The legal and privacy issues of doing e-business
Discusses the legal and privacy considerations of doing business over the internet. Part of Ontario’s e-Business Toolkit.
Disclaimer: This booklet is intended for informational purposes only and does not constitute legal, technical, business or other advice and should not be relied on as such. Please consult a lawyer or other professional advisor if you have any questions related to the topics discussed in the booklet. The Ontario Government does not endorse any commercial product, process or service referenced in this booklet, or its producer or provider. The Ontario Government also does not make any express or implied warranties, or assume any legal liability for the accuracy, completeness, timeliness or usefulness of any information contained in this booklet, including web-links to other servers. All URLs mentioned in this document will link to an external website.
What laws apply to e-business?
In general, all existing laws that apply to traditional commerce apply to business conducted via the Internet. Laws governing business incorporation, business name registration, taxation, consumer protection, advertising, importing or exporting, product safety, product standards, intellectual property and liability and so on, apply to e-business.
If you are doing business in different jurisdictions, you must comply with the law of any jurisdiction where you are deemed to be ‘carrying on business’. Source: E-business Information Guide – Canada-Ontario Business Service Centre (www.canadabusiness.ca).
Make sure you are familiar with your obligations for protecting personal information. The Personal Information Protection and Electronic Documents Act (PIPEDA) describes these obligations.
What are cookies?
Cookies are messages given to a Web browser by a Web server. The main purpose of a cookie is to identify users and to save information about how people use the site. This provides a basis for improving the website to better meet customer needs. Some cookies (session cookies) are erased when you close the Web browser. A permanent cookie is stored on the user’s hard drive until it expires or the person deletes it. If your website uses ‘cookies’, you should explain to the website users how and why this information is used.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to businesses and it provides that you must have consent to collect, use or disclose personal information. If you collect, use or disclose personal information in the course of your commercial activities, this Government of Canada Act applies to your business.
In particular, the Act provides that businesses must obtain the consent of consumers to use their personal information. The Act also requires businesses to give consumers access to their personal information, and to information regarding redress procedures. PIPEDA is based on balancing an individual’s right to the privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes.
Personal Information Protection and Electronic Documents Act
Under PIPEDA, personal information must be:
- Collected for identifiable purposes and with consent.
- Used and disclosed for the limited purposes for which it was collected.
- Accessible for inspection and correction.
What can I do to protect personal information?
The list below presents some ways you can protect personal information.
- Do your business computers have passwords to protect against unauthorized access?
- Do you have firewall installation and support to prevent unauthorized access to the computers and servers?
- Do you adequately protect your laptops and computer(s) from theft?
- Have you clearly explained your policies and procedures with respect to security and privacy on your website and other communications materials?
- Do you restrict access to personal information to authorized employees?
- Do you collect and store only as much personal information as you need?
- Have you stored personal information in a secure environment? Avoid storing customer credit card information in your systems if possible. Note that more sensitive information requires greater security measures. If you are storing customer information in your computer systems, make sure it is secure from access by employees or computer hackers.
- If you are sending out bulk or advertising emails, have you used an opt-in method to ensure you have permission to contact recipients?
- If you are selling products online, have you considered applying for a privacy seal? The privacy seal icon is displayed on the website and can increase consumer confidence. Three examples of privacy seal programs are TRUSTe, BBBOnline and WebTrust.
- If you are selling online, do you have a secure server and SSL (Secure Sockets Layer)? SSL technology encrypts all confidential information during transmission and authorization of transactions.
- If you are selling online, do you have appropriate security features for storing transaction information? For example, a PCI (peripheral component interconnect hardware) card is often added for protection. Another approach is SET (Secure Electronic Transaction), which has been developed by Visa and Mastercard. With this approach, sensitive information is not seen by the business and is not stored on the company’s website.
- Does your web hosting agreement describe your rights to user data collected by the hosting service? You should maintain exclusive ownership of user data along with a nondisclosure provision.
Intellectual Property (IP) is an area of law that protects ideas. With respect to the Internet there are generally four areas of Intellectual Property: Copyright, Trademarks, Domain Names, and Patents. This booklet will describe the first three areas.
Where would I go to register copyright, trademarks and patents with the Canadian government?
Copyright is the right to make a copy and applies to pictures and written materials on your website. It can also relate to computer codes used to create computer programs. In Canada, people who create original works automatically have copyright protection over their work.
The new Copyright Modernization Act came into effect in November 2012, bringing changes to Canada’s copyright laws to adapt them to the digital economy. The new act provides stronger provisions to protect the rights of creators, while at the same time legalizing a number of common activities for users. It is important to recognize, however, that many of the new user-oriented provisions are meant for non-commercial purposes. Below are some of the key provisions of the act:
- Users have greater freedom to include copyrighted content in their own works, as long as it is not for commercial gain and does not affect the artist’s reputation or his or her market.
- Users may include copyrighted content in their own products and activities if it pertains to the areas of education, satire or parody.
- Users can make back-up copies of material as long as they are not protected by a digital lock or part of an on-demand service.
- Users are prohibited from breaking digital locks, the technological measures that copyright holders have implemented to prevent users from copying the material.
Service providers are prohibited from offering services over the internet that will assist in the violation of copyright laws.
Sources: www.balancedcopyright.gc.ca, http://www.thestar.com/business/2012/11/10/what_the_new_copyright_law_means_for_you_geist.html
Intellectual property considerations – copyright
The following list highlights some measures you can take to protect copyright on the Internet and minimize the risk of infringing on the rights of others:
- Do you have the right to use or copy all the materials (including text and images) on your website? You should realize that most material available through the Internet is copyright protected. This includes e-mails and downloaded material.
- Have you obtained permission for the use of any copyright material (including information found on the Web)?
- Do your Internet-related agreements (e.g. agreements with web hosting service, web developers, website use agreements) outline the permitted and prohibited use of the website content? Do they include procedures for responding to claims of copyright infringement and other misconduct?
- Have you checked whether your web developer has copyright over the material (information and images)? If you want to own the copyright to the work contained on your website, you will need to have a written agreement that transfers the copyrights to you.
- If you are a copyright owner, have you registered your copyright?
- If you are a copyright owner, have you included copyright notices in your materials?
Trademarks are names or marks that are associated with your products and services. While trademark rights are acquired by use, registering your trademark with the Canadian Intellectual Property Office will enhance your rights. A trademark is typically a name, word, phrase, logo, symbol, design, image, or a combination of these. Keep in mind that website content can infringe on trademark rights. The similarity of the marks and the similarity of the goods or services are important factors in assessing infringement of trademark rights. If you have a unique name for your business or product you should seek advice from an experienced trademark lawyer. Internet trademark use that is lawful in the website owner’s jurisdiction may infringe trademark rights in other jurisdictions. Canadian courts have tended to apply jurisdiction over foreign owners of websites only in cases where the foreign owned websites are used to communicate and conduct commerce with Canadian residents.
Trademark infringements – beyond website content
When considering whether your website is at risk for trademark infringement you need to consider more than the content. For example, meta tags and links to other sites may lead to trademark infringement.
Meta tags provide information about the content of your website. They are codes (not visible to the user) that identify and describe the website content. The inclusion of another company’s trademarks in the meta tag is a trademark infringement.
Carefully consider how links are used on your website. For example, if the logo, trademark or descriptive text of the linked-to company is used, this may lead to trademark infringement.
The following are some measures that may be taken to protect trademarks on the Internet.
- Has the Internet been searched for the trademark you intend to use? It is wise to conduct this search before registering and using domain names.
- Have you considered using and registering your domain name as a trademark? This will help you support a claim of trademark rights if someone challenges your use of a particular trademark. Registrations should be made in as many common domains as possible (e.g. .com, .ca, .org, .net).
- Have you declared your trademark right on your websites? Have you declared your trademark rights in website use agreements? Any trademark use should use a trademark designation (e.g. TM or Registered Trademark).
- If you are using another business/person’s trademark, is it authorized by a trademark license? Similarly you should not allow others to use your trademark without a trademark license.
- Have you registered your domain names with local registrars? This will reduce the risk for infringing foreign trademarks.
- Do you (or your service provider) regularly search the Internet for unauthorized use of your domain name?
Domain names are the addresses of sites on the Internet. They can include key trademarks and can be valuable assets in terms of branding your business or product. The registration and use of website domain names are subject to trademark laws. You can opt to register your domain name as a trademark. Consult a lawyer if you think you might be infringing on another company’s trademark. Your domain name should not include the name of another company or product.
Domain names should be carefully selected so that you do not violate the trademark of another business. You can opt to have a web host select and register your domain name. If you wish to register a .ca domain name, you must do so through an accredited registrar. You can go to a domain registration site to check if your selected domain names are taken and also to register your domain name. Examples of accredited registrars where you can register a .ca domain name include:
You may wish to choose to buy more than one domain name to protect your brand and encourage more Internet users to visit your website (for example, you could use two domain names – one ending in .ca and the other ending in .com).
Legal considerations for selling online
Applicable laws and codes
The Electronic Commerce Act and the Ontario Consumer Protection Act have implications for selling online. In addition, the Canadian Code of Practice for Consumer Protection in Electronic Commerce identifies good business practices for businesses conducting commercial activities with consumers online. Review the following table for a brief description of each.
Applicable Legislation and Codes – Selling Online
|Where Can I Find It?|What is It About?|
|---|---|
|Ontario Electronic Commerce Act is available online at ontario.ca/laws|This Act sets rules dealing with issues including:|
|Ontario Consumer Protection Act. A Summary of Consumer Rights (applicable to online transactions) is available online. The Ontario Consumer Protection Act is available online at: ontario.ca/laws|The Act outlines consumers’ rights and supplier obligations. Under the Ontario Consumer Protection Act a key supplier obligation relates to the provision of specific and clear information about products and services. The Act specifies that consumers have the right to:|
|The Canadian Code of Practice for Consumer Protection in Electronic Commerce is available online from Industry Canada by searching the website: www.ic.gc.ca|The Canadian Code of Practice for Consumer Protection in Electronic Commerce was endorsed by federal, provincial and territorial Ministers responsible for consumer affairs in January 2004. The Code is intended to establish benchmarks for good business practices for merchants conducting commercial activities with consumers online. The Code contains information on the following|
Consumer Protection legislation applies to e-business as well as traditional forms of commerce. Most jurisdictions have legislation in place to protect consumers from unethical business practices. You should be aware of the rules if you are selling in other jurisdictions. If you are an Ontario based business, you should also be aware that the Consumer Protection Act applies to any on-line agreement you enter into with a consumer, whether or not that consumer is in Ontario.
Generally speaking, to meet consumer protection legal requirements with respect to electronic commerce, you should provide accurate information about the terms, conditions and costs associated with a transaction in order to help customers make an informed decision about whether to make a purchase.
When engaging in electronic commerce your website should include information with respect to the following:
- The full price, the currency, any shipping charges, taxes, customs duties, and any other charges.
- Accurate and clear information about the product or service.
- Terms and conditions.
- Methods for payment.
- Delivery terms, including timing, cost and method.
- Any geographic or time limitations imposed on the sale of the products or services.
- Terms of sale.
- Details of and conditions related to withdrawal, termination, return, exchange, cancellation or refund.
- For products, any warranties, guarantees, including any limitations and conditions.
- For services, any material standards, schedules, fees, or other offered terms, including limitations and conditions.
Consumer protection and online ordering process
"To comply with Canadian Internet consumer protection laws, Internet business-to-consumer suppliers should use a multi-step ordering process in which consumers click through: (a) an order verification screen that provides them with an opportunity to correct errors they may have made in the ordering process; and (b) a screen that presents all prescribed information regarding the proposed transaction and an opportunity to download and print the information before the transaction is completed." Source: http://www.blg.com/en/NewsAndPublications/Documents/publication49_EN.pdf
In general, online contracts should follow the same contractual principles as other types of contracts. Note that the rules and requirements with respect to online contracting vary across jurisdictions. You need to consider the regulations for online contracting in the jurisdiction you are selling in.
Contracts are simply agreements between parties creating obligations that the law will enforce. In order to create binding contracts in Ontario three primary elements must exist:
- The terms and conditions of the proposed contract (the offer) must be clearly and accurately presented;
- The party accepting the offer must unequivocally communicate that acceptance to the offering party; and
- The flow of consideration between the parties (monetary or otherwise) must occur.
Source: Percival, Creating Enforceable Contracts on the Net, (http://www.itlaw.com/ecommerce_law_update.htm).
Browsewrap and clickwrap contracts
A ‘browse-wrap’ contract typically occurs when a website user is directed via a hyperlink to a contract contained on a separate webpage. With this type of contract, the user is not required to click on an icon to indicate agreement to the terms and conditions.
In ‘clickwrap’ contracts, users click through one or more steps that form the contract. When the user clicks on a box on the screen a tick mark appears to indicate acceptance of the terms and conditions. The user would indicate his or her rejection by clicking cancel or closing the window. If you have ever installed new software you have likely used a ‘clickwrap’ contract.
Concerns have been expressed about the enforceability of ‘browse-wrap’ contracts because it can be unclear whether a user has positively agreed to the terms of the contract.
In a recent U.S. case, the court held that the consumer was not held to a mandatory arbitration clause in a ‘browsewrap’ contract… That arbitration clause was not upheld and the party was allowed to sue in court. Source: http://podcasts.mcgill.ca/tags/mini-law/intellectual-property
Managing risks associated with online contracting
With an electronic contract, it is more difficult for the user to show that they have accepted the terms and conditions of the contract. It is also more difficult to establish the identity of the person entering into the contract process.
A list for managing the risks associated with online contracting is presented below:
- Have you presented the terms and conditions clearly and accurately?
- Have you provided an accurate and clear description of the product or service?
- Does the electronic offer indicate how acceptance of the offer can be made?
- Does the offer state the circumstances, if any, in which the offer can be revoked?
- Does the purchase order include the terms and conditions?
- Have you taken reasonable steps to ensure that the consumer’s agreement to contract is fully informed and intentional? Consumers should be provided with a meaningful opportunity to correct or cancel the order before it is accepted and processed.
- If the order cannot be fulfilled in the agreed upon timeframe, do you promptly notify your customer?
- Have you considered the use of appropriate technology to reduce the risk of contract fraud? This includes passwords or personal identification numbers and certified and secure electronic signatures.
- If there is a contract in place for ongoing provision of goods and services, do you promptly notify customers of any changes? Do you provide customers with an opportunity to decline further provision of goods and services?
- Do you retain adequate electronic records of the contracting process?
Selling online in other jurisdictions
Your business is potentially subject to the laws of any jurisdiction in which you seek to sell your products or services. The rules for forming a contract can vary from one jurisdiction to another, and there may be special rules for online contracts. It is important to consider those requirements when deciding where to do business online and with whom. The following are some jurisdictional considerations to take into account when selling online.
- Does your website define the geographical area of your sales territory?
- Are you aware of the laws in the jurisdiction where you would like to sell? For example, in some jurisdictions where a credit card is used, the purchaser can deny the agreement because the credit card is not physically present at the time of the sale. This can result in more chargebacks. A chargeback occurs when the customer asks the credit card company to reverse the charges.
- Do you require an export license? The application of export rules is the same for exporting via the Internet. If you currently require an export permit to sell your product overseas, then you will need it to sell over the Internet to other countries.
- Are you aware of the rules for forming contracts online in the jurisdiction where you would like to sell?
- Have you obtained appropriate accounting, tax and legal advice?
Where can I go for information about exporting?
Visit the Government of Canada’s export website for more information about exporting: www.canadabusiness.ca/eng/105/165.
The issuance of Export Permits is administered by the Export Controls Division of International Trade Canada (ITC). Visit their Web site at http://www.dfait-maeci.gc.ca/eicb.
It is important that you know what taxes apply to various products and services you may be selling. In general, existing tax rules apply equally in an electronic environment. Obtain professional tax advice on which taxes apply to the product or service you are selling to ensure that you are meeting your legal obligations.
Where can I go for information about taxation?
For tax-related questions, you can contact either the Canada Revenue Agency: www.cra-arc.gc.ca/tx/bsnss/tpcs/cmm/menu-eng.html or the Ontario Ministry of Finance: www.rev.gov.on.ca/en
In Canada, provisions of the Criminal Code and the Competition Act, in addition to provincial consumer protection and business practices legislation and regulations, govern advertising. These laws also apply to Internet advertising. If you use Internet advertising on your website, you should clearly indicate in your privacy statement to customers which of their information you intend to share with advertising agencies.
In general these laws require that advertising be truthful, honest, fair and accurate. Under the Competition Act, it is a criminal offence to engage in certain kinds of misleading advertising and deceptive marketing practices. Online advertisements can be accessed by people all over the world. Your advertising therefore is subject to other jurisdictional laws. You may wish to seek legal advice regarding compliance with foreign laws.
Does your business send bulk e-mail (for commercial advertising purposes) to the United States?
The United States Federal Trade Commission CAN-SPAM Act governs unsolicited bulk e-mail as a form of commercial advertising. All commercial advertisements must be clearly identified as such early in the text of the message or within the subject line. The subject lines must not contain deceptive or misleading information. Ensure you are familiar with the details of this Act if you are sending bulk e-mail (for commercial advertising) to the United States.
Source: Federal Trade Commission
Canada’s anti-spam law
Canada’s new anti-spam law was passed in December 2010, and is set to come into force sometime in the near future. The new law regulates all commercial electronic communication and allows for the investigation of alleged violations of the law.
The legislation includes the following provisions:
- A business must obtain consent from a customer before sending commercial electronic messages to them. This includes messages sent to their email, social media accounts, and cell phone.
- In the message, the sender must identify themselves or the agency on whose behalf they are sending the message.
- All messages sent to recipients must have an unsubscribe function that takes effect immediately.
- False representation or misrepresentation is prohibited in the online promotions of products or services.
- The collection of electronic addresses through computer programs is prohibited.
Once the law comes into effect, a transition period will allow businesses to adjust their operations. For example, businesses will have three years where they can operate under the previous consent rules regarding their current customer lists.
Good internet advertising practices
To help you comply with existing legislation and regulations consider the following Internet practices:
- View your online advertisements from the viewpoint of an average consumer. Does the consumer have enough information to make an informed choice? Is the information clear? Is the information easy to find?
- When using disclosures, make sure they are clear and easy to find. (Disclosure may be required to prevent an ad from being misleading and to ensure that consumers receive sufficient information – e.g. about the terms of the transaction). You should also display disclosures prior to purchase.
- When using disclaimers, make sure they are clear and easy to find.
- Clearly identify the business associated with the product or service being advertised. The advertisements should not mislead consumers as to the type of organization or as to the purpose of the representations. The geographic origin of the advertiser should be clear.
Website development, hosting and website use agreements
Here are three primary considerations when entering into agreements with website developers and web hosts:
- Does your Website Development Agreement provide you with ownership of your website content and underlying software?
- Does your Website Hosting Agreement provide you with adequate rights and remedies regarding the performance of your website?
- Does your Website Use Agreement adequately protect your interests and has it been effectively implemented?
Website development agreement
A clear written agreement between the website developer and your business can help to avoid misunderstandings or disputes. Good agreements typically include:
- Specifications related to website design and development. They should clearly identify the following: (a) website design, content, and functionality; (b) development timeline; and (c) deliverables.
- Identification of the developer’s project team, including project manager and other personnel with assurances that they will be available to work as required for timely performance of the project. The agreement should include a clause that your approval is needed with regard to personnel changes, requiring that they also provide you with remedies if the required project team is not available. The agreement should also indicate whether the developer is allowed to hire subcontractors.
- Clear timelines for each phase of the project with milestones and deliverables.
- Total costs of the project and a breakdown of costs for each phase of the project, including the amounts payable upon the completion of each milestone.
- Identification of who is responsible for providing website content. The agreement should provide that if the developer obtains content from third parties, the developer must also obtain licences and waivers for you to use the content for the website. You should have absolute control over website content.
- The procedures to follow regarding your testing and acceptance of the website and the developer’s duty to make corrections.
- The developer’s responsibilities to correct any website defects discovered during a specified period of time after acceptance, the developer’s obligations regarding the deployment of the website on the host server, and the developer’s obligations regarding the future support and maintenance of the website.
- Any additional services (e.g., training, upgrades and additions to website content) required of the developer and the costs of those services.
- Clearly identify ownership and use rights of the website and its components.
- The developer may require that the agreement include liability disclaimers, exclusions and limitations that restrict the developer’s responsibility to compensate the owner for damage and loss resulting from the developer’s breach of the agreement.
- The agreement should specify termination rights and remedies and the consequences of termination.
- The agreement should indicate the manner, if any, in which the developer may use the website as a marketing tool, and whether the website will indicate the developer’s involvement in the site.
- The agreement should describe any restrictions on the developer’s ability to create a website for the owner’s competitors.
- The agreement should require the developer and its employees and subcontractors to keep confidential all information they obtain regarding the website and the owner’s business and customers. The agreement should require the developer to return to the owner at the conclusion of the project all documents and data obtained from the owner during the project.
Website hosting agreement
If you are contracting for website hosting your formal agreement should address some of the issues highlighted below.
- Service level: What amount of uptime does the agreement guarantee? Uptime is the time your website is working and accessible over the Internet. What guarantees are provided with respect to response time should there be problems?
- Maintenance and support: Are the levels and type of maintenance and customer support services clearly specified? Does the agreement specify how often the website will be backed up?
- User inquiries: If the agreement includes user support, does the agreement indicate how and within what timeframes the web host will respond to user inquiries?
- Website statistics: Does the agreement include requirements to maintain and deliver server logs (with information about website traffic, user information and other statistics required) on a regular basis?
- Data privacy: Does the agreement specify who has rights to the user data? Your business should maintain sole ownership of this information.
- Software, hardware, bandwidth: Does the agreement include details about the hardware and software requirements of the website? Are minimum requirements for bandwidth identified?
- Termination of Service: Does the agreement specify the conditions for termination of service? Does it specify the obligations of the Web host in the event of termination (e.g. handing over user information)?
In the near future, organizations will particularly be affected by Canada’s new anti-spam legislation. When this legislation comes into effect, businesses will be required to adapt their marketing and electronic communication strategies to abide by the new regulations. While the government is allowing for a lengthy transition period after the legislation comes into effect, you should consider planning for how your business is going to meet these new requirements.
Cyber attacks from malware, hacking, and phishing are on the rise. Businesses will need to take strong steps to ensure they have not only the practices and technology to prevent security breaches but also the ability to quickly detect when a security breach has taken place, how it happened, and what was stolen.
Even well-known businesses such as Sony experienced security breaches in 2011, resulting in millions of records being exposed.
The cyber security community warns that no business is immune from attack and that businesses should have prevention and detection strategies, as well as plans for dealing with the consequences of an attack. If your business runs a website that is connected to a database that contains any kind of private or valuable information, you are well advised to invest resources in securing the application.
At the same time, businesses should have plans in place to deal with the security risks posed by lost or stolen business mobile devices. For example, businesses can secure these devices through a tracking system or remote-wipe capabilities. The more prepared businesses are for the increasing reality that they will experience a security breach, the better positioned they are to minimize the damage.
Sources: http://www.informationweek.com/security/vulnerabilities/10-security-trends-to-watch-in-2012/232400392, www.michaelgeist.ca
Related topics covered in other booklets
This publication is part of an e-Business Toolkit which includes a series of booklets on advanced e-business topics and an introductory handbook How You Can Profit from E-Business. The entire Toolkit is available at ontario.ca/ebusiness.