There are numerous laws and regulations in the UK and other countries that can derail a promising ecommerce business.
By Eric Lambert, associate general counsel and Jeffrey Albertson, corporate counsel, Digital River, Inc.
In October 2012, the Office of Fair Trading announced it had written to 62 of the top online retailers ahead of the holiday period, after a sweep of 156 websites found signs that many were not in full compliance with consumer protection laws.
Here are some of the most important “legal landmines” to consider:
Online Selling Regulations
Be mindful of regulations protecting consumers’ rights when purchasing products online. These regulations seek to ensure companies provide appropriate information to purchasers in connection with the online sale of goods and services.
They include:
• The Consumer Protection (Distance Selling) Regulations 2000 (implementing EU Directive 97/7/EC), which require online sellers to provide certain information to consumers before conclusion of a transaction;
• The Electronic Commerce (EC Directive) Regulations 2002 (implementing EU Directive 2000/31/EC), which require online sellers to identify themselves and their registration/VAT numbers; regulate the display of prices, fees, and applicable taxes; and impose other pre-purchase obligations on e-commerce sellers;
• The Electronic Signatures Regulations 2002 (implementing EU Directive 1999/93/EC), which govern the enforceability of electronic signatures; and
• The EU’s new Consumer Rights Directive (EU Directive 2011/83/EU), which is designed to harmonise certain rules applicable to consumer rights across EU member states (and will supersede the Distance Selling Regulations once in effect).
Online stores must have conspicuous terms of sale to ensure they are compliant with all regulations and legislation.
They may need to be “localised” to comply with the laws of each member state in which consumers can purchase products, not just the UK. Compliance with the domestic laws of each country you sell into should not be overlooked.
Consumer Protection and Product-Specific Regulations
Regulations that provide protections to consumers purchasing from a “brick-and-mortar” retailer also apply to online sales. In the UK, these include:
• The Sale of Goods Act 1979, which covers the quality of goods received by purchasers;
• The Consumer Credit Act 1974, protecting consumers’ rights when purchasing with a credit card; and
• The Unfair Terms in Consumer Contract Regulations 1999, which provide consumer protections against unfair terms imposed by retailers.
Online sellers offering consumer electronics also have obligations under the UK’s RoHS Regulations 2012 (implementing EU Directive 2005/95/EC), Producer Responsibility (WEEE) Regulations (implementing EU Directive 2002/96/EC), and Battery Regulations (implementing EU Directive 2006/66/EC), and may be responsible for their suppliers’ compliance with such regulations.
Data Protection
Online sellers that collect and process personal data of their customers are responsible for ensuring that the storage and handling of such data is in compliance with the EU Data Protection Directive (95/46/EC), implemented in the UK via the Data Protection Act 1998.
The UK’s Information Commissioner’s Office (ICO) requires registration by every non-exempt organisation processing personal data. Online stores should have a clear and accurate privacy policy (“say what you do”), and should ensure compliance with their privacy policy at all times (“do what you say”).
Online sellers should ask for (and obtain and track) consent to their privacy policy and terms of sale prior to completing a transaction. If a third party processes consumer data for you, an appropriate controller-to-processor agreement needs to be in place.
If such a third party is outside of the EEA, be aware of the conditions and exclusions under the Data Protection Directive and Data Protection Act related to such a transfer. Personal data stored on systems (whether yours or your service providers’) should be protected, encrypted and subject to access restrictions.
Many countries and states/provinces have notification laws that may need to be followed in the event of a security breach. Note also that the EU is mulling an EU-wide data breach directive or regulation, which would replace the current voluntary disclosure obligation in the UK.
A new harmonising EU Regulation has been proposed to replace the current data protection directive, so watch for more developments in the coming months. If you use cookies on your e-commerce site, be aware of the requirements under the EU Cookie (e-Privacy) Directive (2009/135/EC) and ICO guidance on using cookies on your site.
Online sellers with operations outside of the UK may need to comply with additional local laws, and other member state implementations of EU directives may vary from the UK’s legislation.
Finally, networking among peers, reading articles on ecommerce laws, and joining online communities for online sellers and their employees are prudent steps to take towards avoiding the legal landmines of running an e-commerce business.
For more information visit www.digitalriver.com