The long-awaited Electronic Commerce (EC Directive) Regulations 2002 came into force on 21st August. Additional sanctions for breach of the Regulations will kick in from 23rd October. The final text contains some significant shifts from the draft issued earlier in the year. In particular, some of the sanctions for non-compliance have been watered down in response to lobbying by e-tailers. The DTI has also issued a revised Guide for Business which clarifies and expands upon the provisions of the Regulations. There is also a shorter, user-friendly guide targeted at online businesses.
In March we reported on the DTI's consultation on the draft Regulations. The final version laid before Parliament on 31st July includes a number of departures from that draft. The main compliance issues which businesses need to address are as follows:
New information requirements for all sites: all commercial sites (whether transactional or not) on the web, iTV or mobile platforms must provide certain minimum information about the supplier, its products and services. If the requisite information is not provided to users "easily, directly and permanently", suppliers could face damages claims. In addition, a Trading Standards or consumer body could (from October) apply to the courts for a "Stop Now" Order to force the site owner to amend its site, or face criminal penalties.
Essential information for transactional sites: the basic details about the supplier, its products and services will need to be supplemented by a raft of new information related to the ordering process (including providing details of the technical steps a customer will need to go through to conclude a contract), the contract and whether or not a customer will be able to access the concluded contract. The customer must also be given the means to identify and correct input errors prior to placing the order and the supplier must acknowledge receipt of the order "without undue delay". Where terms and conditions are made available, this must be done in such a way as to enable customers to store and reproduce them. The revised Guide offers some helpful pointers as to what this means. These obligations apply to B2B as well as B2C transactions, although in a B2B context it is possible to contract out of some of them.
The sanctions originally proposed for failure to comply with these requirements appear to have been tempered in response to lobbying by e-tailers. The risk of inadvertently giving customers unlimited cancellation rights has largely been removed. However, website ordering procedures still need careful review. Extended cancellation rights will still arise if retailers fail to give customers the means to identify and correct input errors, and a customer would be entitled to cancel the order and obtain a refund. (A retailer could in theory choose to go to court to resist this, if it could show that such a remedy was "inappropriate" in the circumstances.) Breaches of the other contract-related requirements still carry the risk of "Stop Now" Orders and/or damages claims.
Marketing e-mails and SMS: all "commercial communications", including all marketing and promotional e-mails (whether solicited or unsolicited) and SMS will need to be clearly identifiable as such and identify the person on whose behalf they are sent. The revised DTI Guide offers some welcome clarification on how this requirement is to be met, making it clear that this could be in the e-mail header or in the body of the message. Promotional offers, games and competitions must meet additional information requirements. As reported in our recent Updates, further provisions to regulate unsolicited e-mails are due to come into force next year under the recently-adopted Communications Data Protection Directive.
Interactive television and mobile platforms: the requirements outlined above apply equally to iTV and mobile applications. The Regulations themselves do not address the difficult issue of how suppliers should provide the requisite information within the technical constraints of such platforms. The DTI's accompanying Guide suggests that compliance may be achieved by making the requisite information accessible on another service, for example a website. This guidance does not have any legal force. The approach to enforcing the new rules taken by Trading Standards, the OFT and other bodies remains to be seen, although some comfort may be drawn from the fact that the Guide is addressed to those enforcement bodies as well as to businesses.
Service providers' liability for third party content: the new Regulations make a number of important clarifications to the provisions on service providers' liability for transmitting, caching and hosting illegal third party content. Intermediaries have a defence to criminal liability and limits to civil liability, but this is subject to the service provider having "actual knowledge" that the content in question was illegal and "acting expeditiously" to remove it. In response to lobbying for clarification of these terms, the Regulations now set out a set of criteria by which a court may judge whether a service provider has "actual notice" (although this is not a "definition" of actual knowledge as such). This is a welcome step for ISPs - although clarification of these issues is really only likely to emerge in the form of "notice and takedown" schemes when (or indeed if) these are developed either for specific industries or across industries on a UK or Europe-wide scale.
Country of Origin: a key tenet of the Directive is the "country of origin" principle, which means that it will be the laws of the state where the service provider is established (its country of origin, or home state) that apply in relation to cross-border online services for those areas covered by the Directive. The home state must ensure that service providers established in its territory comply with local laws, irrespective of the EEA state(s) where the services are actually being provided (the host state). The most significant departure from the earlier draft of the Regulations is the dropping of earlier references to private international law in favour of a fully blown "country of origin" approach. Whilst this may seem an academic point, its practical application gives UK businesses greater legal certainty when providing services to customers in other EEA states. There remain, however, significant carve-outs from the application of the Country of Origin principle (which stem from the Directive itself). This means that Member States may still impose their own laws on incoming providers, for example in relation to consumer protection. The new Regulations set out these exceptions in detail.
Financial services: the Treasury has now issued a raft of legislation implementing the E-Commerce Directive in the financial services sector, and the FSA has published its finalised guidance on the issue.