The UK's E-commerce Regulations
This guide is based on UK law. It was last updated in
September 2008.
Introduction
Whether your business is trading on-line or not, it is almost
certainly affected by the E-Commerce Regulations which came into
force in the UK on 21st August 2002. They cover more than just
e-commerce.
The Regulations, properly called the Electronic Commerce (EC
Directive) Regulations 2002, implement the EU's E-commerce
Directive into UK law. The Directive was introduced to clarify and
harmonise the rules of on-line business throughout Europe with the
aim of boosting consumer confidence. The Directive was passed in
June 2000. The UK missed its implementation deadline by over eight
months.
This article explains the rules with reference to the
Regulations, which follow closely the terms of the Directive
itself.
What is covered?
Virtually every commercial website is covered
by the Regulations.
The Regulations refer to an "information society service." This
is defined as "any service normally provided for remuneration at a
distance, by means of electronic equipment for the processing
(including digital compression) and storage of data, at the
individual request of a recipient of the service."
This covers more than just e-commerce businesses. The UK's
Department of Trade and Industry (DTI) (now known as the Department
for Business Enterprise & Regulatory Reform) has previously
explained that it is not restricted to buying and selling online
but also covers those offering online information or commercial
communications (e.g. adverts) or providing tools for search, access
and retrieval of data. Also covered is video on demand, web hosting
or operating a communications network.
A business cannot escape the terms of the Regulations by
locating its servers in, say, California. The Regulations look at
where a business is based, not where its equipment is based.
The Directive applies to the Member States of the European
Economic Area (EEA), which includes the 25 Member States of the EU
plus Norway, Iceland and Liechtenstein.
Exclusions from the Regulations
The Directive and Regulations do not address where you can sue
or be sued, although they do provide for the law which applies in
the event of a dispute in some circumstances.
Further, the Directive and Regulations do not apply to tax,
gambling or lotteries and do not affect data protection laws or
cartel laws.
Whose laws apply?
The Regulations apply a "country of origin" principle. In its
simplest form, this means that as long as a UK business complies
with UK laws, it can "ignore" the laws of other Member States. If
this rule applied throughout the EU, it would be good news for
businesses, because it lets them target consumers in all Member
States without needing to follow the rules of 28 different
countries. However, recognising that such an approach would be bad
news for consumers, this basic rule is qualified.
Consumer Contracts
Most significantly, the Regulations do not apply the country of
origin principle to the terms of consumer contracts. In practical
terms, this means that a UK-based e-commerce site's terms and
conditions should meet the laws of every Member State in which
consumers can buy its products, not just UK laws. As a result of
the consumer contract exception, any site selling to French
consumers must provide its terms and conditions in French; there are
many other differences.
Despite this significant qualification, there are still
advantages in the Regulations' country of origin principle that can
benefit a UK-based business. For example, the UK's retail laws are
among the most relaxed in Europe. This can give UK businesses
advantages over, say, German competitors. A German e-tailer must
comply with any German restrictions on promotional offers; its UK
rival escapes such restrictions, even when selling to German
consumers.
Other exceptions to the country of origin principle
Copyright and certain other intellectual property rights are
excluded from the scope of the country of origin principle. So are
electronic money (e-money), real estate transfers and unsolicited
commercial email (better known as "spam").
A Member State can override the Country of Origin principle and
impose its own laws against a supplier in another Member State for
reasons of:
- public policy;
- protection of public health;
- public and national security; and
- protection of consumers.
However, measures must be proportionate.
Minimum information to be provided
Service providers, whether involved in e-commerce or not, should
provide the following minimum information, which must be easily,
directly and permanently accessible:
- The name of the service provider must be given somewhere easily
accessible on the site. This might differ from the trading name and
any such difference should be explained – e.g. "XYZ.com is the
trading name of XYZ Enterprises Limited."
- The email address of the service provider must
be given. It is not sufficient to include a 'contact us' form
without also providing an email address.
- The geographic address of the service provider must be given. A
PO Box is unlikely to suffice as a geographic address; but a
registered office address would. If the business is a company, the
registered office address must be included in any
event.
- If a company, the company's registration
number should also be given.
- If a company, the place of registration should
be stated (e.g. "XYZ Enterprises Limited is a company registered in
England and Wales with company number 1234567") though this is a
requirement of the Companies Act as from 31st December 2006, not
the E-commerce Directive.
- If the business is a member of a trade or professional
association, membership details, including any registration number,
should be provided.
- If the business has a VAT number, it should be
stated – even if the website is not being used for e-commerce
transactions.
- Prices on the website must be clear and unambiguous. Also,
state whether prices are inclusive of tax and delivery costs.
- Finally, do not forget the Distance Selling Regulations which
contain other information requirements for on-line businesses that
sell to consumers (B2C, as opposed to B2B, sales). For details of
these requirements, see our article, The Distance Selling Regulations - An Overview.
Text messaging
If your business uses text messaging to promote its goods and
services, you are still subject to the information
requirements.
SMS messages are limited to a maximum of 160 characters. So how
can you comply with all the information requirements? The
Department of Trade and Industry said in its guidance notes that
you can comply by making the information accessible by other means.
So, at the end of a message, it will be sufficient to give the URL
of a website where more information can be obtained. However, this
guidance provides little comfort. The guidance notes are not
binding, so could be discarded if presented to a court.
Commercial communications
Marketing by email or text messaging, whether solicited or
unsolicited, must clearly identify:
- that it is a commercial communication;
- the person on whose behalf it is being sent; and
- if appropriate, that the communication is a promotional offer
(including any discount, premium or gift) or promotional
competition or game, and make conditions clear, unambiguous and
easily accessible.
Again, problems are presented by the 160 character limit of
SMS.
Unsolicited commercial email (spam)
There are rules which control the use of unsolicited commercial
email (or spam). The Privacy and Electronic Communications
Regulations 2003, which implemented an EU Directive, require
businesses to gain prior consent before sending unsolicited
commercial email to individuals.
Email includes text, voice, sound or image messages and also
applies when a website collects email addresses and mobile
telephone numbers.
"Consent" is the test required to allow email marketing. Most
people interpret this as meaning opt-in, i.e. you are obtaining their
permission, rather than giving them an opportunity to deny
it. However, "consent" can be any positive action
including:
- clicking a "Submit" button;
- sending an email; or
- subscribing to a service.
You can therefore use "opt-outs" when collecting email marketing
provided you follow three rules:
- you draw attention to the fact that you are collecting email
addresses/mobile numbers;
- you use an appropriately worded "Consent" statement; and
- you give the opportunity to opt-out.
You should also include an "unsubscribe" option with every
subsequent marketing email.
The E-commerce Directive allows Member States to make their own
laws on such email. It also excludes it from the country of origin
principle. So, while spam may be currently legal in the UK, it is
not legal in, for example, Italy, and a UK business cannot rely on
UK law to justify the spamming of Italian consumers.
The Directive and Regulations state that spam must be clearly and
unambiguously identifiable as such as soon as it is received.
Arguably, this is not very helpful. A rule on how to identify spam
would make it easier to filter. Such rules exist in US laws (for
more information, see our article on Spam
Law).
The Directive also says that businesses must consult regularly
and respect the opt-out registers before sending unsolicited
commercial communications. In fact, the UK decided to omit this
provision when implementing the Directive. The Government considers
that industry self-regulation and codes of conduct already give
effective protection to the recipients of spam.
Making contracts online
The Directive requires all Member States to ensure that their
legal system allows contracts to be concluded online and that it
does not deprive contracts of validity just because they are
electronic. There are a few exceptions, such as property sales and
guarantees.
The UK did not make any specific regulation on this because the
Government considers that it already complies. This follows the
conclusions of a report on e-commerce
by the Law Commission for England and Wales (44-page /
131KB PDF) in December 2001. This report found that, in England and
Wales, statutory requirements for "writing" and a "signature" are
generally capable of being satisfied by email and by web site
trading. See also our guide Selling online: an
overview of the rules.
Information to be given before orders are placed online
In addition to the requirements above, certain other information
must be given where you are selling online, whether to businesses
or consumers:
- the technical steps to follow to conclude the contract;
- whether or not the contract will be filed and/or permanently
accessible;
- the technical means for identifying and correcting input errors
prior to placing orders;
- languages offered for the conclusion of the contract;
- provide a link to any relevant codes of conduct to which you
subscribe (unnecessary if the contract is concluded by email);
and
- your terms and conditions must be made available in a way which
allows a user "to store and reproduce" them (again, unnecessary if
the contract is concluded by e-mail).
When selling to consumers, when orders are being placed online,
you must give shoppers the ability to identify and correct input
errors before completing their orders. Also, you must acknowledge
receipt of the order as soon as possible. Note that you are not
required to "accept" the order at this point. It is sufficient –
and prudent – to say that "Your order has been received and is now
being processed" or words to that effect, rather than "Your order
has been accepted."
It is vital that you explain fully in your terms and conditions
how contracts are formed and your site's procedure for taking
payment or refunding payments from customers' credit cards.
Otherwise, in the event of pricing errors on your website, you may
find that you are bound to sell items below cost. For more on this
subject, see our article, How to protect your
site against pricing errors.
If the transaction is completed by email (as opposed to being
completed on a website), the acknowledgement need not be immediate.
Also, in selling to other businesses, the terms and conditions can
be worded to vary these rules.
Liability of intermediaries
As is explained in more detail below, provided a service
provider that acts as an ISP or virtual ISP (VISP), host, network
operator etc. complies with the Regulations, it is generally not
liable for any material where it:
- acts as a mere conduit;
- caches the material; or
- hosts the material.
Further, compliance with the Regulations will act as a defence
to a criminal prosecution being brought against the service
provider. However, there is one important exception to this.
Mere conduit
Where the service of a business consists of either a
transmission in a communication network of information which has
been provided by a recipient of the service (e.g. an ISP
transmitting a customer's email) or where the service consists of
the provision of access to a particular communication network
(basically, a telco or ISP) then the service provider will not be
liable for damages or for any other pecuniary remedy or for any
criminal sanction:
- if it did not initiate the transmission;
- did not select the receiver of the transmission; and
- did not select or modify the information in the
transmission.
The DTI in its guidance notes makes it clear that manipulations
of a technical nature that take place in the course of the
transmission, for example the automatic adding of headers, do not
mean that the service provider will fail the latter part of the
test. It will only do so if it in some way modifies the information
itself.
Caching
The main purpose behind this regulation is to give protection to
businesses which cache copies of sites in the provision of their
access services.
The service provider will not be liable in damages (or other
remedy or criminal sanction) where the caching is "automatic,
intermediate and temporary for the sole purpose of providing a more
efficient service".
Further, the service provider must not modify the information and
must comply with all access conditions imposed with regard to the
site. This in itself means that it may be difficult to fall within
this exception.
For example, many website copyright notices provide that the
information may not be stored in an electronic retrieval system –
which, on the face of it, precludes being cached by ISPs for the
provision of a more efficient service. Obviously, whilst it will
not be in most websites' interests to prevent ISPs from doing this,
it nonetheless makes it difficult for the ISP to have complied with
the strict obligations under the regulation. For an example of how
to address this, see OUT-LAW's copyright notice.
The industry rules on updating are not specified in the
Regulations. The most important point under this is that in order
to avoid any liability for unlawful material, the service provider
must, as soon as it has actual knowledge that the initial source
has been removed or access to it has been disabled, ensure that the
site is deleted from its cache.
The Regulations state that for the purposes of determining
whether a service provider has "actual knowledge" a court should
consider whether notice was given to the service provider via the
contact options on its site and the extent to which that notice
includes the full name and address of the sender of the notice, the
details of the location of the information in question and details
of the unlawful nature of the activity or information in
question.
Hosting
This exception applies in respect of any information which is
stored by a service provider where that information has been
provided to the service provider by someone using the service.
In such circumstances, the service provider will not be liable
where it does not have actual knowledge of unlawful material (see
the test above) and, where a claim for damages is made, is not
aware of facts or circumstances from which it would have been
apparent to the service provider that the activity or information
was unlawful.
This means that, whilst there is no obligation to monitor the
contents of a web site, a service provider should not merely turn a
blind eye. This is particularly important when it is borne in mind
that this is the one exception to the defence in criminal
proceedings. The Regulations provide that the service provider
cannot rely on the fact that it did not have constructive knowledge
as a defence. Once again, the service provider must act immediately
upon gaining knowledge that the material is unlawful by either
removing or disabling access to the material.
Finally, the person who has posted the material must not be
under the authority or control of the service provider.
No obligation to monitor
The E-commerce Directive states that Member States must not
impose a general obligation on service providers to monitor the
information which they transmit or store. It is normally accepted
that if you do monitor the content on your servers then you are at
greater risk as you will be treated as a publisher of that
information.
Further exemptions
The Electronic Commerce Directive (Terrorism Act 2006)
Regulations 2007 provided specific exemptions for ISPs from
offences made under the Terrorism Act 2006. The Regulations ensure
that the key provisions of the Terrorism Act 2006 apply on a
country-of-origin basis and exempt service providers from liability
where they act as mere conduits, caches or hosts of
information.
While the Regulations were welcomed by ISPs, they raised a
number of uncertainties, particularly in relation to the extent to
which ISPs should monitor content provided to them by their users.
The hosting exception suggests that in order to establish whether
or not it has "actual knowledge", an ISP must effectively carry out
a legal evaluation of the information in question, including the
correct interpretation of the definition of "unlawfully
terrorism-related information" contained in section 3(7) of the
Terrorism Act. Therefore, it would seem that ISPs will now be
required actively to monitor their services for offending
content.
The Electronic Commerce Directive (Racial and Religious Hatred
Act 2006) Regulations 2007, which came into force on 1 October
2007, created further exemptions from liability for ISPs in
relation to stirring up religious hatred offences under the Racial
and Religious Hatred Act 2006 where service providers act as mere
conduits, caches or hosts of information. Religious hatred is
defined as hatred against a group of persons defined by reference
to religious belief or lack of religious belief.
These Regulations raised similar concerns to the Electronic
Commerce Directive (Terrorism Act 2006) Regulations 2007 in respect
of the language used (which differed markedly to that used in the
Directive) and the differences in the conditions imposed on ISPs,
which will substantially increase the administrative and legal
burden on ISPs to ensure compliance with the different
Regulations.
New E-Commerce laws
There is likely to be a new set of consumer contract laws
proposed in autumn 2008 to harmonise the rules that govern online
selling across the EU. This will aim to create a single framework
for Europe's Internal Market, meaning that consumers and businesses
should find it easier to buy and sell across Europe. However,
concrete proposals are yet to be published.
What you should do next
- Examine your website.
- Do you need to amend your terms and conditions?
- Do you have suitable disclaimers in place?
- Does your order process take advantage of the Regulations'
flexibility to "acknowledge" rather than "accept" orders?
- Do you have insurance in place?
- Have you assessed your international exposure?
The UK's Regulations closely reflect the EU Directive. The EU is
obliged to re-examine the Directive every two years.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please contact us. See also: our full disclaimer