Putting the Bite on e-business

March 1, 2003

Just as businesses are absorbing the full impact of Electronic Commerce Regulations that only came into force last year, they now face the prospect of having to revise their online terms and conditions once again as the UK government prepares to implement new EU legislation designed to offer further protection to e-shoppers.

The EU has recently adopted another e-business directive, this time introducing new rules on the protection and use of the personal information of consumers. Member States have until 31 October this year to implement the Directive on Privacy and Electronic Communications into their national law. The legislation has far-reaching effects for all UK businesses trading online and companies should take stock now if they want to avoid a second, and potentially costly, spate of online revisions.

The legislation

From the outset, the EU has clearly identified that electronic business would only be successful where there was both consistency and confidence in the security, integrity and authenticity of transactions made online. With this in mind, the Electronic Commerce Regulations which came into force last year apply to all businesses that trade or advertise goods or services over the Internet, by mobile phone or by e-mail.

The Regulations provide that those who conduct online business must make available information about themselves, including a host of requirements such as the name of the business offering goods or services, its geographical location, full contact details, and the clear statement of all prices, including whether or not they are inclusive of tax and delivery costs. The Regulations also build on existing distance selling regulations, introducing more categories of data to be provided to e-consumers. Prior to any order being placed, businesses must now clearly outline the different steps required to conclude the contract, whether it will be filed and accessible, the means for correcting input errors and the languages in which it may be made.

Whilst the above information must be given to consumers, e-businesses can expressly agree not to provide this information in respect of business-to-business transactions. The new information requirements will not however apply to contracts concluded exclusively by the exchange of e-mail.

The Regulations have real commercial bite for those trading electronically with consumers. If an online service provider has not complied with the information requirements, the sales transaction will be unenforceable against and may be cancelled by the consumer at any time.

Many e-businesses will need to revisit their current terms and conditions, as well as any pre-sale literature, to ensure that this extra information is now given or, in the case of b2b contracts, expressly excluded.

Spamming and other e-commercials

Both the E-Commerce Regulations and the E-Privacy Directive address the hotly debated issue of commercial communications over the Internet. The E-Commerce Regulations provide:

· any commercial communications sent by an online service provider must be clearly identifiable as a commercial message;

· if it is an unsolicited email, it must be clearly marked as such in the subject heading and identify on whose behalf it is being made;

· if it is a promotional offer or competition, it must contain eligibility criteria and clear and accessible terms and conditions.

However, the position under the E-Privacy Directive in relation to spam or unsolicited commercial messages is more complicated. After much debate, the EU has decided on an opt-in and opt-out situation, depending upon the context in which the advertisement or promotion is sent.

When marketing to the existing customer database of a business, that business may use personal data for the direct marketing of similar products and services already purchased by the customer, as long as they are given a real opportunity to object, ie ‘ opt out’, free of charge, to the receipt of any such commercial messages.

The use of SMS alerts, automated calling machines, fax and e-mail for the provision of direct marketing can only be provided on an opt-in basis, thus requiring a customer’s prior explicit consent before any commercial messages can be sent.

The E-Privacy Directive stresses the importance of safeguarding the security of personal data. The EU noted that the issue of cookies was highly relevant where a group of people use one computer. The lack of opportunity to refuse a cookie may mean that sensitive information could be stored on a computer that could be accessed and disclosed to a number of users.

The Directive states that the use of cookies and similar technology, if intended for legitimate purposes such as to allow the provision of services, is permitted but subject to recipients being provided with clear and precise information so that they’re aware of the device being placed on their computers and are given an opportunity to refuse. Cookies are therefore permitted on an “opt out” basis.

The result?

The mass of legislation leaves businesses in somewhat of a quandary. From October 2003, any advertising strategy involving spam may have to ensure that explicit “opt-in” consent is acquired before such forms of promotion can be undertaken. However, such use must already comply with the requirements of the E-Commerce Regulations as set out above.

By only allowing the electronic marketing of similar products and services to existing customers who have not opted out, the Directive has forgotten a core commercial reality – that marketing is often done in the hope that existing customers will buy different goods from those originally purchased.

Given the complexity of where opt-in and opt-out will apply, many businesses may be left vulnerable when using third-party mailing lists for marketing. In such cases, it is imperative that the necessary consents or restrictions upon the customer database are thoroughly investigated. When contracting with marketing agencies, businesses should ensure they have the relevant warranties and indemnities in relation to the exploitation of any licensed customer data fields.

Businesses should revisit the structure and content of their privacy notices. The relevant opt-in and opt-out boxes must be inserted and careful consideration given to the wording to ensure that the customers complete all relevant areas and indicate their consents appropriately. As a matter of best practice, he aim now should be to comply with both the E-Commerce Regulations and the E-Privacy Directive, to avoid further re-drafting once the Directive becomes UK law in 2003.

The rather convoluted position on commercial communications should also force many businesses to take a long, hard look at the content of their privacy notices. The notice should not only comply with legal requirements but also ensure that it allows the business sufficient flexibility to conduct any lawful marketing strategy. Therefore, where opt in is required, businesses should make clear to the data subject that, without their consent, the company may not be able to provide goods, offers or services which the customer may have been interested to pursue.

It is also clear that the new legal position will take the issue of opt-in and opt-out of the legal arena and into the world of the marketers. It is therefore important that those involved in this field should take note and familiarise themselves with the new rules.

Fiona Ghosh is a barrister specialising in Technology and e-Business at the City office of law firm Addleshaw Booth & Co.