Legal guide to eCommerce

When thinking of starting a new business venture or growing a current retail operation, many people look to the internet as the most effective and cost efficient route to market. In many instances, it allows for the flexibility of being self-employed and working from home to minimise start-up or expansion costs and address issues such as work-life balance.

There are many e-commerce options available regarding the design of products, holding and supplying stock and working with third parties such as wholesalers in the fulfilment/drop shipping of products. Each approach has its challenges and merits; it is important you research which one is right for you and your personal and financial circumstances. 

In addition to the practicalities and commercial considerations of e-commerce and whether it suits your business, there is also a considerable amount of legislation you will need to comply with to ensure your business is operating within the law. You should make sure you understand the impact of such legislation before you start to sell online.

This guide gives you an overview of the key points to consider when you are setting up an e-commerce operation.

Intellectual property

Intellectual property is not usually one of the first things people think about when launching an e-commerce venture but it is very important from the outset to protect your brand and reputation, particularly in the age of social media. By protecting your intellectual property rights so far as possible from the outset, it can help minimise any risk to your business, its value, goodwill and reputation.

Copyright

Most content you create for your website will automatically be capable of being protected by copyright. It is an unregistered right – so you get copyright protection automatically without registering it or paying a fee. This includes whether it is the actual code for the website (such as HTML) or the written or graphic content on the website. If you use a particular e-commerce platform or Content Management System (CMS), you will have a licence to use this copyrighted code but then (typically speaking!) anything you create in terms of content will be owned by you (this is subject to the terms of any licence from the provider and/or your web developer).

• A basic guide to copyright law
• How copyright protects your work
• BBC: A guide to music copyright

Copyright exists in the following:

• literary, dramatic, musical and artistic work, including illustration and photography (provided that they are original)
• non-literary written work, such as software, web content and databases (again, provided they are original)
• sound and music recordings
• film and television recordings
• broadcasts
• the typographical arrangement of written, dramatic and musical works (i.e. the layout)

You can indicate whether something you have created is copyrighted by you using the © logo, usually together with the name of the owner/year of creation, although whether you do so doesn’t amend the level of protection.

If something is protected by copyright, it prevents the following from being done without the author’s permission:

• copying your work
• distributing copies of it, whether free of charge or for sale
• renting or lending copies of your work
• performing, showing or playing your work in public
• making an adaptation of your work
• putting it on the internet

Trademarks

In the ever crowded digital and e-commerce space, a trademark can be a valuable asset that makes you and your business stand out and above your competitors. There is a certain trust associated with having a trademark that could be the difference between consumers shopping with you or a rival website.

A trademark is any sign which is capable of:

• being represented graphically; and,
• distinguishing the goods or services of one business from those of another.
• A trade mark attaches a business’ reputation to the goods to which it is applied or the services carried out under it.
• You can register a trademark yourself through the online portal. However, it is advised to seek the advice of a solicitor to ensure you register your trademark in the rights classes and follow the correct procedures to avoid additional costs.

• A basic guide to trademarks
• Register a trade mark 
• How to protect your ecommerce brand online

Passing off and counterfeits

If you are selling goods online, it is important to make sure you know that the goods you are selling are legitimate and are not seeking to pass themselves off as a competitor’s goods. Counterfeit goods fraud involves goods passed off as originals which are actually fake. You may not be aware that you are selling counterfeit goods, but you could still be penalised for selling them, so it helps to know your supply chain (if you are sourcing goods from a third party wholesaler/manufacturer)

Counterfeit goods include fake designer clothes, bags and perfumes as well as pirate DVDs, CDs and computer games. Fake goods are often sold online through sites like eBay, although eBay has strict anti-piracy/counterfeiting measures. Selling counterfeit goods can land you in hot water with Trading Standards but also result in fines and possibly even a prison sentence, so it pays to make sure your supply chain is legitimate.

Usually, if a price from a supplier is too good to be true, it’s because the product is too!

Passing off is more difficult to distinguish and is the action of ‘piggybacking’ on a business’s goodwill that they have built up in a particular product, brand or trade name. Passing off is often relied upon when a something is unregistered as a trade mark (but there is a recognisable ‘mark’ which is subject to the passing off).

The goods or services suspected of passing off must be attempting to take from goods or services that have goodwill attached to them in order for there to be an offence. For example, the goods and/or services will have a particular identifying feature(s) or specifics that will enable members of the general public or a specific section of the general public to associate with those particular goods or services.

Similarity alone will not constitute a passing off offence. There must be a misrepresentation on behalf of the infringing product/service that will lead or be likely to lead members of the general public to believe that the goods/services supplied by the infringing product/service are in fact the goods or services of the other company. Intention to deceive is not relevant: if the product has the effect of misrepresenting the good/service, then passing off will apply.

• Report counterfeit goods
• ActionFraud – Counterfeit goods fraud
• A guide to copyright, trademarks, passing off and unregistered design rights

Privacy and data protection

The issue of privacy is regularly highlighted in the media. We all have had our inboxes spammed with junk mail from websites and companies (sometimes companies we have never heard of). Most of us have also been the victim of a “silent call” or automated messages regarding services we did not enquire about.

It is well recognised that using the data of customers to send them relevant special offers, related products or new launches is a great way of marketing to an already engaged audience. The key point for you as the business owner is to ensure you have the permission of customers and that you’re sending relevant and timely communications.

By law, you are not allowed to send electronic marketing materials without consent. You also need to have a proper opt-out procedure in place. By owning an e-commerce shop, you will (potentially) have access to customer email addresses as part of the ordering process or through sign-ups for newsletters and offers. You need to ensure you know the correct and legal way of using the data so you comply with relevant privacy and data protection legislation. Failure to comply can be a very expensive mistake. Currently, fines of up to £500,000 can be levied by the Information Commissioners Office or ICO (the UK regulator in respect of data protection), but this is due to increase significantly in 2018 when the General Data Protection Regulation comes into effect.

How can you avoid being accused of spamming?

The most important thing is to make sure people “opt-in”, and you have their consent to send them marketing materials by email. For it to be a genuine “opt-in” people, need to be aware what they are signing up to. You must have a way of storing a record of the fact they opted in.

You also need to ensure they can “opt-out” of your communications at any time with a simple unsubscribe. This needs to remove their details from your marketing database. You can still send emails that relate to their orders or accounts.

There are a couple of instances where opt-in consent is not needed; this includes if the email address was given in the course of a transaction (part of the buying process) or if the promotional message relates to something previously bought.

However, an ability to opt-out always needs to be present.

A typical route used to address consent and give assurances to customers about how their personal data is used to add details to the privacy policy on your website or e-commerce store.

Data protection

The Data Protection Act 1998 (the “DPA”) applies to any business that stores customer information; this includes their identifiable personal information which is held either electronically or in a paper-based format.

The DPA covers how you store and use that data so is relevant to all e-commerce businesses. As you will be handling personal information about individuals, you have a number of legal obligations to protect that information under the DPA.
If your e-commerce shop processes personal information about individuals, it will normally need to be registered with the ICO. You can take a self-assessment on the ICO website to see if your business needs to register. Registering with the ICO is called “notification”, and it tells the ICO what personal (and if applicable sensitive) data will be processed, the groups of people whose data will be processed, and who that data may be shared with.

In addition, you need to ensure that the following eight principles are followed in order to ensure that the personal and sensitive data is sufficiently protected:

• Principle 1
  all data should be processed fairly and lawfully. In order to ensure fairness you should be clear, open and transparent when it comes to how and why data is being collected. This can usually be achieved by having a Privacy Policy on your website setting out how personal data will be used.
  
  
• Principle 2
  states that personal data must only be used for the purpose for which it was intended. Again, types of use can be detailed in a Privacy Policy.
  
  
• Principle 3
  makes sure that the data collected is adequate for the purpose that has been specified. This ensures that data collected is relevant for the specified purpose and is not excessive in nature. For example, you would not expect an online retail shop to collect information about a users health or political preferences – it wouldn’t be suitable for the purpose which the data is required.
  
  
• Principle 4
  personal data must be accurate and up to date. The more personal or sensitive the data, the more steps need to be taken to ensure that it is accurate. This may be more difficult to achieve if customers can make one-off purchases on your site.
  
  
• Principle 5
  if the data collected for a specified purpose is no longer needed; it should either be archived or securely deleted. You should have a data retention/destruction policy for dormant accounts/data.
  
  
• Principle 6
  subject to satisfying certain conditions, your customer or subscriber has the right to access a copy of the personal data that you hold relating to them. They also have the right to, amongst other things, have inaccurate personal data rectified, blocked, erased or destroyed, and claim compensation for damages caused by a breach of the DPA. Under the DPA, data subjects that have information held about them can request information using a “subject access request”. Your privacy policy should set out information relating to a Privacy Policy and how customers can access their data.
  
  
• Principle 7
  states that the nature of the security should match the level of sensitivity of the data. It is vital that you have in place the correct physical and technical security, reinforced by robust policies and procedures, followed by dependable well trained staff that are able to respond to any breach of security quickly and precisely. This will of course depend on the nature of your business, the types of data you store and how big your operation is in terms of workforce.
  
  
• Principle 8
  is concerned with the exporting of data outside the European Economic Area (EEA). This principle states that personal data should not be transferred outside the EEA unless that country or territory possesses adequate levels of protection for the rights and freedoms of the data subjects. This will be a concern if you have a webhost that is based outside the EEA, such as in America. It is always preferable to source your web hosting from within the EEA as this will be less of a regulatory burden on your business.

• What is Data Protection?; Your Questions Answered
• A brief guide to data protection for small businesses
• A Guide to Data protection for small businesses and start-ups 

Cookies

You will have no doubt seen the “Cookie” pop ups that appear on many websites. You will have probably clicked to agree just to get the popup off the screen. Cookies are small data files that store information via a web browser regarding your visit to the website.

• The ICC Cookie Guide describes cookies as “text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.” 
  
  
• The Cookies Regulations (as they are commonly known) came into effect in May 2011. The Regulation requires websites to inform users about cookies used on the website and obtain consent from all visitors to store and retrieve information on their device including computers, tablets and smartphones. 
  
  
• There are several categories of website cookies: 
  • “strictly necessary cookies” which are needed to perform many ecommerce functions such as shopping baskets and secure areas of the website;
  • “performance cookies” that are needed for website analytics used by almost every website on the internet and affiliate tracking which is often a requirement of ecommerce websites;
  • “functionality cookies” which remember some of your details like username or location which allows the website to offer you a more personal shopping experience 
  • “targeted advertising cookies” allow for more targeted and relevant advertising based on your search history, products viewed and browsing preferences.
    
    
• If you are unsure which cookies your website uses and for what purpose you can ask your design agency or web developer to perform a cookie audit. There are also some free and low budget tools to help you with this process.

Legal requirements

There is a raft of consumer-friendly legislation to allow individuals a full range of rights and entitlements when purchasing online. Some of these also have to be made available to other businesses (as well as consumers). These commence from the very outset of the shopping experience, being given clear information before contracting with the seller, through to rights if they change their mind and/or have a dispute with the trader.

These are summarised in brief below. Complying with consumer rights legislation is extremely important when selling goods online (as it is where you are selling your products in a physical store). The majority of e-commerce websites out there are selling to consumers (or at the very least could be accessed and used by consumers), so you need to make sure you are aware of the law and what you need to do to comply.

Consumer Rights Act

The Consumer Rights Act 2015 (the “CRA”) is the primary piece of legislation in respect of consumer law and applies to the sale of goods as well as the provision of services, digital content and downloads so includes products such as software, games and music.

The CRA states that all goods (regardless of whether sold online/in store) must be of a certain standard:

• be of satisfactory quality;
• be fit for purpose;
• match the description, sample or model; and
• be installed correctly (if part of the contract).

What rights does a consumer have to return the goods?

If the goods received by the consumer are not of the standards set out above, the consumer will have the following remedies:

• Initial rights to reject the goods – an automatic 30 day period to return the goods if they do not meet the implied terms unless the expected life of the goods is shorter than 30 days.This right entitles the consumer to a 100% refund.
  
  
• Repair or replacement - If the 30-day period has lapsed or during that time, the consumer chooses not to exercise their right to reject goods, they will be entitled in the first instance to claim a repair or replacement. This remedy will be deemed a failure if, after one attempt at repair or replacement, the goods still do not meet the necessary requirements.
  
  
• Price reduction and final right to reject - If repair or replacement is unavailable or unsuccessful to the consumer, then they can claim a price reduction or a final right to reject the goods. The reduction or refund can be up to 100% of the product value.
  
  
• The rules for digital content differ slightly as digital content cannot be returned; there is also no need for the consumer to delete the content from their device. 
  
  
• Businesses can have more than one attempt to repair digital content, even after 30 days.
  
  
• There is no way to return digital content, so the right of rejection does not apply. Consumers do not need to delete content from their device unless the content comes alongside physical goods.
  
  
• If any digital content damages a device, even if it is free content, consumers can claim compensation.

For a more comprehensive overview of the Consumer Rights Act, please see:

• Summary Guide to the Consumer Rights Act 2015

E-commerce regulations and information disclosure

The specific e-commerce regulations apply to all businesses that sell a product or advertise online, via email or SMS to either a business or consumer.

To comply with certain elements of the e-commerce regulations, it is important to display vital information on your website or online shop. This includes:

• The name and email address of the service provider
• VAT Number
• Prices on the website must be clear and unambiguous

Further to this, any company in the UK who trades online must also be aware of the Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015 (SI 2015/17) which specifies the information below should be visible on websites:

• The registered office address
• Company registration number
• Place of registration (such as England, Wales, Scotland or Northern Ireland)

There are some different requirements for email and SMS advertising and selling; the following information should be provided:

That the communication is a commercial one

• The name of the person on whose behalf the communication is being sent
• If the communication is a promotional offer or promotional competition

• How do I ensure that my business complies with the Ecommerce Regulations?

Online Dispute Resolution

Under the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015, all traders selling to consumers are required to provide consumers with details of a Certified Alternative Dispute Resolution (ADR) provider. They also need to inform the consumer whether they intend to use ADR as a way of resolving a dispute, as well as providing consumers with access to an online dispute resolution platform.

The platform will help consumers who have bought goods or services online and then subsequently have had a problem with that purchase.

• Are you prepared for the launch of the EU Online Dispute Resolution Platform?

Marketing and advertising

There are over 100 pieces of legislation that affect advertising in the UK alone. Thankfully, not all of these will apply specifically to your business although the following will almost always apply:

• Consumer Protection from Unfair Trading Regulations 2008
• Electronic Communications (EC Directive) Regulations 2011

Key legal provisions

Affiliate marketing

Affiliate marketing is an approach used by most e-commerce stores to generate sales via other websites who may have a larger target audience. Some websites’ entire business model is to be an affiliate and earn commission on the sales of other businesses products and services, the most well-known of these is in the insurance sectors, such as with popular websites like Compare the Market and Go Compare who don’t actually sell a product or service of their own (unless you count stuffed meerkat toys). Affiliate marketing is well regulated, not just under the standard marketing legislation but also under good practice guides from the Internet Advertising Bureau.

Behavioural advertising

Behavioural advertising is tailored to the individual, usually by adding a cookie to their device; information is gathered about behaviour by looking at their browsing patterns, history and searches, this enables advertisers to push relevant content out to them. Behavioural advertising relies on data collection and use. Therefore it is governed a variety of regulations and codes as set out in Chapter Five.

Display advertising

Display advertising refers to adverts being displayed on websites and pages; these are often in the form of a banner spanning the top, bottom or sidebars of a page. They are used to sell your brand’s message and values, to offer consumers a chance to interact with your brand, and to bring consumers to your website. Because the content in the display is creative, it is regulated by the Advertising Standards Authority (ASA) which state adverts must be legal, truthful, decent and socially responsible (cannot provoke illegal or anti-social behaviour).

Email marketing

Email marketing can be used to advertise to potential customers, usually by advertising on another website email marketing or to develop your relationship with current customers and up-sell or cross-sell your products to them. There are multiple regulations to adhere to when using email marketing; both statutory legislation and industry specific codes of practice. 

• Consumer Protection from Unfair Trading (EC Directive) Regulations 2008
• Data Protection Act 1998
• Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013

Search marketing

Search marketing is the process of using technical good practice and content on your website to help you rank higher on search engines when people search for keywords or words that are deemed related to your products. Like any other forms of marketing communication, search marketing is regulated by the Committee of Advertising Practice (CAP Code). Each search engine also has its own policies regarding search engine optimisation.

Unsurprisingly, Google is by far the most popular search engine so it is worth looking at their webmaster guidelines and avoiding trying to ‘cheat’ the search engines, as this may prove a very costly mistake if they remove your website from their search engine altogether.

Social media marketing

Social media marketing encompasses a company’s own social media presence, such as a Facebook page or Twitter feed managed by the company, which is referred to as owned; any advertising a company pays for on social media, which is referred to as paid; and anything like a unprompted review of your product or service in a blog, which is referred to as earned. All of these social media marketing practices are bound by the CAP Code which is enforced by the ASA.

The Competition and Markets Authority also regulate social media marketing, and can prosecute or fine if regulations aren’t followed.

Video advertising

Video marketing is marketing your product or service via a video. The regulation does depend, however, on what format you present these videos. A video which is in a display, as covered above in display advertising, is covered by the CAP code and must adhere to the same rules as any other display advertising. A video advertisement within an on-demand service (such as 4 On Demand or ITV Player) has different regulations, however, as it’s now the on-demand service provider, who in this case would be Channel 4 or ITV, who are responsible for the video advert complying with the CAP code.