SMEs and commercial law: Are my privacy policies private enough?

E-commerce sites have blossomed in the last five years, increasing in number by 11% in 2015 alone. But, while the time to open a virtual marketplace may be now, it’s not a venture that small businesses should rush into head-first. Recently, commercial lawyers have begun to take on more e-commerce clients, as interest in business legal advice grows.

One of the biggest concerns amongst consumers is data protection: can they guarantee that an internet retailer will use their personal details for legitimate purposes? If not, they are likely to shop elsewhere, rather than taking an unnecessary risk. It’s a concern SMEs need to be aware of, as more and more companies take to the net. Privacy policies need to cover all bases, indemnifying businesses against accusations of data mishandling.

How does the law define an e-commerce business?

To start, it’s worth knowing where you stand in the eyes of the law. What can you not afford to miss out of your privacy policies? The truth is: e-commerce is still somewhat of a legal grey area, as the industry continues to experience rapid growth and change. However, as a general rule of thumb, there are two laws every business should be abiding by: The Data Protection Act (1998) and The Electronic Commerce (EC Directive) Regulations (2002). Both these legislative measures protect the interest of the consumer and restrict the collection and dissemination of personal details.

For businesses handling online transactions, processing customer data or generally requiring personal details to operate, these laws must become your scripture. While there is still ongoing debate amongst commercial lawyers over what constitutes an e-commerce business, the EC Directive offers a fairly conclusive guideline:

“The requirement for an information society service to be ‘normally provided for remuneration’ does not restrict its scope to services giving rise to buying and selling online. It also covers services (insofar as they represent an economic activity) that are not directly remunerated by those who receive them, such as those offering online information or commercial communications (e.g. adverts) or providing tools allowing for search, access and retrieval of data”. (Electronic Commerce Regulation 2002)

But what exactly qualifies as an “information society service”? While the term seems deliberately vague, it can be boiled down to money and permission. In plainer words, an information society service is any business that is compensated for providing an electronic service which processes and stores personal data at the request of the user. Commercial lawyers will tend to treat any business that handles the electronic transfer of data as e-commerce.

What do I need to declare in my privacy policies?

Under EU law, e-commerce sites must provide a statement of intent, known more commonly as a privacy policy. These terms and conditions tell the user exactly what their personal details will be used for and whether they will need to be passed on to third party companies. It’s important that small businesses don’t deviate from their privacy policies, in an attempt to collect and distribute customer details beyond their intended purpose. Data should only be collected in certain situations and only in the cases you have discussed in your policies. If your e-commerce site meets the following regulations, you shouldn’t have too many issues:

  • Collecting data is a necessary legal requirement
  • Consent is provided by each individual user
  • Processing personal details will protect the interests of the user
  • The user is able to make alterations and deletions to any information that is incomplete, inaccurate, or fails to comply with data protection laws
  • Data is processed with the express purposes you outlined in your policy, either by you or a third party

In the majority of incidents, sticking to these guidelines will ensure you are operating within your rights. However, it’s always best to seek business legal advice before your website is launched. Each individual member state of the EU has its own directives on data handling, so if you are selling to customers overseas, it’s worth going over your options with a commercial lawyer.

Carl Parslow is the managing partner of Parslows: commercial lawyers in Jersey. He is an Honorary Librarian of the Law Society of Jersey and serves on several Law Society committees.