Trading in ecommerce through the IRP platform opens up some new legal requirements for companies.
To a large degree these are not as complicated as might be anticipated, but it is important to understand:
- What information you must provide in your ecommerce site.
- What your legal obligations are to your customers.
It is important to comply with legislation, but it is also important to understand that overall common sense prevails.
Good customer service is key to ensuring that relations with customers remain positive. It is important to understand that the internet provides many outlets for feedback — so it is critical to keep legal but also to keep customers happy.
In the United Kingdom, if you are running an IRP, there are three acts and directives that you should comply with:
- Data Protection Act 1998
- Distance Selling Act 2000
- Ecommerce Directive 2002
Data protection is an area that companies often ignore; however, you do have obligations to your customers if you collect data on them:
- You must register under the Data Protection Act if you collect any kind of information about people. These could be your customers, employees or potential customers. This information includes names, addresses, telephone numbers and email addresses.
- You must state what you do and intend to do with your subjects’ data and not deviate from that statement.
- The Act applies to any size of business.
- You must not export the personal data outside the EC (European Community) without permission from the people you are collecting data on.
- You must ensure that all information is held securely and must be revealed or deleted upon request from the subjects of the information.
- You must only record data that is pertinent to your prime business needs.
Consumer Protection (Distance Selling) Regulations
The Consumer Protection (Distance Selling) Regulations 2000 apply to many ecommerce websites. However, they are not applicable to ‘business-to-business’ transactions. The basic requirements are also often exceeded by the companies’ own policies.
- You must provide clear information about your products and services before purchase.
- You must be clear about postage and packing costs and whether VAT or any other tax is included in the prices shown on your website.
- You must provide a written confirmation of order following purchase, for example a confirmation email.
- You must allow a “cooling off” period whereby the customer can change their mind and cancel or return the order within seven working days for most goods from the point they receive them. Certain exclusions do apply with items such as perishable items and digital-only items.
- You must inform your customers of their right to cancel their order with no loss other than return postage and packing. This does allow you to not return the cost of the postage that you paid to ship the item.
- You must display the name of your business, the company registration number (or proprietor’s name), geographical address (not a PO Box number), contact information (e.g. telephone number and email address) and VAT registration number (if registered).
- You may refer to trade or professional schemes, if applicable.
- You must provide clear information on price, tax and delivery to buyers.
- You must clearly display your site’s Terms and Conditions of Sale.
- You must acknowledge all orders that are placed.
- In commercial communication with your customers, you must clearly identify any electronic communication designed to promote your goods or services.
- You must clearly identify yourself as the sender of all electronic communication.
- You must clearly define any promotional offers and the qualifying conditions regarding these offers.
- If you send unsolicited emails, you must clearly identify them as unsolicited.
Information Commissioner’s Office E-Privacy Directive (the ICO Cookie Law)
- Cookies used for functional purposes do not require consent. Cookies not from a third party that are required to make the IRP work do not require consent or opt-in.
Beyond these legal obligations, you have VAT and Tax considerations that may apply when you reach certain thresholds of sales to EU countries. These thresholds vary by country but are often not noticed or enforced by the countries. It is important to be aware that they do exist.
Companies handling credit cards are required to meet the PCI Security Standards for handling card data. The IRP is PCI Level 1 Compliant; however, you often need to attest your own compliance if it is required. This can be time-consuming; however, if turnover is small, self-assessment is generally allowed.