This guide is based on UK law. It was last updated in September 2010.
Whether your business is trading online or not, it is almost certainly affected by the E-Commerce Regulations which came into force in the UK on 21st August 2002. They cover more than just e-commerce.
The Regulations, properly called the Electronic Commerce (EC Directive) Regulations 2002, implement the EU's E-commerce Directive into UK law. The Directive was introduced to clarify and harmonise the rules of online business throughout Europe with the aim of boosting consumer confidence. The Directive was passed in June 2000. The UK missed its implementation deadline by over eight months.
This article explains the rules with reference to the Regulations, which follow closely the terms of the E-commerce Directive itself.
What is covered?
Virtually every commercial website is covered by the Regulations.
The Regulations refer to an "information society service." This is defined as "any service normally provided for remuneration at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of the service."
This is believed to cover more than just e-commerce businesses. In 2002, the UK's Department of Trade and Industry (which later became the Department for Business, Innovation and Skills) said that, in its view, it is not restricted to buying and selling online.
The DTI guidance on the Regulations (30-page / 262KB PDF) states:
"The requirement for an information society service to be 'normally provided for remuneration' does not restrict its scope to services giving rise to buying and selling online. It also covers services (insofar as they represent an economic activity) that are not directly remunerated by those who receive them, such as those offering online information or commercial communications (e.g. adverts) or providing tools allowing for search, access and retrieval of data."
A UK business cannot escape the terms of the Regulations by locating its servers in, say, California. The Regulations look at where a business is based, not where its equipment is based.
The Directive applies to the Member States of the European Economic Area (EEA), which includes the 27 Member States of the EU plus Norway, Iceland and Liechtenstein. The EU is obliged to re-examine the Directive every two years.
Exclusions and omissions from the Regulations
The Directive and Regulations do not address where you can sue or be sued, although they do provide for the law which applies in the event of a dispute in some circumstances.
Further, the Directive and Regulations do not apply to tax, gambling or lotteries and do not affect data protection laws or cartel laws. So, for example, if content is the subject of a complaint under the Data Protection Act, it may be possible to argue that the host cannot enjoy the intermediary protections described below. (See: Google convictions reveal two flaws in EU law, not just Italian law, OUT-LAW News, 03/03/2010)
The Regulations only apply in relation to Acts of Parliament passed before the date on which the E-Commerce Regulations were made (i.e. 30th July 2002) and in relation to "the exercise of a power to legislate" on or before that date. For legislation that post-dates the E-Commerce Regulations, the Directive needs to be implemented on a case-by-case basis. Consequently, some Acts, like the Equality Act 2010, contain relevant provisions of the E-commerce Regulations. Others include relevant provisions in supplementary laws. For example, the Terrorism Act 2006 was followed by the Electronic Commerce (Terrorism Act 2006) Regulations 2007.
Whose laws apply?
The Regulations apply a "country of origin" principle. In its simplest form, this means that as long as a UK business complies with UK laws, it can "ignore" the laws of other Member States. If this rule applied throughout the EEA it would be good news for businesses, because it lets them target consumers in all EEA Member States without needing to follow the rules of 30 different countries. However, recognising that such an approach could discourage consumers from shopping across national borders, this basic rule is qualified.
Most significantly, the Regulations do not apply the country of origin principle to the terms of consumer contracts. In practical terms, this means that a UK-based e-commerce site's terms and conditions should meet the laws of every Member State in which consumers can buy its products, not just UK laws. As a result of the consumer contract exception, any site selling to French consumers must provide its terms and conditions in French, to comply with French consumer laws (though compliance with all French consumer laws will require more than just a translation).
Despite this significant qualification, there are still advantages in the Regulations' country of origin principle that can benefit a UK-based business. For example, the UK's retail laws are among the most relaxed in Europe. This can give UK businesses advantages over, say, German competitors. A German e-tailer must comply with any German restrictions on promotional offers; its UK rival escapes such restrictions, even when selling to German consumers.
Other exceptions to the country of origin principle
Copyright and certain other intellectual property rights are excluded from the scope of the country of origin principle. So are electronic money (e-money), real estate transfers and unsolicited commercial email (i.e. spam).
A Member State can override the Country of Origin principle and impose its own laws against a supplier in another Member State for reasons of:
- public policy;
- protection of public health;
- public and national security; and
- protection of consumers.
However, measures must be proportionate.
Minimum information to be provided
Service providers, whether involved in e-commerce or not, should provide the following minimum information, which must be easily, directly and permanently accessible:
- The name of the service provider must be given somewhere easily accessible on the site. This might differ from the trading name and any such difference should be explained – e.g. "XYZ.com is the trading name of XYZ Enterprises Limited."
- The email address of the service provider must be given. It is not sufficient to include a 'contact us' form without also providing an email address.
- The geographic address of the service provider must be given. A PO Box is unlikely to suffice as a geographic address; but a registered office address would. If the business is a company, the registered office address must be included in any event.
- If a company, the company's registration number should also be given.
- If the business is a member of a trade or professional association, membership details, including any registration number, should be provided.
- If the business has a VAT number, it should be stated – even if the website is not being used for e-commerce transactions.
- Prices on the website must be clear and unambiguous. Also, state whether prices are inclusive of tax and delivery costs.
- Finally, do not forget the overlapping information requirements of other laws:
  - The Distance Selling Regulations contain various information requirements for businesses that sell to consumers over the web. For details of these requirements, see our guide, The UK's Distance Selling Regulations.
  - If the service provider is a company, the Companies Act 2006 requires that the place of registration should be stated (e.g. "XYZ Enterprises Limited is a company registered in England and Wales with company number 1234567").
If your business uses text messaging to promote its goods and services, you are still subject to the information requirements.
SMS messages are limited to a maximum of 160 characters. So how can you comply with all the information requirements? The DTI guidance on the Regulations (30-page / 262KB PDF) acknowledged this problem:
"The Regulations do not prescribe how the requirement to make information 'easily, directly and permanently accessible' should be met. The Government recognises that technological constraints (e.g. the 160-character limit on mobile text messages) mean that the information may not readily be accessible by the same means by which the service provider transacts with recipients of his services. The Government envisages, however, that these criteria should be capable of being met if the information is accessible by other means (e.g. inclusion on a website)."
So, at the end of a message, it may be sufficient to give the URL of a website where more information can be obtained. However, you should be aware that while the DTI's guidance, which was published in 2002, may influence a court, it will not be binding.
Marketing by email or text messaging, whether solicited or unsolicited, must clearly identify:
- that it is a commercial communication;
- the person on whose behalf it is being sent; and
- if appropriate, that the communication is a promotional offer (including any discount, premium or gift) or promotional competition or game, and make conditions clear, unambiguous and easily accessible.
Unsolicited commercial email (spam)
The Regulations state: "A service provider shall ensure that any unsolicited commercial communication sent by him by electronic mail is clearly and unambiguously identifiable as such as soon as it is received."
The Regulations are silent on how to identify such messages. A US federal law, the CAN-SPAM Act, charged a task force with preparing a plan to require spam to include the characters 'ADV' in the subject line. Such requirements existed already in some states. The Federal Trade Commission later concluded that the labelling plan would fail. It was not added to the federal law.
The UK's main law for dealing with spam is the Privacy and Electronic Communications Regulations 2003, which implemented an EU Directive. It requires businesses generally to have prior consent before sending unsolicited commercial email to "individual subscribers". In effect that bans spam to addresses like firstname.lastname@example.org but does not ban spam to email@example.com, the latter being a "corporate subscriber". These issues are explained more fully in OUT-LAW's guide on Email marketing: the UK laws.
The E-commerce Directive gave Member States discretion to allow or forbid spam. This area of law is also excluded from the country of origin principle. So, while some spam is lawful in the UK, it is not lawful in, for example, Italy. A UK business cannot rely on UK law to justify the spamming of Italian consumers.
The Directive also says that businesses must consult regularly and respect opt-out registers before sending unsolicited commercial communications. The UK decided to omit this provision when implementing the Directive. The Government at the time considered that industry self-regulation and codes of conduct already gave effective protection to the recipients of spam.
Making contracts online
The Directive requires all Member States to ensure that their legal system allows contracts to be concluded online and to ensure that it does not deprive contracts of validity just because they are electronic. There are a few exceptions, such as property sales and guarantees.
The UK did not make any specific regulation on this because the Government considered that it already complies. This followed the conclusions of a report on e-commerce by the Law Commission for England and Wales (44-page / 131KB PDF) in December 2001. This report found that, in England and Wales, statutory requirements for "writing" and a "signature" are generally capable of being satisfied by email and by website trading.
Information to be given before orders are placed 'by electronic means'
In addition to the requirements above, certain other information must be given where a contract is concluded by electronic means (typically on a website). These overlap with the provisions of the Distance Selling Regulations. But unlike those rules, the E-commerce Regulations' provisions apply to sales to either businesses or consumers.
Before an order is placed, the seller must provide the following, "in a clear, comprehensible and unambiguous manner":
- the technical steps to follow to conclude the contract;
- whether or not the concluded contract will be filed and whether it will be permanently accessible;
- the technical means for identifying and correcting input errors prior to placing orders;
- languages offered for the conclusion of the contract;
- a link to any relevant codes of conduct to which you subscribe (unnecessary if the contract is concluded by email); and
- the terms and conditions of the contract, made available in a way which allows a user "to store and reproduce" them (again, unnecessary if the contract is concluded by email).
Placing of the order
When selling to consumers online, you must give shoppers the ability to identify and correct input errors before completing their orders. Also, you must acknowledge receipt of the order as soon as possible by electronic means (though the acknowledgement may take the form of the provision of the service paid for where that service is an information society service, such as a song download).
Note that you are not required to accept the order at this point. It is sufficient – and prudent – to say that "Your order has been received and is now being processed" or words to that effect, rather than "Your order has been accepted."
It is important that you explain fully in your terms and conditions how contracts are formed and your site's procedure for taking payment or refunding payments from customers' credit cards. Otherwise, in the event of pricing errors on your website, you may find that you are bound to sell items below cost. For more on this subject, see our article, How to protect your site against pricing errors.
If the transaction is completed by email (as opposed to being completed on a website), the acknowledgement need not be immediate. Also, in selling to other businesses, the terms and conditions can be worded to vary these rules.
Liability of intermediaries
As is explained in more detail below, provided a service provider that acts as an ISP, network operator or web host complies with the Regulations, it is generally not liable for any material where it:
- acts as a mere conduit;
- caches the material; or
- hosts the material.
Further, compliance with the Regulations will act as a defence to a criminal prosecution being brought against the service provider (though the expectations change when the service provider gains 'actual knowledge' of unlawful content, as explained below).
Where the service of a business consists either of a transmission in a communication network of information which has been provided by a recipient of the service (e.g. an ISP transmitting a customer's email) or of the provision of access to a particular communication network (basically, a telco or ISP), then the service provider will not be liable for damages or for any other pecuniary remedy or for any criminal sanction:
- if it did not initiate the transmission;
- did not select the receiver of the transmission; and
- did not select or modify the information in the transmission.
The DTI guidance on the Regulations (30-page / 262KB PDF) said that manipulations of a technical nature that take place in the course of the transmission, for example the automatic adding of headers and the automated removal of viruses from emails, do not mean that a service provider will fail the 'modification' part of the test. It will only do so if it in some way modifies the information itself.
The main purpose behind the caching regulation is to give protection to businesses which cache copies of sites in the provision of their access services.
The service provider will not be liable in damages (or other remedy or criminal sanction) where the caching is "automatic, intermediate and temporary for the sole purpose of providing a more efficient service".
Further, the service provider must not modify the information and must comply with all access conditions imposed with regard to the site. This in itself means that it may be difficult to fall within this exception.
For example, many website copyright notices provide that the information may not be stored in an electronic retrieval system – which, on the face of it, precludes being cached by ISPs for the provision of a more efficient service. Obviously, whilst it will not be in most websites' interests to prevent ISPs from doing this, it nonetheless makes it difficult for the ISP to have complied with the strict obligations under the regulation. OUT-LAW's copyright notice addresses this problem by saying:
"For the avoidance of doubt, caching of this site is permitted by a service provider acting in the normal course of its business as provided for in the Electronic Commerce (EC Directive) Regulations 2002."
In order to avoid any liability for unlawful material, the service provider must, upon gaining 'actual knowledge' that the initial source has been removed or access to it has been disabled, act 'expeditiously' to ensure that the information is deleted from its cache or ensure that access to it is disabled.
The Regulations state that for the purposes of determining whether a service provider has actual knowledge a court should consider:
- whether the service provider has received a notice via the contact options on its site;
- the extent to which that notice includes:
  - the full name and address of the sender of the notice;
  - the details of the location of the information in question; and
  - details of the unlawful nature of the activity or information in question.
The Directive does not include this guidance on how to determine whether a service provider has actual knowledge. Web companies have said that even the UK Regulations could go further.
In 2005, Yahoo! called for a clear notice and takedown procedure (13-page / 94KB Word doc) in response to a UK Government consultation on the liability of internet intermediaries.
"It should provide clear and workable rules on when a company is deemed to have received notice and the form that such a notice must take," it wrote. "It is impossible for a company to make sure that all its employees are properly trained to handle such notices, and therefore a rule or guidance stating that notice must be delivered to a person designated by the company would be welcomed by Yahoo!"
That proposal was not implemented in UK law, though the notice provisions of the Regulations were applied by the High Court the following year in the case of Bunt v Tilley (in which a complaint sent by email did not amount to actual notice because none of the information listed in the Regulations was included).
When a web host stores information provided by a user, the host is not liable for any criminal sanction as a result of that storage provided:
- the service provider "does not have actual knowledge of unlawful activity or information";
- upon obtaining such knowledge, it acts expeditiously to remove or to disable access to the information; and
- the recipient of the service was not acting under the authority or the control of the service provider.
A host is more exposed in some civil proceedings because a lower level of knowledge is required. The Regulations say that where a claim for damages is made, the host must act expeditiously to remove or disable access to the information if it is "aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful" – i.e. constructive knowledge, rather than actual knowledge, will suffice.
Consequently, whilst there is no obligation to monitor the content of a website, a service provider should not turn a blind eye to how its services will be used. There is very little guidance from European courts on what will or will not constitute constructive knowledge.
The hosting exemption does not apply in civil proceedings that do not seek damages or another pecuniary remedy. So if a lawsuit seeks an injunction only, such as a court order telling the web host to stop doing something, the host cannot rely on the exemption.
No obligation to monitor
The E-commerce Directive states that Member States must not impose a general obligation on service providers to monitor the information which they transmit or store. It is normally accepted that if you do monitor the content on your servers then you are at greater risk as you will be treated as a publisher of that information.
The issue came up in a Belgian case, SABAM v Tiscali. See: Belgian ISP will appeal order to block file-sharing, OUT-LAW News, 20/07/2007
The UK Regulations do not include the Directive's prohibition on a monitoring obligation. However, a UK court would have to have regard to the Directive's provisions if a case like SABAM v Tiscali came before it.
As mentioned at the start of this guide, the Regulations generally apply only in relation to Acts of Parliament passed before the date on which the E-Commerce Regulations were made. For legislation that post-dates the E-Commerce Regulations, the Directive needs to be implemented on a case-by-case basis. Some of these implementations have caused problems for intermediaries.
The Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007 provided specific exemptions for ISPs from offences made under the Terrorism Act 2006. The Regulations ensure that the key provisions of the Terrorism Act 2006 apply on a country-of-origin basis and exempt service providers from liability where they act as mere conduits, caches or hosts of information.
While the Regulations were welcomed by ISPs, they raised a number of uncertainties, particularly in relation to the extent to which ISPs should monitor content provided to them by their users. The hosting exception suggests that in order to establish whether or not it has "actual knowledge", an ISP must effectively carry out a legal evaluation of the information in question, including the correct interpretation of the definition of "unlawfully terrorism-related information" contained in section 3(7) of the Terrorism Act. Therefore, it would seem that ISPs will now be required actively to monitor their services for offending content.
The Electronic Commerce Directive (Racial and Religious Hatred Act 2006) Regulations 2007, which came into force on 1 October 2007, created further exemptions from liability for ISPs in relation to stirring up religious hatred offences under the Racial and Religious Hatred Act 2006 where service providers act as mere conduits, caches or hosts of information. Religious hatred is defined as hatred against a group of persons defined by reference to religious belief or lack of religious belief.
These Regulations raised similar concerns to the Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007 in respect of the language used (which differed markedly to that used in the Directive) and the differences in the conditions imposed on ISPs, which will substantially increase the administrative and legal burden on ISPs to ensure compliance with the different Regulations.
What you should do next
- Examine your website.
- Do you need to amend your terms and conditions?
- Do you have suitable disclaimers in place?
- Does your order process take advantage of the Regulations' flexibility to "acknowledge" rather than "accept" orders?
- Do you have insurance in place?
- Have you assessed your international exposure?