E-commerce special report: Know your laws
Published: 07 Jul 2003 13:32 BST
Cookies
The European Union Directive on Privacy and Electronic Communications came into force on 31 July, 2002, and should be implemented into UK law and the law of other Member states by 31 October, 2003.
Under the directive, there is a requirement for e-commerce sites to tell users about cookies and what you are going to use their information for; and to offer them the right to refuse the use of cookies during sessions.
The Act also requires users to be provided with certain information, such as a privacy policy or a data protection notice online.
You can find the EU Directive on Privacy and Electronic Communications here.
Spam
Spam is covered by the same part of the Directive on Privacy and Electronic Communications that relates to cookies, and is being approached in a similar manner. An EU-wide "opt-in" approach is to be adopted, meaning that businesses will only be permitted to send marketing emails and SMS messages to individuals who have previously consented to the use of their details in this way. Existing customers may be targeted, provided certain conditions are met, although there is still some uncertainty about the precise scope of this carve-out.
The golden rule with spam is, if you want to keep your customers, don't do it. Send only important information that your customers have opted-in to receive, and make it easy to opt back out again.
Data protection
Businesses that use their Web sites to gather information about customers and prospective customers now need to be more attentive to compliance with data protection law than ever. Until recently the Information Commissioner's approach to enforcement was reactive, prompted by formal complaints against businesses by members of the public. Now, after the collection of data on Web sites was singled out as one area requiring particular scrutiny, the commissioner has set up an Enforcement Board and Enforcement Team.
The move heralds a more proactive stance in terms of investigating and prosecuting breaches of the Data Protection Act 1998. It means for instance that initiatives such as studies into Web site compliance with the Data Protection Act will be an important source of enforcement actions.
Now that the Data Protection Act 1998 is fully in force, all procedures for accepting orders online must be compliant with that law. This means not only protecting credit card information but also what your customers have ordered.
The Act says that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." It does not define appropriate measures, but a formal risk analysis should be adequate, say lawyers. BS7799 can be useful for this.
A copy of the Data Protection Act is available here.
E-wallets
There was a time when every other start-up was offering some form of electronic wallet. Many have now gone bust, but those companies that have survived -- or who want to being offering electronic wallets -- must now to comply with new rules created the Financial Services Authority. Although an Electronic Money Institution ("ELMI") will not be subject to the full rigours of the regime that applies to credit institutions, it will still need FSA authorisation; they cannot not make any loan or grant any form of credit nor pay interest on the e-money or issue it at a discount; and issuers must maintain minimum levels of capital. The initial threshold is one million euros.
Defamation laws
Defamation cases are unlikely to affect e-commerce sites, but any site that allows users to post comments should be aware of the issues. In March 2000, the High Court found against Demon Internet and told it to pay damages of £15,000 for failing to remove defamatory remarks about Laurence Godfrey in a newsgroup it hosted. That case had implications for ISPs, but others have caught up different types of operations.
More recently, Australia's highest court ruled that a defamation case sparked by a story on a US Web site could be heard in Australia, opening a legal minefield for Web publishers over which libel laws they must follow. The landmark ruling said an article published by Dow Jones & Co is subject to Australian law because it was downloaded in Australia.
VAT changes
On 1 July, a new EU directive came into effect requiring all Internet companies to account for VAT on "digital sales". The law adds a 15 percent to 25 percent levy on select Internet transactions such as software and music downloads, monthly subscriptions to an Internet service provider and on any product purchased through an online auction anywhere in the 15-member bloc of nations.
The VAT tax is nothing new for some Net companies. European dot-coms have been charging customers VAT since their inception. Their overseas rivals, though, have been exempt, making foreign companies an obvious choice for the bargain-hunting consumer. Freeserve has lobbied furiously for the past two years to get the loophole closed, saying its chief rival, AOL UK, saved $249.7m (£150m) in tax payments over the years.
Affected companies are handling the new tax load in a variety of ways. AOL Europe, for instance, relocated its continental headquarters to tiny Luxembourg, one of the EU's cheaper tax regimes.
If your company is already based in the EU then you should already be paying VAT.
Follow these links for more of ZDNet UK's special feature about e-commerce:
E-commerce special report Part I: What works
Part III: Know your laws
Previous
Did you find this article useful?
33 out of 67 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
