Legal requirements for an eCommerce website
A recent report stated that one quarter of small and medium businesses were in breach of the website legal requirements for trading online. Regardless of whether your business is trading millions, thousands or nothing at all, your website needs to adhere to certain requirements.
Here is our guide to trading legally online:
- Company information
- Web accessibility
- Data protection
- Consumer protection
- Electronic commerce regulations
- PCI DSS
- EU anti spam laws
- Cookie law
Company information
As of 1st January 2007 all business stationery (which includes your website) must display the following in legible text:
- The company’s registered number.
- The registered office address.
- Where the company is registered (England and Wales, Scotland or Northern Ireland).
- Whether it is a limited company, usually indicated by the company name followed by ‘Limited’ or ‘Ltd’.
This information needs to be displayed on all letters, emails, order forms, parcels, invoices, receipts and credit notes, and on your website. We generally add it to the website footer.
Web accessibility
Your website should be accessible to as many people as possible. The World Wide Web Consortium (W3C) is an international organisation that develops web standards. As part of its remit it publishes specifications to ensure websites follow best practices so that people with disabilities can use the internet.
The web accessibility guidelines group their checkpoints into three priority levels: priority 1, 2 and 3. Each level is a list of requirements a website must meet. The levels are:
- Priority 1
A Web content developer must satisfy this checkpoint. Otherwise, one or more groups will find it impossible to access information in the document. Satisfying this checkpoint is a basic requirement for some groups to be able to use Web documents.
- Priority 2
A Web content developer should satisfy this checkpoint. Otherwise, one or more groups will find it difficult to access information in the document. Satisfying this checkpoint will remove significant barriers to accessing Web documents.
- Priority 3
A Web content developer may address this checkpoint. Otherwise, one or more groups will find it somewhat difficult to access information in the document. Satisfying this checkpoint will improve access to Web documents.
The UK Government and the Royal National Institute of Blind People (RNIB) advise that websites must satisfy priority 1 and should satisfy priority 2 of the guidelines. Meeting both priorities will allow people with disabilities to use your website.
Keep in mind that the guidelines are not just for web developers but for those who manage content too. For example, all images must include alternative text via the alt attribute, which allows screen readers to convey the contents of an image.
These guidelines are taken very seriously. In January 2012 the RNIB served legal proceedings against Bmibaby over the failure to make their website accessible for blind and partially sighted customers.
Data protection
The Data Protection Act sets out the UK law for processing and storing people’s information. It is the main legislation governing the protection of personal data in the UK. The act gives people the right to know what information is stored about them and provides a framework for how that information should be handled.
Companies and organisations should notify the Information Commissioner’s Office that they are collecting data.
The data protection principles state that organisations, businesses and the government should make sure information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
Website legal requirements now also provide stronger legal protection for sensitive information. This includes ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.
Consumer protection
The Consumer Contracts Regulation came into force on 13th June 2014, implementing the European Consumer Rights Directive into UK law. It replaces the Distance Selling Regulations, which still apply to any sales made before 13th June 2014.
The Consumer Contracts Regulation covers distance selling, face-to-face sales made away from a business’s premises and in-store sales. We’ll be focusing on distance selling. For a sale to be valid you must provide the following information:
- A description of the goods, service or digital content. This should include how long any commitments will last on the part of the consumer.
- The total price of goods, service or digital content. If this cannot be determined you must provide the manner it will be calculated.
- How to pay for the goods and when they will be provided.
- Any additional costs such as delivery charges.
- Whether the customer has the right to return or cancel an item, and who pays the cost of returning it. Goods purchased online can be cancelled by the customer for at least 14 days after the day on which the last of the goods comes into their physical possession. For businesses selling digital content, the consumer’s express permission is required to waive these rights.
- A standard cancellation form should be provided to make cancelling easy.
- Information about your business including address, contact information and any third party traders you are using.
- Any compatibility of digital content with hardware or other software that you are aware of.
Any failure to meet these regulations could result in cancellation rights being extended up to one year.
Electronic commerce regulations
These came into force in 2002 and implement the European Union’s eCommerce directive into UK law. They are designed to clarify and harmonise the rules for trading online.
One major part of the legislation is the country of origin principle. This states that a website only needs to follow the legislation of the country it is based in, regardless of whether sales are made to other EU countries. However, there are certain qualifications to this principle.
- You must comply with consumer legislation in each and every European country that you sell to.
- Exceptions to the country of origin principles include copyright law, electronic money and unsolicited emails.
There are benefits to the country of origin principle. UK laws are generally much more lax than those of other European countries, particularly around promotions. If your company is based in the UK you only need to follow UK law.
The Electronic Commerce Regulations state that a website should provide the following information:
- The name of the service provider.
- The email address of the service provider.
- Details of any trade association which the business is part of.
- VAT Number.
- Prices on the website must be clear and unambiguous.
These are in addition to the company information that must be provided as part of the Companies Act that we spoke about earlier.
When an order is placed online the Electronic Commerce Regulations state that the following information should also be provided:
- Any technical steps to follow to complete a contract.
- Whether or not the contract will be filed and how to access it.
- The technical means to identify and correct any errors prior to placing an order.
- Whether the website is subject to any code of conduct.
- The terms and conditions of the sale.
You’ll notice that many of these stipulations are also part of the Consumer Contracts Regulation.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was created to help prevent fraud at companies that process card payments. It requires stronger controls around cardholder data to reduce the chance of that data being compromised.
These standards apply to companies that hold, process or pass on card information. Many eCommerce sites take payment through a third party service such as PayPal or SagePay. In that case most of the burden falls on the payment service, but some parts will still apply to you. The level of compliance required varies with transaction volume, how much you’re taking and whether payments are also taken over the telephone.
There are 12 key requirements for companies who accept or process card payments:
- Use a firewall to protect data.
- Do not use vendor supplied defaults for passwords or other parameters.
- Protect stored data.
- Encrypt the transmission of data and sensitive information.
- Use antivirus software.
- Maintain a high level of security.
- Restrict access to data.
- Assign a unique ID to each person with access.
- Restrict physical access to cardholder data.
- Track and monitor all access to the network.
- Regularly test security.
- Maintain a policy that addresses security.
Remember that PCI DSS also extends to where your website is hosted. Make sure you have secure passwords, suitable firewalls, an SSL certificate and antivirus software, and that access is restricted.
EU anti-spam laws
The Privacy and Electronic Communications Directive (E-Privacy Directive) was created for data protection and privacy in the digital age. This directive prohibits the sending of unsolicited commercial communications by email or other electronic messaging such as SMS.
To comply you must ensure that the user is offered an opt-in option. Customers are exempt from this, but you are still required to offer them an opt-out option. If you purchase a database of email addresses you must ensure that those people have consented to their addresses being passed on to third parties. Lastly, every email you send must include instructions on how to opt out.
Cookie law
Cookies are small files that can be stored on a user’s computer when they visit a website. They are used for Google Analytics, for keeping you logged in, or for remembering the basket of someone who is not logged in.
Cookies can also be used to target advertising. This is a potential privacy issue, so the Information Commissioner’s Office (ICO) created a policy to address it: the EU Cookie Law.
The EU cookie law states that a website must clearly show that it is using cookies. Most websites use an unobtrusive bar at the bottom or top of the page. This bar contains a link to a page with more information. It’s fine to assume consent for cookies but clear instructions should be available for how to block them.
Your website legal requirements: a quick recap
- You must display your company information on all documents, including your website. This includes the company’s registered number, registered office address, where the company is registered and whether it is limited.
- All websites must satisfy priority 1 and should satisfy priority 2 of the web accessibility guidelines.
- Collect data responsibly, following the 8 principles set out by the Data Protection Act. All data must be collected on an opt-in basis unless the person is a customer, in which case an opt-out option must be available.
- Adhere to the Consumer Contracts Regulation for distance selling. This includes good descriptions of products, the full cost, company information, returns information and cancellation procedures.
- When selling to the EU, you only need to comply with the laws in the country of origin.
- If taking payments on your site make sure you meet the 12 requirements of PCI DSS. Even if you’re using third party payment gateways such as Paypal or SagePay some points will still apply.
- Make sure everyone on your mailing list has opted-in to marketing emails. On each email you send make sure there are clear instructions on how to unsubscribe.
- Add detailed information about the cookies used on your website with instructions on how to disable them. Include a ‘cookie bar’ for first-time visitors, but you can assume consent.
If you’re in any doubt we recommend contacting your website developers or seeking legal advice.