Outline of legislation that will begin to regulate how business is conducted on the internet

It has been and is still fashionable to characterise Internet business as an unregulated minefield where contracts are made and credit card details handed over at the peril of the consumer. Some lawyers warn that companies who post a website  invite litigation from around the globe. As in “bricks and mortar” business, the true picture is that most transactions whether B2B (business to business) or B2C (business to consumer) pass off smoothly, without litigation or resorting to Alternative Dispute Resolution (ADR). During these next 12 months a number of important new consumer rights and business obligations will have been introduced in relation to web sales. Both consumers and businesses need to keep abreast of the changes and their implications.

Data Protection Act 1998

This Act came into force on 1 March 2000, implementing the provisions of the EC Data Protection Directive (95/46/EC) into UK law, and thus replacing the Data Protection Act 1984. The old regime prevented the processing of personal data by equipment operating automatically. The new regime redefines “personal data” to include structured manual records which are part of a relevant filing system, and places an emphasis upon processing  such data with the informed consent of the individual. Businesses must review their registration obligations under the new data protection law to ensure compliance.

The new regime has greatly extended the definition of “processing” personal data to now include holding, obtaining, and recording information. It only allows such processing when  one of the conditions in Schedule 2 is met, and the processing of “sensitive” personal data (relating to race, political, sexual, religious or religious orientation) does require explicit consent.  Under the new regime, an individual has the following rights:-

  • Access to personal data (Section 7)
  • Preventing the  processing of personal data  likely to cause damage or distress (Section 10)
  • Preventing the processing of personal data for the purposes of direct marketing (Section 11)
  • Preventing automatic decision taking at work in relation to performance, credit worthiness, reliability or conduct, based solely upon data.
  • Correcting or deleting inaccurate personal data
  • Request for an assessment of an alleged breach (Section 42) - anyone who is or thinks he may be directly affected by the processing of personal data may ask the Data Protection Commissioner to undertake an assessment as to whether that processing has been carried out in compliance with the Act.
  • Right to compensation

Internet lawyers advising businesses will need to think about the steps which an online advertiser must take in order to ensure that data captured from its website is processed “fairly” and that relevant consents are obtained. If a website owner or operator is using cookies to collect personal data about customers in order to personalise the appearance of the website upon the customers next visit,  the user must be made aware of the uses to which the cookie information is going to be put. The US company Doubleclick.com was recently the subject of controversy because of its plans to link up web data with off-line personal data. Of course the Data Protection Act [and Directive] only apply to the European Union. It is still illegal to send personal data to non-compliant countries (ie outside EU). Data protection in the US remains unregulated. The EC and the US government have recently agreed the “safe-harbour” principle (March 2000) which proposes US companies register with the relevant state department to confirm that the company will adopt data protection responsibilities in line with the EC. However, litigation in the courts does continue over data protection issues, and businesses are well advised to ensure contractual obligations exist between parties to ensure EC data protection compliance.

Distance Selling Directive 97/7/EC1

Member states were required to implement the Directive by 5th June 2000. The cumbersomely titled Consumer Protection (Contracts Concluded by Means of Distance Communication) Regulations 2000 are ready and waiting in the wings. However the very latest DTI position at the time of writing is that no decision has been made, so that an “opt out” from some obligations is still posible for the United Kingdom. However, on the basis that other member states may enact legislation, it is still worth noting that key provisions of the Directive which may have been interpreted by some as rather draconian.

  • Consumers must be given prescribed information at the outset of the transaction: name and address of seller, details of product or service, information about price and payment, and the customer’s right to cancel.
  • The right to cancel is absolute - if the customer decides within 7 days not to proceed with the contract, that is the  end of the matter.  No justification or other reason need be given.  (Does not apply to perishable or made to order items).
  • The supplier must also confirm the customer’s order in writing or e-mail, and which must include conditions for exercising the right of withdrawal, address for complaint, any after sale service and guarantee, conditions for cancelling the contract where it is of an unspecified duration or exceeds one year.
  • Unless the customer agrees to the contrary, the supplier must complete the order within 30 days.
  • Sending unsolicited faxes and e-mails (“spamming”) without prior consent will be banned. The DTI is currently debating whether consumers should opt in or opt out of a consent registration scheme for unsolicited e-mails.
The Directive does not apply to business to business transactions. Under the Directive, obligations placed upon business are  ones of strict liability, and include criminal offences.  For example, failure to prove that follow-up information was sent to the consumer by e-mail or in writing, or by sending out information not prescribed to be sent out at the outset, renders the contract unenforceable against the purchaser. Several City commentators have suggested that the Directive gives the consumer, in certain circumstances, the right to treat goods purchased on the web as unsolicited, and to avoid paying for them – a remarkable innovation if the correct view.

The ISDN Directive (97/66/EC)

For the sake of completeness it should be noted that since 1st May 1999, businesses can elect to opt out of  receiving “spam” faxes and direct marketing calls - Telecommunications Data Protection and Privacy Regulations 1999 (SII999/2093).

Proposed Distance Selling (Financial Services) Directive

This proposed directive follows on from the Distance Selling Directive to include the Financial Services industry.  The proposed Directive is still under consideration by the European Commission and DTI, but proposals include:-

(a) Terms and Conditions of the distant sale of financial products must be transmitted to the consumer by a “durable medium” which unlike in the Distance Selling Directive, is defined. A durable medium could include  e- mail for this purpose,  but does  not allow an “option button” on the web site which the consumer can press to download the material.     

(b) Terms and Conditions may be transmitted by e-mail even where some other provision requires that they be in writing. On the face of it this conflicts with the Consumer Credit Directive 98/27/EC and may mean that certain existing regulations promulgated under the Consumer Credit Act 1974 may need re-writing.

(c) Terms and Conditions must be comprehensible: lawyers advising web designers may have their work cut out

Comparative Advertising Regulations 2000

New comparative advertising regulations came into force on 1 March 2000.  These are not exclusively aimed at distance selling contracts but, nonetheless are relevant to them. Website advertisements will fall foul of the Comparative Advertising Regulations if they are:

  • misleading
  • fail to compare like with like
  • fail to compare one or more material and relevant features
  • might cause confusion between the advertiser and a competitor
  • denigrate or discredit a competitor
  • taking unfair advantage of the goodwill inherent in a competitor’s mark
  • offering goods or services which are replicas or imitations of similar goods and services.

The regulations are incorporated into the Misleading Advertisements Regulations 1988 as a consequence of the EU Directive (97/55/EC) intended to harmonise the law on comparative advertising and reduce barriers to pan European advertising.

The Injunctions Directive 98/27/EC

This Directive will come into force in the UK on 1st  January 2001. The new regime will protect the consumer by allowing interested bodies, for example the Consumer’s Association (the publishers of “Which”) or the Advertising Standards Authority, to apply directly to the courts to stop infringements of, amongst others, the Misleading Advertising Directive (84/450/EEC as amended by 97/55EC). It is understood that holiday brochures can expect early attention.

Proposed e-commerce directive 

Debate is taking place in Member States as to whether Article 13 of the Brussels Convention should be amended.  At the moment, a consumer may sue in his home jurisdiction only if he has been targeted by advertising in that jurisdiction.  Otherwise, the normal rules of “domicile” apply subject to the special jurisdiction rules in relation to place of performance of contract. The proposed amendment to Article 13 of the convention would state in terms that consumers may sue in their home jurisdiction regardless of where the contract was concluded. The e centreUK  Legal Advisory Group2 is providing the DTI3 with information concerning the implications of this Directive, and are proposing to defer the implementation of the Directive until the establishment of an on-line dispute settlement regime which will assist businesses and consumers in reaching agreements with on-line disputes.


Hitherto it has been thought that the risk of doing business on the Internet rested primarily upon the shoulders of the consumer.  These new regulations will impose significant burdens upon business.  Websites will have to be very carefully worded, and adequate notice of the prescribed information will have to be provided to consumers, under peril of the contract being rendered unenforceable by virtue of the Distance Selling Directive. Websites will have to be very carefully worded in general. On the assumption that the Distance Selling Directive is given effect, adequate notice of the prescribed information will have to be provided to consumers and follow-up procedures refined considerably. How do you ensure that adequate notice is given to consumers of their various rights as set out above, if the only medium for communicating them is a two-inch square screen of the text?  At a well-attended Edinburgh seminar hosted by one of the world’s biggest telephone companies on 26 April 2000, the answer to this question was a rather disconcerting “don’t know”.  Oh what tangled webs we weave! However help may be at hand.


TrustUK, the website accreditation scheme which is being drawn up by the Alliance for Electronic Business, aims to give businesses confidence that the content of their website complies with strict codes of practice. Obviously this will give the consumer confidence when purchasing from the website.4

Paul Motion is a Solicitor Advocate and Associate with Ledingham Chalmers, Edinburgh.  He is the Scottish Legal Group Chairman for e centreUK  which advises on standards and best practice for e-business.


  1. http://europa.eu.int/eur-lex/lif/dat/1997/en_397L0007.html
  2. www.e-centre.org.uk
  3. www.dti.gov.uk
  4. TrustUK came into force for businesses in February 2000.

The consumer launch date is 18th July 2000. For further details, e-mail: secretariat@trustuk.org.uk.

Share this article
Add To Favorites