Website Law

The first principle of data protection law is that personal data must be processed fairly and lawfully, and that one or more specified conditions must be met.

Perhaps the most important of those conditions affecting the collection and use of personal data via websites is:

“The data subject has given his consent to the processing.“  (Data Protection Act 1998, Schedule 2, paragraph 2)

This raises the question of when a child can be taken to have consented to the processing of his or her personal data.

The DPA 1998 does not itself explicitly deal with the issue of obtaining consent from children.  However, the Information Commissioner has written:

“Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair. You should recognise that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding. The language of the explanation should be clear and appropriate to the age group the website is aimed at. If you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision”  (The Data Protection Good Practice Note: Collecting personal information using websites).

So, privacy policies should be extra-prominent and extra-clear.  A very young child may never be able to give adequate consent; whereas, an older child may be able to give adequate consent in many different circumstances.  The Information does go on to refer to a particular age threshold:

“The Act does not state a precise age at which a child can act in their own right. It depends on the capacity of the child and how complicated the proposition being put to them is. As a general rule, we consider the standard adopted by Trust UK (www.trustuk.org.uk) to be reasonable:  ‘TrustUK approved webtraders recognise children need to be treated differently from adults. They will not market their products in any way that exploits children, nor will they collect information from children under 12 without first obtaining the permission of a parent or guardian. They will not collect personal data about adults from children.‘”

There are particular pitfalls for the operators of social networking websites, other websites which publish user generated content, and websites that collect information that is passed on to third parties:

“There are certain practices that are likely to breach the Act, for example, collecting information about other people from children, and enticing children to reveal information to win a prize or similar. If you are going to disclose or transfer personal information collected from children to third parties, you need to have the explicit and verifiable consent of the child’s parent or guardian, unless you can be sure that the child really appreciates what is going on and the consequences of their actions.

If you want to publish a child’s personal information on the internet, you should usually get the verifiable consent of the child’s parent or guardian. Whether you need the parents’ or guardians’ consent for the publication, or that of the child, will depend on the circumstances, in particular, the child’s age and whether you can be sure the child fully understands the implications of making their information available on the internet.”

An obvious question arises: how can parental consent be verified?  The Commissioner states:

“If you need parental consent, you must have some way of verifying this. It will not usually be enough to ask children to confirm their parents have agreed by using a mouse click. If you need parental consent but decide that verifying the consent will involve disproportionate effort, you should not carry out your proposed activity.”

There are a wide range of methods which may be used to verify parental consent, some of which are stronger than others.  For example, you might ask for a nominal credit card payment to be made before the child can access the relevant functionality, or you might telephone parents to verify consent.

Note: there are is a dedicated US law concerning the online collection of children’s personal data.  The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to commercial websites that are directed at children under 13 or, even if not so directed, knowingly collect information from children under the age of 13.  The most far-reaching provision of COPPA requires that such websites must, before collecting, using or disclosing personal information from a child, obtain verifiable consent from the child’s parent.  This is why many US-orientated websites prohibit children under 13 from registering and using the website.

Many contracts, and the vast majority of professionally-drafted contracts, contain what is known as a “choice of law” clause. Choice of law clauses specify the law that will be used to interpret the contract.

Choice of law clauses and choice of jurisdiction clauses (sometimes called choice of forum clauses) must be distinguished. Whilst choice of law clauses relate to the law that will be used to interpret a contract, choice of jurisdiction clauses specify the courts (or other decision making bodies) that will resolve disputes arising under the contract. For example, a contract could specify that it should be interpreted in accordance with English law, whilst at the same time granting exclusive jurisdiction to the courts of Germany to resolve disputes arising under the contract.

Like many other kinds of contractual clause, choice of law clauses are subject to a certain amount of judicial interference.

This note focuses upon the ways in which the English courts will interfere with choice of law clauses.

Some types of law will regulate contractual relations before the English courts irrespective of an express choice of law. For example, the following pieces of legislation may apply in whole or part to contracts which relate to England and Wales but which expressly choose another governing law:

• Competition Act 1998
• Unfair Contracts Terms Act 1977
• Unfair Terms in Consumer Contracts Regulations 1999

The ways in which the English courts will interfere with a choice of law clause depend to an extent upon whether the contract is a consumer contract. For example, the Unfair Contract Terms Act 1977 (UCTA) will apply to contracts that are not governed by English law where it appears to the court that the choice of law clause has been used for the purpose of avoiding the effects of UCTA, or where one of the parties is a UK consumer who took the steps necessary to enter into the contract in the UK. Note, however, that the UCTA rules on excluding and limiting liability do not apply to international supply (of goods) contracts.

National consumer protection measures may also apply more generally by virtue of the Rome Convention (which has been incorporated into English law via the Contracts (Applicable Law) Act 1990). Article 5(2) of the Convention provides:

“a choice of law made by the parties shall not have the result of depriving the consumer of the protection afforded to him by the mandatory rules of the law of the country in which he has his habitual residence:

- if in that country the conclusion of the contract was preceded by a specific invitation addressed to him or by advertising, and he had taken in that country all the steps necessary on his part for the conclusion of the contract, or

- if the other party or his agent received the consumer’s order in that country, or

- if the contract is for the sale of goods and the consumer travelled from that country to another country and there gave his order, provided that the consumer’s journey was arranged by the seller for the purpose of inducing the consumer to buy.”

Where there is no express choice of law in a contract, the courts may still determine that there has been an implied choice of law if the circumstances warrant such a finding. For example, where a contract contains a choice of jurisdiction clause but no choice of law clause, then the law of the chosen jurisdiction may be deemed to apply. References to other national laws in a contract may also have an effect.

Where the courts are unable to identify and express or implied choice of law, the usual rule is that the governing law will be that law that is most closely connected to the contract. Article 4(2) of the Rome Convention provides:

“… it shall be presumed that the contract is most closely connected with the country where the party who is to effect the performance which is characteristic of the contract has, at the time of conclusion of the contract, his habitual residence, or, in the case of a body corporate or unincorporate, its central administration. However, if the contract is entered into in the course of that party’s trade or profession, that country shall be the country in which the principal place of business is situated or, where under the terms of the contract the performance is to be effected through a place of business other than the principal place of business, the country in which that other place of business is situated.”

Note, however, that there are a number of exceptions to this general rule.

The preponderance of the laws that regulate commercial conduct online are the same laws that regulate commercial conduct offline: contract law, the law of torts, commercial law, consumer law,  intellectual property law, and so on.

If you know a little (or a lot) about publishing law, you know a little (or a lot) about digital publishing law.

But doing business on the internet involves added complexity and added uncertainty.   Added complexity, because a new layer of laws veils the legal backcloth.  Added uncertainty, because the new and evolving technologies may not yet have been digested by the system of legal precedent - and by the time a recognisable body of jurisprudence about a technology has emerged, the technology may be obsolescent.

Complexity, uncertainty and evolution are three causes of widespread non-compliance with the law.

The extent of non-compliance should not be underestimated.  For example, the E-commerce Regulations demand, with the inevitable exceptions, that e-retailers must make available to their customers “appropriate, effective and accessible technical means” allowing the customer to identify and correct input errors before placing an order.  This may be dealt with by means of a “confirm your order” page: but anyone with a passing familiarity with online shopping will know that as often as not there is no pre-order correction procedure.

Some fairly common internet practices are outlawed. For instance, many websites will send marketing emails to users who do not opt-out – when in some cases they should only be sending the emails to users who opt-in.

One reason why online compliance is particularly important is that anyone can conduct an impromptu audit of your website – and potentially find you wanting.  This can be embarrassing.

For example, whilst writing this I visited the website of one of the most prestigious law firms in the world.   Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, a person using a website that serves cookies should, amongst other things, be “provided with clear and comprehensive information” about the cookies.  (Cookies are sent by a web server to a web browser and then sent back to the server each time the browser accesses that server, enabling the server to recognise and track the browser.)

The law firm website uses site-wide session cookies and instructs Google to serve four persistent Google Analytics cookies to the user.  But the legal notice on the firm’s website says that the website doesn’t use cookies, other than session cookies in one particular part of the website.

I doubt whether the firm in question would welcome publicity about this kind of (albeit technical) non-compliance.

But there is more than just embarrassment at stake if you fail to comply with the laws relating to digital publishing.  Contracts of sale that can be rescinded at the option of your customers; Trading Standards investigations and prosecutions; investigations and adverse decisions of the Information Commissioner; and civil claims by customers: the risks are varied, and non-compliance can be expensive.

Because of regular changes in the law relating to the internet and the technologies from which it is built, digital publishers should ensure not only that they have the expertise to identify the issues, but that they regularly update that expertise and regularly audit their compliance.