Business: Ecommerce Legislation for SMEs
This Fact Sheet looks briefly at some of the implications of ecommerce legislation and how it might impact your business. This relates to all businesses, whether you have a trading presence online or just use email for communications.
Building an effective ecommerce website can take a considerable amount of time and money. It makes sense to spend some of that effort on ensuring that your website complies with relevant regulations. There are good reasons for this:
- It's the law,
- you may be subject to substantial fines if you don't comply, and
- your customers are more likely to buy.
There are four items of regulation that are particularly relevant to UK businesses trading online:
- The Data Protection Act 1988
- The General Data Protection Regulations (GDPR)
- The Consumer Contract Regulations 2013
- The Electronic Commerce (EC Directive) Regulations 2002.
Complying with the above is not especially difficult, although it can take some time to understand what is required. The regulations are generally sensible and practical; you just need to read through the information and apply it. There are some modest costs, but these are likely to be small compared to the potential cost of non-compliance. An overview of these regulations is given below.
The General Data Protection Regulations (GDPR)
As of 25 May 2018 the GDPR replaces the Data Protection Act 1988. The GDPR is a significant "overhaul" of data protection: it strengthens individuals' rights over their data, requires greater protection, consideration and clarity from those who collect private data, and introduces hefty penalties for breaches. All businesses are likely to need to take action in order to meet their obligations.
The GDPR applies to anyone who collects personal data, and the definition of what personal data is has been updated and extended to include things such as IP Addresses, social media posts and photographs.
Of the new requirements, the following are likely to be of particular relevance to small businesses:
- keep a written record of what personal data you collect, and how and why you use it
- ensure you obtain consent correctly
- ensure that the data subject can withdraw consent as easily as they gave it, and that you cease processing the relevant data if and when consent is revoked
- provide up-front information about how you intend to use any personal data you collect, at the point of collection
Visit the Information Commissioner's Office (ICO) website for detailed guidance on the GDPR.
The Data Protection Act 1988
Obligations under the DPA are now part of the GDPR (and still apply).
If you collect information about people (employees, customers, visitors etc), such as names, addresses, phone numbers etc then this applies to you. This applies to businesses of any size. Key points to note:
- You must state what you do with the data (and stick to it)
- You must register with the Information Commissioner's Office
- You must not export the data outside the EC without the subject's permission
- You must keep the data secure, and disclose it to the subject or delete it if the subject requests this.
These obligations are straightforward and mandatory, and the cost of registration is £35 per year (for small businesses). For registration, or for further information about data protection and the role of the Information Commissioner's Office, visit the ICO website.
If you collect information from your customers and you are registered, you should make this clear on your publicity material or website.
The Consumer Contract Regulations 2013
If you sell online, by mail order or by telephone to consumers, then this applies to your business. These regulations do not apply to business to business transactions. Key points to note:
- You should provide clear information about your offering before purchase (no extras such as tax and freight added after the consumer has decided to purchase). To avoid doubt, be very clear about what your freight charges are and whether prices include VAT
- You should provide a written confirmation of order following purchase
- There is a "cooling off" period of 14 working days for most goods (exclusions could include perishable or digital goods). You should inform the customers of their right to cancel (without charge, other than return freight).
The Electronic Commerce (EC Directive) Regulations 2002
Commonly referred to as the Ecommerce Directive. If your business operates online using the web, or communicates using email, this applies to you. The Directive applies to both business to business (B2B) and business to consumer (B2C) relationships. Key points to note:
- You should display the name of your business
- We recommend you display your company registration number or proprietor's name (as you would in a letter)
- You should show your geographic address (street number etc, not just a PO box)
- You should show your contact information such as phone number and email address
- You should show your VAT number if you are VAT registered
- Refer to trade or professional recognition schemes, with registration number, if applicable
- Provide clear information on price, tax and delivery.
- Show clear Terms and Conditions and acknowledge orders.
The GOV.UK website gives a useful overview of how an online sales process should be structured in order to comply. You can read the full text of the directive on the government's legislation website at: Electronic Commerce (EC Directive) Regulations 2002.
The EU e-Privacy Directive (Cookie Law)
Websites must obtain informed consent from a website visitor before creating cookies or similar (e.g. Flash Local Shared Objects) on their computer.
You don't have to get consent for cookies that are essential to the correct functioning of your website, e.g. session cookies for a shopping basket. You do, however, need consent for other kinds of cookies, such as those created by website metrics services (e.g. Google Analytics) and 3rd party advertising. Implied consent is acceptable for analytics-style cookies, but other, more intrusive cookies, such as 3rd party tracking cookies, require explicit consent.
There are many 3rd party providers of widgets that can be integrated into your website to help you comply with the Cookie Law requirements. Most can be added to existing websites and offer configuration options for the level of obtrusiveness, the information provided to website visitors, and the nature of the consent requested, i.e. implied or explicit.
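The consent rules above (no consent for essential cookies, implied consent for analytics, explicit consent for 3rd party tracking) and the GDPR requirement that consent can be withdrawn as easily as it is given can be expressed as a small gate that decides whether a cookie-setting script may run at all. The following is an added example written for this fact sheet, not code from the ICO, any widget vendor, or the page itself; the category names, the shape of the consent record and the `load` callbacks are assumptions, and a real site would wire the callbacks to the script tags that set the cookies.

```javascript
// Added example: a consent gate for non-essential cookies.
// Category rules follow the fact sheet: essential -> no consent needed,
// analytics -> implied consent is enough, advertising/tracking -> explicit opt-in.
// Everything below (names, record shape) is an assumption for illustration.
const CATEGORY_RULES = {
  essential: "none",       // e.g. shopping basket session cookie
  analytics: "implied",    // e.g. website metrics service
  advertising: "explicit", // e.g. 3rd party tracking cookies
};

// Start with no consent at all; `implied` is set once the visitor has seen
// the cookie notice and carried on using the site.
function newConsentState() {
  return { implied: false, explicit: {} };
}

// Record an explicit decision (true = granted, false = refused) for one category.
// Returns a new object so the previous state is never mutated.
function recordExplicitConsent(state, category, granted) {
  return { implied: state.implied, explicit: { ...state.explicit, [category]: granted } };
}

// Withdrawal must be as easy as giving consent: a single call refuses the category.
function withdrawConsent(state, category) {
  return recordExplicitConsent(state, category, false);
}

// Decide whether a cookie of `category` may be set under `state`.
function isAllowed(category, state) {
  const rule = CATEGORY_RULES[category];
  if (rule === undefined) return false;          // unknown category: fail closed
  if (rule === "none") return true;              // essential cookies are exempt
  const explicit = state.explicit[category];
  if (explicit === true) return true;            // explicit grant covers any rule
  if (explicit === false) return false;          // an explicit refusal beats implied consent
  return rule === "implied" && state.implied === true;
}

// Run only the loaders the gate permits. A blocked loader is never called,
// so its cookies are never created. Returns what happened for audit/logging.
function runGatedLoaders(registrations, state) {
  const outcome = { loaded: [], blocked: [] };
  for (const { name, category, load } of registrations) {
    if (isAllowed(category, state)) {
      load();
      outcome.loaded.push(name);
    } else {
      outcome.blocked.push(name);
    }
  }
  return outcome;
}

// Constructed demonstration: three scripts, visitor has implied consent only.
function demo() {
  const registrations = [
    { name: "basket-session", category: "essential", load: () => {} },
    { name: "site-metrics", category: "analytics", load: () => {} },
    { name: "ad-network-tracker", category: "advertising", load: () => {} },
  ];
  let state = newConsentState();
  state = { ...state, implied: true }; // visitor dismissed the notice and continued
  const first = runGatedLoaders(registrations, state);
  // Visitor later opts in to advertising, then withdraws it again.
  const optedIn = recordExplicitConsent(state, "advertising", true);
  const second = runGatedLoaders(registrations, optedIn);
  const withdrawn = withdrawConsent(optedIn, "advertising");
  const third = runGatedLoaders(registrations, withdrawn);
  return { first, second, third };
}
```

The design point is that the gate sits in front of the script loader rather than deleting cookies after the fact: a tracking cookie that was set and then removed has already been sent to the 3rd party. Keeping the consent record immutable and returning it from every change also gives you the written record of consent decisions that the GDPR section asks for.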
We recommend you read the information on the Information Commissioner's Office website and their Cookie Guidance document, available in PDF format at: Cookie Guidance
A new ePrivacy Regulation is expected to replace the existing directive in late 2018/early 2019. Expect stricter requirements for consent when using intrusive cookies.
The EU Alternative Dispute Resolution Regulations 2015
All online traders must include a link to the European Commission's Online Dispute Resolution ("ODR") platform on their website. Furthermore, if your business is unable to resolve a consumer complaint about a sale or service contract directly with the consumer, it must inform the consumer on a durable medium (i.e. a letter or email):
- that you cannot settle the complaint
- of the name and contact details of a certified ADR provider offering services in your sector, and
- whether your business is obliged, or prepared, to submit to an ADR procedure operated by that ADR entity.
Your business is not obliged to submit to the ADR procedure (unless your regulatory regime or trade association requires you to use ADR, e.g. financial services); you are obliged only to provide the information set out above.
Further information is provided in the Guidance for Businesses document published by the Department for Business Innovation & Skills.