Whether your business is trading online or not, it is almost certainly affected by the E-Commerce Regulations which came into force in the UK in 2002. They cover more than just e-commerce.
The Regulations, properly called the Electronic Commerce (EC Directive) Regulations 2002, implement the EU's Electronic Commerce Directive 2000 into UK law. The Directive was introduced to clarify and harmonise the rules of online business throughout Europe with the aim of boosting consumer confidence. The Directive was passed in June 2000.
This article explains the rules with reference to the Regulations, which follow closely the terms of the E-Commerce Directive itself.
What is covered?
Virtually every commercial website is covered by the Regulations.
The Regulations refer to an "information society service". This is defined as "any service normally provided for remuneration at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, at the individual request of a recipient of the service".
This covers more than just e-commerce businesses. In 2002, the UK's Department of Trade and Industry (which became the Department for Business, Innovation and Skills in 2009) said that, in its view, it is not restricted to buying and selling online.
The DTI guidance on the Regulations (DTI Guidance) (30-page / 262KB PDF) states:
"The requirement for an information society service to be 'normally provided for remuneration' does not restrict its scope to services giving rise to buying and selling online. It also covers services (insofar as they represent an economic activity) that are not directly remunerated by those who receive them, such as those offering online information or commercial communications (e.g. adverts) or providing tools allowing for search, access and retrieval of data".
In Google France SARL, Google Inc v Louis Vuitton Malletier SA and others (2010), the Court of Cassation (of France) asked the Court of Justice of the European Union (CJEU) whether Google Search fell within the definition of an 'information society service'. The CJEU found that "An internet referencing service constitutes an information society service consisting in the storage of information supplied by the advertiser".
The court also emphasised that for a service to fall within the definition of an information society service there must be evidence "that that service features all of the elements of that definition".
The UK High Court in 2009 asked the CJEU to provide a preliminary ruling on a number of questions in L'Oreal v eBay (2011). L'Oreal commenced litigation against eBay and sellers on eBay for selling L'Oreal products without L'Oreal's consent. One question considered by the court concerned eBay's potential liability. The UK High Court accepted that eBay as the operator of an online marketplace was an information society service.
The Directive applies to the Member States of the European Economic Area (EEA), which includes the 27 Member States of the EU plus Norway, Iceland and Liechtenstein. The EU is obliged to re-examine the Directive every two years.
Exclusions and omissions from the Regulations
The Directive and Regulations do not address where you can sue or be sued, although they do provide for the law which applies in the event of a dispute in some circumstances.
The Directive and Regulations do not apply to: taxation; betting, gaming or lotteries; data protection; the activities of a public notary; the representation of a client and defence of his or her interests before courts; or cartel laws. So, for example, if content is the subject of a complaint under the Data Protection Act, it may be possible to argue that the host cannot enjoy the intermediary protections described below. (See: Google convictions reveal two flaws in EU law, not just Italian law, OUT-LAW News, 03/03/2010.)
The Regulations only apply in relation to Acts of Parliament passed before the date on which the E-Commerce Regulations were made (i.e. 30th July 2002) and in relation to "the exercise of a power to legislate" on or before that date. For legislation that post-dates the E-Commerce Regulations, the Directive needs to be implemented on a case-by-case basis. Consequently, some Acts, like the Equality Act 2010, contain relevant provisions of the E-commerce Regulations. Others include relevant provisions in supplementary laws. For example, the Terrorism Act 2006 was followed by the Electronic Commerce (Terrorism Act 2006) Regulations 2007. Most recently supplementary provisions have been applied in the Electronic Commerce Directive (Trafficking People for Exploitation) Regulations 2013.
Whose laws apply?
In general, the Regulations apply a "country of origin" principle. In its simplest form, this means that as long as a UK business complies with the provisions of the Regulations, it can "ignore" the laws of other Member States that touch upon the same subject matter.
A UK business cannot however escape the terms of the Regulations simply by locating its servers outside the UK. The Regulations look at where a business is established, not where its equipment is based and state that they apply "... irrespective of whether that information society service is provided in the United Kingdom or another [EU] member State".
If the country of origin principle applied throughout the EEA it would be good news for businesses, because it lets them target consumers in all EEA Member States without needing to follow the rules of 30 different countries. However, recognising that such an approach could discourage consumers from shopping across national borders, this basic rule is qualified.
Most significantly, the Regulations do not apply the country of origin principle to the terms of consumer contracts. In practical terms, this means that a UK-based e-commerce site's terms and conditions should meet the laws of every Member State in which consumers can buy its products, not just UK laws. As a result of the consumer contract exception, any site selling to French consumers must provide its terms and conditions in French, to comply with French consumer laws (though compliance with all French consumer laws will require more than just a translation).
Other exceptions to the country of origin principle
Copyright and certain other intellectual property rights are also excluded from the scope of the country of origin principle. So are real estate transfers and unsolicited commercial email (i.e. spam).
A Member State can override the country of origin principle and impose its own laws against a supplier in another Member State for reasons of:
- public policy;
- protection of public health;
- public security, including the safeguarding of national security and defence; and
- protection of consumers, including investors.
However, measures must be proportionate.
The UK has overridden the country of origin principle in the Regulations by providing UK enforcement authorities with powers to take measures against information society service providers established outside of the UK but within the EEA if any of these circumstances apply and the service provider has been found by the UK authority to have behaved in a manner inconsistent with "any requirement" of the Regulations. Before taking action however, the UK authority must have first asked the Member State in which the service provider is established to take measures against the service provider and given it time to take measures itself and notified the European Commission of its intention to take such measures.
Significantly this means that UK regulators can take measures against service providers located elsewhere in the EEA if they felt it was necessary in order to "protect consumers". Non-UK service providers therefore should not conclude that they can deliver online services into the UK in a manner that is inconsistent with the Regulations. It seems that a best practice approach for non-UK established service providers would be to ensure compliance with the Regulations at least to the extent to which they are not inconsistent with the laws of the country in which they are established.
In the combined case of eDate Advertising DmbH v X and Martinez v Mirror Group (2011) the CJEU gave the instruction that it is only in circumstances where the derogations provided for apply that the provider of an e-commerce service can be "made subject to stricter requirements than those provided for by the substantive law applicable in the Member State in which that service provider is established".
Minimum information to be provided
Service providers, whether involved in e-commerce or not, should provide the following minimum information, which must be easily, directly and permanently accessible:
- the name of the service provider must be given somewhere easily accessible on the site. This might differ from the trading name and any such difference should be explained – e.g. "XYZ.com is the trading name of XYZ Enterprises Limited";
- the geographic address of the service provider must be given;
- the details of the service provider including his or her email address, so long as it allows rapid contact and direct and effective communication. The CJEU in Bundesverband v Deutsche Internet Versicherung (2008) confirmed that in order to be able to respond to consumers promptly, a company may need to provide other methods of communication beyond its postal and email address. A 'contact us' form without also providing an email address in not sufficient;
- details of a register, including any registration number, should be provided;
- if the business is a member of a trade or similar register available to the public, confirmation of that. For example, if a company, the company's registration number should be given;
- the particulars of the relevant supervisory authority if the services are subject to an authorisation scheme;
- details of any professional body or similar institution with which the service provider is registered, his or her professional title and the Member State where that title has been granted besides reference to the applicable professional rules where the service provider exercises a regulated profession;
- a VAT number, if a business has one should be stated – even if the website is not being used for e-commerce transactions; and
- prices on the website must be clear and unambiguous and, in particular, state whether prices are inclusive of tax and delivery costs.
The DTI Guidance commented that the geographic address "is not necessarily his principal or registered office, nor the usual address that he cites for the purpose of sending communications. Rather, it is the address that derives from the definition of “established service provider” and so indicates the member state whose laws will, in general, apply to the provision of the service in question". The Regulations define "established service provider" as "a national of a member state or a company or firm ... who effectively pursues an economic activity by virtue of which he is a service provider using a fixed establishment in a member state of an indefinite period".
Finally, do not forget the overlapping information requirements of other laws:
- The Consumer Rights Directive of 2011 gave consumers increased rights when distance selling is involved, such as online or phone sales. They are implemented in the UK by 2014’s Consumer Contracts Regulations.
- If the service provider is a company, the Companies Act 2006 requires that the place of registration should be stated (e.g. "XYZ Enterprises Limited is a company registered in England and Wales with company number 1234567").
If your business uses text messaging to promote its goods and services, you are still subject to the information requirements.
SMS messages are limited to a maximum of 160 characters. So how can you comply with all the information requirements? The DTI guidance on the Regulations (30-page / 262KB PDF) acknowledged this problem:
"The Regulations do not prescribe how the requirement to make information "easily, directly and permanently accessible" should be met. The Government recognises that technological constraints (e.g. the 160-character limit on mobile text messages) mean that the information may not readily be accessible by the same means by which the service provider transacts with recipients of his services. The Government envisages, however, that these criteria should be capable of being met if the information is accessible by other means (e.g. inclusion on a website)."
So, at the end of a message, it may be sufficient to give the URL of a website where more information can be obtained. However, you should be aware that while the DTI's guidance, which was published in 2002, may influence a court, it will not be binding.
There are now more mobile messages sent via 'over the top' chat apps, such as WhatsApp, iMessage and BlackBerry Messenger, than by SMS. While such message services are presently used primarily for social messaging, businesses may, in time, take advantage of these free to use apps or develop similar ones and use them to send commercial communications. In adopting such practices it is foreseeable that the Regulations will apply although this has not yet been formally tested in the courts.
Marketing by email or text messaging, whether solicited or unsolicited, must clearly identify:
- that it is a commercial communication;
- the person on whose behalf it is being sent; and
- if appropriate, that the communication is a promotional offer (including any discount, premium or gift) or promotional competition or game, and make conditions clear, unambiguous and easily accessible.
Unsolicited commercial email (spam)
The Regulations state: "A service provider shall ensure that any unsolicited commercial communication sent by him by electronic mail is clearly and unambiguously identifiable as such as soon as it is received".
The Regulations are silent on how to identify such messages. A US federal law, the CAN-SPAM Act, charged a task force with preparing a plan to require spam to include the characters 'ADV' in the subject line. Such requirements existed already in some states. The Federal Trade Commission later concluded that the labelling plan would fail. It was not added to the federal law.
The UK's main law for dealing with spam is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). It requires businesses to have prior consent before sending unsolicited commercial email to "individual subscribers" unless the recipient's contact details have been obtained in the course of the sale or negotiation for the sale of a product or services. In effect the PECR bans spam to addresses like firstname.lastname@example.org but does not ban spam to email@example.com, the latter being a "corporate subscriber". The Committee of Advertising Practice Code (CAP Code) allows the marketing of business products without explicit consent only to corporate subscribers and their named employees.
The E-commerce Directive gave Member States discretion to allow or forbid spam. This area of law is also excluded from the country of origin principle. So, while some spam is lawful in the UK, it is not lawful in, for example, Italy. A UK business cannot rely on UK law to justify the spamming of Italian consumers.
The Directive also says that businesses must consult regularly and respect opt-out registers before sending unsolicited commercial communications. The UK decided to omit this provision when implementing the Directive. The Government at the time considered that industry self-regulation and codes of conduct already gave effective protection to the recipients of spam. However, under the PECR an individual subscriber must be informed that they can opt-out of future marketing when their details are initially collected and in every subsequent communication they receive. Similarly the CAP Code states that such opt-out details are to be given to corporate subscribers including their named employees.
Making contracts online
The Directive requires all Member States to ensure that their legal system allows contracts to be concluded online and to ensure that it does not deprive contracts of validity just because they are electronic. There are a few exceptions, such as property sales and guarantees.
The UK did not make any specific regulation on this because the Government considered that it already complies. This followed the conclusions of a report on e-commerce by the Law Commission for England and Wales in December 2001. This report found that, in England and Wales, statutory requirements for "writing" and a "signature" are generally capable of being satisfied by email and by online trading.
Information to be given before orders are placed 'by electronic means'
In addition to the requirements above, certain other information must be given where a contract is concluded by electronic means (typically on a website). These overlap with the provisions of the Distance Selling Regulations. But unlike those rules, the E-commerce Regulations' provisions apply to sales to either businesses or consumers. For business to consumer contracts the requirements are compulsory, while in a business to business contract businesses may agree otherwise.
Before an order is placed, the seller must provide the following, "in a clear, comprehensible and unambiguous manner":
- the different technical steps to follow to conclude the contract;
- whether or not the concluded contract will be filed by the service provider and whether it will be accessible;
- the technical means for identifying and correcting input errors prior to the placing of the order; and
- the languages offered for the conclusion of the contract.
A service provider needs to indicate which relevant codes of conduct it subscribes to (if any) and give information on how those codes can be accessed electronically. Where possible, it would be best practice to link to the code.
The requirements set out in the above two paragraphs however are not necessary if the contract is concluded exclusively by email or equivalent one to one private communications.
In addition, where a service provider sends terms and conditions applicable to the contract to the recipient, the terms and conditions must be made available in a way which allows a user "to store and reproduce them". The DTI Guidance states that "the Government envisages this being met if the terms and conditions are provided in a form other than was the case during the original transaction (e.g. via a printed receipt sent with the goods rather than downloaded or copied from a website)".
Placing of the order
Consumers who place orders online must be provided with "appropriate, effective and accessible technical means" to allow them to identify and correct input errors before completing their orders. Receipt of the order must also be acknowledged without undue delay by electronic means. The acknowledgement of receipt may take the form of the provision of the service paid for where that service is an information society service, such as a song download. These provisions are compulsory for business to consumer orders but may be otherwise agreed for business to business orders, where the terms and conditions can be worded to vary these rules.
For transactions completed exclusively by exchange of email or equivalent one to one private communications, as opposed to being completed online, these provisions do not apply.
Note that suppliers are not required to accept the order at this point. It is sufficient – and prudent – to say that "Your order has been received and is now being processed" or words to that effect, rather than "Your order has been accepted".
It is important that you explain fully in your terms and conditions how contracts are formed and your site's procedure for taking payment or refunding payments from customers' credit cards. Otherwise, in the event of pricing errors on your website, you may find that you are bound to sell items below cost. For more on this subject, see our guide, How to protect your site against pricing errors.
Liability of intermediaries
As is explained in more detail below, provided a service provider that acts as an ISP, network operator or 'web host' complies with the Regulations, it is generally not liable for any material where it:
- acts as a mere conduit;
- caches the material; or
- hosts the material.
As also explained in more detail below the hosting exception for liability has been interpreted expansively and may apply to any online service provider which stores information.
Further, compliance with the Regulations will act as a defence to a criminal prosecution being brought against the service provider (though the expectations change when the service provider gains 'actual knowledge' of unlawful content, as explained below).
Where the service of a business consists of either a transmission in a communication network of information which has been provided by a recipient of the service (e.g. an ISP transmitting a customer's email) or where the service consists of the provision to access to a particular communication network (basically, a telco or ISP) then the service provider will not be liable for damages or for any other pecuniary remedy or for any criminal sanction if it did not:
- initiate the transmission;
- select the receiver of the transmission; and
- select or modify the information in the transmission.
The DTI guidance on the Regulations (30-page / 262KB PDF) said that manipulations of a technical nature that take place in the course of the transmission, for example, the automatic adding of headers and the automated removal of viruses from emails, do not mean that a service provider will fail the 'modification' part of the test. It will only do so if it in some way modifies the information itself.
The main purpose behind this regulation is to give protection to businesses which cache copies of sites in the provision of their access services.
The service provider will not be liable in damages (or other remedy or criminal sanction) where the caching is "automatic, intermediate and temporary for the sole purpose of providing a more efficient service". Further, the service provider must not modify the information and must comply with all access conditions imposed with regard to the site. This in itself means that it may be difficult to fall within this exception.
For example, many website copyright notices provide that the information may not be stored in an electronic retrieval system – which, on the face of it, precludes being cached by ISPs for the provision of a more efficient service. Obviously, whilst it will not be in most websites' interests to prevent ISPs from doing this, it nonetheless makes it difficult for the ISP to have complied with the strict obligations under the regulation. OUT-LAW's copyright notice addresses this problem by saying:
"For the avoidance of doubt, caching of this site is permitted by a service provider acting in the normal course of its business as provided for in the Electronic Commerce (EC Directive) Regulations 2002".
In order to avoid any liability for unlawful material, the service provider must, upon gaining 'actual knowledge' that the initial source has been removed or access to it has been disabled, act 'expeditiously' to ensure that the information is deleted from its cache or ensure that access to it is disabled.
The Regulations state that for the purposes of determining whether a service provider has actual knowledge a court should consider:
- whether the service provider has received a notice via the contact options on its site; and
- the extent to which that notice includes:
- the full name and address of the sender of the notice;
- the details of the location of the information in question; and
- details of the unlawful nature of the activity or information in question.
The Directive does not include this guidance on how to determine whether a service provider has actual knowledge.
When a website operator stores information provided by a user, the operator may fall within an exception from liability available to online 'hosts' and not be liable for any criminal sanction as a result of that storage, provided that the service provider:
- does not have actual knowledge of unlawful activity or information; and
- upon obtaining such knowledge, it acts expeditiously to remove or to disable access to the information.
The defence will only apply to circumstances where recipients of the service were not acting under the authority or the control of the service provider.
A host is more exposed in some civil proceedings because a lower level of knowledge is required. The Regulations say that where a claim for damages is made, the host must act expeditiously to remove or disable access to the information if it is "aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful" – i.e. constructive knowledge, rather than actual knowledge, will suffice.
In L'Oreal v eBay the CJEU gave guidance as to the circumstances in which a website operator would not be able to rely on the host defence for reason of having gained an "awareness" of an unlawful activity or information.
A website operator may lose its defence, according to the CJEU, where it:
- performs an "active role" in an illegal activity; or
- is aware of facts or circumstances from which an illegal activity or information become apparent.
Has the website operator played an active role?
While the CJEU left it to the UK High Court to determine whether eBay performed an active role in the selling of counterfeit goods via its site in L'Oreal v eBay, the court instructed that the following factors should be taken into account – before allowing a website operator to rely on the host defence a court will determine whether or not the provider can be said to:
- have had 'control' over the data the subject of the illegal activity;
- in the case of an illegal online sale, have provided "... assistance intended to optimise or promote certain offers for sale".
It therefore will likely be that if a website operator provides assistance in optimising illegal sales or promoting offers or in some manner takes control over data relating to those sales, it will not be able to rely on the hosting exemption from liability afforded to information society service providers.
An awareness of facts or circumstances of illegal activity
In L'Oreal v eBay the CJEU also provided a standard or test by which one can measure whether or not a website operator could be said to have acquired an 'awareness' of an illegal activity of illegal information in connection with its services. In order to determine whether a website operator has obtained such an awareness courts must ask whether "a diligent economic operator would have identified the illegality and acted expeditiously". The CJEU also instructed that an awareness of illegal activities or information may become apparent as the result of an investigation by the operator itself or where the operator receives notification of such activity.
Accordingly, while there is no obligation to monitor the content of a website, a service provider should not turn a blind eye to how its services will be used. When it gains awareness of any unlawful activity or information it must act expeditiously to remove or disable access to affected content.
The hosting exemption does not apply in civil proceedings that do not seek damages or another pecuniary remedy. So if a lawsuit seeks an injunction only, such as a court order telling the web host to stop doing something, the website operator cannot rely on the exemption.
No obligation to monitor
The E-commerce Directive states that Member States must not impose a general obligation on service providers to monitor the information which they transmit or store. It is normally accepted that if you do monitor the content on your servers then you are at greater risk as you will be treated as a publisher of that information.
The UK Regulations do not include the Directive's prohibition on a monitoring obligation. However, in Twentieth Century Fox Film Corp v British Telecommunications plc (2011) BT in response to an application for an injunction by Twentieth Century argued that granting the injunction would contravene the Directive. The injunction Twentieth Century Fox requested called for BT to prevent its subscribers from accessing "Newzbin2", which provided links to pirated films of Twentieth Century Fox. The injunction was granted. The order did not require BT to actively monitor content but block access to Newzbin2 via automated methods, which BT was already utilising to prevent access to child pornography. The Court said "to the extent that this amounts to monitoring, it is specific rather than general".
The Regulations apply only in relation to Acts of Parliament passed before the date on which they were made. For legislation that post-dates the Regulations, the Directive needs to be implemented on a case-by-case basis. Some of these implementations have caused concern for online intermediaries.
The Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007 provided specific exemptions for ISPs from offences made under the Terrorism Act 2006. The Regulations ensure that the key provisions of the Terrorism Act 2006 apply on a country of origin basis and exempt service providers from liability where they act as mere conduits, caches or hosts of information.
While the Regulations were welcomed by ISPs, there was some initial uncertainty, particularly in relation to the extent to which ISPs should monitor content provided to them by their users. The hosting exception provides that a service provider is not guilty of a relevant offence if:
- the service provider did not know when the information was provided that it was unlawfully terrorism-related; or
- upon obtaining actual knowledge that the information was unlawfully terrorism-related, the service provider expeditiously removed the information or disabled access to it.
At the time of its coming into force, there was some concern that ISPs would be required to actively monitor their services for offending content and legally evaluate whether the information was "unlawfully terrorism-related information" as explained in section 3(7) of the Terrorism Act. Subject to the relevant criteria, material can be held to be "unlawfully terrorism-related information" if it is understood or useful to "any one or more ... persons".
In practice ISPs are not monitoring information but are waiting until they receive a take down notice. This has led a Home Office Committee to recommend that a code of conduct be produced requiring ISPs to proactively remove radical extreme content posted online, which would necessitate that material is monitored. See Out-Law article New code of conduct should require ISPs to take down radical extremist content, MPs say.
In 2010 the Electronic Commerce Directive (Hatred against Persons on Religious Grounds or the Grounds of Sexual Orientation) Regulations came into force repealing the Electronic Commerce Directive (Racial and Religious Hatred Act 2006) Regulations 2007. These Regulations also create further exemptions from liability for ISPs who act as mere conduits, caches or hosts of information that is threatening and has been provided with the intention of stirring up religious hatred or hatred on the grounds of sexual orientation.
These Regulations initially raised similar concerns to the Electronic Commerce Directive (Terrorism Act 2006) Regulations 2007 in respect of the language used (which differed markedly to that used in the Directive).
What you should do next
- Examine your website:
- do you have the appropriate terms and conditions and disclaimers in place?;
- does your order process take advantage of the Regulations' flexibility to "acknowledge" rather than "accept" orders?;
- do you have insurance in place?; and
- have you assessed your international exposure?
- Ensure that you are familiar with which countries allow unsolicited email to be sent and in what circumstances.
- Ensure you are fully complying with the conditions for making online contracts.
- If applicable to your business, understand how to avoid liability when acting as a conduit, cache or host.