Field research compliance e-commerces with Directive 2000/31/EC

This article was published in 2001, at the time I was still an attorney with Jausas; the article was quoted in several national news bulletins on the day of the press conference, as well as in the Financial Times. For the sake of completeness of my archives, and of course for nostalgic reasons I publish it here again.

Fines of up to EUR. 600.000 may be neck shot for bubble survivors.

If your e-business yet hasn’t stranded due to the ongoing stormy weather in cyberspace by autumn or winter this year, it anyway still might hit the ground for the shift in the legal climate by that time. You may face fines up to a 600.000 Euro when the Law on Information Society Services and Electronic Commerce (ISSEC) will enter into force. The ISSEC is the Spanish implementation of directive

2000/31/EC on e-commerce in the European internal market.

The above is not just a hypothetical situation: a brief sample research, undertaken by SAFENET SOLUTIONS indicates that a majority of e-businesses in Spain neither comply with current legislation nor with the new legislation mentioned. The latter will have a transitional period, but still, the risk is there and transitional periods are not forever. The research was carried out with the idea of getting an indication of what the legal-risk situation of Spanish e-commerce looks like.

Researched e-businesses.

The research sample was selected with a simple tool, available to every internet user. To verify the sample, go to and start a search, restricting it to: Spain; category ‘economía y negocios’; subcategory ‘productos y servicios para el consumidor’ and typing as search term ‘venta en línea’. This results in 38 categories containing 263 sites. From these categories you take ‘turismo y agencies de viaje’, ‘ordenadores’, ‘libros y librería’, ‘centros comerciales’ and ‘vinos’ in this order. The research contains a 100 researched sites. These categories are interesting because they contain businesses that have been active on the internet since the early days. The category ‘Vinos’ was taken to include a category with typical Spanish products.

Quick and dirty.

The research itself was done only on requirements the compliance with which can be established by just looking at the website. Quick and dirty, without additional need for background information. The legal fields covered were selected in a cross country style. Some specific ISSEC issues like mandatory information on the company and General Contracting Conditions were taken into account and more in general Intellectual Property Rights, Data Protection Rights (LOPD), Protection against possible contractual or non-contractual liability for products, services, links or contents on the sites have been checked.


Tables with results.

The Tables below show the results of the investigation. Some of the researched sites require that you become a member before you are supplied legal and other very essential information. Apart from the fact that a consumer may hardly be expected to make a fair choice if he isn’t fully informed previously, this blurs the results. These sites are considered not to have supplied the relevant information. Another blur of the results is posed by the circumstance, that some sites were off the air, temporally or permanently, for maintenance, paused business or other / not further specified reason. This illustrates in practice the necessity of letting the consumer download information, as discussed below.

Traditional small letters mentality.


Striking for the state of the legal development of the researched sites is the widespread habit of not having the relevant legal information easy and directly available. Once having found something looking like General Conditions, virtually no site offers you even a simple print and absolutely no site offers a download option. The ISSEC explicitly requires that consumers are given access to this information in an electronic form and in a permanent way. This means downloadable. Furthermore, the ISSEC requires it to be accessible in a direct, for free and easy way. This means that one should have easy and quick access to it, before entering any procedure, without paying and without any stunting. Plainly speaking, this really is a simple point of departure, coming before any substantial legal consideration. We haven’t found any e-business that gave it’s consumer the opportunity to download its General Conditions. One would think that, with the virtually limitless possibilities in this respect of the New Economy, this legal evasiveness might have ended and transparency have triumphed. Unfortunately this is not at all the case. This reminds to the typical reference of traditional small letters in contracts. The potentially heavy fine mentioned in the first paragraph and further below, is applicable here.


Transparency of information.


The same point of departure on transparency applies to all company information a consumer should be supplied with, in order to be able to take an informed decision on whether or not the company to enter into business with is trustworthy and reliable. We don’t expect you to be surprised, if we tell you that a considerable percentage of the researched businesses do not even bother to supply a company name, let alone a residence or domicile and information other than email to establish a direct and effective communication. Concerning the companies that did supply the recommended information, we haven’t been very strict on the five legal elements defining the way in which the recommended information shall be supplied. These elements are again, as in the previous paragraph: accessible in an electronic, permanent, direct, for free and easy way. None of the researched e-businesses complied with all of these elements and since the five elements are cumulative, the researched e-businesses are all non-compliant on this matter. To still give you some indication, the table shows whether or not the information is supplied by the researched e-businesses, without regard to the way they do it. The repercussions for all this, the ISSEC translates in fines again.

Nobody is going to see your data.


Personal Data Protection Rights have been another interesting researched field. Surprisingly, since the LOPD is well known in the sector, many researched companies still do not comply with it. The principal idea is a very simple one, if you want to collect data from your customer, you have to tell your customer first what your plans are with these data. You have to take certain measures to protect these data and write a privacy policy explaining it to your consumer. This is plain consumer protection. More specifically, the privacy policy should explain the customer what the e-business has done to prevent unauthorised access, incorrect use or disclosure, unauthorised modifications and alterations and illegal destruction or accidental loss, furthermore it should inform the consumer about his rights to access, modify and cancel any information in the file concerning him. A very large percentage of the researched e-businesses bluntly do not have a privacy policy at all, others hide it in other information and the majority of the researched e-businesses which have such a policy, consider a phrase with a content more or less like ‘nobody is going to see your data’ sufficient to comply with specific and different requirements. A very sharp contrast is the way in which most of the researched e-businesses treat their customers, when it comes to use the right of the customer to access, modify and cancel the filed information. Most of the researched e-businesses expect their clients to send them, by mail with acknowledgement of receipt, a petition with the description of the data they want to change or see and sometimes even the consumers’ motives to do so. Considering the comfort and convenience these e-businesses do offer when it comes to collect the information mentioned, this practice appears a little impolite to us. The LOPD, superfluous to mention, is enforceable with fines.


Legal risks as a threat financial to continuity.


The results of the research, assuming that the rest of the e-commerce sector wouldn’t show significantly different results, is that, in general, e-businesses run severe legal risks. This may become an existential problem for many already worn down e-businesses. These risks do not only translate into a nice list of fines, but also in potentially more dangerous situations. Unforeseeable legal procedures, uncertain validity of transactions and unstable commercial structure in general, to just mention a few, are threats to the commercial feasibility and continuity of the enterprises in the New Economy. As a consequence of this lack of legal solidness, the already not very high esteem consumers have in e-commerce may further fall, if e-businesses won’t improve on this. Consumers emancipate and the internet propels this development as much as it propels the development for e-commerce. A more direct and close-to-home consequence is that the financiers and bankers of the sector are very keen on continuity aspects too, lately. Additionally to the already cooled down climate in the money negotiating rooms, the legal risks mentioned will be a topic of special scrutiny to the negotiators. Related to this are the high costs of an insurance policy with risk of this dimension. The legal risks uncovered thus have a boomerang repercussion on the financial continuity of e-businesses.


Winning trust of your consumer.


It is probable that a layman wouldn’t detect all of the shortcomings established in this research, this circumstance shouldn’t be taken as a basis for e-commerce to build its future on, however. Apart from the consideration on financiers and bankers mentioned in the former paragraph, in the New Economy, building trust with legal tools now is more important than in the classic economy, since you can’t compensate a principal lack of trust with personal contact. Many businesses apparently still don’t fully comprehend this need for actively building trust and consequently the need for showing that they’ve got nothing to hide. A hiding mentality only fosters further distrust.