Article - New Ecommerce best practice model (June 2000)
In May the Government launched a new set of Ecommerce guidelines, with the long title ‘Building Consumer Sovereignty in Electronic Commerce: A ‘best practice model for business’ (hereafter referred to as the Model). The Model is the result of an initiative by the Consumer Affairs Division (part of Treasury) to improve consumer confidence in electronic commerce.
Following the adoption by the OECD of a similar set of principles earlier in the year, the Government made a commitment to implement the OECD principles in Australia. A small working party was established to develop a model code of conduct for Australian business. Somewhere along the way the term ‘code’ was removed, but the general intention remains the same - to provide guidance on how best to provide consumer protection in electronic commerce.
The resulting Model is a voluntary set of guidelines that a business or industry association might adapt as its core set of values or standards. Alternatively, consumers might choose to compare business practice with the standards when making purchase decisions or comparing online businesses. There is no built in complaints or enforcement mechanism in the Model.
The voluntary nature of the guidelines raises questions about how they hope to improve consumer confidence in electronic commerce. Ideally the guidelines will be adopted by industry associations which will then add complaints and enforcement mechanisms - this might happen through broad sectoral codes such as the proposed Internet Industry Association Code of Conduct or through the review of existing industry specific codes such as the Banking Code of Practice.
An initial problem with this structure is that the Government and other promoters of the Model have shown a tendency to oversell the Model and exaggerate its immediate benefits. The Minister for Financial Services and Regulation issued a media release headed ‘WORLD-CLASS INTERNET CODE OF CONDUCT ‘ which stated that he was unveiling a ‘world-class code of conduct for Australian businesses operating over the Internet.’
Obviously the Model is not a code of conduct, and Australia still has no established code of conduct for businesses operating on the Internet. These misleading statements tend to distract from the content of the guidelines set out in the model.
The guidelines provide comprehensive coverage of important online consumer issues, like identification, completion of transactions and the use of personal information.
The guidelines also go a step further, providing a new layer of consumer protection from unsolicited commercial emails (spam). The Model states that businesses should not send commercial e-mail except to people with whom they have an existing relationship or to people who have already said they want to receive commercial e-mail. Further, businesses should have simple procedures so that consumers can let them know they do not want to receive commercial e-mail.
This conditional ‘opt-in’ provision for spam tackles one of the most contentious issues in electronic commerce, and provides a contrasting approach to the ‘opt-out’ provisions established in some industry codes of conduct, including the Australian Direct Marketing Association Code of Conduct.
The Model also provides useful guidance on access and disability issues, which are looming as a major legal issue for electronic commerce in Australia.
The guidelines in the Model must be regarded as positive - they establish a new level of certainty and confidence for consumers of electronic commerce, and they set out in one location the major best practice requirements for business. However, the Government and others must take care not to mislead consumers about the status of the Model - it is a voluntary set of guidelines with no complaints or enforcement procedures. It should nit be described as a code and no reliance can be placed on the Model until it is implemented through effective industry codes of conduct.
Finally, the model attempts to tackle one of the most difficult online legal issues - jurisdiction. The Model does not require a business to specify an applicable law. However it does requires businesses to set out clearly which law will apply if one is specified, including a requirement to ‘conspicuously state that information at the earliest possible stage of the consumer’s interaction with the business’.
The Model encourages businesses to specify Australian law as the applicable law, but it is not a firm requirement.
The Model is available at: http://www.ecommerce.treasury.gov.au/html/build.htm.
1. Electronic commerce has the potential to substantially benefit business and consumers. This Best Practice Model provides guidance to businesses and enhances Consumer Sovereignty by giving consumers information on what businesses should do when dealing with consumers over the Internet. The Best Practice Model aims to set out best practice for business.
2. Consumer Sovereignty recognises the capacity of most people to make decisions about their own well-being. It involves four key elements - protection, information, choice and redress. The Best Practice Model aims to increase consumer confidence in business to consumer (‘B2C’) electronic commerce.
3. The Best Practice Model provides guidance to industry and consumers on the elements of an effective self-regulatory framework. Adoption of the Model will help to ensure that consumers are adequately protected and have confidence in making online transactions. Ideally, the Best Practice Model will be adopted by relevant industry associations and their members as part of existing codes of practice as well as by individual businesses.
4. The Best Practice Model is being developed for traders located in Australia dealing with both Australian and overseas consumers. Traders located outside Australia who are dealing with Australian consumers are also encouraged to adopt this Best Practice Model.
5. There are initiatives underway to educate consumers on the benefits of electronic commerce and let them know what they should do to ensure they are protected in the online environment.
6. The adoption of the Best Practice Model will contribute to ensuring that consumers have effective protection and confidence in making online transactions.
6.1 Effective industry self-regulation, including this Best Practice Model, is the preferred way to achieve the Government’s objective of developing Australia as a centre of excellence in Consumer Sovereignty and electronic commerce.
6.2 In accordance with the general principle of functional equivalence, consumers’ protection online should be no less than their protection in the offline environment. As such, the Best Practice Model addresses areas where the online environment’s special characteristics necessitate business practices different to those in the offline world. These include: the distance between the business and the consumer; the speed transactions can be completed online; the need for authentication; and information collection practices.
8. References to the singular include references to the plural and vice versa.
9. In this Model:
‘authentication mechanisms’ means tools and techniques for establishing the validity of a claimed identity of a user, device or another entity;
‘B2B’ means business to business electronic commerce;
‘B2C’ means business to consumer electronic commerce;
‘business’ means a legal entity, including a government body, acting in a commercial or professional capacity that supplies goods or services to consumers;
‘commercial e-mail’ means advertising or promotional emails, excluding emails relating to a contractual, operational or other service-related customer notice;
‘consumer’ means a natural person;
‘electronic commerce’ means commercial activities carried out through electronic networks including the promotion, marketing, supply, order or delivery of goods or services; and
10. The Best Practice Model applies to B2C electronic commerce. However, businesses are encouraged to adopt the Best Practice Model when engaging in B2B electronic commerce.
12. The Model’s objective is to guide businesses on:
12.1 fair business practices;
12.2 advertising and marketing;
12.3 disclosure of a business’s identity and location;
12.4 disclosure of a contract’s terms and conditions;
12.5 the implementation of mechanisms for concluding contracts;
12.6 the establishment of fair and effective procedures for handling complaints and resolving disputes;
12.7 adopting privacy principles;
12.8 using and disclosing information about payment, security and authentication mechanisms; and
Adoption of the Model
13. Any business or industry association engaging in B2C electronic commerce is encouraged to adopt the Best Practice Model.
14. Any industry association adopting the Model should notify the Department of Treasury by email to: [email protected]
or by mail to:
The General Manager
Existing Laws and Regulation
15. The Best Practice Model is not a replacement for other consumer protection laws or codes of conduct. Complying with the Best Practice Model does not exempt a business from compliance with obligations under such laws or codes.
16. Every effort has been made to avoid inconsistencies with existing laws. However, if there is an inconsistency, the law has precedence over the Best Practice Model.
17. Some parts of the Best Practice Model are legal requirements. Businesses should not rely on the Best Practice Model as a definitive statement of these requirements. Also, not all legal requirements relevant to electronic commerce are contained in the Best Practice Model.
Fair Business Practices
18.Businesses should adopt fair business practices when engaging in B2C electronic commerce.
19. In particular, the Trade Practices Act 1974, the Australian Securities and Investments Commission Act 1989 (in relation to financial services) and State and Territory Fair Trading legislation require that businesses:
19.1 not engage in conduct that is misleading or deceptive or is likely to mislead or deceive;
19.2 not make false or misleading representations about the goods or services they supply;
19.3 not engage in unconscionable conduct;
19.4 make sure that the goods supplied correspond with the description of the goods;
19.5 ensure that the goods supplied are of merchantable quality and fit for any purpose made known to the supplier by the consumer; and
19.6 ensure that services supplied:
19.6.1 will be rendered with due care and skill;
19.6.2 be reasonably fit for any purpose specified; and
20. Businesses should ensure that the electronic delivery of goods or services can be achieved without specialised software or hardware, unless the requirement for such specialised software or hardware is made clear to the consumer beforehand.
21. In accordance with the Disability Discrimination Act 1992, businesses have to make reasonable adjustment in the provision of goods and services to ensure that they are accessible to people with a disability.
Advertising and Marketing
22. Businesses should:
22.1 make sure advertising material is clearly identifiable and can be distinguished from other content, such as editorial comment, terms and conditions and independent product reviews;
22.2 make sure the business is identifiable from the advertising; and
22.3 be able to back up their advertising or marketing claims.
23.For commercial e-mail:
23.1 Businesses should not send commercial e-mail except:
23.1.1 to people with whom they have an existing relationship; or
23.1.2 to people who have already said they want to receive commercial e-mail; and
Engaging with Minors
24. Businesses should take special care in advertising or marketing that is targeted to children. This is because children may not understand the information with which they are presented.
25. When interacting with children, businesses should get consent from the child’s parent or guardian.
26. Before a business requests personal information from a consumer:
26.1 the business should take reasonable steps to establish whether the consumer is under 16 years; and
26.2 unless the business thinks the consumer is over 16 years, they should get the consent of the consumers’ parent.
Information - Identification of the Business
27. Businesses should provide consumers with accurate, and easily accessible information that allows:
27.1 identification - of the business involved in a particular transaction;
27.2 prompt, easy and effective communication with the business regarding any electronic transaction; and
27.3 service of legal documents.
28. This information (in 27) should include the following:
28.1 the name under which the business trades;
28.2 the physical address of the business and its registration address;
28.3 e-mail address, telephone and other contact information;
28.4 any relevant statutory registration or licence numbers, including the Australian Business Number and/or the Australian Company Number; and
28.5 contact details, an easy method of identifying the membership of and accessing the relevant codes of practice of any relevant self-regulatory scheme, business association, dispute resolution organisation or other certification body. This could be by displaying the logo of the industry association and giving an Internet link to the association’s website.
Information - Contractual
29. Businesses engaged in e-commerce should provide enough information about the terms, conditions and costs of a transaction to enable consumers to make informed decisions.
30. This information should be clear, accurate and easily accessible. It should be provided in a way that gives consumers an adequate opportunity for review before entering into the transaction and to retain a record of the transaction.
31. Businesses should provide all information online which they are required to provide offline either by law or by any relevant code of practice to which they subscribe. Where there is a legislative or other mandatory regime for disclosing contractual information, compliance with that regime is sufficient to meet the Best Practice Model obligations.
32. All information referring to costs should indicate the applicable currency, including guidance on how to get information on exchange rates, or a link to a site where such information may be found.
33. Information about terms and conditions should be clearly identified and distinguished from advertising material.
34. Businesses should give consumers a clear and complete text of the transaction’s terms and conditions. This information should be clear enough so that the consumer can access and retain a record of that information, for example, by printing or electronic record.
35. Where applicable, the information should include the following:
35.1.1 an itemisation of total costs to the consumer collected by the business; or
35.1.2 where the total cost of a transaction cannot be worked out in advance, a statement that a total cost cannot be provided and a description of the method that will be used to calculate it, including any recurrent costs and the methods used to calculate them; and
35.2 notice about the existence of other costs that are not collected by the business. This may include delivery, postage, handling and insurance and where it would be reasonably known to the business, taxes and duties; and
35.3 notice of ongoing costs, fees and charges and methods of notification for changes to those costs, fees and charges; and
35.4 if limited, the period for which the offer is valid, including time zone information where relevant; and
35.5 any restrictions, limitations or conditions of purchase, such as geographic limitations or parental/guardian approval requirements for minors; and
35.6 details of payments options; and
35.7 terms of delivery; and
35.8 mandatory safety and health care warnings that a consumer would get at any physical point of sale; and
35.9 conditions about termination, return, exchange, cancellation and refunds; and
35.10 details about any cooling-off period or right of withdrawal; and
35.11 any conditions about contract renewal or extension; and
35.12 details of any explicit warranty provisions; and
Conclusion of Contract
36. Where appropriate, prior to the conclusion of the contract, businesses should give consumers the opportunity to let them know the purpose for which they require the product or service or the result they wish to achieve.
37. Businesses should put in place procedures that let consumers:
37.1 review and accept or reject the terms and conditions of the contract;
37.2 identify and correct any errors; and
37.3 confirm and accept or reject the offer.
39. Businesses should respect consumers’ privacy when dealing with personal information. As a minimum they must comply with the benchmark standards for handling personal information set out in the Privacy Commissioner’s National Principles for the Fair Handling of Personal Information. The National Principles set out standards in relation to:
39.1 collection of personal information;
39.2 use and disclosure of personal information;
39.3 data quality;
39.4 data security;
39.5 openness about management of personal information;
39.6 access and correction;
39.7 use of identifiers;
39.8 anonymity when entering transactions;
39.9 onward transfers of personal information; and
39.10 highly sensitive personal information.
41. Businesses should provide to consumers payment mechanisms that are easy to use and offer security that is appropriate for the transaction. The payment mechanism should also be appropriate to the method of payment and the confidentiality of payment mechanism information provided.
42. Businesses should ensure that consumers have access to information on:
42.1 ways of making payments;
42.2 the security of those payment methods in clear, simple language. This will help consumers judge the risk in relying on those methods; and
42.3 how to best use those methods.
Security and Authentication
44. Businesses should:
44.1 make sure consumers have access to information about the security and authentication mechanisms the business uses in clear, simple language which helps consumers assess the risk in relying on those systems;
44.2 provide security appropriate for protecting consumers’ personal and payment information;
44.3 provide security appropriate for identification and authentication mechanisms to be used by consumers;
44.4 discourage consumers from giving confidential information in a way that is considered insecure;
44.5 update their security and authentication mechanisms over time to make sure the security offered is maintained, at an appropriate level; and
44.6 not try to contract out of their responsibility for losses arising from the misuse or failure of authentication mechanisms.
Internal Complaint Handling
45. Businesses should set up internal procedures to handle consumer complaints:
45.1 within a reasonable time;
45.2 in a reasonable way;
45.3 free of charge to the consumer; and
45.4 without prejudicing the rights of the consumer to seek legal redress.
Businesses should provide consumers with clear and easily accessible information about complaints handling procedures.
If a consumer is unhappy with the outcome of the complaint handling mechanism, the business should provide the consumer with information about any external dispute resolution bodies, to which it subscribes, or any relevant government body, such as a Fair Trading Agency.
External Dispute Resolution
48. Businesses should provide consumers with clear and easily accessible information on any independent customer dispute resolution mechanism to which the business subscribes.
49. This independent method of dispute resolution should be:
49.6 effective; and
Applicable Law and Forum
50. Where a business specifies an applicable law or jurisdiction to govern any contractual disputes or a jurisdiction or forum where disputes must be determined, it should clearly and conspicuously state that information at the earliest possible stage of the consumer’s interaction with the business.
A business located in Australia that enters into a contract with a consumer whom the business believes is resident in Australia - for instance, because of the consumer’s address - should spell out which Australian jurisdiction’s law is the governing law of that contract. It should also make clear that any contractual disputes will be heard by Australian courts and tribunals.
Any business adopting the Best Practice Model outside the membership of an industry association should set up an internal reporting and review mechanism to make sure the Model is implemented effectively.
Any industry association adopting the Best Practice Model may set up a new code administration mechanism or may use an existing body to administer the Model. This body should include an independent chair and equal numbers of industry and consumer/community representatives and would:
53.1 monitor and report on compliance with the code;
53.2 obtain adequate resources from members for the administration of the code as well as prepare budgets and financial reports;
53.3 publicise the code to members and consumers;
53.4 implement a system of sanctions for breaches of the code;
53.5 arrange periodic independent review of the code and the operations of its administering body and publicly report on the review’s findings; and
Review of the Best Practice Model
54. This Best Practice Model will be formally reviewed after one year and after that, every three years. The Model may also be modified between reviews. Businesses and industry groups that adopt the Best Practice Model should promptly incorporate changes to the Model within their own industry code.
1. Advertising and Marketing. Clauses 22 to 23. At the time of finalising the Best Practice Model, the Privacy Amendment (Private Sector) Bill 2000 included the following provisions in relation to direct marketing:
An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
2. Information - contractual. Some, but not all of the list at clause 35 will be required for all products. Businesses are expected to ensure that the product information provided is consistent with their offline obligations. Examples of obligations include the Uniform Consumer Credit Code and the Trade Practices Act 1974.
3. Privacy. Clause 39 defers to the National Privacy Principles and businesses are encouraged to develop privacy practices based on the principles pending the enactment of the Privacy Amendment (Private Sector) Bill 2000. Further information on this Bill is available from http://www.law.gov.au.
4. Privacy. Further information on privacy is available in the publication: The Guidelines for Federal and ACT Government World Wide Websites at http://www.privacy.gov.au.
5. Payment, Security and Authentication. Clauses 41 to 44. It is not intended that financial institutions or other bodies providing payment, security and authentication services to businesses be parties to general industry codes based on the Best Practice Model but that there should be a requirement on the business itself to ensure that provisions in these clauses are complied with either directly by them or by third parties whose services they use.
6. Internal Complaint Handling. Clauses 45 to 47. There are a number of resources available in relation to this topic, including AS4269, the Australian Standard on Complaint Handling. The Standard is produced by the private organisation, Standards Australia and is not a Government publication.
7. External Dispute Resolution. Clause 49 (1) to (7) refers to the Commonwealth’s Benchmarks for Industry-Based Customer Dispute Resolution Schemes and businesses are encouraged to consult that document for more detail regarding the benchmarks.
8. Applicable Law and Forum. Clauses 50 and 51 encourage businesses, wherever possible, to draw on Australia’s reputation for consumer protection by specifying Australian law as the applicable law of the contract.