UK: IT/eCommerce Bulletin April 2003

Last Updated: 16 April 2003

1. eCommerce NEWS

1.1 DRC to audit 1000 websites for accessibility for the disabled

2003 is the European Year of People with Disabilities. The EU has announced it will have a particular focus on promoting website accessibility for the disabled.

In the UK, the Disability Rights Commission (DRC) has announced that it will be investigating 1000 websites spanning the public and private sector to test for accessibility. The findings are likely to be released in late 2003 and the DRC has said they will be used to help website owners eradicate bad practice rather than as a prelude to litigation by the DRC.

Part III of the existing UK Disability Discrimination Act 1995 requires that reasonable steps be taken to ensure it is not impossible or unreasonably difficult for a disabled person to make use of the service that is provided. That duty includes an obligation to provide "auxiliary aids" where it is reasonable to do so. Neither the Act nor the Code provides detailed guidance on the level of accessibility that must be achieved for websites. Current industry best practice on website accessibility is to comply with at least the Level 1 standard in the accessibility guidelines issued by the World Wide Web Consortium (W3C), eg, including an option for the user to select a text-only version and the ability to adjust colours and font size.

Both the Department of Trade and Industry and the Department of Works and Pensions are currently in the process of introducing changes to the UK Disability Discrimination Act 1995.

Please click through for a copy of the W3C Web Accessibility Guidelines

April 2002 IT Bulletin article on disabled access to the internet

1.2 Consultation on voluntary code of practice for data retention

The Home Office has released a consultation paper on a draft code pursuant to the Anti-terrorism Crime and Security Act 2001. The Act was passed in the UK after the events of September 11. It provides for the introduction of a voluntary Code requiring all communication providers to retain the communications data of all subscribers. Communications data includes traffic data for both email and the internet but does not include the actual content of the communication.

The draft code applies to communication providers who provide access to a public telecommunications system (eg, ISPs and telcos). It proposes the following retention periods for various types of communications data:

  • Subscriber details, contact information and services used: 12 months
  • Telephony data (numbers called, dates, duration, location data etc): 12 months
  • Text messaging data: 6 months
  • Email and ISP data: 6 months
  • Web activity logs: 4 days

Failure to comply with the Code will not lead to any criminal or civil liability. However if industry rejects such a code the legislation gives government the power to require compliance. Business will be following the consultation paper with great interest as there are clearly technical and financial costs to retaining such data for extended periods. In March last year the government faced concerted opposition from ISPs when it tried to introduce an earlier version of a voluntary code for data retention.

Please click through for a copy of the Consultation Paper

1.3 Revised list of government bodies permitted to access communications data

The Regulation of Investigatory Powers Act 2002 (RIPA) controls the access regime for communications data. That includes controlling access to communications data retained pursuant to the Anti-terrorism Crime and Security Act 2001 (see article above).

When RIPA was first introduced the government agencies permitted to access communications data were limited to police and government security agencies. In 2002 the government released draft regulations to permit access to a large number of government agencies. Public outcry over the privacy implications led the government to abandon the draft regulations.

The current Home Office Consultation paper seeks to smooth the way for a second attempt at legislation to increase the number of public authorities able to access communications data. It proposes to provide unrestricted access to the emergency ambulance service, fire authorities, the Maritime and Coastguard Agency, the Scottish Drugs Enforcement Agency and the United Kingdom Atomic Energy Authority Constabulary. It also seeks to provide restricted access to a further 21 types of public authorities.

Business will need to keep abreast of the changes to RIPA and also the Anti-terrorism Crime and Security Act 2001. Exact compliance with both will be necessary to ensure the respective Acts are not contravened. It is also important to remember that any disclosure of communications data to a public authority that falls outside those Acts is likely to contravene the Data Protection Act 1998.

Please click through for a copy of the Consultation document

1.4 Bogus Data Protection registration services

Over the last 18 months there have been over 60,000 reported cases of businesses being contacted by bogus data protection agencies offering registration services. The fees charged are typically 3 or more times the actual cost of official registration.

The Data Protection Act 1998 regulates the use of "personal data" i.e. data which by itself or with other data held by the data controller enables a living individual to be identified. Most organisations will hold personal data in relation to employees, suppliers and customers.

Processing personal data is an offence under the Act unless an appropriate registration is in place. Processing includes collecting, holding, using, disclosing and even destroying data. If an organisation is processing personal data it will need to complete a Notification Form and lodge it with the Office of the UK Information Commissioner. Each subsequent year there is also an annual renewal fee of £35.

If a business receives a letter from one of the bogus registers it should be ignored. Any threat by such registers to commence legal proceedings is groundless, as they have no official connection with the UK Information Commissioner. Businesses should however ensure that all aspects of data processing they undertake are detailed in a valid current notification to the Information Commissioner.

1.5 Managing the risk of mis-pricing on the Internet

The February 2002 IT Bulletin highlighted the hazards of mis-pricing on the internet. Kodak was placed in a difficult position when over 10,000 customers placed orders for a £329 camera that had been mispriced at £100. Due to it being unclear whether a contract had been formed Kodak elected to honor the orders to minimise adverse publicity.

Recently Amazon was faced with a similar situation when it was flooded with orders for a HP pocket PC. Normally the pocket PC was priced at £290. It was accidentally advertised on the Amazon website for £7.32. Amazon was able to minimise the impact of the error as it was using clearly drafted terms and conditions. Amazon automatically acknowledged each order as soon as it was received. The acknowledgement made it clear that the order would not be accepted until Amazon confirmed by email that it had despatched the goods.

Such a policy is not only prudent but it is also consistent with the UK’s Electronic Commerce (EC Directive) Regulations 2002. The Regulations merely require vendors to ensure the steps to formation of an online contract are made clear to customers. The Regulations do not predetermine the stage at which the contract will be formed. While pricing errors will always occur a well drafted set of terms and conditions will make the legal position of the parties clear. In the process it will also ensure compliance with the Regulations and assist in minimising adverse publicity.

1.6 11th Edition of UK Advertising Code launched

The Committee of Advertising Practice (CAP) is the industry body that creates, revises and enforces the British Code of Advertising, Sales Promotion and Direct Marketing. The Code applies to non-broadcast marketing communications in the UK. It is endorsed and administered independently by the Advertising Standards Authority (ASA), a non-government body.

In March 2003, CAP launched the 11th edition of the Code. The Code is not law but rather is only industry self-regulation. It does however reflect EU and UK regulation of distance selling and data privacy as well as the new EU Privacy and Electronic Communications Directive. (For an overview of the Privacy and Electronic Communications Directive and its implementation in the UK see the Feature Article below.) Although the Privacy and Electronic Communications Directive is not required to be implemented in the member states until 31 October 2003 the Code already reflects its requirements.

For a copy of the new CAP Code please click through.



As part of the European Commission's 1999 Review of the communications framework, the Directive on Privacy and Electronic Communications was adopted on 12 July 2002 and requires implementation in Member States by 31 October 2003. It will replace the existing Telecoms Directive (97/77/EC). An overview of the new Directive was provided in the October 2002 IT Bulletin.


In March 2003 the DTI released a public consultation paper on the implementation of the Directive in the UK. Annexed to the consultation paper is the UK’s draft implementing legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003. The consultation will run for 12 weeks, closing on 19 June 2003. The final version of the implementing regulations is planned to be published in August 2003 and come into force by 31 October 2003.

The following key features of the draft regulations closely follow those of the Directive:

  • value added services based on location and traffic data (for example, location based advertising to mobile phone users) are permitted subject to the consent of subscribers;
  • public directories will be subject to tight controls including:
    • all public directories must give subscribers the right to be removed from the directory, free of charge;
    • subscribers must be given information on all of the usage possibilities of publicly available directories - e.g. reverse searching from a telephone number in order to obtain a name and address;

  • regulation of unsolicited direct marketing will now cover all forms of electronic communications including e-mail (spam) and SMS to mobile telephones;
  • confirmation that the Directive does not prevent Member States from introducing provisions on the retention of traffic and location data for law enforcement purposes (see articles 1.2 and 1.3 above for details of the UK regulation of communications data retention); and
  • tighter regulation of the use of cookies.

Key features for business


At its simplest, a cookie enables a web site to "recognise" a repeat visitor to that website. For this reason, cookies have been described as giving web sites "memory". They are used by the majority of websites to both customise the presentation of the website for individual users and also to collect information to build user profiles.

The ability of cookies to be used to collect information has led to calls from some privacy groups and consumers to restrict their usage without prior consent. After some heated debate the final text of the Directive permitted cookies to be used provided the following two conditions are met:

i) users are informed when and how cookies are used; and
ii) users have the ability to refuse cookies.

The DTI’s view in the Consultation Paper is that those conditions can be achieved via a clearly signposted privacy policy that provides details on when and how cookies are used. The website will also need to either provide its own "off switch" or advise users how to adjust the settings on their internet browser software to reject cookies.


The general rule under the Directive is that direct marketing by email or SMS is only permitted with the prior consent of the recipient (opt-in). The Directive does not require prior consent in relation to "existing customers" if a number of conditions are satisfied including that the message relates to "similar goods". Existing customers must however be given an opportunity to opt-out of receiving such direct marketing material.

The DTI has taken a very commercial approach to those requirements as is evident from the draft wording of section 21(3) of the regulations. It provides that a recipient will be an "existing customer" even if the recipient has only entered into negotiations to make a purchase. The Consultation Paper elaborates on this by stating that provided the email address of the recipient was legitimately obtained as part of a promotional campaign or when providing product information the recipient will be an "existing customer". At the time when the customer's contact details are obtained the customer must be told those details will be used for direct marketing.

The "similar goods" limitation has also been clarified. Email direct marketing of any of the vendor’s goods and services is permitted provided the recipient was previously made aware of the nature of the goods and services offered by the vendor. Vendors will need to take care when collecting the recipient’s contact address that the nature and scope of the vendor’s products and services are described accurately.


The DTI’s consultation paper provides some much needed clarification of the Directive, but business should not celebrate prematurely for three reasons. First, the draft regulations must still undergo both public consultation and parliamentary scrutiny so the wording is by no means finalised. Secondly, the DTI’s comments in the Consultation Paper on the way in which the regulations should be interpreted are not the law. It will still be for the courts to interpret the regulations once they have been passed into law. Lastly, the UK Information Commissioner has welcomed the implementation of the Directive in the UK but has also used it as an opportunity to call for an increase in his powers of enforcement.

Business will need to continue to play a waiting game but at least they have now received some encouraging signs from the DTI.

Please click through for a copy of the DTI Consultation Paper

Article by Mark Turner and Dominic Callaghan

© Herbert Smith 2003

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us.
