The rapidly-changing world of electronic commerce continues to throw up new challenges for law-makers, for businesses, and for the lawyers who advise them. This chapter does not aim to discuss all the legal initiatives in depth, but it outlines the principal areas of legal compliance about which IT managers ought to know.

INTRODUCTION

The UK’s first conference on internet law took place in 1995, when businesses were starting to get to grips with the legal issues of doing business electronically. A frequent comment at that point was that the internet was lawless: a kind of ‘electronic frontier’, where wrongdoers were protected both by the anonymity of cyberspace and the complexities of seeking legal remedies internationally. Early commentators took the view that the law would be hard-pushed to keep up with the development of ecommerce and the new challenges to which it gave rise.

Since then, electronic commerce has entered the mainstream of business, government and personal life to an extent that even the most ardent technophile could hardly have anticipated. In the UK, 71 per cent of retailers now use ecommerce and the internet as a channel to reach their customers, according to an Office of Fair Trading (OFT) press release in July 2010. The very term ‘ecommerce’ looks almost archaic: few people draw much of a distinction now between ‘bricks’ and ‘clicks’.

Law-makers around the world have endeavoured strenuously to keep pace with the rapid developments in this field. In Europe, the broad legal and institutional framework for electronic commerce was largely in place by 2000. Ten years later, the massive growth of social networking websites, the commercial use of auction websites and technology, and the explosion of digital downloading are throwing up new challenges to conventional concepts of contract, copyright and privacy.

Against that background, this chapter will outline the following aspects of doing business electronically:

• The information to be made available to clients;
• The rules about forming contracts electronically (e.g. by email or via a website);
• The regulations about the client’s rights of cancellation;
• The determination of the applicable law if the service provider and the client are based in different countries;
• The rules concerning marketing or other commercial communications sent electronically; and
• The implications of non-compliance with UK regulations.

INFORMATION TO BE PROVIDED TO CLIENTS

The starting point for any discussion of the legal aspects of electronic commerce in Europe is the 2000 Electronic Commerce Directive, which originated in the European Commission and was implemented into UK law by the Electronic Commerce (EC Directive) Regulations 2002.

One of the key aims of the Electronic Commerce Directive was to promote trust and confidence in ecommerce. One of the main ways to achieve this is by ensuring greater transparency about the identity of any service provider.

The electronic environment can make it difficult for a client to tell exactly who he is contracting with and where they are established, so the Commission proposed that certain information requirements should be imposed on all ecommerce service providers in order to help promote trust in their identity. The Directive (and the UK Regulations) accordingly set out the information that a service provider must make available to service recipients.

Besides these general information requirements, however, the law imposes an additional set of requirements in relation to consumers entering into ‘distance contracts’. These requirements arise mainly under the European Distance Selling Directive 1997 and have been incorporated into English law in the Consumer Protection (Distance Selling) Regulations 2000. These Regulations are not directed exclusively at information society service providers; they apply equally to businesses selling goods or services to consumers by mail order, telephone or fax.

However, there is a significant area of overlap between the information requirements set out in the Electronic Commerce Regulations and those of the Distance Selling Regulations. For ease of reference, a consolidated checklist of these requirements is set out in the appendix at the end of this chapter. It should be stressed, though, that certain industries may be subject to additional legal requirements or codes of practice about the information that must be provided to clients.

Information requirements under the Electronic Commerce (EC Directive) Regulations 2002

Service providers must make the following information available in a form that is ‘easily, directly and permanently accessible’ (inclusion of this information on a website should be sufficient to meet this requirement):

• Name of the service provider;
• Geographic address at which the service provider is established;
• Contact details for the service provider (including email address) to enable direct and effective communication;
• Details of any trade or similar register in which the service provider is registered, together with the registration number;
• Details of any supervisory authority, where the provision of the service is subject to an authorisation scheme;
• Details of any professional body with which the service provider is registered and of how the applicable professional conduct rules may be accessed; and
• VAT registration number.

The Regulations also require that any statements as to prices must be ‘clear and unambiguous’ and, in particular, must indicate whether they are inclusive of tax and delivery costs. Additional information requirements apply where contracts are to be formed electronically.

Additional information requirements under the Consumer Protection (Distance Selling) Regulations 2000

Service providers must make the following information available in good time before the contract is made:

• The identity of the supplier and, where the contract requires payment in advance, the supplier’s address;
• A description of the goods or services;
• The price of the goods or services (including all taxes);
• Delivery costs where appropriate;
• Arrangements for payment, delivery and performance;
• The existence of a right of cancellation;
• The costs of using the means of distance communication in question;
• The period for which the offer or price remains valid;
• Where appropriate, the minimum duration of the contract (in cases where the supply of goods or services is to be on a permanent or recurrent basis).

The information must be given in a clear and comprehensible manner, in a form appropriate to the means of distance communications used and with due regard to principles of good faith. The supplier must also inform the consumer if it proposes to provide substitute goods or services if those ordered are unavailable and, if so, that the cost of returning such substitutes will be met by the supplier if the consumer chooses to cancel the contract.

The Distance Selling Regulations go on to stipulate certain additional information that must be supplied either prior to the formation of the contract or, at the latest, by the time that either the goods are delivered or the services are performed. This information has to be provided ‘in writing or in another durable medium which is available and accessible to the consumer’.

The general view is that an email containing this information should suffice because the consumer can then decide whether to store the information electronically or to print it. The additional information consists of:

• the identity of the supplier and, where the contract requires payment in advance, the supplier’s address;
• a description of the goods or services;
• the price of the goods or services (including all taxes);
• delivery costs where appropriate;
• the arrangements for payment, delivery and performance;
• the existence of a right of cancellation and information about the relevant conditions, procedures and costs associated with cancellation;
• the geographical address of the supplier to which the consumer may address complaints;
• information about any after-sales services and guarantees.

It should be noted that failure to provide this additional information has implications for the enforceability of the contract because the duration of the client’s right to cancel a distance contract depends primarily on the date on which this information is provided.

FORMING CONTRACTS ELECTRONICALLY

Legal structure of a binding contract

Under English law, the following elements must be present in order to create a legally binding contract:

• An offer: an expression of willingness to enter into a contract on certain terms, made with the intention that a contract will exist once the offer is accepted.
• An acceptance: the unqualified assent to the terms of an offer.
• Consideration: the element of value that each party gives the other under the contract (e.g. the provision of goods by one party in return for the payment of money by the other).
• An intention to create legally binding relations (which the law normally takes for granted in commercial contexts).

This analysis of the elements of offer and acceptance is important for any business that sells its goods or services electronically. The general rule is that a contract is formed when an offer has been accepted. But displaying products and prices in an electronic ‘shop window’ can amount to a unilateral offer that, if accepted, can create a legally binding obligation on the part of the supplier to fulfil an unlimited number of orders on those terms. There have been numerous illustrations of retailers being caught out by this principle such as the Hoover Air Miles debacle in the late 1990s. In the ecommerce space specifically, Argos was an early casualty in 1999, when it suffered some embarrassing adverse publicity after inadvertently advertising £299 television sets on its website at a price of just £2.99, with thousands of orders being placed before the error was noticed. (Argos managed to make a similar mistake a few years later, but many other companies, including Amazon, Kodak and PC World, have experienced similar situations.)

For this reason, it is important to ensure that offerings on a website are structured not as ‘offers’, but rather as ‘invitations to treat’. In other words, the website does nothing more than invite offers from potential clients to purchase at the stated price, with the supplier then free to accept or reject the offer as it sees fit. The website should also state that no contract is formed unless and until the supplier has notified the client that it accepts the order. The risk can also be ameliorated by ensuring that the website terms and conditions include some suitable disclaimer wording, along the following lines:

Other legal formalities

The Electronic Commerce Directive requires all EU member states to ensure that their national law allows contracts to be concluded by electronic means and recognises the legal effectiveness of agreements formed in this way. (This was not really in doubt in the UK, but other member states had to get to grips with new and very different rules about the form of a contract in light of the Directive.)

There are some predictable exceptions to this general rule (e.g. contracts for the sale of land or those governed by family law), but the law is clear that the majority of commercial agreements can now be formed electronically and that electronic contracts should be upheld by the courts.

The Directive (and the UK Regulations) go on to stipulate the information to be provided by service providers where contracts are concluded in this way.

Besides the general information requirements set out above, if a contract is to be concluded by electronic means, the service provider must provide the following additional information in a clear, comprehensible and unambiguous manner before the order is placed by the service recipient:

• The technical steps required to form the contract (e.g. ‘Click to confirm order’), so that the service recipient understands at exactly what point in the process he becomes legally committed to the contract.
• The technical means for identifying and correcting input errors prior to placing of the order.
• The languages offered for the conclusion of the contract.
• Any relevant codes of conduct to which the service provider subscribes and how these can be consulted electronically.
• Whether or not the contract will be ‘filed’ by the service provider (a legal concept that is primarily relevant to non-UK service providers and so is not dealt with further here) and, if so, how it can be accessed.

Orders placed through technological means must generally be acknowledged ‘without undue delay’ and by electronic means. (The requirements above do not apply, however, where contracts are concluded by the exchange of individual emails.) Any contractual terms and conditions provided by the service provider must also be made available in a manner that enables the service recipient to store and reproduce them.

PERFORMANCE AND CANCELLATION

As a further measure to protect consumers, the Distance Selling Directive required member states to introduce time limits for the performance of contracts by the supplier and to establish a right for the consumer to cancel the distance contract within specified time limits.

With regard to performance, the general rule is that the supplier must perform the contract within 30 days from the day following the date of the client’s order (though the parties can agree otherwise). If the supplier cannot perform the contract within that period, it must inform the consumer and reimburse any sum paid, unless the contract provided for the supply of alternative goods or services.

With regard to cancellation, the Distance Selling Regulations contain detailed provisions describing how and when the cancellation right can be invoked and the arrangements for reimbursement and the return of any products supplied. A detailed discussion of these is beyond the scope of this chapter, but the major point to note is in relation to the timing of the cancellation period. The cancellation period begins on the date of the contract and ends on a date determined as follows:

• If the supplier has complied properly with all the ‘additional information requirements’, the cancellation period ends seven working days after the consumer receives the goods (or after the date of the contract for services).
• If the supplier has not complied with those requirements, but provides the additional information (in writing or another durable medium) within three months of the contract date, the cancellation period ends seven days after the consumer receives the information.
• If neither of the above applies, then the cancellation period ends three months and seven working days after the consumer receives the goods (or the contract for services is concluded).

There are a few predictable exceptions to this cancellation right (e.g. contracts for the supply of goods that are likely to deteriorate rapidly, contracts where the price of the goods is subject to financial fluctuations, contracts for audio or video recordings that have been unsealed, and contracts for newspapers or magazines), but most distance contracts with consumers do now carry this statutory cancellation right. Businesses selling their goods and services electronically must therefore ensure that their staff have a thorough understanding of the cancellation rules and time limits, in order to minimise the risk of legal complaints by dissatisfied clients.

JURISDICTION

Regardless of the legality of an electronic contract, doing business across national boundaries inevitably raises questions as to whose laws apply and in which country one party may sue another. For example, Yahoo! was ordered (by a French court) to block French users from viewing an online auction of Nazi memorabilia. The website in question was hosted in the USA (and Yahoo! is, of course, a US company), but the French court decided that it had jurisdiction to rule on the application of the French law prohibiting the display of Nazi symbols.

Operating as an information society service provider

The law relating to these issues is somewhat convoluted but, in the context of ecommerce, the main rules can be found in the Electronic Commerce Directive and in the UK Electronic Commerce Regulations, which regulate the principles applicable in what is called the ‘coordinated field’ (i.e. the set of requirements that relate to information society services or service providers, concerning the taking up and pursuit of the activity of an information society service, for example requirements relating to the process of forming a contract electronically).

Under the Regulations, service providers established in the UK, whether they are selling only into the UK or also overseas, must comply with any requirements within the coordinated field. UK enforcement authorities (like the Director-General of Fair Trading) are responsible for ensuring compliance by UK service providers but have no such responsibility with regard to service providers in other member states. By the same token, the equivalent legislation in other member states means that their national enforcement authorities can take action against businesses established in their respective countries in relation to the coordinated field, but not against UK businesses. This has become commonly known as the ‘Country of Origin Principle’ or ‘Home State Regulation’.

It is important to understand the limits of this country of origin principle. It does not mean that a UK service provider is under no obligation to comply with non-UK laws. The coordinated field does not include, for example, requirements applicable to goods, so suppliers still have to be sensitive to differing national rules about quality, labelling and promotional arrangements.

The Regulations are also stated not to apply to matters such as data protection, competition law, gambling and taxation.

For companies looking to sell goods or services into non-UK markets, then, it remains as important as ever to understand the legal requirements of those overseas jurisdictions about the particular products on offer and the manner in which transactions are handled.

Consumer contracts

In terms of jurisdiction (i.e. which courts can hear a dispute), the Brussels Regulation that came into force in March 2002 provides that, in the event of a dispute based on a contract between an EU supplier and an EU consumer, the consumer will generally be able to go to his own courts to sue the supplier; or, to put it another way, the business ‘plays away’ in most cases. Any judgment given by the consumer’s ‘home’ court would be enforceable through the courts in the supplier’s jurisdiction. The other side of that coin is that a business that wants to sue a consumer also needs to do so in the consumer’s own state.

(A few non-EU countries (Iceland, Lichtenstein, Norway and Switzerland) are also covered by the Regulation and Denmark, an EU member, opted out of the Regulation.)

A website is only caught by the Regulation if it is ‘directing’ its activities at the relevant states. There is little legal guidance on what that actually means, but a site is likely to be covered if it fulfils orders to consumers in a particular state or uses a particular state’s language or currency for promoting its products.

The problem this poses for businesses is how to protect themselves against being sued in all the different territories. Businesses dealing in consumer products or services should include terms on the website clearly indicating their target markets and should ideally block orders from purchasers with a physical delivery address in other states.

Business-to-business contracts

Different rules apply in relation to business-to-business contracts, where the parties can generally exclude the operation of overseas laws and jurisdiction by clearly making the contract subject to the jurisdiction of the English courts.

MARKETING COMMUNICATIONS

The Electronic Commerce Directive (and the UK Electronic Commerce Regulations) set out strict rules as to how businesses go about marketing themselves electronically. These rules apply to a broad category of ‘commercial communications’ (practically any communication, in any form, designed to promote the goods, services or image of a business).

It is the responsibility of the service provider to ensure that any commercial communication provided by him in connection with an information society service:

• is clearly identifiable as a commercial communication;
• clearly identifies the person on whose behalf the commercial communication is made;
• clearly identifies as such any promotional offers or competitions, together with any related conditions.

The Regulations also set out special rules for unsolicited commercial communications sent by email (i.e. spam). These must be ‘clearly and unambiguously identifiable as such as soon as they are received’: the rationale being to give the recipient the opportunity to delete them immediately without troubling to open them.

The rules for dealing with spam are now contained mainly in the Privacy and Electronic Communications Regulations 2003. Under these Regulations, businesses must generally have the prior consent of the recipient before sending unsolicited commercial email to individual subscribers.

(Note that this requirement applies equally to text (SMS) messages as to email, which raises the question how a supplier can provide all the required information within the limit of 160 characters. At the time the Regulations were passed, the Department of Trade and Industry (DTI) guidance acknowledged this technological constraint, but concluded that the information requirements would be sufficiently met if the SMS message include the URL of a website where more information can be obtained.)

Companies should consult regularly and respect opt-out registers (e.g. the Email Preference Service) before sending unsolicited commercial communications.

CONSEQUENCES OF NON-COMPLIANCE

The consequences of non-compliance with the Electronic Commerce Regulations and the Distance Selling Regulations can be serious. The implications of non-compliance with the information requirements in the Distance Selling Regulations, in terms of a consumer’s rights to cancel the contract, have been outlined above.

The consumer protection aspects of the Distance Selling Regulations and the Electronic Commerce Regulations are also enforceable by authorities such as the Office of Fair Trading or local trading standards offices, who can apply for an enforcement order (also known as a ‘Stop Now Order’) from the courts, requiring the service provider to cease any breach of the Regulations that harms the collective interest of consumers. Failure to comply with a Stop Now Order can ultimately result in a fine or imprisonment.

Leaving aside consumer protection specifically, the Electronic Commerce Regulations also provide:

• that the service provider’s duties with regard to the information requirements and the provisions about commercial communications are enforceable by clients by means of an action for damages for breach of statutory duty;
• that failure to provide a copy of contract terms and conditions may give rise to the client seeking a court order requiring the service provider to comply; and
• that failure to provide the means for a client to identify and correct input errors at the time of placing an order results in the client having the unilateral right to rescind the contract.

OTHER CONSIDERATIONS

The law relating to ecommerce and doing business online continues to change, rapidly and dramatically. This chapter has discussed the rules that are likely to be relevant to businesses generally in their dealings with consumers, but has not endeavoured to address any of the issues specific to individual sectors (e.g. there are completely separate regulations on the distance marketing of financial services) or to businesses operating as intermediary service providers or ISPs (the Electronic Commerce Directive deals at length with the liabilities of ISPs in respect of content that they ‘host’ or ‘cache’ or for which they are otherwise a conduit). Nor has it touched on some of the more advanced considerations for the service provider, such as the use of electronic signatures.

However, there are numerous other sources of information for any company seeking to establish online operations:

• The Department for Business Innovation and Skills (BIS) provides guidance about distance selling and ecommerce, and its website includes links to the UK Regulations: see http://www.bis.gov.uk/files/file14635.pdf
• The Office of Fair Trading (OFT) website includes information for businesses about consumer protection, including a guide to distance selling: see http://www.oft.gov.uk/shared_oft/business_leaflets/general/oft698.pdf
• The Office of the Information Commissioner provides guidance about the collection and use of client data in the context of ecommerce operations, including a guide on the application of the rules concerning email and SMS marketing: see http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications_guide.aspx

APPENDIX: CONSOLIDATED INFORMATION REQUIREMENTS

Information to be provided by all service providers

• Name and geographic address;
• Contact details for the service provider (including email) to enable direct and effective communication;
• Details of any trade or similar register in which the service provider is registered, together with the registration number;
• Details of any supervisory authority, where the provision of the service is subject to an authorisation scheme;
• Details of any professional body with which the service provider is registered and of how the applicable professional conduct rules may be accessed;
• VAT registration number.

Note that all price indications must be ‘clear and unambiguous’ and must indicate whether they are inclusive of tax and delivery costs.

Additional pre-contract information to be provided to consumers

• Description of the goods or services;
• Arrangements for payment, delivery and performance;
• Existence of a right of cancellation;
• Costs (if any) of using the means of distance communication;
• Period for which the offer or price remains valid;
• Where appropriate, the minimum duration of the contract (in cases where the supply of goods or services is to be on a permanent or recurrent basis);
• Whether the supplier proposes to provide substitute goods or services (if those ordered are unavailable) and, if so, that the cost of returning such substitutes will be met by the supplier if the consumer chooses to cancel the contract.

Additional post-contract information to be provided to consumers

• The existence of a right of cancellation;
• Information about the relevant conditions, procedures and costs associated with cancellation;
• The geographical address of the supplier to which the consumer may address complaints;
• Information about any after-sales services and guarantees.