Digital Commerce: Contracting for Digital Services – Top Tips
This is a short companion piece to our webinar on 28 April 2021 on Digital Commerce. It overviews some of the questions about contracting for digital services that we are most frequently asked to look at.
Clickwrap or browsewrap?
It’s clickwrap when the user scrolls down the terms and conditions or terms of service and clicks the ‘I accept’ button. So long as the provider keeps a record of acceptance in their system then clickwrap is generally recognised under English law as meeting the formal requirements for contract formation – offer, acceptance, consideration and communication of acceptance to the offeror.
In the browsewrap case, the user is simply notified that continued use of the website or service constitutes acceptance of the terms and conditions or terms of service, but the user takes no positive action.
In this case, the UK Law Commission has stated that there is no valid acceptance so there is unlikely to be a contract, whether in the B2C or B2B scenario.
However, even if there is no binding contract, some terms may be effective by notice – for example copyright or other IP licensing terms, and some liability terms that are effective when brought to the notice of the user.
In practice, the choice between clickwrap and browsewrap is a balance of conflicting priorities: the extra resource needed to build the ‘I accept’ step and the record-retention function into the provider’s system, and perceived user resistance, weighed against the risk of unenforceable contractual terms.
How do we know the person clicking has authority?
There’s a famous New Yorker cartoon of a dog at their computer workstation turning to a friend and saying “On the Internet, nobody knows you’re a dog”.
This neatly illustrates the difficulty with standard website terms that say “where you accept for the Customer, you confirm that you have authority to bind the Customer to these terms and conditions” and/or “if you do not have authority to bind the Customer do not click ‘I agree’”.
To borrow from Joseph Heller, another famous New Yorker, there’s a bit of a Catch-22 here: if the person accepting does not have authority, then the customer can argue it isn’t bound by the terms he or she purportedly signed up to; and there is also no basis (apart from perhaps misrepresentation) to take action against the person who accepted, as there’s no contract.
Again, in practical terms this is a risk management matter – what’s the worst that can happen for the provider if the person purportedly signing does not have authority? If the provider can adopt through later action – for example payment – or you could get a written signature from the customer by someone actually or apparently in authority, then this risk is more manageable.
What about e-signatures?
The UK legal and regulatory framework for electronic signatures is based on the 2014 EU eIDAS regulation. It’s gaining traction quickly at the moment, particularly in data trust frameworks and other digital data driven ecosystems.
Essentially, it’s in three parts or layers:
first, it regulates the requirements for e-signatures (and e-timestamps, e-documents etc.) as digital data associated with other digital data that the signatory uses to sign, and gives them legal admissibility, broadly in the same way as written signatures;
second, it introduces Trust Services ensuring certainty in the digital transactions concerned by confirming the validity of the underlying e-signature, etc.;
third, it establishes a system of Qualified Trust Service Providers – entities who effectively guarantee authenticity. (There are 17 Qualified Trust Service Providers in the UK at the moment, including Barclays, BT, Digidentity, Entrust, Experian, RBS, Royal Mail and Verizon).
What security duties apply to digital commerce transactions?
Whilst there is no single source of security duties in the digital space, digital commerce businesses:
as data controllers must take appropriate technical and organisational measures (‘ATOMs’) to ensure security appropriate to the risk (Art. 32 GDPR);
as public electronic communications service (‘ECS’) providers, in the language of telecoms regulation, must take ATOMs to “safeguard the security of that service” (Regulation 5, PECR 2003) – note that the e-privacy regulation is still making its way through the legislative process and is likely to impose stricter duties when passed and to the extent it’s implemented in the UK;
as cloud and other relevant digital service providers, must take appropriate and proportionate measures to manage security risks (Regulation 12, NIS Regs 2016);
accepting card payments, must comply with the PCI DSS (Payment Card Industry Data Security Standard);
may also be subject to sector specific security regulation depending on their particular sector; and
may be subject to civil (and possibly statutory) liability for breach of a duty of care.
Do we need to use data encryption?
Data encryption is not prescribed by legislation or regulation, but it is recognised in Art. 32(1)(a) GDPR as one way of taking ATOMs to ensure security, so it may be helpful evidence of positive steps taken to manage security risk.
On the other hand, note that the US EARN IT and LAED Acts, if enacted, could ban providers from offering end-to-end encryption without a built-in means of decryption for law enforcement; and that the EC Council Resolution of 24th November 2020 on encryption expressly notes the law enforcement challenges of encryption and states that preserving lawful access for law enforcement is essential.
Do we have to accept when the cloud service provider insists on broad suspension rights?
This question needs to be looked at from both the provider’s and the customer’s perspectives.
From the customer’s standpoint, a provider right to suspend could in some cases be viewed as a back door to termination without proving fault. The customer will scrutinise these terms particularly closely, especially when the contract covers a service or system that is mission critical for the customer.
However, the provider will need to preserve its rights in its customer agreements to take down offending material on notice in order to preserve its intermediary liability immunities under the e-Commerce Regulations (hosting, caching and mere conduit). To preserve these immunities, it is likely to need to include some suspension rights so that it is in a position to comply with these statutory duties.
In general terms, there’s a practical balance to be struck here between not hamstringing necessary provider actions (on the one hand) and not making it too easy to suspend on the other.
Are we free to choose the law that governs the contract?
In B2B contracts, the parties will usually be able to agree between themselves the governing law and jurisdiction terms that apply, so long as the clause is correctly drafted.
In B2C contracts involving the UK and the EU however, consumers:
when claiming, can choose to claim in their or the provider’s country;
when being claimed against, may only be sued in their own country.
However, the underlying background law is a thicket of rules, both in the business and consumer spaces, consisting of a mix of international conventions and common law. Brexit has inevitably had an impact on the EU-based regulations that the UK signed up to and it will take some time for these to be clarified.