New Ecommerce best practice model (June 2000)

In May the Government launched a new set of Ecommerce guidelines, with the long title Building
Consumer Sovereignty in Electronic Commerce: A best practice model for business (hereafter
referred to as the Model). The Model is the result of an initiative by the Consumer Affairs Division (part
of Treasury) to improve consumer confidence in electronic commerce.
Following the adoption by the OECD of a similar set of principles[1] earlier in the year, the Government
made a commitment to implement the OECD principles in Australia. A small working party was
established to develop a model code of conduct for Australian business. Somewhere along the way the
term "code" was removed, but the general intention remains the same - to provide guidance on how
best to provide consumer protection in electronic commerce.
The resulting Model is a voluntary set of guidelines that a business or industry association might adapt
as its core set of values or standards. Alternatively, consumers might choose to compare business
practice with the standards when making purchase decisions or comparing online businesses. There is
no built-in complaints or enforcement mechanism in the Model.
The voluntary nature of the guidelines raises questions about how they hope to improve consumer
confidence in electronic commerce. Ideally the guidelines will be adopted by industry associations
which will then add complaints and enforcement mechanisms - this might happen through broad
sectoral codes such as the proposed Internet Industry Association Code of Conduct[2] or through the
review of existing industry-specific codes such as the Banking Code of Practice.[3]
An initial problem with this structure is that the Government and other promoters of the Model have
shown a tendency to oversell the Model and exaggerate its immediate benefits. The Minister for
Financial Services and Regulation issued a media release headed WORLD-CLASS INTERNET CODE OF
CONDUCT which stated that he was unveiling a world-class code of conduct for Australian businesses
operating over the Internet.
Obviously the Model is not a code of conduct, and Australia still has no established code of conduct for
businesses operating on the Internet. These misleading statements tend to distract from the content
of the guidelines set out in the Model.
The guidelines provide comprehensive coverage of important online consumer issues, like
identification, completion of transactions and the use of personal information.
The guidelines also go a step further, providing a new layer of consumer protection from unsolicited
commercial emails (spam). The Model states that businesses should not send commercial e-mail
except to people with whom they have an existing relationship or to people who have already said
they want to receive commercial e-mail. Further, businesses should have simple procedures so that
consumers can let them know they do not want to receive commercial e-mail.
This conditional opt-in provision for spam tackles one of the most contentious issues in electronic
commerce, and provides a contrasting approach to the opt-out provisions established in some
industry codes of conduct, including the Australian Direct Marketing Association Code of Conduct.[4]
The Model also provides useful guidance on access and disability issues, which are looming as a major
legal issue for electronic commerce in Australia.

The guidelines in the Model must be regarded as positive - they establish a new level of certainty and
confidence for consumers of electronic commerce, and they set out in one location the major best
practice requirements for business. However, the Government and others must take care not to
mislead consumers about the status of the Model - it is a voluntary set of guidelines with no
complaints or enforcement procedures. It should not be described as a code and no reliance can be
placed on the Model until it is implemented through effective industry codes of conduct.
Finally, the Model attempts to tackle one of the most difficult online legal issues - jurisdiction. The
Model does not require a business to specify an applicable law. However, it does require businesses to
set out clearly which law will apply if one is specified, including a requirement to conspicuously state
that information at the earliest possible stage of the consumer's interaction with the business.
The Model encourages businesses to specify Australian law as the applicable law, but it is not a firm
The Model is available at:

Building Consumer Sovereignty in Electronic Commerce: A best practice model for business

1. Electronic commerce has the potential to substantially benefit business and consumers. This Best Practice Model pr
businesses and enhances Consumer Sovereignty by giving consumers information on what businesses should do when
consumers over the Internet. The Best Practice Model aims to set out best practice for business.

2. Consumer Sovereignty recognises the capacity of most people to make decisions about their own well-being. It inv
- protection, information, choice and redress. The Best Practice Model aims to increase consumer confidence in busine
electronic commerce.

3. The Best Practice Model provides guidance to industry and consumers on the elements of an effective self-regulato
of the Model will help to ensure that consumers are adequately protected and have confidence in making online trans
Best Practice Model will be adopted by relevant industry associations and their members as part of existing codes of p
individual businesses.

4. The Best Practice Model is being developed for traders located in Australia dealing with both Australian and oversea
located outside Australia who are dealing with Australian consumers are also encouraged to adopt this Best Practice M

5. There are initiatives underway to educate consumers on the benefits of electronic commerce and let them know wh
ensure they are protected in the online environment.

6. The adoption of the Best Practice Model will contribute to ensuring that consumers have effective protection and co
online transactions.

6.1 Effective industry self-regulation, including this Best Practice Model, is the preferred way to achieve the Governme
developing Australia as a centre of excellence in Consumer Sovereignty and electronic commerce.

6.2 In accordance with the general principle of functional equivalence, consumers protection online should be no less
the offline environment. As such, the Best Practice Model addresses areas where the online environment's special cha
business practices different to those in the offline world. These include: the distance between the business and the co
transactions can be completed online; the need for authentication; and information collection practices.

7. This best practice model may be cited as Building consumer sovereignty in electronic commerce: a best practice m

8. References to the singular include references to the plural and vice versa.
9. In this Model:

authentication mechanisms means tools and techniques for establishing the validity of a claimed identity of a user, d
B2B means business to business electronic commerce;
B2C means business to consumer electronic commerce;

business means a legal entity, including a government body, acting in a commercial or professional capacity that sup
to consumers;

commercial e-mail means advertising or promotional emails, excluding emails relating to a contractual, operational o
customer notice;
consumer means a natural person;

electronic commerce means commercial activities carried out through electronic networks including the promotion, m
or delivery of goods or services; and
goods and services means goods or services of a kind ordinarily bought for personal use.

10. The Best Practice Model applies to B2C electronic commerce. However, businesses are encouraged to adopt the Be
engaging in B2B electronic commerce.

11. The Best Practice Model does not apply to transactions between individuals both acting in a non-business capacity
12. The Model's objective is to guide businesses on:
12.1 fair business practices;
12.2 advertising and marketing;
12.3 disclosure of a business's identity and location;
12.4 disclosure of a contract's terms and conditions;
12.5 the implementation of mechanisms for concluding contracts;
12.6 the establishment of fair and effective procedures for handling complaints and resolving disputes;
12.7 adopting privacy principles;
12.8 using and disclosing information about payment, security and authentication mechanisms; and
12.9 the processes and policies necessary to administer a code based on the Best Practice Model.
Adoption of the Model

13. Any business or industry association engaging in B2C electronic commerce is encouraged to adopt the Best Practi

14. Any industry association adopting the Model should notify the Department of Treasury by email to: ecommerce@t
or by mail to:
The General Manager
Consumer Affairs Division
Department of Treasury
Parkes Place
Businesses adopting the Model outside the membership of an industry association should also notify the Department

Existing Laws and Regulation

15. The Best Practice Model is not a replacement for other consumer protection laws or codes of conduct. Complying
Model does not exempt a business from compliance with obligations under such laws or codes.
16. Every effort has been made to avoid inconsistencies with existing laws. However, if there is an inconsistency, the
over the Best Practice Model.

17. Some parts of the Best Practice Model are legal requirements. Businesses should not rely on the Best Practice Mo
statement of these requirements. Also, not all legal requirements relevant to electronic commerce are contained in th
Fair Business Practices
18. Businesses should adopt fair business practices when engaging in B2C electronic commerce.

19. In particular, the Trade Practices Act 1974, the Australian Securities and Investments Commission Act 1989 (in re
services) and State and Territory Fair Trading legislation require that businesses:
19.1 not engage in conduct that is misleading or deceptive or is likely to mislead or deceive;
19.2 not make false or misleading representations about the goods or services they supply;
19.3 not engage in unconscionable conduct;
19.4 make sure that the goods supplied correspond with the description of the goods;

19.5 ensure that the goods supplied are of merchantable quality and fit for any purpose made known to the supplier b
19.6 ensure that services supplied:
19.6.1 will be rendered with due care and skill;
19.6.2 be reasonably fit for any purpose specified; and
19.6.3 achieve any result which the consumer makes known.

20. Businesses should ensure that the electronic delivery of goods or services can be achieved without specialised sof
unless the requirement for such specialised software or hardware is made clear to the consumer beforehand.
Disability Access

21. In accordance with the Disability Discrimination Act 1992, businesses have to make reasonable adjustment in the
services to ensure that they are accessible to people with a disability.
Advertising and Marketing
22. Businesses should:

22.1 make sure advertising material is clearly identifiable and can be distinguished from other content, such as editor
and conditions and independent product reviews;
22.2 make sure the business is identifiable from the advertising; and
22.3 be able to back up their advertising or marketing claims.
23. For commercial e-mail:
23.1 Businesses should not send commercial e-mail except:
23.1.1 to people with whom they have an existing relationship; or
23.1.2 to people who have already said they want to receive commercial e-mail; and

23.2 Businesses should have simple procedures so that consumers can let them know they do not want to receive com
Engaging with Minors

24. Businesses should take special care in advertising or marketing that is targeted to children. This is because childr
the information with which they are presented.
25. When interacting with children, businesses should get consent from the child's parent or guardian.
26. Before a business requests personal information from a consumer:
26.1 the business should take reasonable steps to establish whether the consumer is under 16 years; and

26.2 unless the business thinks the consumer is over 16 years, they should get the consent of the consumer's parent
Information - Identification of the Business
27. Businesses should provide consumers with accurate, and easily accessible information that allows:
27.1 identification - of the business involved in a particular transaction;
27.2 prompt, easy and effective communication with the business regarding any electronic transaction; and
27.3 service of legal documents.
28. This information (in 27) should include the following:
28.1 the name under which the business trades;
28.2 the physical address of the business and its registration address;
28.3 e-mail address, telephone and other contact information;

28.4 any relevant statutory registration or licence numbers, including the Australian Business Number and/or the Aus
Number; and

28.5 contact details, an easy method of identifying the membership of and accessing the relevant codes of practice of
regulatory scheme, business association, dispute resolution organisation or other certification body. This could be by d
the industry association and giving an Internet link to the association's website.
Information - Contractual

29. Businesses engaged in e-commerce should provide enough information about the terms, conditions and costs of a
consumers to make informed decisions.

30. This information should be clear, accurate and easily accessible. It should be provided in a way that gives consum
opportunity for review before entering into the transaction and to retain a record of the transaction.

31. Businesses should provide all information online which they are required to provide offline either by law or by any
practice to which they subscribe. Where there is a legislative or other mandatory regime for disclosing contractual info
with that regime is sufficient to meet the Best Practice Model obligations.

32. All information referring to costs should indicate the applicable currency, including guidance on how to get informa
rates, or a link to a site where such information may be found.
33. Information about terms and conditions should be clearly identified and distinguished from advertising material.

34. Businesses should give consumers a clear and complete text of the transaction's terms and conditions. This inform
enough so that the consumer can access and retain a record of that information, for example, by printing or electroni
35. Where applicable, the information should include the following:
35.1 Either:
35.1.1 an itemisation of total costs to the consumer collected by the business; or

35.1.2 where the total cost of a transaction cannot be worked out in advance, a statement that a total cost cannot be
description of the method that will be used to calculate it, including any recurrent costs and the methods used to calc

35.2 notice about the existence of other costs that are not collected by the business. This may include delivery, posta
insurance and where it would be reasonably known to the business, taxes and duties; and

35.3 notice of ongoing costs, fees and charges and methods of notification for changes to those costs, fees and charg
35.4 if limited, the period for which the offer is valid, including time zone information where relevant; and

35.5 any restrictions, limitations or conditions of purchase, such as geographic limitations or parental/guardian appro
minors; and
35.6 details of payments options; and
35.7 terms of delivery; and
35.8 mandatory safety and health care warnings that a consumer would get at any physical point of sale; and
35.9 conditions about termination, return, exchange, cancellation and refunds; and
35.10 details about any cooling-off period or right of withdrawal; and
35.11 any conditions about contract renewal or extension; and
35.12 details of any explicit warranty provisions; and
35.13 details of any after-sales service.
Conclusion of Contract

36. Where appropriate, prior to the conclusion of the contract, businesses should give consumers the opportunity to l
purpose for which they require the product or service or the result they wish to achieve.
37. Businesses should put in place procedures that let consumers:
37.1 review and accept or reject the terms and conditions of the contract;
37.2 identify and correct any errors; and
37.3 confirm and accept or reject the offer.
38. Businesses should promptly acknowledge receipt of the order.

39. Businesses should respect consumers' privacy when dealing with personal information. As a minimum they must c
benchmark standards for handling personal information set out in the Privacy Commissioner's National Principles for t
Personal Information. The National Principles set out standards in relation to:
39.1 collection of personal information;
39.2 use and disclosure of personal information;
39.3 data quality;
39.4 data security;
39.5 openness about management of personal information;
39.6 access and correction;
39.7 use of identifiers;
39.8 anonymity when entering transactions;
39.9 onward transfers of personal information; and
39.10 highly sensitive personal information.
The National Principles are available at:

40. Businesses should provide consumers with clear and easily accessible information online about the way they hand

41. Businesses should provide to consumers payment mechanisms that are easy to use and offer security that is appr
transaction. The payment mechanism should also be appropriate to the method of payment and the confidentiality of
information provided.
42. Businesses should ensure that consumers have access to information on:
42.1 ways of making payments;

42.2 the security of those payment methods in clear, simple language. This will help consumers judge the risk in relyi
42.3 how to best use those methods.
43. Businesses should update the payment mechanisms to make sure security is maintained at an appropriate level.
Security and Authentication
44. Businesses should:

44.1 make sure consumers have access to information about the security and authentication mechanisms the busines
language which helps consumers assess the risk in relying on those systems;
44.2 provide security appropriate for protecting consumers' personal and payment information;
44.3 provide security appropriate for identification and authentication mechanisms to be used by consumers;
44.4 discourage consumers from giving confidential information in a way that is considered insecure;

44.5 update their security and authentication mechanisms over time to make sure the security offered is maintained,

44.6 not try to contract out of their responsibility for losses arising from the misuse or failure of authentication mecha
Internal Complaint Handling
45. Businesses should set up internal procedures to handle consumer complaints:
45.1 within a reasonable time;
45.2 in a reasonable way;
45.3 free of charge to the consumer; and
45.4 without prejudicing the rights of the consumer to seek legal redress.

Businesses should provide consumers with clear and easily accessible information about complaints handling procedu

If a consumer is unhappy with the outcome of the complaint handling mechanism, the business should provide the co
information about any external dispute resolution bodies, to which it subscribes, or any relevant government body, su
External Dispute Resolution

48. Businesses should provide consumers with clear and easily accessible information on any independent customer d
mechanism to which the business subscribes.
49. This independent method of dispute resolution should be:
49.1 accessible;
49.2 independent;
49.3 fair;
49.4 accountable;
49.5 efficient;
49.6 effective; and
49.7 without prejudice to judicial redress.

Applicable Law and Forum

50. Where a business specifies an applicable law or jurisdiction to govern any contractual disputes or a jurisdiction or
must be determined, it should clearly and conspicuously state that information at the earliest possible stage of the co
with the business.

A business located in Australia that enters into a contract with a consumer whom the business believes is resident in A
because of the consumer's address - should spell out which Australian jurisdiction's law is the governing law of that co
make clear that any contractual disputes will be heard by Australian courts and tribunals.
Code Administration

Any business adopting the Best Practice Model outside the membership of an industry association should set up an int
review mechanism to make sure the Model is implemented effectively.

Any industry association adopting the Best Practice Model may set up a new code administration mechanism or may u
administer the Model. This body should include an independent chair and equal numbers of industry and consumer/co
representatives and would:
53.1 monitor and report on compliance with the code;

53.2 obtain adequate resources from members for the administration of the code as well as prepare budgets and fina
53.3 publicise the code to members and consumers;
53.4 implement a system of sanctions for breaches of the code;

53.5 arrange periodic independent review of the code and the operations of its administering body and publicly report
findings; and
53.6 prepare publicly available annual reports on the code's operation.
Review of the Best Practice Model

54. This Best Practice Model will be formally reviewed after one year and after that, every three years. The Model ma
between reviews. Businesses and industry groups that adopt the Best Practice Model should promptly incorporate cha
within their own industry code.

1. Advertising and Marketing. Clauses 22 to 23. At the time of finalising the Best Practice Model, the Privacy Amendm
2000 included the following provisions in relation to direct marketing:

An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpo
primary purpose of collection unless:

if the information is not sensitive information and the use of the information is for the secondary purpose of d

it is impracticable for the organisation to seek the individual's consent before that particular use; and

the organisation will not charge the individual for giving effect to a request by the individual to the organisatio
marketing communications; and

the individual has not made a request to the organisation not to receive direct marketing communications; an

the organisation gives the individual the express opportunity at the time of first contact to express a wish not
direct marketing communications.

2. Information - contractual. Some, but not all of the list at clause 35 will be required for all products. Businesses are
that the product information provided is consistent with their offline obligations. Examples of obligations include the U
Credit Code and the Trade Practices Act 1974.

3. Privacy. Clause 39 defers to the National Privacy Principles and businesses are encouraged to develop privacy pract
principles pending the enactment of the Privacy Amendment (Private Sector) Bill 2000. Further information on this Bil

4. Privacy. Further information on privacy is available in the publication: The Guidelines for Federal and ACT Governm

5. Payment, Security and Authentication. Clauses 41 to 44. It is not intended that financial institutions or other bodie
security and authentication services to businesses be parties to general industry codes based on the Best Practice Mo
should be a requirement on the business itself to ensure that provisions in these clauses are complied with either dire
parties whose services they use.

6. Internal Complaint Handling. Clauses 45 to 47. There are a number of resources available in relation to this topic, i
Australian Standard on Complaint Handling. The Standard is produced by the private organisation, Standards Australi
Government publication.

7. External Dispute Resolution. Clause 49 (1) to (7) refers to the Commonwealth's Benchmarks for Industry-Based Cu
Resolution Schemes and businesses are encouraged to consult that document for more detail regarding the benchma

8. Applicable Law and Forum. Clauses 50 and 51 encourage businesses, wherever possible, to draw on Australia's rep
protection by specifying Australian law as the applicable law of the contract.

