An important part of legal compliance for online sellers is the provision of certain information to users and customers. This post seeks to list all of the main categories of information that need to be disclosed on the seller's website.
There's no way to disguise the nature of this post: it's a list. A long list, and arguably a boring one. If you're new to ecommerce, and innocent of the nature of modern - especially EU-derived - regulatory regimes, you may well be unpleasantly surprised by its length.
I hope it's a useful list, nonetheless.
As you'll see, there is quite a bit of overlap between the different sets of rules. I have eliminated some of this overlap, where it seems to me that all online sellers would be subject to both (or all) the relevant sets of rules. However, the application of the particular rule sets depends upon the particular circumstances, so a lot of the repetition can't be eliminated.
This is part 4 in a series of posts about the law affecting online sales. If you want to read the previous posts, see:
https://seqlegal.com/blog/selling-online-and-law-part-1 - Introduction
https://seqlegal.com/blog/selling-online-and-law-part-2 - Regulation of products
https://seqlegal.com/blog/selling-online-and-law-part-3 - Product descriptions
Categories of information
There are six main categories of information that must be disclosed:
- first, all commercial online sellers are "information society service providers", and so are required to make certain disclosures under The Electronic Commerce (EC Directive) Regulations 2002 (hereafter, the Ecommerce Regulations);
- second, The Provision of Services Regulations 2009 largely repeat the disclosure obligations in the Ecommerce Regulations, but with a few additions;
- third, those selling to consumers (as opposed to businesses) must make additional disclosures under The Consumer Protection (Distance Selling) Regulations 2000 (the Distance Selling Regulations);
- fourth, those using "business names" or operating through companies must disclose information about their businesses and companies under the Companies Act 2006 and The Companies (Trading Disclosures) Regulations 2008;
- fifth, almost all online sellers collect and process personal data, and this means they need to comply with the disclosure requirements of the Data Protection Act 1998 and related legislation; and
Note: the regulations on the legislation.gov.uk site - linked to in this post - are not in amended form. In other words, they are not necessarily up-to-date.
Ecommerce Regulations disclosures
The Regulations apply to "information society service providers" and refer throughout to the "service provider": in our case, this will usually be individual, partnership or company that owns the ecommerce store. Where information has to be provided under the Ecommerce Regulations, it must generally be provided in "a form and manner which is easily, directly and permanently accessible".
The basic information that must be provided under the Regulations is as follows:
- the name of the service provider;
- the geographic address at which the service provider is established; and
- contact details, including an email address.
In addition, where the service provider is registered in a public trade register or similar, the following must be provided:
- the details of the register; and
- the service provider's registration number (or other means of identification in relation to the register).
If the service provider is subject to an authorisation scheme (e.g. FSA authorisation) it must also provide:
- the particulars of its supervisory authority.
If the service provider exercises a regulated profession, which will rarely be the case with an ecommerce operator, the following must be disclosed:
- the details of the relevant professional body or similar institution;
- the provider's professional title and the member State where that title has been granted; and
- a reference to the professional rules applicable to the service provider in the member State of establishment and the means to access them.
If the service provider is required to be VAT registered, then the provider must disclose:
- its VAT registration number.
All online shops must also disclose:
- prices, clearly and unambiguously; and
- an indication of whether prices are VAT-inclusive or VAT-exclusive (NB in the case of sales to consumers, all prices should be VAT-inclusive under domestic UK legislation).
All B2C online sellers will also have to disclose "in a clear, comprehensible and unambiguous manner":
- the different technical steps to follow to conclude the contract;
- whether or not the concluded contract will be filed by the service provider and whether it will be accessible;
- the technical means for identifying and correcting input errors prior to the placing of the order;
- the languages offered for the conclusion of the contract;
- which relevant codes of conduct the service provider subscribes to and information on how those codes can be consulted electronically;
B2B online sellers do not have to disclose this information if they "agree otherwise" with there customers (i.e. have their T&Cs drafted in such a way that these requirements are negated).
Finally (although this isn't really a substantive informational requirement):
- T&Cs should be made available in a away that allows customers to store and reproduce them.
Provision of Services Regulations disclosures
The Provision of Services Regulations 2009 apply to all services, subject to a list of exceptions. Unfortunately, ecommerce services are not amongst those exceptions. As a result, these Regulations overlap with the Ecommerce Regulations, producing a confusing set of disclosure obligations.
On the assumption that online retailing is a service, then the following additional disclosures will be required under the Provision of Services Regulations (I have not mentioned all of those that broadly overlap with requirements listed above):
- contact details for sending complaints / requests for information, including: a telephone number; and an "official address" (where the service provider has such a thing);
- the provider's legal status and form;
- the general terms and conditions of the provider (if any);
- the existence of any after-sales guarantee not imposed by law;
- the main features of the service, if not already apparent from the context;
- where the provider is subject to a requirement to hold any professional liability insurance or guarantee, information about the insurance or guarantee and in particular: the contact details of the insurer or guarantor, and the territorial coverage of the insurance or guarantee; and
- if the provider is subject to a code of conduct, or is a member of a trade association or professional body, which provides for recourse to a non-judicial dispute resolution procedure: information about fact, and details of how to access more information about that procedure.
Because these requirements are all about services, rather than goods, it is unclear the extent to which they apply in relation to contracts for the sale of goods, notwithstanding that such contracts are made through the use of "information society services" (Euro-speak for the internet).
Distance Selling Regulations disclosures
The Distance Selling Regulations apply only to B2C contracts, not B2B contracts. If you sell exclusively to businesses, you can ignore this section.
Information to be provided under these regulations must be provided in a "clear and comprehensible manner appropriate to the means of distance communication used, with due regard in particular to the principles of good faith in commercial transactions and the principles governing the protection of those who are unable to give their consent such as minors".
Where these Regulations apply, you must, in good time before the point of contracting, provide the following information to customers:
- the identity of the supplier and, where the contract requires payment in advance, the supplier’s address;
- a description of the main characteristics of the goods or services;
- the price of the goods or services including all taxes;
- delivery costs where appropriate;
- the arrangements for payment, delivery or performance;
- the existence of a right of cancellation except in the excepted cases;
- the cost of using the means of distance communication where it is calculated other than at the basic rate;
- the period for which an offer or a price remains valid;
- where appropriate, the minimum duration of the contract, in the case of contracts for the supply of goods or services to be performed permanently or recurrently;
- inform the consumer if he proposes, in the event of the goods or services ordered by the consumer being unavailable, to provide substitute goods or services (as the case may be) of equivalent quality and price; and
- inform the consumer that the cost of returning any such substitute goods to the supplier in the event of cancellation by the consumer would be met by the supplier.
Companies law disclosures
Under Regulation 7 of The Companies (Trading Disclosures) Regulations 2008, all UK companies must disclose the following information on their websites:
- the part of the UK in which the company is registered;
- the company’s registered number; and
- the address of the company’s registered office.
There is also some information under these regulations that needs to be disclosed in special cases:
- in the case of a limited company exempt under specified laws from the obligation to use the word “limited”, the fact that it is a limited company;
- in the case of a community interest company which is not a public company, the fact that it is a limited company; and
- in the case of an investment company, the fact that it is such a company.
Sections 1200 to 1206 of the Companies Act 2006 govern the disclosure of identity information by sole traders and partnerships.
The rules apply to an individual or partnership carrying on business in the UK under a business name. In the case of an individual, a “business name” means a name other than his or her surname without any addition other than a permitted addition. In the case of a partnership, it means a name other than: (i) the surnames of all partners who are individuals, and (ii) the corporate names of all partners who are bodies corporate, in each case without any addition other than a permitted addition.
The "permitted additions" for an individual his or her forename or initial. For a partnership, they are: (i) the forenames of individual partners or the initials of those forenames, or (ii) where two or more individual partners have the same surname, the addition of “s” at the end of that surname;
(iii) in either case, an addition merely indicating that the business is carried on in succession to a former owner of the business.
Where these rules apply, the information that must be disclosed is:
- in the case of an individual, the individual's name and an address at which service of any document relating in any way to the business will be effective; and
- in the case of a partnership, the name of each member of the partnership and, in relation to each person so named, an address at which service of any document relating in any way to the business will be effective.
If the individual or partnership has a place of business in the United Kingdom, the address must be in the United Kingdom. If the individual or partnership does not have a place of business in the United Kingdom, the address must be an address at which service of documents can be effected by physical delivery and the delivery of documents is capable of being recorded by the obtaining of an acknowledgment of delivery.
The Unlike the Companies (Trading Disclosures) Regulations, the Act does to not specifically say that this information needs to be disclosed on a website. However, the information must be stated "in legible characters" on all "business letters" and "invoices and receipts issued in the course of the business". Furthermore, it must be disclosed on request to "any person with whom anything is done or discussed in the course of the business and who asks for that information".
Data Protection Act disclosures
The basic information that needs to be provided to website users under the Data Protection Act 1998 is:
- the identity of the data controller;
- if the data controller has nominated a representative for the purposes of this Act, the identity of that representative;
- the purpose or purposes for which the data are intended to be processed; and
- any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
The "data controller" is the person responsible for determining the purpose or purposes for which personal data are processed. Generally, in the case of an online store, this will be the store operator.
The Information Commissioner has published guidance elaborating on the principles in the Act. On the basis of that guidance, you should consider providing the following information to users and customers:
- if you intend to pass information on, the name of the organisations involved and details of how they will use the information;
- how long you or other organisations intend to keep the information;
- whether replies to questions are mandatory or voluntary;
- the consequences of not providing information - for example, non-receipt of a beneﬁt;
- whether the information will be transferred overseas;
- what are you doing to ensure the security of personal information;
- about their rights and how they can exercise them - for example, the fact that a person can obtain a copy of their personal information or object to direct marketing;
- who to contact if they want to complain or know more about how their information will be used; and
- about the right to complain to the Information Commissioner if there is a problem.
Regulation 6 of the Privacy and Electronic Communications Regulations (as amended) requires that certain cookie information be disclosed to users, except in relation to cookies that "are strictly necessary for the provision of an information society service requested by the subscriber or user":
- the subscriber or user must be provided with clear and comprehensive information about the purposes of the storage of, or access to, that information.
This is not a complete list of all the disclosures that may be required by a particular website. For instance, products which are subject to special regulation (e.g. toys, tobacco and pharmaceuticals) may require additional specific disclosures. In addition, I have not generally covered here disclosures that need to made in places other than on websites - e.g. in email communications with customers.
If there's anything you think I've missed, please let me know.