1. eCommerce NEWS

1.1 DRC to audit 1000 websites for accessibility for the disabled

2003 is the European Year of People with Disabilities. The EU has announced it will have a particular focus on promoting website accessibility for the disabled.

In the UK, the Disability Rights Commission (DRC) has announced that it will be investigating 1000 websites spanning the public and private sector to test for accessibility. The findings are likely to be released in late 2003 and the DRC has said they will be used to help website owners eradicate bad practice rather than as a prelude to litigation by the DRC.

Part III of the existing UK Disability Discrimination Act 1995 requires that reasonable steps be taken to ensure it is not impossible or unreasonably difficult for a disabled person to make use of the service that is provided. That duty includes an obligation to provide "auxiliary aids" where it is reasonable to do so. Neither the Act nor the Code provides detailed guidance on the level of accessibility that must be achieved for websites. Current industry best practice on website accessibility is to comply with at least the Level 1 standard in the accessibility guidelines issued by the World Wide Web Consortium (W3C), e.g. including an option for the user to select a text only version and the ability to adjust colours and font size.

Both the Department of Trade and Industry and the Department of Works and Pensions are currently in the process of introducing changes to the UK Disability Discrimination Act 1995.

Please click through for a copy of the W3C Web Accessibility Guidelines

April 2002 IT Bulletin article on disabled access to the internet

1.2 Consultation on voluntary code of practice for data retention

The Home Office has released a consultation paper on a draft code pursuant to the Anti-terrorism Crime and Security Act 2001. The Act was passed in the UK after the events of September 11. It provides for the introduction of a voluntary Code requiring all communication providers to retain the communications data of all subscribers. Communications data includes traffic data for both email and the internet but does not include the actual content of the communication.

The draft code applies to communication providers who provide access to a public telecommunications system (eg, ISPs and telcos). It proposes the following retention periods for various types of communications data:

· Subscriber details, contact information and services used: 12 months
· Telephony data (numbers called, dates, duration, location data etc): 12 months
· Text messaging data: 6 months
· Email and ISP data: 6 months
· Web activity logs: 4 days

Failure to comply with the Code will not lead to any criminal or civil liability. However if industry rejects such a code the legislation gives government the power to require compliance. Business will be following the consultation paper with great interest as there are clearly technical and financial costs to retaining such data for extended periods. In March last year the government faced concerted opposition from ISPs when it tried to introduce an earlier version of a voluntary code for data retention.

Please click through for a copy of the Consultation Paper

1.3 Revised list of government bodies permitted to access communications data

The Regulation of Investigatory Powers Act 2002 (RIPA) controls the access regime for communications data. That includes controlling access to communications data retained pursuant to the Anti-terrorism Crime and Security Act 2001 (see article above).

When RIPA was first introduced the government agencies permitted to access communications data were limited to police and government security agencies. In 2002 the government released draft regulations to permit access to a large number of government agencies. Public outcry over the privacy implications led the government to abandon the draft regulations.

The current Home Office Consultation paper seeks to smooth the way for a second attempt at legislation to increase the number of public authorities able to access communications data. It proposes to provide unrestricted access to the emergency ambulance service, fire authorities, the Maritime and Coastguard Agency, the Scottish Drugs Enforcement Agency and the United Kingdom Atomic Energy Authority Constabulary. It also seeks to provide restricted access to a further 21 types of public authorities.

Business will need to keep abreast of the changes to RIPA and also the Anti-terrorism Crime and Security Act 2001. Exact compliance with both will be necessary to ensure the respective Acts are not contravened. It is also important to remember that any disclosure of communications data to a public authority that falls outside those Acts is likely to contravene the Data Protection Act 1998.

Please click through for a copy of the Consultation document

1.4 Bogus Data Protection registration services

Over the last 18 months there have been over 60,000 reported cases of businesses being contacted by bogus data protection agencies offering registration services. The fees charged are typically 3 or more times the actual cost of official registration.

The Data Protection Act 1998 regulates the use of "personal data" i.e. data which by itself or with other data held by the data controller enables a living individual to be identified. Most organisations will hold personal data in relation to employees, suppliers and customers.

Processing personal data is an offence under the Act unless an appropriate registration is in place. Processing includes collecting, holding, using, disclosing and even destroying data. If an organisation is processing personal data it will need to complete a Notification Form and lodge it with the Office of the UK Information Commissioner. Each subsequent year there is also an annual renewal fee of £35.

If a business receives a letter from one of the bogus registers it should be ignored. Any threat by such registers to commence legal proceedings is groundless, as they have no official connection with the UK Information Commissioner. Businesses should however ensure that all aspects of data processing they undertake are detailed in a valid current notification to the Information Commissioner.

1.5 Managing the risk of mis-pricing on the Internet

The February 2002 IT Bulletin highlighted the hazards of mis-pricing on the internet. Kodak was placed in a difficult position when over 10,000 customers placed orders for a £329 camera that had been mispriced at £100. As it was unclear whether a contract had been formed, Kodak elected to honour the orders to minimise adverse publicity.

Recently Amazon was faced with a similar situation when it was flooded with orders for a HP pocket PC. Normally the pocket PC was priced at £290. It was accidentally advertised on the Amazon website for £7.32. Amazon was able to minimise the impact of the error as it was using clearly drafted terms and conditions. Amazon automatically acknowledged each order as soon as it was received. The acknowledgement made it clear that the order would not be accepted until Amazon confirmed by email that it had despatched the goods.

Such a policy is not only prudent but it is also consistent with the UK’s Electronic Commerce (EC Directive) Regulations 2002. The Regulations merely require vendors to ensure the steps to formation of an online contract are made clear to customers. The Regulations do not predetermine the stage at which the contract will be formed. While pricing errors will always occur a well drafted set of terms and conditions will make the legal position of the parties clear. In the process it will also ensure compliance with the Regulations and assist in minimising adverse publicity.

1.6 11th Edition of UK Advertising Code launched

The Committee of Advertising Practice (CAP) is the industry body that creates, revises and enforces the British Code of Advertising, Sales Promotion and Direct Marketing. The Code applies to non-broadcast marketing communications in the UK. It is endorsed and administered independently by the Advertising Standards Authority (ASA), a non-government body.

In March 2003, CAP launched the 11th edition of the Code. The Code is not law but rather is only industry self-regulation. It does however reflect EU and UK regulation of distance selling and data privacy as well as the new EU Privacy and Electronic Communications Directive. (For an overview of the Privacy and Electronic Communications Directive and its implementation in the UK see the Feature Article below.) Although the Privacy and Electronic Communications Directive is not required to be implemented in the member states until 31 October 2003 the Code already reflects its requirements.

For a copy of the new CAP Code please click through.

2. FEATURE ARTICLE – A BITTER SWEET VICTORY FOR IT SUPPLIERS EXCLUDING LIABILITY

Background

As part of the European Commission's 1999 Review of the communications framework, the Directive on Privacy and Electronic Communications was adopted on 12 July 2002 and requires implementation in Member States by 31 October 2003. It will replace the existing Telecoms Directive (97/77/EC). An overview of the new Directive was provided in the October 2002 IT Bulletin.

Overview

In March 2003 the DTI released a public consultation paper on the implementation of the Directive in the UK. Annexed to the consultation paper is the UK’s draft implementing legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003. The consultation will run for 12 weeks, closing on 19 June 2003. The final version of the implementing regulations is planned to be published in August 2003 and to come into force by 31 October 2003.

The following key features of the draft regulations closely follow those of the Directive:

  • value added services based on location and traffic data (for example, location based advertising to mobile phone users) are permitted subject to the consent of subscribers;
  • public directories will be subject to tight controls including:
    • all public directories must give subscribers the right to be removed from the directory, free of charge;
    • subscribers must be given information on all of the usage possibilities of publicly available directories - e.g. reverse searching from a telephone number in order to obtain a name and address;

  • regulation of unsolicited direct marketing will now cover all forms of electronic communications including e-mail (spam) and SMS to mobile telephones;
  • confirmation that the Directive does not prevent Member States from introducing provisions on the retention of traffic and location data for law enforcement purposes (see articles 1.2 and 1.3 above for details of the UK regulation of communications data retention); and
  • tighter regulation of the use of cookies.

Key features for business

Cookies

At its simplest, a cookie enables a web site to "recognise" a repeat visitor to that website. For this reason, cookies have been described as giving web sites "memory". They are used by the majority of websites to both customise the presentation of the website for individual users and also to collect information to build user profiles.

The ability of cookies to be used to collect information has led to calls from some privacy groups and consumers to restrict their usage without prior consent. After some heated debate the final text of the Directive permitted cookies to be used provided the following two conditions are met:

i) users are informed when and how cookies are used; and
ii) users have the ability to refuse cookies.

The DTI’s view in the Consultation Paper is that those conditions can be achieved via a clearly signposted privacy policy that provides details on when and how cookies are used. The website will also need to either provide its own "off switch" or advise users how to adjust the settings on their internet browser software to reject cookies.

Spam

The general rule under the Directive is that direct marketing by email or SMS is only permitted with the prior consent of the recipient (opt-in). The Directive does not require prior consent in relation to "existing customers" if a number of conditions are satisfied including that the message relates to "similar goods". Existing customers must however be given an opportunity to opt-out of receiving such direct marketing material.

The DTI has taken a very commercial approach to those requirements as is evident from the draft wording of section 21(3) of the regulations. It provides that a recipient will be an "existing customer" even if the recipient has only entered into negotiations to make a purchase. The Consultation Paper elaborates on this by stating that provided the email address of the recipient was legitimately obtained as part of a promotional campaign or when providing product information the recipient will be an "existing customer". At the time when the customer's contact details are obtained the customer must be told those details will be used for direct marketing.

The "similar goods" limitation has also been clarified. Email direct marketing of any of the vendor’s goods and services is permitted provided the recipient was previously made aware of the nature of the goods and services offered by the vendor. Vendors will need to take care when collecting the recipient’s contact address that the nature and scope of the vendor’s products and services are described accurately.

Conclusion

The DTI’s consultation paper provides some much needed clarification of the Directive, but business should not celebrate prematurely for three reasons. First, the draft regulations must still undergo both public consultation and parliamentary scrutiny so the wording is by no means finalised. Secondly, the DTI’s comments in the Consultation Paper on the way in which the regulations should be interpreted are not the law. It will still be for the courts to interpret the regulations once they have been passed into law. Lastly, the UK Information Commissioner has welcomed the implementation of the Directive in the UK but has also used it as an opportunity to call for an increase in his powers of enforcement.

Business will need to continue to play a waiting game but at least they have now received some encouraging signs from the DTI.

Please click through for a copy of the DTI Consultation Paper

Article by Mark Turner and Dominic Callaghan

© Herbert Smith 2003

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.
