Business: Ecommerce Legislation for SMEs
This Fact Sheet looks briefly at some of the implications of ecommerce legislation and how it might impact your business. This relates to all businesses, whether you have a trading presence online or just use email for communications.
If you have spent a considerable amount of time and money developing a good website it makes sense to ensure that it complies with relevant regulations. There are two reasons for this:
- It's the law, and
- Your customers are more likely to buy.
There are three items of regulation that are particularly relevant to UK businesses trading online:
- The Data Protection Act 1988
- The Consumer Contract Regulations 2013
- The Electronic Commerce (EC Directive) Regulations 2002.
Complying with the above is not onerous: the regulations are generally sensible and practical; you just need to read through the information and apply it. There are some modest costs but these are small in relation to the likely scale of business and the grief that could conceivably follow non-compliance. These regulations are described below in more detail.
The Data Protection Act 1988
If you collect information about people (employees, customers, visitors etc), such as names, addresses, phone numbers etc then this applies to you. This applies to businesses of any size. Key points to note:
- You must state what you do with the data (and stick to it)
- You must register with the Information Commissioner's Office
- You must not export the data outside the EC without the subject's permission
- You must keep the data secure, reveal it and delete it if requested by the subject.
These obligations are straightforward and mandatory, and the cost of registration is £35 per year (for small businesses). For registration or for further information about the Data Protection Act and the role of the Information Commissioner's Office, visit the ICO website.
If you are collecting your information from your customers and you are registered, then you should make this point clear on your publicity material or web site.
The Consumer Contract Regulations 2013
If you sell online, by mail order or by telephone to consumers, then this applies to your business. These regulations do not apply to business to business transactions. Key points to note:
- You should provide clear information about your offering before purchase (no extras like tax and freight after the consumer has decided to purchase). It is helpful to be very clear what your freight charges are and whether prices include VAT to avoid doubt
- You should provide a written confirmation of order following purchase
- There is a "cooling off" period of 14 working days for most goods (exclusions could include perishable or digital goods). You should inform the customers of their right to cancel (without charge, other than return freight).
The Electronic Commerce (EC Directive) Regulations 2002
Commonly referred to as the Ecommerce Directive. If your business operates online using the web or your business communicates using email, this applies to you. The Directive applies to both business to business (B2B) and business to consumer (B2C) relationships. Key points to note:
- You should display the name of your business
- We recommend you display your company registration number or proprietor's name (as you would in a letter)
- You should show your geographic address (street number etc, not just a PO box)
- You should show your contact information such as phone number and email address
- You should show your VAT number if you are VAT registered
- Refer to trade or professional recognition schemes, with registration number, if applicable
- Provide clear information on price, tax and delivery.
- Show clear Terms and Conditions and acknowledge orders.
The GOV.UK website gives a useful overview of how an online sales process should be structured in order to comply. You can read the full text of the directive on the government's legislation website at: Electronic Commerce (EC Directive) Regulations 2002.
The EU e-Privacy Directive (Cookie Law)
Websites must obtain informed consent from a website visitor before creating cookies or similar (e.g. Flash Local Shared Objects) on their computer.
You don't have to get consent for cookies that are essential to the correct functioning of your website, e.g. session cookies for a shopping basket. You do, however, need consent for other forms of cookies such as those created by website metrics services (e.g. Google Analytics) and 3rd party advertising. Implied consent is OK for analytics-style cookies but other, more intrusive, cookies such as 3rd party tracking cookies require explicit consent.
There are lots of 3rd party providers of widgets to integrate into your website to ensure you comply with the Cookie Law requirements. Most can be integrated into existing websites and allow various configuration options for level of obtrusiveness, information provided to website visitors, and nature of consent requested i.e. implied or explicit.
We recommend you read the information on the Information Commissioner's Office website and their Cookie Guidance document, available in PDF format at: Cookie Guidance.
The EU Alternative Dispute Resolution Regulations 2015
From Monday 15 Feb there are new obligations on online traders selling goods/services to consumers. All online traders must include a link to the European Commission's Online Dispute Resolution ("ODR") platform on their website.
Also under the new Regulations, if your business is unable to resolve a consumer complaint about a sale or service contract, it must inform the consumer on a durable medium i.e. letter or email:
- that you cannot settle the complaint
- of the name and contact details of a certified ADR provider offering services in their sector if you are unable to resolve the consumer's complaint directly with the consumer and
- whether your business is obliged, or prepared, to submit to an ADR procedure operated by that ADR entity.
Your business is not obliged to submit to the ADR procedure (unless you are required by your regulatory regime or trade association to use ADR e.g. financial services) - you are obliged only to provide the information set out above.
Further information is provided in the Guidance for Businesses document published by the Department for Business Innovation & Skills.