Business
E-commerce special report: Know your laws
Part III: Numerous e-commerce laws have been enacted over the past years, and there are more to come. Here we explain which are the most important laws that any e-commerce operation must be aware of
Any company engaging in e-commerce needs to be aware of the myriad laws now in place. If you are engaging in e-commerce then you have obligations under everything from the Data Protection Act and the Electronic Commerce Regulations, through to the latest rules on cookies and spam, the VAT directive, defamation laws and just what the best solution is when you get the price wrong on your Web site.
Pricing errors
Getting the price wrong on articles sold on e-commerce sites can be expensive: Just ask Argos, Kodak or Amazon: all have recently made the mistake of pricing articles wrongly on their Web sites, and all suffered a significant amount of bad publicity because of it. In January 2002, Kodak succumbed to public pressure and bad publicity, and offered to honour a £100 digital camera offer that it mistakenly posted on its site (the DX3700 camera normally cost £329 at the time). And in the wake of the most recent incident, when Amazon.co.uk priced a £300 iPaq PDA at £7.32, lawyers said disgruntled customers may have a case despite Amazon's claims to the contrary. When Amazon first became aware of the problem, in March 2003, it first closed the site for a short time, and then contacted customers to say the sales were cancelled, as the small print on the site states that Amazon has not entered into any contract until it sends an email saying it has shipped the products. However, law firm Beale and Company then advised shoppers to take their case to court because, it said, contract law may work in their favour. Beale and Company is not alone in this opinion. Nigel Miller, a partner at City law firm Fox Williams, points out that the small print on the Amazon site says: "No contract will subsist between you and Amazon.co.uk for the sale by it to you of any product unless and until Amazon.co.uk accepts your order by email confirming that it has dispatched your product". However, said Miller, "This may not be binding on the customer if it is not sufficiently visible or if it is unfair." Amazon's case would also be undermined by its confirmation email -- the one it said did not constitute a contract -- which includes advice on how "To cancel this contract..." Michael Archer, a partner at Beale and Company, said: "It could be argued that Amazon is stating that this is acceptance of the consumer's offer, and it would be surprising if a court were to decide that no contract existed at this point." Despite this, Miller believes that consumers would be likely to lose a long drawn-out fight, if it went to court. "If Amazon loses on [the wording of its conditions], it can argue 'mistake'. This is a most complex area of law and the cases are somewhat confusing but I suspect Amazon would win on this point in the end." Even so, Miller suggests that Amazon.co.uk may actually be better off honouring the sales at the lower price than it would be fighting individual claims and suffering the associated negative press: "You can argue about the legal position but the commercial reality is that a consumer Web site will want to maintain its customer goodwill and it will not be cost efficient for it to fight multiple claims." Now, new rules have been drawn up by the Department of Trade and Industry to help Web traders avoid costly breaches of consumer protection rules. The Code of Practice for Traders on Price Indications gives practical guidance on complying with the Consumer Protection Act 1987 (CPA). The update covers the Internet and other distance selling methods. Although the Code is not legally binding, e-tailers would be well-advised to adhere to its benchmarks, since the penalty for giving a misleading price indication (including an out of date Web page) can be a fine of up to £5,000. The revised version of the Code is expected to be finalised before the end of the year. E-tailers should keep pricing information under constant review, ensure that out of date pages can no longer be accessed, and implement an "early warning system" to draw attention to unusual site traffic. The worst thing an e-tailer could do is to follow Kodak's example. The big mistake that this company made was in the wording it used to confirm sales to users. Companies selling products over the Internet should use wording to the effect that when somebody is clicking on a product and going through the shopping cart system, that they are making an offer to the buyer that if accepted by the vendor will form a contract. "The legal consensus was that Kodak had formed a contract with the customers at the point when the confirmed acceptance of the customer's order, unless the company said something to the contrary," said Struan Robertson, a solicitor with law firm Masons. In fact, the confirmation email that Kodak sent out to customers appeared to do exactly the reverse, and actually referred to itself as a contract of sale. "If that is the case, then it sounds as if a contract had been formed and Kodak would not have had a leg to stand on," said Robertson. "I'd have been very surprised if Kodak managed to convince the court there was no contract." Kodak's blunder echoes a mistake made by Argos in 1999 when it offered television sets online for £3. Cookies
The European Union Directive on Privacy and Electronic Communications came into force on 31 July, 2002, and should be implemented into UK law and the law of other Member states by 31 October, 2003. Under the directive, there is a requirement for e-commerce sites to tell users about cookies and what you are going to use their information for; and to offer them the right to refuse the use of cookies during sessions. The Act also requires users to be provided with certain information, such as a privacy policy or a data protection notice online. You can find the EU Directive on Privacy and Electronic Communications here. Spam
Spam is covered by the same part of the Directive on Privacy and Electronic Communications that relates to cookies, and is being approached in a similar manner. An EU-wide "opt-in" approach is to be adopted, meaning that businesses will only be permitted to send marketing emails and SMS messages to individuals who have previously consented to the use of their details in this way. Existing customers may be targeted, provided certain conditions are met, although there is still some uncertainty about the precise scope of this carve-out. The golden rule with spam is, if you want to keep your customers, don't do it. Send only important information that your customers have opted-in to receive, and make it easy to opt back out again. Data protection
Businesses that use their Web sites to gather information about customers and prospective customers now need to be more attentive to compliance with data protection law than ever. Until recently the Information Commissioner's approach to enforcement was reactive, prompted by formal complaints against businesses by members of the public. Now, after the collection of data on Web sites was singled out as one area requiring particular scrutiny, the commissioner has set up an Enforcement Board and Enforcement Team. The move heralds a more proactive stance in terms of investigating and prosecuting breaches of the Data Protection Act 1998. It means for instance that initiatives such as studies into Web site compliance with the Data Protection Act will be an important source of enforcement actions. Now that the Data Protection Act 1998 is fully in force, all procedures for accepting orders online must be compliant with that law. This means not only protecting credit card information but also what your customers have ordered. The Act says that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." It does not define appropriate measures, but a formal risk analysis should be adequate, say lawyers. BS7799 can be useful for this. A copy of the Data Protection Act is available here. E-wallets
There was a time when every other start-up was offering some form of electronic wallet. Many have now gone bust, but those companies that have survived -- or who want to being offering electronic wallets -- must now to comply with new rules created the Financial Services Authority. Although an Electronic Money Institution ("ELMI") will not be subject to the full rigours of the regime that applies to credit institutions, it will still need FSA authorisation; they cannot not make any loan or grant any form of credit nor pay interest on the e-money or issue it at a discount; and issuers must maintain minimum levels of capital. The initial threshold is one million euros. Defamation laws
Defamation cases are unlikely to affect e-commerce sites, but any site that allows users to post comments should be aware of the issues. In March 2000, the High Court found against Demon Internet and told it to pay damages of £15,000 for failing to remove defamatory remarks about Laurence Godfrey in a newsgroup it hosted. That case had implications for ISPs, but others have caught up different types of operations. More recently, Australia's highest court ruled that a defamation case sparked by a story on a US Web site could be heard in Australia, opening a legal minefield for Web publishers over which libel laws they must follow. The landmark ruling said an article published by Dow Jones & Co is subject to Australian law because it was downloaded in Australia. VAT changes
On 1 July, a new EU directive came into effect requiring all Internet companies to account for VAT on "digital sales". The law adds a 15 percent to 25 percent levy on select Internet transactions such as software and music downloads, monthly subscriptions to an Internet service provider and on any product purchased through an online auction anywhere in the 15-member bloc of nations. The VAT tax is nothing new for some Net companies. European dot-coms have been charging customers VAT since their inception. Their overseas rivals, though, have been exempt, making foreign companies an obvious choice for the bargain-hunting consumer. Freeserve has lobbied furiously for the past two years to get the loophole closed, saying its chief rival, AOL UK, saved $249.7m (£150m) in tax payments over the years. Affected companies are handling the new tax load in a variety of ways. AOL Europe, for instance, relocated its continental headquarters to tiny Luxembourg, one of the EU's cheaper tax regimes. If your company is already based in the EU then you should already be paying VAT. Follow these links for more of ZDNet UK's special feature about e-commerce: E-commerce special report Part I: What works Part II: Getting started Part III: Know your laws Part IV: Security An e-commerce toolkit
Getting the price wrong on articles sold on e-commerce sites can be expensive: Just ask Argos, Kodak or Amazon: all have recently made the mistake of pricing articles wrongly on their Web sites, and all suffered a significant amount of bad publicity because of it. In January 2002, Kodak succumbed to public pressure and bad publicity, and offered to honour a £100 digital camera offer that it mistakenly posted on its site (the DX3700 camera normally cost £329 at the time). And in the wake of the most recent incident, when Amazon.co.uk priced a £300 iPaq PDA at £7.32, lawyers said disgruntled customers may have a case despite Amazon's claims to the contrary. When Amazon first became aware of the problem, in March 2003, it first closed the site for a short time, and then contacted customers to say the sales were cancelled, as the small print on the site states that Amazon has not entered into any contract until it sends an email saying it has shipped the products. However, law firm Beale and Company then advised shoppers to take their case to court because, it said, contract law may work in their favour. Beale and Company is not alone in this opinion. Nigel Miller, a partner at City law firm Fox Williams, points out that the small print on the Amazon site says: "No contract will subsist between you and Amazon.co.uk for the sale by it to you of any product unless and until Amazon.co.uk accepts your order by email confirming that it has dispatched your product". However, said Miller, "This may not be binding on the customer if it is not sufficiently visible or if it is unfair." Amazon's case would also be undermined by its confirmation email -- the one it said did not constitute a contract -- which includes advice on how "To cancel this contract..." Michael Archer, a partner at Beale and Company, said: "It could be argued that Amazon is stating that this is acceptance of the consumer's offer, and it would be surprising if a court were to decide that no contract existed at this point." Despite this, Miller believes that consumers would be likely to lose a long drawn-out fight, if it went to court. "If Amazon loses on [the wording of its conditions], it can argue 'mistake'. This is a most complex area of law and the cases are somewhat confusing but I suspect Amazon would win on this point in the end." Even so, Miller suggests that Amazon.co.uk may actually be better off honouring the sales at the lower price than it would be fighting individual claims and suffering the associated negative press: "You can argue about the legal position but the commercial reality is that a consumer Web site will want to maintain its customer goodwill and it will not be cost efficient for it to fight multiple claims." Now, new rules have been drawn up by the Department of Trade and Industry to help Web traders avoid costly breaches of consumer protection rules. The Code of Practice for Traders on Price Indications gives practical guidance on complying with the Consumer Protection Act 1987 (CPA). The update covers the Internet and other distance selling methods. Although the Code is not legally binding, e-tailers would be well-advised to adhere to its benchmarks, since the penalty for giving a misleading price indication (including an out of date Web page) can be a fine of up to £5,000. The revised version of the Code is expected to be finalised before the end of the year. E-tailers should keep pricing information under constant review, ensure that out of date pages can no longer be accessed, and implement an "early warning system" to draw attention to unusual site traffic. The worst thing an e-tailer could do is to follow Kodak's example. The big mistake that this company made was in the wording it used to confirm sales to users. Companies selling products over the Internet should use wording to the effect that when somebody is clicking on a product and going through the shopping cart system, that they are making an offer to the buyer that if accepted by the vendor will form a contract. "The legal consensus was that Kodak had formed a contract with the customers at the point when the confirmed acceptance of the customer's order, unless the company said something to the contrary," said Struan Robertson, a solicitor with law firm Masons. In fact, the confirmation email that Kodak sent out to customers appeared to do exactly the reverse, and actually referred to itself as a contract of sale. "If that is the case, then it sounds as if a contract had been formed and Kodak would not have had a leg to stand on," said Robertson. "I'd have been very surprised if Kodak managed to convince the court there was no contract." Kodak's blunder echoes a mistake made by Argos in 1999 when it offered television sets online for £3. Cookies
The European Union Directive on Privacy and Electronic Communications came into force on 31 July, 2002, and should be implemented into UK law and the law of other Member states by 31 October, 2003. Under the directive, there is a requirement for e-commerce sites to tell users about cookies and what you are going to use their information for; and to offer them the right to refuse the use of cookies during sessions. The Act also requires users to be provided with certain information, such as a privacy policy or a data protection notice online. You can find the EU Directive on Privacy and Electronic Communications here. Spam
Spam is covered by the same part of the Directive on Privacy and Electronic Communications that relates to cookies, and is being approached in a similar manner. An EU-wide "opt-in" approach is to be adopted, meaning that businesses will only be permitted to send marketing emails and SMS messages to individuals who have previously consented to the use of their details in this way. Existing customers may be targeted, provided certain conditions are met, although there is still some uncertainty about the precise scope of this carve-out. The golden rule with spam is, if you want to keep your customers, don't do it. Send only important information that your customers have opted-in to receive, and make it easy to opt back out again. Data protection
Businesses that use their Web sites to gather information about customers and prospective customers now need to be more attentive to compliance with data protection law than ever. Until recently the Information Commissioner's approach to enforcement was reactive, prompted by formal complaints against businesses by members of the public. Now, after the collection of data on Web sites was singled out as one area requiring particular scrutiny, the commissioner has set up an Enforcement Board and Enforcement Team. The move heralds a more proactive stance in terms of investigating and prosecuting breaches of the Data Protection Act 1998. It means for instance that initiatives such as studies into Web site compliance with the Data Protection Act will be an important source of enforcement actions. Now that the Data Protection Act 1998 is fully in force, all procedures for accepting orders online must be compliant with that law. This means not only protecting credit card information but also what your customers have ordered. The Act says that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." It does not define appropriate measures, but a formal risk analysis should be adequate, say lawyers. BS7799 can be useful for this. A copy of the Data Protection Act is available here. E-wallets
There was a time when every other start-up was offering some form of electronic wallet. Many have now gone bust, but those companies that have survived -- or who want to being offering electronic wallets -- must now to comply with new rules created the Financial Services Authority. Although an Electronic Money Institution ("ELMI") will not be subject to the full rigours of the regime that applies to credit institutions, it will still need FSA authorisation; they cannot not make any loan or grant any form of credit nor pay interest on the e-money or issue it at a discount; and issuers must maintain minimum levels of capital. The initial threshold is one million euros. Defamation laws
Defamation cases are unlikely to affect e-commerce sites, but any site that allows users to post comments should be aware of the issues. In March 2000, the High Court found against Demon Internet and told it to pay damages of £15,000 for failing to remove defamatory remarks about Laurence Godfrey in a newsgroup it hosted. That case had implications for ISPs, but others have caught up different types of operations. More recently, Australia's highest court ruled that a defamation case sparked by a story on a US Web site could be heard in Australia, opening a legal minefield for Web publishers over which libel laws they must follow. The landmark ruling said an article published by Dow Jones & Co is subject to Australian law because it was downloaded in Australia. VAT changes
On 1 July, a new EU directive came into effect requiring all Internet companies to account for VAT on "digital sales". The law adds a 15 percent to 25 percent levy on select Internet transactions such as software and music downloads, monthly subscriptions to an Internet service provider and on any product purchased through an online auction anywhere in the 15-member bloc of nations. The VAT tax is nothing new for some Net companies. European dot-coms have been charging customers VAT since their inception. Their overseas rivals, though, have been exempt, making foreign companies an obvious choice for the bargain-hunting consumer. Freeserve has lobbied furiously for the past two years to get the loophole closed, saying its chief rival, AOL UK, saved $249.7m (£150m) in tax payments over the years. Affected companies are handling the new tax load in a variety of ways. AOL Europe, for instance, relocated its continental headquarters to tiny Luxembourg, one of the EU's cheaper tax regimes. If your company is already based in the EU then you should already be paying VAT. Follow these links for more of ZDNet UK's special feature about e-commerce: E-commerce special report Part I: What works Part II: Getting started Part III: Know your laws Part IV: Security An e-commerce toolkit