
Ecommerce and the Law

This page is part of our Resources section. The aim of this section is to provide useful information to support clients interested in our ecommerce order fulfilment services.

Introduction

E-commerce is all about selling goods and services via the internet. The trader and customer are not face to face at any point, with business conducted remotely, regardless of location. This can pose a number of challenges to the formation and enforcement of contracts.

A number of legislative initiatives affect business conducted online - these can be complex and change regularly.

As far as e-commerce transactions are concerned, the legislation is primarily intended to ensure that online contracts are legally binding.

The ways in which electronic marketing can be undertaken to promote the services of e-commerce providers are also regulated.

This guide introduces you to the various regulations and provides practical advice on how to ensure that you comply with your legal requirements. However, it is not a substitute for professional legal advice.


E-commerce Regulations

The E-commerce Regulations came into force in August 2002. They implement the European E-Commerce Directive into UK law and one of their main aims is to ensure that electronic contracts are legally binding and enforceable throughout Europe.

The Directive broadly follows a 'country of origin' approach to regulation where services are provided across borders within the European Economic Area. The principle is that an online service provider is subject to the law that applies in the country where they are based, rather than where their customers are. Enforcement authorities are responsible for ensuring compliance with the national law.

The regulations apply to businesses that:

  • sell goods or services to businesses or consumers on the internet, or by email or Standard Messaging Service (SMS), ie text messages
  • advertise on the internet, or by email or SMS
  • convey or store electronic content for customers, or provide access to a communications network

They do not cover direct marketing by phone or fax.

Information requirements

The E-commerce Regulations identify specific information about your business that you must provide to recipients of online services, and set down guidelines regarding advertising and promotions.

Contracting online

If you form a contract online by electronic means, your customer should be able to print and store a copy of the terms and conditions. To find out about what information you must give the customer and other practical advice on how to comply, see the page in this guide on tips for complying with the E-commerce Regulations.

Advertising

If you intend to advertise on the internet, or by email or SMS, the regulations stipulate that "commercial communications" must be clearly recognisable as such. They must clearly identify the person on whose behalf the marketing communication is sent, together with any promotional offer.

The regulations also cover "unsolicited commercial communications", commonly referred to as spam. They require that these communications are identifiable from the subject line of the email, without the need to read the rest of the message. SMS messages are not covered for these purposes.


Tips for complying with the E-commerce Regulations

To comply with the general information requirements of the E-commerce Regulations 2002 you must give recipients of your online services:

  • your business' name, geographic address and other contact details including your email address
  • details of any publicly available register in which you are entered, together with your registration number or equivalent
  • the particulars of the supervisory body if the service is subject to an authorisation scheme
  • details of any professional body with which you are registered
  • your VAT registration number

If your website refers to prices, these must be clear and indicate whether they include tax and delivery costs.

You must also ensure your website complies with the Companies Act 2006. From 1 January 2007 all companies in the UK must clearly state the company registration number, place of registration, registered office address and, if the company is being wound up, that fact, on all of their websites. A common place to put this information is in the 'About us' or 'Legal info' page of the site - it does not have to appear on every page. This rule also applies to any electronic communications sent out by your company, such as emails.

How to comply when contracting online

If your business forms contracts online you must provide your customers with information about:

  • all technical steps required to conclude the contract, eg 'click this box'
  • whether the concluded contract will be filed by you and whether it will be accessible
  • the languages offered for the conclusion of the contract
  • any relevant codes of conduct to which you subscribe, and information on how these can be consulted electronically

You must make sure that your website allows customers to go back and correct any mistakes made in their order before the order is placed.

Once a customer has placed an order electronically, you must acknowledge receipt without undue delay.

Enforcement of regulation breaches

If a business or service provider breaches the regulations they may face a claim for damages. Where the breach affects the collective interest of consumers, a service provider may also be subject to a 'stop now' order - this will allow the Office of Fair Trading and other consumer protection bodies to apply to the courts for an enforcement order. The courts will also be able to order service providers to publish corrective statements to minimise the continuing effects of any infringements.

Failure to comply with an enforcement order is treated as contempt of court, punishable by fines and/or imprisonment.

The regulations limit the liability of intermediary service providers, eg Internet Service Providers (ISPs), who unwittingly transmit or store unlawful content provided by others in certain circumstances.

The regulations do not impose a general obligation on intermediary service providers to monitor the information that they transmit or store, or to actively investigate any suspected illegal activity.


Regulations applying to telephone and fax marketing

Businesses frequently promote their services via telephone and fax. There are a number of regulations that apply to this area and it is important that your business is aware of them. This will ensure that you are acting legally if you undertake a marketing campaign using these media.

The Privacy and Electronic Communications Regulations 2003 govern direct marketing by telephone and fax. This includes the regulation of the Telephone Preference Service (TPS) and the Fax Preference Service (FPS), which are monitored by the Information Commissioner. For more information, see the page in this guide on the Privacy and Electronic Communications Regulations.

TPS and CTPS

The TPS is a list of telephone numbers whose subscribers have indicated that they don't want to receive unsolicited marketing calls on that number. Initially the regulations only gave individuals the right to opt out of direct marketing by registering with the TPS.

However, in June 2004 the Corporate Telephone Preference Service (CTPS) was launched. This is the central opt-out register that enables corporate subscribers to register their wishes not to receive unsolicited sales and marketing telephone calls to any of their organisation's telephone numbers, including mobile numbers.

A corporate subscriber includes corporate bodies such as a limited company in the UK, a limited liability partnership in England, Wales and Northern Ireland, or any partnership in Scotland. It also includes schools, government departments and agencies, hospitals, public limited companies and other public bodies.

FPS

The FPS includes a requirement to obtain individual consent prior to direct marketing by fax. It also offers an 'opt-out' for corporate bodies which register with the FPS.

So, if you are already engaged in, or planning to undertake direct marketing via phone or fax then you must make regular checks with the TPS, CTPS and FPS, or risk committing an offence.

Subscriber requests

Under the Privacy and Electronic Communications Regulations, you must also respect the wishes of any subscriber who asks you not to contact them on a particular phone or fax number, whether or not they are registered with the TPS or FPS.


Privacy and Electronic Communications Regulations

E-marketing activities are regulated by the Privacy and Electronic Communications Regulations that came into force in December 2003. The Privacy and Electronic Communications Regulations superseded the Telecommunications (Data Protection and Privacy) Regulations. The new regulations include additional rules which legislate against unsolicited emails or Standard Messaging Service (SMS), ie text messages, commonly referred to as spam.

They prohibit sending direct marketing communications by email where the identity of the person who sent it is disguised or concealed. They also prohibit marketing emails that do not provide the recipient with a valid address they can use to request such communications cease.

Addressing the problem of spam

The Privacy and Electronic Communications Regulations require that an individual's consent is obtained prior to sending them unsolicited advertising by email unless they have already 'opted-in' or expressly consented to the receipt of such emails.

Existing customers can be sent unsolicited advertising, on the condition that the direct marketing relates to products and services similar to those they have already purchased. This is known as a 'soft opt-in'. However, the recipient should also be given the option to 'opt-out' of receiving such emails when their details are collected, and in every future message they are sent.

It is important to remember that it is also a requirement of the regulations that unsolicited advertising emails must contain both the identity and the contact details of the sender.

The Privacy and Electronic Communications Regulations provisions on unsolicited emails do not apply if you are marketing to corporate bodies, though you are still required to include your identity and contact details. However, it is good practice to respect the wishes of any companies that ask you not to email them.

Cookies

The Privacy and Electronic Communications Regulations also cover the use of 'cookies'. These are files downloaded from a web server to the website visitor's computer. They can provide the owner of the website with personal details about the visitor such as what purchases were made from the site, what files were downloaded and the information viewed.

The aim of the regulations is to allow the visitor to choose whether they want cookies on their computer. In practice this is likely to involve providing them with information about cookies, and how to disable them should they wish to do so.


Tips for complying with the Privacy and Electronic Communications Regulations

The Privacy and Electronic Communications Regulations are enforced by the Information Commissioner's Office (ICO). If the Information Commissioner finds a business to be in breach of the regulations, an Information Notice requesting further information, or an Enforcement Notice will be issued. A fine may be imposed for breach of an Enforcement Notice. Criminal sanctions may also be imposed.

All of these actions can damage the reputation of your business and adversely affect the goodwill of your customers. So, if you use electronic communications as a marketing tool, you should ensure that each communication is clearly identifiable as relating to the advertising or marketing of a product.

This means that any commercial communication sent by email or text message should be clearly identifiable as such through its header - other required information can then be set out in the main body of the communication.

Electronic communications as a marketing tool should also:

  • identify the person on whose behalf it is sent
  • clearly identify any promotional offer - including any discount, premium or gift - and any conditions that must be met to qualify for it (these must be easily accessible, clear and unambiguous)
  • provide the recipient with 'opt-out' rights

You should obtain prior individual consent from your customer through them 'opting in', though there are some limited exceptions for existing customers.


E-commerce and the Data Protection Act 1998

The Data Protection Act 1998 governs the use of personal information by businesses and other organisations. It requires anyone who handles personal information to comply with a number of important principles.

Corporate email addresses

Under the Privacy and Electronic Communications Regulations, you do not have to get permission to send unsolicited advertising by email to corporate bodies. For more information, see the page in this guide on the Privacy and Electronic Communications Regulations.

However, if you are contacting a corporate email address which uses a real person's name, the individual has the right, under the Data Protection Act, to ask you to stop communications to that address. This request must be made to you in writing, but if you receive one you must act on the request in a reasonable period of time, usually no longer than 28 days.

Buying databases

If you buy databases for marketing purposes that contain customers' personal information, you must comply with the Data Protection Act. Under the Act, businesses generally may not sell personal information held in a database if the individuals weren't warned that their information may be passed on.

A business that is insolvent, bankrupt, being closed down or sold may sell its database under certain circumstances.

Providing personal information to a third party

Under the Data Protection Act, you may provide personal information about individuals to a third party:

  • if they are obtaining personal information on behalf of the individual in question - for example, a solicitor
  • if your business outsources the processing of personal information - for example, payroll

You need to take reasonable steps to protect the information and make sure that the third party is genuine and trustworthy.


Distance Selling Regulations

The Distance Selling Regulations 2000 are designed to protect customers who are not physically present with the seller at the time of purchase. They cover purchases made via email and the internet, together with telephone and mail order.

They only apply to transactions between businesses and consumers (individuals acting outside the course of their business) and do not include business-to-business contracts and auctions.

Under the regulations, consumers have the right to:

  • details in writing about the supplier and the terms of the transaction
  • written confirmation of their orders
  • further information, including a notice of cancellation rights, the complaints procedure, after-sales services and guarantees
  • delivery within 30 days unless otherwise agreed

Consumers have a cooling-off period of seven working days in which to cancel the contract, starting from when the goods are received, without having to give a reason. If no details of the cooling-off period have been given by the supplier to the consumer, it is extended to three months.

The right to withdraw can be exercised by the consumer even after the goods have been delivered, or the services have been provided. The consumer is entitled to receive a full refund for a cancelled contract within 30 days.

There are some exceptions to these rights of cancellation, including:

  • contracts for the provision of accommodation, transport, catering or leisure services, where these services are supplied on a specific date or for a specific period
  • the sale of customised goods or perishable goods
  • sealed audio or video recordings, or software, which have been opened
  • sales by auction

Provision of Services Regulations

The Provision of Services Regulations 2009 removed many of the barriers to the international trade in services with the aim of making it easier for individuals and businesses to provide services to, or from, anywhere in the European Economic Area (EEA).

UK and EEA authorities can no longer make the access to, or the carrying out of, a service subject to an authorisation scheme or requirement unless it can be objectively justified. Businesses can also access a 'Point of Single Contact' in each EEA country where they can securely apply for any authorisations they require in order to trade in that country.

Under the regulations almost all service providers offering services in the UK (including those from other EEA countries) are required to provide certain information to the recipients of their services. For example, you must provide:

  • your business name, legal status and form
  • your business and email address
  • details of any UK or EEA authorisation schemes or professional and regulatory bodies you are regulated by or must belong to (if applicable)
  • details of any trade or other similar public registration (if applicable) 
  • your VAT number, if the service is subject to VAT
  • details of any terms, conditions and after-sales guarantees
  • the price (where it is pre-determined) and details of the service to be provided
  • details of any professional indemnity insurance and contact details for the insurance company (if applicable)

If requested, you may be required to provide further information such as information on your complaints and dispute resolutions procedures. For detailed information on the provisions, download a guide to the Provision of Services Regulations from the Department for Business, Innovation & Skills (BIS) website (PDF, 814K).

You must also make sure you do not discriminate on the grounds of nationality or location when providing services, unless it can be justified by 'objective criteria', for example increased costs due to the extra distance involved when providing a service internationally.

 

 
BTB Mailflight Ltd, Wolseley Road, Kempston, Bedford, Bedfordshire, MK42 7UA | 01234 840222 | info@btbmf.co.uk
Company Registration Number. 1028718 | VAT No. 196401260 | Data Protection Act: Registration Number Z71154762