ensure that offerings on a website are structured not as ‘offers’, but rather as ‘invitations to treat’. In other words, the website does nothing more than invite offers from potential clients to purchase at the stated price, with the supplier then free to accept or reject the offer as it sees fit. The website should also state that no contract is formed unless and until the supplier has notified the client that it accepts the order. The risk can also be ameliorated by ensuring that the website terms and conditions include some suitable disclaimer wording, along the following lines:
‘While we try and ensure that all the prices shown on our website are accurate, errors may occur. If we discover an error in the price of goods you have ordered we will inform you as soon as possible and give you the option of reconfirming your order at the correct price or cancelling it. If we are unable to contact you we will treat the order as cancelled. If you cancel and you have already paid for the goods, you will receive a full refund.’
Other legal formalities
The Electronic Commerce Directive requires all EU member states to ensure that their national law allows contracts to be concluded by electronic means and recognises the legal effectiveness of agreements formed in this way. (This was not really in doubt in the UK, but other member states had to get to grips with new and very different rules about the form of a contract in light of the Directive.)
There are some predictable exceptions to this general rule (e.g. contracts for the sale of land or those governed by family law), but the law is clear that the majority of commercial agreements can now be formed electronically and that electronic contracts should be upheld by the courts.
The Directive (and the UK Regulations) go on to stipulate the information to be provided by service providers where contracts are concluded in this way.
Besides the general information requirements set out above, if a contract is to be concluded by electronic means, the service provider must provide the following additional information in a clear, comprehensible and unambiguous manner before the order is placed by the service recipient:
Orders placed through technological means must generally be acknowledged ‘without undue delay’ and by electronic means. (The requirements above do not apply, however, where contracts are concluded by the exchange of individual emails.) Any contractual terms and conditions provided by the service provider must also be made available in a manner that enables the service recipient to store and reproduce them.
PERFORMANCE AND CANCELLATION
As a further measure to protect consumers, the Distance Selling Directive required member states to introduce time limits for the performance of contracts by the supplier and to establish a right for the consumer to cancel the distance contract within specified time limits.
With regard to performance, the general rule is that the supplier must perform the contract within 30 days from the day following the date of the client’s order (though the parties can agree otherwise). If the supplier cannot perform the contract within that period, it must inform the consumer and reimburse any sum paid, unless the contract provided for the supply of alternative goods or services.
With regard to cancellation, the Distance Selling Regulations contain detailed provisions describing how and when the cancellation right can be invoked and the arrangements for reimbursement and the return of any products supplied. A detailed discussion of these is beyond the scope of this chapter, but the major point to note is in relation to the timing of the cancellation period. The cancellation period begins on the date of the contract and ends on a date determined as follows:
There are a few predictable exceptions to this cancellation right (e.g. contracts for the supply of goods that are likely to deteriorate rapidly, contracts where the price of the goods is subject to financial fluctuations, contracts for audio or video recordings that have been unsealed, and contracts for newspapers or magazines), but most distance contracts with consumers do now carry this statutory cancellation right. Businesses selling their goods and services electronically must therefore ensure that their staff have a thorough understanding of the cancellation rules and time limits, in order to minimise the risk of legal complaints by dissatisfied clients.
JURISDICTION
Regardless of the legality of an electronic contract, doing business across national boundaries inevitably raises questions as to whose laws apply and in which country one party may sue another. For example, Yahoo! was ordered (by a French court) to block French users from viewing an online auction of Nazi memorabilia. The website in question was hosted in the USA (and Yahoo! is, of course, a US company), but the French court decided that it had jurisdiction to rule on the application of the French law prohibiting the display of Nazi symbols.
Operating as an information society service provider
The law relating to these issues is somewhat convoluted but, in the context of ecommerce, the main rules can be found in the Electronic Commerce Directive and in the UK Electronic Commerce Regulations, which regulate the principles applicable in what is called the ‘coordinated field’ (i.e. the set of requirements that relate to information society services or service providers, concerning the taking up and pursuit of the activity of an information society service, for example requirements relating to the process of forming a contract electronically).
Under the Regulations, service providers established in the UK, whether they are selling only into the UK or also overseas, must comply with any requirements within the coordinated field. UK enforcement authorities (like the Director-General of Fair Trading) are responsible for ensuring compliance by UK service providers but have no such responsibility with regard to service providers in other member states. By the same token, the equivalent legislation in other member states means that their national enforcement authorities can take action against businesses established in their respective countries in relation to the coordinated field, but not against UK businesses. This has become commonly known as the ‘Country of Origin Principle’ or ‘Home State Regulation’.
It is important to understand the limits of this country of origin principle. It does not mean that a UK service provider is under no obligation to comply with non-UK laws. The coordinated field does not include, for example, requirements applicable to goods, so suppliers still have to be sensitive to differing national rules about quality, labelling and promotional arrangements.
The Regulations are also stated not to apply to matters such as data protection, competition law, gambling and taxation.
For companies looking to sell goods or services into non-UK markets, then, it remains as important as ever to understand the legal requirements of those overseas jurisdictions about the particular products on offer and the manner in which transactions are handled.
Consumer contracts
In terms of jurisdiction (i.e. which courts can hear a dispute), the Brussels Regulation that came into force in March 2002 provides that, in the event of a dispute based on a contract between an EU supplier and an EU consumer, the consumer will generally be able to go to his own courts to sue the supplier; or, to put it another way, the business ‘plays away’ in most cases. Any judgment given by the consumer’s ‘home’ court would be enforceable through the courts in the supplier’s jurisdiction. The other side of that coin is that a business that wants to sue a consumer also needs to do so in the consumer’s own state.
(A few non-EU countries (Iceland, Liechtenstein, Norway and Switzerland) are also covered by the Regulation, and Denmark, an EU member, opted out of the Regulation.)
A website is only caught by the Regulation if it is ‘directing’ its activities at the relevant states. There is little legal guidance on what that actually means, but a site is likely to be covered if it fulfils orders to consumers in a particular state or uses a particular state’s language or currency for promoting its products.
The problem this poses for businesses is how to protect themselves against being sued in all the different territories. Businesses dealing in consumer products or services should include terms on the website clearly indicating their target markets and should ideally block orders from purchasers with a physical delivery address in other states.
Business-to-business contracts
Different rules apply in relation to business-to-business contracts, where the parties can generally exclude the operation of overseas laws and jurisdiction by clearly making the contract subject to the jurisdiction of the English courts.
MARKETING COMMUNICATIONS
The Electronic Commerce Directive (and the UK Electronic Commerce Regulations) set out strict rules as to how businesses go about marketing themselves electronically. These rules apply to a broad category of ‘commercial communications’ (practically any communication, in any form, designed to promote the goods, services or image of a business).
It is the responsibility of the service provider to ensure that any commercial communication provided by him in connection with an information society service:
The Regulations also set out special rules for unsolicited commercial communications sent by email (i.e. spam). These must be ‘clearly and unambiguously identifiable as such as soon as they are received’: the rationale being to give the recipient the opportunity to delete them immediately without troubling to open them.
The rules for dealing with spam are now contained mainly in the Privacy and Electronic Communications Regulations 2003. Under these Regulations, businesses must generally have the prior consent of the recipient before sending unsolicited commercial email to individual subscribers.
(Note that this requirement applies equally to text (SMS) messages and to email, which raises the question of how a supplier can provide all the required information within the limit of 160 characters. At the time the Regulations were passed, the Department of Trade and Industry (DTI) guidance acknowledged this technological constraint, but concluded that the information requirements would be sufficiently met if the SMS message included the URL of a website where more information can be obtained.)
Companies should regularly consult, and respect, opt-out registers (e.g. the Email Preference Service) before sending unsolicited commercial communications.
CONSEQUENCES OF NON-COMPLIANCE
The consequences of non-compliance with the Electronic Commerce Regulations and the Distance Selling Regulations can be serious. The implications of non-compliance with the information requirements in the Distance Selling Regulations, in terms of a consumer’s rights to cancel the contract, have been outlined above.
The consumer protection aspects of the Distance Selling Regulations and the Electronic Commerce Regulations are also enforceable by authorities such as the Office of Fair Trading or local trading standards offices, who can apply for an enforcement order (also known as a ‘Stop Now Order’) from the courts, requiring the service provider to cease any breach of the Regulations that harms the collective interest of consumers. Failure to comply with a Stop Now Order can ultimately result in a fine or imprisonment.
Leaving aside consumer protection specifically, the Electronic Commerce Regulations also provide:
OTHER CONSIDERATIONS
The law relating to ecommerce and doing business online continues to change, rapidly and dramatically. This chapter has discussed the rules that are likely to be relevant to businesses generally in their dealings with consumers, but has not endeavoured to address any of the issues specific to individual sectors (e.g. there are completely separate regulations on the distance marketing of financial services) or to businesses operating as intermediary service providers or ISPs (the Electronic Commerce Directive deals at length with the liabilities of ISPs in respect of content that they ‘host’ or ‘cache’ or for which they are otherwise a conduit). Nor has it touched on some of the more advanced considerations for the service provider, such as the use of electronic signatures.
However, there are numerous other sources of information for any company seeking to establish online operations:
APPENDIX: CONSOLIDATED INFORMATION REQUIREMENTS
Information to be provided by all service providers
Note that all price indications must be ‘clear and unambiguous’ and must indicate whether they are inclusive of tax and delivery costs.
Additional pre-contract information to be provided to consumers
Additional post-contract information to be provided to consumers