Website Law

The web law blog

The effects of the new cookies laws

July 14th, 2011 by Katharine Byrne

On 26 May 2011, the rules about the use of cookies and similar technologies were changed. The change was prompted by amendments to the EU’s Privacy and Electronic Communications Directive. Although several weeks have passed since the change, few websites comply with the new law, and confusing guidance from the UK and EU data protection authorities has left website owners scratching their heads.

What the law says

The old rules on cookies said that you had to tell users what cookies were doing, why they were there, and how users could opt out of receiving them. The usual practice was to provide this information in a privacy policy.

The new rules (quoted in full at the end of this post) require that websites obtain a user’s consent before using cookies.

There is an exception to this new rule: if a cookie is strictly necessary for “the provision of an information society service requested by the subscriber or user”, then consent will not be needed before the cookie can be placed on the user’s computer. However, the Information Commissioner has indicated that this exception will be interpreted narrowly.

Methods of getting consent

One area of confusion concerns the question of consent. Widely discussed possibilities include the use of browser settings, the use of pop-ups, consent incorporated into T&Cs acceptance, and the approach taken by the Information Commissioner’s Office (the ICO).

Browser settings

The Directive and implementing Regulations appear to allow web businesses to rely upon browser settings, but both the UK and EU authorities have indicated that current web browsers do not effectively enable consent. There is a UK government-formed working group tasked with finding a technical solution to the consent issue. With industry leaders like Microsoft, Mozilla, Apple, Google, Yahoo and Adobe on board, the authorities appear to be hoping that the problem will be solved without further legislation.

However, if the position of the authorities is right, and current browser settings are insufficient, then taking into account the fact that many users continue to use outdated browsers (5% of this site’s visitors use IE6, released in 2001), browser settings may never be a complete answer.

Further, it’s not entirely clear what changes to browser settings would lead to compliance. More granularity may mean more confusion.

Pop-ups

The consent requirement could be implemented by means of a pop-up box that asks new users to consent to cookies. Some of the problems of this approach are obvious.

Most importantly, this type of feature will ruin the usability of the website: unless used very carefully, pop-ups are inherently offensive to most users. And how will the website remember users who have opted out (without using cookies)? Will they see the pop-up on every visit? Where many cookies are being used (as on most modern websites), how can users realistically differentiate between the cookies and their different functions? Will the average user even understand the reason for the opt-out procedure?

T&Cs

Where all users have to consent to website T&Cs, cookie consent can be incorporated into this process.

However, the demands of usability mean that sign-up processes should be kept to a minimum, and this option will only be a solution for a small number of websites (Facebook, anyone?).

The ICO approach

One approach is to follow in the footsteps of the ICO itself. If you visit www.ico.gov.uk, you will see a banner across the top of the page asking for cookie consent.

But look closer: the banner also highlights a key issue with the new law. Modern websites with interactive functionality don’t function properly without cookies. Given that many users (e.g. EU legislators and regulators) may not fully understand the importance of cookies, there is a risk that many users will refuse their use, without necessarily reading the explanatory text.

Another problem – the potential of the new law to make cookie-based analytics systems (such as Google Analytics) worthless – has been highlighted by researcher Vicky Brock. The results of her freedom of information request concerning ICO usage statistics after the implementation of the consent banner make very interesting reading.

No enforcement for 12 months

Unusually, the Information Commissioner has announced that these new laws will not actually be enforced for 12 months.

The purpose of this grace period is to enable website owners to review their use of cookies and to start thinking about how they will comply with the revised laws come May 2012. But the Information Commissioner has also stressed that he will not tolerate operators who ignore the changes or refuse to take action.

Reaction to the new laws

Few informed commentators have much praise for the new laws.

At the time of writing, almost no UK websites have made changes to comply (the ICO site is the only one I’ve come across that wasn’t in jest, although I haven’t systematically searched).

The fact is that many if not most UK websites using cookies didn’t comply with the old law, and it’s hard to believe that the level of compliance is going to increase significantly now that it is much harder to comply.

Any chance of new new laws?

Less than one third of EU countries have complied with the Privacy and Electronic Communications Directive to date, and the UK has said it won’t enforce the law for now. Surely policy makers realise that there is a serious problem with the new laws?

A more targeted (and perhaps less technology-neutral) approach may be necessary to deal with the real problem of data misuse. However, at the time of writing there is no sign of any plans to amend the Directive or Regulations.

***

Regulation 6 of the Privacy and Electronic Communications Regulations (as amended) is quoted below:

(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment– (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information— (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Category: Data Protection

Offer and acceptance online

July 8th, 2011 by Jola Hajri

There are three fundamental requirements for the formation of a legally enforceable contract, and they are as applicable online as offline.

  • First, the contracting parties must agree on the terms of the contract, through the issue and acceptance of a contractual offer.
  • Second, they must intend to create a legally binding agreement.
  • Third, the contract must be supported by consideration: an exchange of value.

This post is concerned with the first of these requirements, a familiar subject to all law students, and known simply as “offer and acceptance”.  It considers the online application of the traditional principles of offer and acceptance.

The basics are these.  An offer has been defined as an “expression of willingness to contract on specified terms, made with the intention that it is to become binding as soon as it is accepted by the person to whom it is addressed” (Treitel, The Law of Contract, 12th Edition, p9).  An offer must be sufficiently clear, certain and communicated to the offeree (the person to whom the offer is made). The acceptance from the offeree must be equally clear, unequivocal and in response to the offer.  And the acceptance must mirror the terms of the offer and be communicated to the offeror (the person making the offer).

Websites as advertisements

The general principle is that adverts or displays of products do not constitute an offer.  Instead, they are said to be “invitations to treat”.

An invitation to treat precedes an offer in the contract formation process; it is an invitation to make an offer.  By contrast, an offer is capable of binding the offeree if it is accepted.

Websites used to market products and services may be considered as analogous to offline advertisements.  Generally speaking, such websites will communicate an invitation to treat, not an offer.

Online ordering

Internet transactions typically require the completion of a web order form by the customer, followed at some point by the clicking of a “complete order” button or link.  Regulation 11 of the Electronic Commerce (EC Directive) Regulations 2002 requires online traders to acknowledge receipt of an order by electronic means. After the submission of an order, the customer will usually be taken automatically to a new web page confirming whether or not the order has been placed successfully.  A confirmation email may also be sent.

In the absence of any factors to the contrary, there is a risk that the contract may be formed once the confirmation page is displayed or the confirmation email is sent or received.

An online trader’s T&Cs of sale may distinguish a confirmation page or email from a contractual acceptance.  In these circumstances, the buyer’s order will typically be categorised as a contractual offer.  Accordingly, the trader will not be obliged to fulfil the order until after acceptance.

This approach recognises that an online trader’s stock will be limited, and also that a trader may wish to retain some discretion over the persons with whom he contracts.

The trader’s T&Cs should specify what acts will constitute the offer and the acceptance. For instance, in relation to the sale of goods, the T&Cs may specify that acceptance will only take place (and, consequently, a binding contract be formed) once the customer is notified that goods have been shipped.

However, a statement in the T&Cs may not be conclusive in all circumstances.

If the order process has been configured in such a way that a reasonable customer would consider that a contract of sale has been formed, then a statement to the contrary buried away in the T&Cs may not assist a seller trying to avoid a contract.

Manufacturer-suppliers need to take particular care here.  In some circumstances an “advertisement” from a supplier who is also a manufacturer may amount to an offer.  Accordingly, sellers who are also manufacturers should be particularly careful to make it clear on their websites and in their T&Cs that the “advertisement” of products is merely an invitation to treat.

An example: £2.99 televisions

In 1999 Argos accidentally advertised Sony televisions for sale on its website at £2.99 instead of £299.99.  Subsequently, orders were placed and confirmed by Argos at the £2.99 price. However, since a website is generally construed as an invitation to treat, no binding contract had arisen between Argos and customers whose orders had not been expressly accepted.

Incorporation of T&Cs into contract

To be effective, a website’s T&Cs of sale must be agreed by both parties and incorporated into the contract. The T&Cs should be available to the customer before the placing of an order.

The usual way to ensure that T&Cs are incorporated into an online contract is to prevent the submission of an online order form unless the customer has positively indicated acceptance of the T&Cs, for example by clicking on an ‘agree’ button.  T&Cs assented to in this way will usually bind the customer.

Less explicit forms of consent may sometimes be sufficient.  A statement proximate to an “order” button that the sale is subject to the online trader’s T&Cs, posted on another webpage and accessible through a hyperlink, may amount to sufficient notice.

T&Cs governing website use

The use of websites by casual visitors is (for usability reasons) not usually made subject to active acceptance of the website’s T&Cs.

Usually such T&Cs will provide that they are accepted by virtue of the visitor’s use of the website.

Whether they actually create a binding contract will depend upon the specific circumstances, but in many circumstances there will be no contract.  This does not mean that such T&Cs have no value: they may act as valid licences, and the disclaimers of liability they contain may still be enforceable.  Of course, to serve these functions the T&Cs must still be brought to the attention of the users.

Conclusions

There is no difference of principle between the process of offer and acceptance online and the process offline.

The main practical points to take away from this post are these:

  • traders should take care to ensure that they are not prematurely bound by contract;
  • to avoid being prematurely bound, traders should specify the acts that constitute the offer and acceptance in their T&Cs, and ensure that those T&Cs are properly brought to the attention of users and accepted by customers;
  • traders should also ensure that the structure of their checkout process (usually dictated by shopping cart software) and statements on their websites generally do not imply that a contract is formed before time; and
  • where particular caution is needed (e.g. because a seller is also a manufacturer) then a clear and unambiguous statement that the advertisement of products on the website does not constitute a contractual offer should be included on the website.

Category: Contract Law

Website accessibility and the Equality Act 2010

June 23rd, 2011 by Alex Hayes

Discrimination against people with disabilities is prohibited by law, but website owners often don’t realise how the law affects websites.

A 2005 study found that as many as 97% of European public service websites failed to provide a minimum level of accessibility. There are few reasons to think that commercial websites are more accessible than governmental websites.

Web designers, developers and operators clearly need to be more conscious of accessibility issues. Even if operators are not deliberately excluding disabled users, they could find themselves on the wrong side of the law.

This post gives a brief overview of the Equality Act 2010, its application to websites, the obligations it places on their owners, and the practical steps that may be taken to improve accessibility.

The Equality Act 2010

Since 2 December 1996 (when the Disability Discrimination Act 1995 came into force) website owners have been obliged to ensure that their websites are accessible to users with disabilities. After over a decade in force, the DDA’s requirements were merged into the Equality Act 2010.  The 2010 Act was intended to bring clarity to the diversity of previously-extant discrimination legislation. Despite the goal of clarity, the new legislation can be more confusing than the old.

Section 29(1) of the 2010 Act says that:

A person … concerned with the provision of a service to the public or a section of the public (for payment or not) must not discriminate against a person requiring the service by not providing the person with the service.

Accordingly, neglecting to provide a service to a disabled person that is normally provided to other persons is unlawful discrimination. This applies to commercial web services as much as to traditional services.

Applying the law: an example

Examples of website design issues that are affected by this law abound.

For instance, many visually impaired visitors use speech synthesizer software to read the text in the HTML code of web pages and translate it into audible speech. However, many websites include images that contain text as part of the pre-rendered picture file. These may be unreadable by the software.

If the text is not embedded in the image properties (using an alt tag) or alternatively available in text somewhere on the website, this could render the content inaccessible to visually impaired users, and could therefore be discriminatory for the purposes of the 2010 Act.

Reasonable adjustments

Sections 20 and 29(7) of the Equality Act create and elaborate a duty for service providers to make “reasonable adjustments” to enable disabled persons to access their services.

Section 20(6) says that with respect to services relating to the provision of information:

the steps which it is reasonable for [an information service provider] to have to take include steps for ensuring that in the circumstances concerned the information is provided in an accessible format.

The Equality and Human Rights Commission’s Code of Practice concerning the application of the Act notes that this is an ongoing and evolving duty that should be continually reviewed rather than simply considered once (7.27), and one that should be anticipatory and shouldn’t wait for the disabled user to want to make use of the site (7.21).

Hosting company plug-pulling

A particular concern for site operators (and web hosts) is that the legislation provides for hosting service providers to pull the plug on inaccessible websites.

In provisions similar to those in Regulation 19 of the Ecommerce Regulations, Schedule 25 states that hosting providers will be exempt from liability under the Equality Act in relation to discriminatory material they host if they have no actual knowledge of its discriminatory nature, and they “expeditiously remove” it upon becoming aware of its nature. This presents the possibility of a complainant avoiding court altogether by approaching the hosting company.

Cases involving disability discrimination and websites

Before the Equality Act, there were two widely publicised prospective legal actions against companies on the grounds of discrimination against disabled users arising from their website’s inaccessibility. The Royal National Institute of Blind People had intended to pursue the actions, but the (anonymous) companies in question made the requisite changes to their website design before the matter was brought before a court.

Though a similar case that did come before a tribunal found that an online exam was non-compliant and discriminatory against a blind candidate, the application of the law to commercial websites is largely untested, and it is difficult to predict exactly how high the bar of reasonableness will be set by the courts.

Practical steps

The World Wide Web Consortium (W3C), the international organisation concerned with providing standards for the web, publishes guidelines which are a good indicator of what the court would reasonably expect website owners and businesses to follow to ensure that websites are as accessible as possible and in line with the Equality Act.

At the most basic (“priority 1”) level of compliance, these include suggestions such as:

  • Providing text to accompany non-text elements (such as pictures or graphical buttons for navigating).
  • Organising documents so that they read in a sensible order without the need for the accompanying style sheets.
  • Making sure all information conveyed through coloured content can be inferred or is available without colour.
  • Clearly and simply labelling the website’s content.
  • Clearly delineating changes in the natural text of the document to other content, such as captions.

Compliance with both the priority 1 and 2 checklists is recommended. The priority 2 checklist includes:

  • Ensuring the foreground and background colours have sufficient contrast for those who struggle with differentiating colours.
  • Using an appropriate markup language rather than images to convey information.
  • Using header elements to convey structure.
  • Using style sheets to control the layout and presentation.
  • Clearly identifying the target of each link.
  • Providing further information about layout (e.g. a sitemap).
  • Using navigation mechanisms in a consistent manner.
  • Providing metadata to add semantic information to web pages.
  • Dividing large blocks of information into more manageable blocks when possible.

The W3C guidelines have been adopted as the benchmark test in Australia, following the case of Maguire v SOCOG (2000), which concerned a website for the Olympic Games not being adequately useable by visually impaired people. The RNIB offer free accessibility tips to aid with the technical design of your website, with the World Wide Web Consortium standards in mind.

The British Standards Institution provides a comprehensive and non-technical code of practice on web accessibility aimed at helping businesses achieve wider digital inclusion when commissioning or designing a website, with the requirements of the Equality Act 2010 in mind.

Commercially, many organisations offer web accessibility audits, which can assess the accessibility of a website and give detailed feedback on what changes could be incorporated to achieve greater accessibility.

Engaging with disabled users, for instance through online surveys and feedback systems, is another excellent way of flagging potential accessibility problems.

Accessibility should be addressed at the web design stage, because many fundamental design decisions have an impact on accessibility; but as the EHRC Code of Practice requires, the duty does not end there: many types of change to a website could have accessibility implications.

Although it is not a common basis for legal action, website accessibility is important, both from the perspective of legal compliance and because a more accessible website is a website with a greater potential user-base.

Category: Internet Law