Special Rules
19.0 ONLINE COMMERCIAL COMMUNICATIONS (E-Commerce) cont.
Payment mechanisms d) information on the payment mechanisms available, including any credit and instalment terms, which must be easy to use. Where online payment mechanisms are employed, a statement must be included setting out the security measures used and the level of protection provided by them (see para 19.20 below)
Delivery arrangements e) clear details of the arrangements for the delivery of goods or performance of a service, including the estimated fulfilment time, which, unless the parties agree otherwise, must be within a maximum of 30 days from the day following that on which the customer placed their order (see para 9.10 above)
Right to cancel f) a prominent statement explaining the existence of a right to cancel, orders for goods or services (unless exempted, see para 9.24 above)
Access to terms and
conditions g) information on how users can easily access the terms and conditions applicable to a particular transaction, which must also be available in writing or other durable medium.
Mobile communications 19.11 On-line commercial communications sent to a mobile device should provide the details listed in para 19.10 above on screen but where it is not practical to provide all the information, prominent details must be given of where the information can be accessed or a mechanism must be provided so that the information can easily be accessed.
Acceptance of terms 19.12 Prior to the conclusion of a contract via a mobile device for the sale or supply of goods or services, users must be required to indicate in a clearly defined manner that any of the information in para 19.11 above not provided on screen has been accessed and agreed to.
Additional information 19.13 Following the conclusion of the contract, but no later than the time of delivery or before the service has been fully performed, individuals must be provided in writing or other durable medium, with the
additional and written information set out in para 6.28 above. Members must also comply with para 6.30 above.
Acknowledgement of
orders 19.14 All orders must be acknowledged online immediately they are placed, with a date and time of order, a unique identifying reference number and the total and final price charged. This information must also be available in writing or other durable medium.
Fulfilment timing and
availability of goods 19.15 Members must refer to Section 9 of this Code for the rules relating to fulfilment and performance. Call backs 19.16 Where, as a result of visiting a website a consumer requests a call
back, then members carrying out this request must in all cases comply with Section 21 of this Code on Telemarketing. In particular, members must take reasonable steps to verify the identity of the recipient of the call before obtaining any personal information.
19.0 ONLINE COMMERCIAL COMMUNICATIONS
(E-Commerce) cont.
DIRECT MARKETINGCODE OF PRACTICE
Co-browsing 19.17 When inviting a consumer to co-browse, members must explain clearly what this involves and must not proceed without the consent of the individual. In particular, if co-browsing results in the individual leaving the member's website and visiting another, this fact must be fully explained in advance and details given of the contents of the website in question and the relevance for the individual. The consent of the individual must be obtained before the move to another website proceeds.
Joint form completion 19.18 Where a member wishes to assist a consumer in the completion of an online order or enquiry form, they must verify the identity of the individual before offering to input any personal information or data referring to previous orders or activities. On completion of such a form, the submission may only be carried out by the consumer and it must not be possible for any member, their staff or representatives to submit the form.
Data
Data Protection Act and
Section 5 19.19 In addition to the requirements set out below, members must comply with the Data Protection Act 1998 and all related legislation and with Section 5 of this Code that covers data in the off and on-line environment.
Online Payment Security
Security of payment 19.20 Members must provide easy-to use, secure payment mechanisms and must give clear information on the level of security such mechanisms afford. If payment is made using a payment card, members must comply with the Payment Security Systems Data Security Standards (available at https://www.pcisecuritystandards.org/security_
standards/pci_dss.shtml). System security BS150/
IEC 19.21 a) It is recommended that members use BSBS150/IEC 11770-3:2008 (Information Technology Security Techniques. FRX management) as a basis for their security standards
Implementation of
security policy b) Members must ensure that a security policy for their systems has been developed and reviewed and that its provisions are implemented and tested appropriately
Responsibility for
security c) Members must identify a person who is responsible for the security of the company’s systems. Their responsibilities should include: i) scheduled reviews of the security of the system
ii) ensuring that changes to the system (including maintenance and disposal of component parts of the software and
hardware) are made in a secure manner
iii) ensuring that security-critical changes recommended by the supplier of the system or any of its components are made in a secure and timely manner.
19.0 ONLINE COMMERCIAL COMMUNICATIONS
(E-Commerce) cont.
Authentification of
parties d) Members must authenticate parties to transactions (including third parties) in a secure manner unless such transactions are designed to be anonymous
Integrity of content e) Members must assure the integrity of the content available on their website
Integrity and
confidentiality f) Members must assure the integrity and confidentiality of transactions and the integrity and confidentiality of information about such transactions whether stored on computers or in transit across networks and against both internal and external threats and abuse
Third parties and
security g) Members must ensure that third parties involved in the fulfilment of a transaction maintain an equivalent level of security in respect of transactions and information about such transactions
Security of information
in disputes h) Members must ensure that, where the Commission for the purposes of investigating a complaint or dispute has a legitimate interest in information about transactions, this information is made available in accordance with the Commission’s procedures as set out in Section 4. Similarly, correct procedures must be followed when releasing information for the purposes of legal proceedings Third parties i) If members contract with another party to operate any part of
its service they must ensure that the other party is contracted to operate in accordance with the requirements of this Code.
Online Commercial Communications sent to Children
Definition of children 19.22 Children for this purpose are those under 18 years of age unless a different age is mentioned. Reference to parents includes, where applicable, legal guardians.
Section 7 19.23 In addition to the paragraphs below, members must comply with paras 8.13 to 8.25 above of this Code that set out the detailed rules covering marketing to children, either on or off line.
Orders from children 19.24 Orders for goods or services must not be accepted from children under 12 without first obtaining a parent/teacher's verifiable and explicit consent. Members should also note that contracts are legally unenforceable against children and young persons.
Personal information
from children 19.25 Websites that are directed to children must not collect personal data from children under 12 years of age without first obtaining a parent/ guardian's verifiable and explicit consent.
Transfer of data 19.26 Websites that are directed to children and that collect personal data from children must not publicly post or disclose personal data collected from children under 12 years of age without first obtaining a parent/guardian's verifiable and explicit consent.
19.0 ONLINE COMMERCIAL COMMUNICATIONS
(E-Commerce) cont.
DIRECT MARKETINGCODE OF PRACTICE
Submission of age 19.27 Websites that are directed to children and that collect personal data from children must require a child to give their age before any other personal information is requested. If the age given is under 12 the child should be excluded from giving further personal information until the appropriate verifiable and explicit consent has been given. Notice informing of
consent requirements 19.28 A notice informing children of the requirement for parental or guardian's consent must be shown at the point where personal information is requested. This notice should be clear and prominent and written in language that will be easily understood by young children. It should include an explanation of the purposes for which data are being collected (ie for marketing purposes) and how that consent may be given to the advertiser.
Contingent access to
websites 19.29 Advertisers must not make a child's access to a website contingent on the collection of personal information or entice a child to divulge personal information with the prospect of a special prize or other offer. Collection of other data 19.30 Personal information relating to other people (for example parents)
must not be collected from children.
Privacy policy statement 19.31 Members collecting personal information from children must post a privacy policy statement on their internet website (or for other means of online communication where this may not be practical, they must provide a prominent link to where this information can be accessed). Such a statement, and any link to it, must be understandable by a child audience and posted in a prominent location - both on a site's home page and any page where information is collected. In addition to the requirements set out in para 5.28 above, such a statement must contain:
a) a statement that data will not be collected online without the explicit and verifiable consent of the parent/guardian
b) a statement that provision of the requested information is entirely voluntary
c) an explanation of the measures by which the parent/guardian may exercise their right to have ready and inexpensive access to the data held regarding the child in their care, so as to contest inaccurate or incomplete data, verify the information and correct it as appropriate
d) where a website offers children interactive activities such as chat, message boards, free email services, posting of home pages etc, information by which the parent/guardian can assess and understand the nature of these activities and the consequences of the child's participation.
Complaint Handling and Customer Service
Complaint handling
system 19.32 Members must have in place a complaints handling system that is fair, effective, confidential, easy to use and speedy. Specifically, such a system must, as a minimum, adhere to the following procedures:
19.0 ONLINE COMMERCIAL COMMUNICATIONS
(E-Commerce) cont.
Making a complaint a) other than for WAP communications (see i) below, users must be able to make an initial online complaint to the member via an easy to use “click-through” mechanism
WAP complaints i) for WAP communications or otherwise where technology does not allow, users must be provided with prominent link to information on how to make a complaint which must be possible with minimum effort.
Complaint handling b) members must have in place effective in-house procedures for handling complaints ie through customer service or a named individual who is responsible for complaints/enquiries and who has the authority to resolve complaints and answer enquiries
Acknowledging
complaints c) members must acknowledge complaints promptly and normally within five working days. If the complaint is complicated and will take longer to resolve, then at this time details must be given as to the likely timescale for resolving the complaint
Resolving complaints d) members must take appropriate action to resolve complaints, such as ensuring that the goods or services have been delivered/ replaced or a refund given.
Direct Marketing
Commission 19.33 Where a complaint cannot be satisfactorily resolved or where a customer specifically requests it, members must direct complaints to the Commission or other appropriate industry regulatory body for consideration.