PIAC study seeks public input

Threatened or sued for complaining about a product or service? Let us know!

Have you been warned by businesses that you may be subject to legal action after you voiced your dissatisfaction with a product or service received from them? PIAC is conducting research on the consumer experience in this area, and we need your stories. Email us at piac@piac.ca if you’ve had such an experience, irrespective of whether the threatened legal action ever materialized.

THE ISSUE

In the past decade, Canada has witnessed a rise in lawsuits against individuals who have publicly criticized corporations. Increasingly, private interests are retaliating against individuals and public interest groups who criticize them by threatening to, or actually initiating, lawsuits for defamation or interference with economic relations. As a result, Canadians who simply exercise their right to express dissent (by, for example, writing letters to the BBB, government agencies or newspapers, or by organizing consumer boycotts) may find themselves subject to a costly lawsuit. These kinds of retaliatory lawsuits are known as Strategic Lawsuits Against Public Participation (SLAPP).
These suits have been particularly prominent in the area of environmental activism. However, they have also been used to stifle criticism about other business practices. PIAC is particularly concerned with the chilling effect that SLAPPs can have on consumer complaints and criticism regarding products, services, or business practices in the marketplace.
SLAPPs are initiated for the sole purpose of stifling public dissent or criticisms. As such, the corporations who initiate them aren’t seeking a judicial victory or financial compensation. Rather, they are aiming to intimidate, harass or distract their opponents so that people stop speaking out against them.
The legal basis for SLAPPs is usually weak, and they are typically settled out of court. Nevertheless, the costs of defending oneself against such suits can be devastating. While corporations absorb these as the costs of doing business, they represent a significant burden for the regular consumer. In short, the significant personal and financial costs of defending oneself against a SLAPP suit deter consumers from publicly criticizing corporations or businesses, and thus stifle an important consumer protection mechanism.

Ontario Consumer Protection Law Reform

Ministry of Consumer and Corporate Relations
Consumer Protection Consultation
250 Yonge St., 35th Floor
Toronto, Ontario M5B 2N5
Dear Sir/Madam:
Re: Consumer Protection Consultation
Thank you for the opportunity to comment on proposals for reform of Ontario’s consumer protection legislation.
The Public Interest Advocacy Centre (PIAC) is a national, non-profit organization which has been representing the interests of ordinary consumers in matters to do with public utility regulation (telecommunications, energy, transportation), financial institutions, broadcasting, Internet access, consumer privacy, and consumer protection generally, since its formation in 1976. PIAC is run by a distinguished Board of Directors from across Canada, and has organizational members who themselves represent millions of Canadians. PIAC has developed a strong reputation nationally for its effective consumer advocacy in these areas.

General

As a preliminary matter, PIAC would like to commend the Ontario government on this timely initiative. We agree that Ontario’s consumer protection laws are in need of modernization for the reasons set out in the Consultation Paper. We also agree with the three guiding principles of Fairness to Consumers, Responsiveness to both Businesses and Consumers, and Flexibility to Adapt to Future Needs. In general, we support the proposals for reform, with the qualifications identified below, and in many cases, we strongly support the proposals. In some cases, such as electronic commerce, however, we feel that more legislative action is needed to address existing or potential problems.

Issues Not Addressed in the Consultation Paper

The discussion paper requests suggestions on additional consumer protection issues that should be addressed in the revision and consolidation of the Consumer Protection Act. There are two important areas that the government should seriously consider taking action on: fringe banking and “white label” ATMs.

  • The “Fringe Banking” Sector

The fringe banking sector is currently unregulated, making consumers who use these fringe services easy targets for unscrupulous operators. Issues include: excessively high fees and interest rates, inadequate disclosure of fees and rates, and unfair collection practices. We understand that all the provincial governments are co-operating with the federal government to develop a national approach to this problem. It is appropriate to wait until this federal-provincial exercise is complete to take any action, but we would like to see a government commitment to address fringe banking through legislation in the near future. Also, as we suggest later in our comments, fringe creditors should be subject to the same collection practices rules as collection agencies.

  • Generic (“white label”) ATMs

Unregulated “white label” ATMs also pose serious consumer concerns, considering that:
“White label” ATM operators enter into contractual relationships with financial institutions, but are not financial institutions themselves. Therefore, while the federal government can regulate bank fees under the Bank Act, the activities of “white label” ATM operators come under provincial jurisdiction. We urge the government to seriously consider taking action on this growing problem for consumers.

Questions Posed in the Consultation Paper

1. Scope of Consumer Protection – type of transactions
PIAC agrees that consumer protection laws should be expanded to apply to a wider range of transactions, as proposed.
2. Scope of Consumer Protection – Small Businesses
PIAC does not oppose expanding the scope of protection to include small business consumers as proposed in the paper.
3. Protection re: Services as well as Goods
PIAC strongly supports the application of consumer protection laws to the sale of services as well as goods. The lack of similar protection for consumers of services vs. goods has been a growing problem that we have confronted on numerous occasions, as the marketplace becomes increasingly centered around services rather than goods. This is an overdue reform. The current asymmetry as between goods and services can no longer be rationalized and must be corrected.
4. Electronic Commerce Transactions
We support the government’s proposal as set out in the Consultation Paper, but submit that it does not go far enough.
Ontario recently passed Bill 88, The Electronic Commerce Act, which gives electronic contracts the same legal validity as contracts concluded via non-electronic methods. Yet, a large proportion of consumers in Ontario are not yet fully conversant with this new medium of contracting. Many do not have Internet access from home, and of those that do, many are not yet computer or Internet “literate”. By assuming a level of consumer knowledge and ability which does not in fact exist, the new law risks creating a situation by which unscrupulous businesses can take advantage of those consumers who are not yet Internet savvy.

Delivery of Legally Required Notices and Binding Communications

Ontario’s new Electronic Commerce Act permits contractual notices and other binding communications to be made via email. Often, such notices specify a time period after which action will be taken adverse to the consumer’s interest. Such messages are considered to be received when they enter the “information system” of the addressee and become “capable of being retrieved and processed by the addressee” (subs.22(3)(a)).
This works for people who have private email addresses and who check their email daily. However, it fails to accommodate the current reality, in which email addresses are often shared, infrequently accessed, or otherwise used by consumers in a manner which is not appropriate for binding communications. For example,

  • People don’t necessarily check their email daily. Checking email typically requires much more effort (e.g., firing up a computer, connecting by modem, etc.) and cost than does checking a regular mailbox. Email is often ignored for days in a way that regular mail is not.
  • Particularly where two people share an email address (a common practice in multi-person households), a message may be entirely missed by the intended recipient, although it has been actually received by the recipient’s computer.
  • Email is used by consumers for many more “light” purposes, and to a much greater degree for such “light” purposes (e.g., light personal correspondence, networking, discussion groups) than is regular mail; hence it is generally viewed as a “lighter” medium, and it can be difficult to identify a serious binding communication amongst all of the unimportant messages.
  • Online consumers often receive dozens of emails daily (much of it spam), and simply can’t cope with the quantity – to a much greater extent than with regular mail.

These are just some examples of material differences between email and regular mail. Such differences must be taken into account when designing rules for today’s marketplace. Until we have progressed further in terms of commonly understood protocols for email use, rules which create liability on the basis of a higher standard of care than is the current practice are premature. Certainty of receipt is too important in certain cases. It is inappropriate to establish laws which assume a higher degree of email “literacy” than actually exists, where such laws make consumers even more vulnerable than they already are.
It is particularly important that any electronic notices, failure to reply to which will lead to loss of service or property, actually reach the consumer. Unlike receipt of mail via Canada Post or courier service, receipt via email requires access to a working computer with Internet access. Home internet access remains a luxury service for many consumers, and is likely to be one of the first services discontinued when a household without such access runs into financial difficulty. In such situations, the customer’s failure to respond to the creditor’s email notice should trigger a requirement that the notice be provided in paper form. We therefore recommend establishment of a rule that:

  • in respect of notices of impending default by or penalty to the consumer, electronic delivery is legally effected only where the consumer recipient (and not just the consumer’s information system) has actually received the notice

At a minimum, Ontario’s consumer protection laws should put the onus on vendors to ensure that binding communications sent by them to consumers have actually been received by the consumer. One possible approach is simply to apply the rule for presumed receipt set out in subs.22(3)(b) – i.e., “when the addressee becomes aware of the information or document in the addressee’s information system and it becomes capable of being retrieved and processed by the addressee” – to all consumer transactions, unless the consumer has specifically elected to receive binding communications from the vendor electronically.
This does not solve the problem for all consumers, however. Merchants may simply add a term to their standard form contracts stating that the consumer elects to receive any future communications by email. Such election is clearly not meaningful, but may nevertheless be upheld by courts as a contractual agreement. In any case, leaving the question of when consumer consent to electronic disclosures and records is binding to a case-by-case determination by the courts will create uncertainty and necessitate costly litigation. It is also fundamentally unfair to vulnerable consumers who do not have the means to litigate in the first place.
For these reasons, Ontario’s consumer protection laws should specify that:

  • electronic delivery of legally required notices, and of any information that is required by law to be in writing, is permitted only where the consumer transaction is negotiated electronically, or where the consumer’s consent to receive such information electronically originates from the consumer’s email address to which the electronic records will be delivered.

In this way, disputes over the validity of standard form consents to electronic communications will be limited, and consumers will be clearly protected from unintentional consent in the most egregious situations (e.g., when the consumer does not even own a computer, or does not have Internet access). It is important to note in this respect that approximately half of Canadian households still do not have Internet access, and that three-quarters of low income households remain unconnected.
Paper disclosures required by law are designed to provide consumers with information critical to making informed choices in the marketplace, to understanding their rights and obligations during commercial transactions, and to enforcing their rights when transactions go sour. Consumers can benefit from receiving information electronically, and should be permitted to do so, but the law should not create a situation in which consumers without the ability to receive electronic communications may be required by contract to do so.
Another, related, problem with reliance on electronic records in consumer transactions occurs when consumers find that they are unable to access or print the electronic record in question. This can happen as a result of computer breakdown, or incompatible software programs, for example. It is important in such situations that consumers be able to obtain paper copies of the records in question. For this reason, we recommend statutory requirements that:

  • regardless of the terms of the contract, the consumer is entitled to receive paper copies of electronic records upon request, for which providers may charge no more than their actually incurred costs of accommodating this request.

Consequences of Refusing to Deal Electronically

It is likely, assuming passage of laws based on the UECA, that businesses will rely increasingly on electronic communications. Indeed, given the low cost of electronic communications as opposed to paper communications, it is likely that businesses will take various measures to encourage consumer acceptance of electronic communications, including preferential pricing for those consumers who agree to deal electronically.
While such pricing strategies are understandable in light of underlying cost considerations, they will in effect penalize unconnected consumers (disproportionately low income) and will tend to further marginalize those who cannot afford to deal electronically in the first place. Such implications of the UECA need to be seriously considered in the overall policy context.
At a minimum, consumers transacting non-electronically should always be entitled to refuse electronic receipt of contractual records and statutorily required notices without incurring extra charges as a result. Until Internet household penetration has reached the level of telephone penetration, it is premature to establish laws and policies which assume electronic capability. There is no compelling policy reason to favour consumers with electronic access over those without, in respect of important commercial disclosures.

Integrity of Electronic Signatures

Electronic commerce requires the development of reliable methods of verifying the identity and capacity of contracting parties. The UECA provides electronic signatures the same legal status as handwritten signatures and leaves it up to each enacting jurisdiction to decide whether or not to establish regulations regarding the reliability of electronic signatures. Moreover, the UECA does not attribute liability for losses arising from good faith use of electronic signatures.
In deciding how to address this issue, it is important to recognize, first, that different forms of electronic signatures will have different levels of security and that the standard of care for the use of electronic signatures is unclear at this early stage of development. At the same time, most consumers using electronic signatures will have no sophistication in electronic security procedures, and could unwittingly expose themselves to liability despite due diligence and good faith.
Second, businesses have access to information about electronic commerce-enabling technologies and the ability to limit and plan for the risks created by electronic commerce. Consumers, in contrast, have neither the access to information nor the expertise necessary to evaluate the reliability of a given technology.
Third, unless fraud and error losses associated with online transaction technologies (and not attributable to carelessness on the part of the consumer) are allocated to technology providers and online vendors, there will be little incentive for investment in the further improvement of authentication technologies.
For all these reasons, Ontario legislation should clearly place the responsibility and liability for technology failures on certificate authorities, manufacturers, and/or the businesses dictating the authentication technology to be used. In particular, consumers should be protected against liability for losses arising from misuse or failure of security mechanisms which misuse or failure was not the fault of the consumer.
A good baseline model to consider in this respect is the Canadian Code of Practice for Consumer Debit Card Services, prepared by the Electronic Funds Transfer Working Group in 1992, and revised in 1996. This voluntary code outlines the respective responsibilities of industry players and consumers in the use of debit cards.

Liability generally

Ontario’s consumer protection legislation should clearly establish that consumers are not liable for electronic transactions in which:
a) The transaction was not authorized by the consumer;
b) The product delivered was not as described by the vendor;
c) The vendor failed to provide relevant information about the product;
d) The product was not delivered in the time specified, or at all; or
e) There was no adequate opportunity for the consumer to cancel an inadvertent transaction where the consumer acted reasonably.
In these circumstances, consumers should also be entitled to refund of any payment made, upon return, where applicable, of the product in question to the vendor in good order and within a reasonable time.
5. Standards for Ecommerce
Yes, as technology and the marketplace evolve, modernized consumer protection legislation should also evolve so as to ensure ongoing adequate protection of consumers. New technologies pose new problems for consumers and create new opportunities for unscrupulous merchants. They may also exacerbate previously existing problems, which were until then rare enough to justify inaction. In either case, governments should be able to move quickly and decisively to protect consumers from bad actors.
In addition, even those businesses who wish to operate in full compliance with the law can run into trouble in such a rapidly evolving marketplace. New technologies and marketplace practices can create uncertainty as to the threshold of acceptable business practices. Privacy is a good example of this: technology and market forces have surged far ahead of laws, pushing business practices beyond what consumers consider acceptable. Similarly, standards of information disclosure, contract formation, liability and redress in electronic commerce need to be clearly established. In such cases, it is incumbent on government to provide leadership in the marketplace by legislating minimum standards of behaviour.
6. Application of Consumer Protection Legislation in cases where other regulatory regimes apply
General consumer protection legislation should always apply where it offers greater protection to consumers than does the specialized regulatory regime. If the specialized regime provides the same or greater protection to consumers, then it should take precedence. Essentially, consumers should benefit from the highest level of protection that exists, whether via specialized or general regulatory regimes.
Excluding the application of general consumer protection legislation in respect of transactions governed by other regulatory regimes will result in a “patchwork” of differing consumer protection regimes, precisely the opposite of what the Consultation Paper suggests is a key goal of this initiative. It is essential that consumer protection be as streamlined, consistent, and effective as possible across all marketplace sectors. Permitting some sectors a lower level of consumer protection than others is inappropriate and risks marketplace distortions.
If specialized regulatory regimes are to take precedence over general consumer protection legislation, it is essential that they offer at least the same level of consumer protection as does the general legislative regime. The proposed standard of “adequacy” is insufficient.

Remedies and Enforcement

Yes, consumers who are affected by a violation of consumer protection legislation should be entitled to cancel the contract, receive a refund and pursue damages through civil action. As well, consumers should not be liable in such cases (e.g., for unauthorized contracts).
8. Yes, we agree that consumer legislation should contain a consistent set of enforcement powers and a uniform limitation period.
9. We strongly support the establishment of consistent and effective fines and other penalties for wrongdoers. It is essential that judges have the power to set fines which are proportionate to the gains achieved through the malpractice, and that such fines constitute a meaningful deterrent.
We also strongly support clear statutory authority for restitution orders.
10. Future Performance Contracts
We strongly support the proposals to clarify and improve existing legislation regarding executory contracts.
11. Advance Payment Schemes
We support the proposal to allow for regulation-making authority to prohibit specific advance payment schemes, and to use this authority to limit the activities of credit repair companies. The consultation paper proposes that credit repair companies be required to disclose to consumers their right to correct inaccurate information in a credit file. We would support such a measure, as long as the disclosure is clear and useful to the consumer. It should state how to contact the major credit bureaus, what service standards to expect, and what recourse to take in the event of a dispute.
We would note, however, that while the discussion paper states that credit repair companies sell the service of correcting inaccurate information to consumers, in fact, credit repair companies do offer some legal techniques of removing accurate information on a credit report. Specifically, credit repair companies dispute accurate credit information, which requires credit bureaus to remove the information if it can no longer be substantiated by its source. Also, credit repair companies may attempt to create “split” credit reports, by having the consumer alter their name slightly, and/or remove their SIN number from the file.
Generally, we would support prohibiting these methods of getting around the credit reporting system, but currently, we are uncomfortable with the idea of further restricting consumers’ rights because of serious unresolved consumer protection issues in the sector. For instance, there are no provisions in the Consumer Reporting Act for disclosure to the consumer of his or her rights to correct inaccurate credit information. If consumers’ knowledge of their rights is so low as to necessitate this type of disclosure by credit repair companies as is being proposed, why are similar disclosures not required at other times, such as when a credit file is created about an individual?
The consumer reporting sector does not fully disclose its practices to consumers, and makes little effort to ensure that consumers are aware of how their personal information is used. In addition, there are reports of problems with credit bureau practices in disclosing reports to consumers and correcting credit information. In this context, consumers may legitimately need representation to protect their interests. It is very unfortunate that consumers have turned to unethical companies for this representation, but prohibiting these unethical practices will not solve the underlying problems with the credit reporting system. The most important step that needs to be taken is to subject credit bureaus to comprehensive privacy legislation.
12. Timeshare Marketing
We strongly support the proposal to apply a 10 day cooling off period for timeshare marketing, and to require certain disclosures on the part of timeshare marketers.
13. Implied Warranties on Services
We strongly support the proposal to make consumer services subject to an implied warranty of acceptable quality, similar to that applicable to goods. There is no justification for exempting services from such a requirement.
14. Plain Language
We strongly support the proposal to interpret contracts in the consumer’s favour where the language of the contract is ambiguous. This is a simple, fair, and potentially effective way of encouraging plain language in consumer contracts without creating a burden on businesses.

Bailiffs

We support the proposals to modernize the regulatory regime for private bailiffs.

Collection Practices

We are pleased to see that the government is proposing to extend the protections from harassment in debt collection, and require testing for debt collectors. However, consumers could benefit from further protections in two areas:
a) Greater Application of Prohibitions on Harassment
The consultation paper argues that creditors generally “want to acquire and retain customers” which “discourages them from treating customers badly”. However, creditors usually do not want to retain customers who are badly in debt, and in fact conduct credit checks to identify and avoid such consumers. It is very doubtful that there is “natural” incentive on the part of businesses to treat debtors fairly as the paper suggests, and therefore little rationale for not requiring all creditors to comply with collection standards. No consumer should ever be subject to the tactics prohibited by the Collection Agencies Act, and indeed, no ethical company would engage in these practices. Compliance with the law, therefore, would not be a problem for legitimate businesses. We strongly recommend that the government seriously apply collection standards to all cases of debt collection.
In particular, the government should ensure that the legislation applies to the “fringe” banking sector. This sector has been implicated in coercive collection practices in the United States, and there is reason to be concerned that the same type of practices occur in Canada. Collections and repossessions tend to be a very important aspect of fringe banking, specifically, rent-to-own businesses, second hand dealers, sub-prime lending and payday lending. Consumers who use these services tend to be low income and already in debt, and thus are particularly vulnerable and in need of protection from harassment.
b) Limitations on Use and Disclosure of Personal Information
The Consumer Reporting Act allows credit reports to be accessed for the purposes of collecting a debt without giving notice to the consumer. Similarly, collections activities are exempt from the requirements of the proposed Ontario Privacy Act. These exemptions are necessary to allow for debt collection, but consumers should still be protected from unnecessary and unwarranted privacy invasions. Therefore, the new Consumer Protection Act should ensure that collections standards include suitable limitations on how personal information that is obtained without consent in the course of collecting a debt may be used and disclosed.
Specifically, creditors and collections agencies should not be permitted to use any of the information they collect in the course of a collection for secondary purposes (purposes other than collecting the specific debt). They should not be permitted to disclose such personal information to a third party (such as telling someone’s family or employer about the debt). Also, collection agencies should not be permitted to disclose information to a credit bureau, as it is not necessary to do so in order to carry out a collection.
All of which is respectfully submitted,
Philippa Lawson, Counsel
Angie Barrados, Researcher
 

Comments on Building Trust and Confidence in e-commerce

A Framework for Electronic Authentication in Canada (September 27, 2000)

Mr. Peter Ferguson
Deputy Director General
Policy Development
Electronic Commerce Task Force
300 Slater Street, Room 2016A
Ottawa, Ontario, Canada K1A 0C8
Dear Mr. Ferguson,
Thank you for the opportunity to comment on Building Trust and Confidence in Electronic Commerce: A Framework for Electronic Authentication in Canada. We are pleased that many of the concerns we raised in response to the previous draft of this paper have been acknowledged in the final draft. However, some serious concerns from a consumer perspective remain with the proposed approach.
Throughout the paper, there is an emphasis on balancing consumer interests, such as privacy and protection from additional liability, with allowing market-driven innovation. It must be recognized that certain privacy and consumer protections are fundamental, and cannot be balanced with other considerations. In other words, Canadian consumers do not want, and should not be subject to, market-driven innovations that compromise their privacy or other basic interests.
The paper comments that “there is the perception that the use of electronic authentication offers the opportunity to enhance consumer protection to ‘raise the bar’”. We are concerned that our suggestions on consumer protection are being viewed as ‘raising the bar’ when in fact they are merely reflecting the protections consumers have expected and enjoyed until now. The widespread introduction of electronic authentication involves the establishment of new databases, new powerful social actors, new relationships between consumers and corporations, and new consumer responsibilities. Appropriate measures must be introduced if consumers are going to be protected from unprecedented privacy invasions and liabilities that are made possible by the new technology. This is not raising the bar, but keeping the bar at the same level.
We are concerned about consumer protections being a bargaining point in the development of the proposed principles for authentication and certification services. The public does not have any understanding of the principles’ importance, and it is possible that such understanding may not develop until consumers begin to actually use certification services. It is important, therefore, that government strongly represent the public interest as the principles are developed. Most importantly, the government must ensure that representatives of the public are fully involved in the development of the principles. We were concerned to note that the discussion paper suggests a process that includes only government and industry.
Feel free to contact me should you wish to discuss any of these matters further, and please continue to keep us informed of new developments.
Yours sincerely,
Angie Barrados
Researcher

Letter Re: Uniform Electronic Commerce Act and Consumer Protection

TO: Provincial Ministers responsible for Consumer Affairs;
Provincial Ministers of Justice
Dear Ministers:
Re: Uniform Electronic Commerce Act and Consumer Protection
In October 1999, the Uniform Law Conference of Canada adopted the Uniform Electronic Commerce Act (“UECA”), a model statute designed to facilitate electronic commerce throughout Canada. Provinces are now being urged to enact legislation based on this model. We are writing to express concerns about the potential effect of this proposed legislation on consumer protection, and to urge you to address these concerns through either your province’s general electronic commerce legislation or its specific consumer protection legislation.
The Public Interest Advocacy Centre (PIAC) is a federally incorporated non-profit organization which provides legal advice, representation and research to groups and organizations who represent vulnerable Canadian consumers and who lack the ability to be heard when decisions are made that affect their interests. PIAC’s membership includes over 800 individuals and group members representing over 1.5 million Canadians. Since its inception in 1976, PIAC has made issues associated with communications policy and regulation a priority. Over the past few years, consumer issues in electronic commerce have been a focus of our attention.
The UECA has been carefully drafted so as not to change existing contract law, but rather to permit the use of a new medium of communication in commercial transactions. However, a practical effect of permitting businesses to use electronic means of communicating with their customers, without further safeguards against abuse, may be to undermine existing consumer protection law.
We are wholly supportive of the goal of facilitating electronic commerce between businesses and consumers. However, we also want to ensure that households without the means to engage in electronic commerce are not penalized by new laws which give this new medium the status of a norm – a status that electronic commerce has not yet reached. At a minimum, it is essential that existing laws designed to protect consumers from unfair or deceptive business practices are not circumvented through the use of electronic communications.
Accordingly, we ask you to consider the following recommendations for amendments to the UECA and/or supplementary consumer protection laws.

Existing Requirements to Provide Information to Consumers

Consumer protection laws typically include requirements for certain key information to be provided to the consumer (for example, by the vendor in advance of a purchase transaction). The purpose is to ensure that the consumer is in possession of the information.
Clauses 8 and 9 of the UECA address this issue by stating as follows:
8. A requirement under [enacting jurisdiction] law for a person to provide information in writing to another person is satisfied by the provision of the information in an electronic document,
(a) if the electronic document that is provided to the other person is accessible by the other person and capable of being retained by the other person so as to be usable for subsequent reference;
9. A requirement under [enacting jurisdiction] law for a person to provide information in a specified non-electronic form to another person is satisfied by the provision of the information in an electronic document,
(a) if the information is provided in the same or substantially the same form and the electronic document is accessible by the other person and capable of being retained by the other person so as to be usable for subsequent reference;
These clauses leave unclear the question of what “provision” entails. Specifically, it is unclear whether mere posting of the information to a website can satisfy the requirement of provision. Yet, such an interpretation would undermine the functional objective of consumer protection laws which require actual transfer of information into the custody of the consumer.
Enacting jurisdictions should therefore ensure, through appropriate drafting, that the term “provision” means actual transfer into the other’s custody, as opposed to mere notice of availability.

Consumer consent to receive information electronically

Clause 6(1) of the UECA states:
Nothing in this Act requires a person to use or accept information in electronic form, but a person’s consent to do so may be inferred from the person’s conduct.
This rule is meant to ensure that the Act is not used to compel people to accept electronic documents against their will. It is effective in the context of individually negotiated contracts between parties of relatively equal bargaining power. It provides very little protection, however, to the average consumer who is faced with standard form contracts and “take it or leave it” offers in which consent to replace paper disclosures with electronic disclosures is required as a condition of entering into the transaction. Instead, the UECA leaves up to courts the question of whether consent in such situations is meaningful and therefore legally binding.
This approach may seem reasonable insofar as the UECA is not meant to change the law of contract, but rather to ensure that the same rules of contract apply to a new medium of communication. However, leaving the question of when consumer consent to electronic disclosures and records is binding to a case-by-case determination by the courts will create uncertainty and necessitate costly litigation in cases where the question could easily have been settled in advance by statute. It is also fundamentally unfair to vulnerable consumers who do not have the means to litigate in the first place.
For these reasons, consumer protection laws (or the UECA itself) should specify that:

  • electronic delivery of legally required notices, and of any information that is required by law to be in writing, is permitted only where the consumer transaction is negotiated electronically, or where the consumer’s consent to receive such information electronically originates from the consumer’s email address to which the electronic records will be delivered.

In this way, disputes over the validity of standard form consents to electronic communications will be limited, and consumers will be clearly protected from unintentional consent in the most egregious situations (e.g., when the consumer does not even own a computer, or does not have Internet access). It is important to note in this respect that approximately half of Canadian households still do not have Internet access, and that three-quarters of low income households remain unconnected.
Paper disclosures required by law are designed to provide consumers with information critical to making informed choices in the marketplace, to understanding their rights and obligations during commercial transactions, and to enforcing their rights when transactions go sour. Consumers can benefit from receiving information electronically, and should be permitted to do so, but the law should not create a situation in which consumers without the ability to receive electronic communications may be required by contract to do so.
It is particularly important that any electronic notices, failure to reply to which will lead to loss of service or property, actually reach the consumer. Unlike receipt of mail via Canada Post or courier service, receipt via email requires access to a working computer with Internet access. Home internet access remains a luxury service for many consumers, and is likely to be one of the first services discontinued when a household without such access runs into financial difficulty. In such situations, the customer’s failure to respond to the creditor’s email notice should trigger a requirement that the notice be provided in paper form. We therefore recommend establishment of a rule that:

  • in respect of notices of impending default by or penalty to the consumer, electronic delivery is legally effected only where the consumer recipient has affirmatively acknowledged receipt of the notice

Another, related, problem with reliance on electronic records in consumer transactions occurs when consumers find that they are unable to access or retain the electronic record in question. This can happen as a result of computer breakdown, or incompatible software programs, for example. It is important in such situations that consumers be able to obtain paper copies of the records in question. For this reason, we recommend statutory requirements that:

  • regardless of the terms of the contract, the consumer is entitled to receive paper copies of electronic records upon request, for which providers may charge no more than their actually incurred costs of accommodating this request.

Consequences of Refusing to Deal Electronically

It is likely, assuming passage of laws based on the UECA, that businesses will rely increasingly on electronic communications. Indeed, given the low cost of electronic communications as opposed to paper communications, it is likely that businesses will take various measures to encourage consumer acceptance of electronic communications, including preferential pricing for those consumers who agree to deal electronically.
While such pricing strategies are understandable in light of underlying cost considerations, they will in effect penalize unconnected consumers (disproportionately low income) and will tend to further marginalize those who cannot afford to deal electronically in the first place. Such implications of the UECA need to be seriously considered in the overall policy context.
At a minimum, consumers transacting non-electronically should always be entitled to refuse electronic receipt of contractual records and statutorily required notices without incurring extra charges as a result. Until Internet household penetration has reached the level of telephone penetration, it is premature to establish laws and policies which assume electronic capability. There is no compelling policy reason to favour consumers with electronic access over those without, in respect of important commercial disclosures.

Integrity of Electronic Signatures

Electronic commerce requires the development of reliable methods of verifying the identity and capacity of contracting parties. The UECA provides electronic signatures the same legal status as handwritten signatures and leaves it up to each enacting jurisdiction to decide whether or not to establish regulations regarding the reliability of electronic signatures. Moreover, the UECA does not attribute liability for losses arising from good faith use of electronic signatures.
In deciding how to address this issue, it is important to recognize, first, that different forms of electronic signatures will have different levels of security and that the standard of care for the use of electronic signatures is unclear at this early stage of development. At the same time, most consumers using electronic signatures will have no sophistication in electronic security procedures, and could unwittingly expose themselves to liability despite due diligence and good faith.
Second, businesses have access to information about electronic commerce-enabling technologies and the ability to limit and plan for the risks created by electronic commerce. Consumers, in contrast, have neither the access to information nor the expertise necessary to evaluate the reliability of a given technology.
Third, unless fraud and error losses associated with online transaction technologies (and not attributable to carelessness on the part of the consumer) are allocated to technology providers and online vendors, there will be little incentive for investment in the further improvement of authentication technologies.
For all these reasons,

  • legislation should clearly place the responsibility and liability for technology failures on certificate authorities, manufacturers, or the businesses dictating the authentication technology to be used.

A good baseline model to consider in this respect is the Canadian Code of Practice for Consumer Debit Card Services, prepared by the Electronic Funds Transfer Working Group in 1992, and revised in 1996. This voluntary code outlines the respective responsibilities of industry players and consumers in the use of debit cards.

Conclusion

Consumer protections equivalent to those found in the offline world must be built into the online marketplace, at the same time that rules facilitating the conduct of commerce electronically are enacted. In this way, we will ensure the emergence of a robust infrastructure for electronic commerce in Canada. We trust that you will consider and act upon the concerns and recommendations raised in this letter.
Yours truly,
Philippa Lawson
Counsel
cc: John Gregory, Chair, ULCC Working Group on Uniform Electronic Commerce Act; David Waite and Rob Harper, Co-Chairs, Consumer Measures Committee Working Group on ECommerce
 

Electronic Authentication: An Element of Canada’s Trust Agenda

Comments on Electronic Authentication: An Element of Canada’s Trust Agenda

Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
Contact:
Angie Barrados, Researcher
barrados@web.net

General

To date, issuing authoritative forms of personal identification has been the exclusive prerogative of government. Similarly, it has been governments alone that have traditionally made rules about who can use infrastructure, particularly infrastructure that is important to its citizens’ standard of living. In public key infrastructure (PKI), it is proposed that private certification authorities (CAs) will both issue identification and potentially control access to the information highway. Implementing this proposal would transfer powers that have historically been the realm of governments to private entities. Electronic Authentication: An Element of Canada’s Trust Agenda does not acknowledge this fundamental shift in power, and does not meaningfully consider what it means for individual citizens.
The proposed transfer of traditionally public power to the private sector could have very important implications for individuals. For instance, it is quite possible that the main CAs will be major banks, and that the certificates they issue would be used by consumers to communicate with many other companies on-line. Banks will certainly want to limit who they issue certificates to; perhaps they will issue certificates only to consumers who keep a certain balance in their bank accounts. In this way, banks’ policies could become a limitation on who has access to the information highway. Those consumers who are disadvantaged by bank policies will have little power to change them. In contrast, when government limits access to certain benefits, such as determining who is permitted to drive, or to own a dog, it is democratically accountable for these limitations, and citizens can potentially change them through the democratic process.
The power imbalances between corporations, such as banks, and private individuals are immense, and for this reason, governments set ground rules for how corporations must deal with individuals in the private sector. There are, as yet, few ground rules for the transactions between individuals and CAs. CAs may well be part of or associated with established corporate interests. How individuals’ interests will be protected in a digital environment dominated by corporate interests is a very important issue, but the discussion paper does not address it.
The goals of the proposed approach to authentication services focus on the need to build up trust in authentication schemes, and the need to ensure that businesses are not subject to conflicting requirements. What the discussion paper does not state is that individuals will only trust authentication schemes if their rights to privacy and consumer protection are respected in the context of authentication. The discussion paper does not deal with how either privacy rights, or consumer rights embodied in hard-won consumer protection rules, would be protected in this context. For instance, the discussion paper does not deal with the danger that certificates could become universal identifiers, and the privacy implications of this. Also, it does not consider the consumer protections embodied in physical signatures, and how to maintain these for digital signatures. Nor does it mention the goal of ensuring universal access to important public infrastructure, a longstanding Canadian value in many fields.
The protection of individual rights in the context of digital authentication has not been fully covered by other government initiatives related to the information highway. The Personal Information and Electronic Documents Act will likely apply to CAs, and be important for ensuring that CAs follow good data protection practices. However, the new law will not determine whether PKI overall is privacy-respectful or privacy-invasive. Also, the consumer protection issues raised by setting up CAs go far beyond the Principles of Consumer Protection for Electronic Commerce. These principles address the relationship between retailers and customers, not the one between individuals and CAs.
Ensuring that privacy is protected, consumer protection rules are maintained and that universal access to new digital systems is promoted should be the most important of the government’s goals in developing PKI.
It is hard to know what the future digital world will be like, but it is clear that the potential widespread introduction of public key digital authentication systems raises many new concerns for individuals that have not previously been encountered. These new concerns should be better understood, and taken into account as PKI is developed. Our preliminary understanding of the major concerns for individual consumers is provided below(1). However, it is clear to us that far more work needs to be done to study some of the emerging issues in this area.

Certification Authority Power

The discussion paper mentions that CAs will potentially assume powerful social roles but does not explore the implications of this. CAs could have a great deal of power over individuals by virtue of their function in issuing/withholding certificates, and revoking certificates. In particular, a CA will probably be able to record everyone with whom an individual transacts using a particular digital signature(2). In creating PKI, careful attention needs to be paid to limiting the power of CAs, both through the structure of the system, and through consumer protection rules. In terms of PKI structure, the following factors will determine the extent of CAs’ power over individuals:

  • whether individuals must obtain a certificate in order to engage in important or essential transactions;
  • whether individuals have a choice as to which CA they deal with;
  • whether CAs create a diversity of services that respond to consumers’ needs;
  • whether eligibility requirements for certificates are determined by the certificate authority, or are regulated in some way;
  • whether identification requirements and criteria used to judge applications for certificates are publicly disclosed.

In terms of consumer protection, the most important rules will involve assigning liability to parties in a transaction. This is especially true in the area of security and potential misuse of certificates. Only if CAs bear the liability for misuse of certificates will they have the incentive to take all possible precautions against such misuse. This assignment of liability would be analogous to the liability banks have for misuse of ATM cards. Banks bear the liability for misuse of ATM cards provided customers take reasonable security precautions, so they use good security methods at ATM machines.
Consumers will also potentially need protection from unreasonable restrictions in obtaining certificates, and from being pressured to obtain certificates with privacy-invasive features. In the future, consumers may be pressured to obtain certain certificates in a number of ways: important or essential transactions may require a certain certificate, there may be mandated use of certificates, and/or there may be cost differentials among certificates (with privacy-respecting certificates being unaffordable for some consumers). Certificates will be more privacy invasive if they identify someone by a universal or near-universal identifier (which facilitates data matching), and if they disclose personal information in the certificate itself.

Competition

On several occasions, the discussion paper repeats the following statement:
There are compelling arguments to allow the market, through its competitive forces, to determine how CAs and their services will evolve.
Yet, there is little evidence that competition alone will produce good outcomes for consumers. CA services would form part of the infrastructure for the information highway; competition to provide CA services would therefore be analogous to competition for the provision of other utility services. Competitive utility markets usually benefit business more than individual consumers, and often suffer from weak competition(3). Even in utility markets in which workable competition develops, an array of regulatory safeguards are still required to protect consumers. Careful thought needs to be given to how real competition could be fostered among CAs, and to the limitations of market forces in providing full protection for consumers. This is especially true if CA functions are taken on by companies, such as banks, that already dominate other retail markets.

Will PKI be Privacy Respecting or Privacy Invading?

The development of electronic systems that use public key authentication could lead to unprecedented centralization of individuals’ personal information, both in the hands of those that run the systems, and in the hands of CAs. In this context, there are two main ways to make sure that PKI does not become an instrument for privacy invasion:

  • Ensure that CAs have good information management practices (i.e. that they conform to the Personal Information and Electronic Documents Act);
  • Ensure that individuals maintain control over their personal information.

Ensuring that individuals maintain control over their personal information is the most important way of protecting individuals’ privacy. Individual control over personal information could be maintained in the context of PKI by:

  • Providing consumers with adequate information to be able to choose amongst service providers;
  • Ensuring that consumers are not forced to opt into using digital signatures and the like, but can opt in when they have confidence that the system offers adequate consumer protection;
  • Setting up the system so that individuals will tend to have a number of certificates for different purposes rather than one multipurpose one. If it becomes the norm to use a digital signature for all transactions, that signature would become a de facto universal identifier, and there would be a very real potential for privacy-invasive data matching;
  • De-linking identification from authentication. To protect individuals’ privacy, individuals should only be identified in digital transactions when it is necessary to do so. This will require the development of blind signatures, or signatures that convey eligibility or attributes rather than identity.

Principles

Principles for the development of authentication services in Canada should address the issues of limiting CA power and designing a privacy-respectful PKI. To develop the principles, there needs to be a broader discussion that includes more public input, and that clearly addresses the ways that widespread use of digital authentication will change the way in which many consumer transactions are conducted. Clearly there is a need for a “balanced and neutral process” in establishing the principles, but public sector involvement should not be limited to facilitating the process. Government should also ensure that individuals’ rights are adequately protected in any principles and standards generated by the process. In other words, the government should be preparing for its role as the “competent authority” (regulator) of PKI.
The principles should not focus on the use of authentication for identity purposes as the discussion paper suggests, since this type of authentication is potentially the most privacy invasive. Instead, the principles should reflect a balance between the need for consumers to identify themselves in digital transactions and the need of consumers to control their personal information. The principles should ensure that PKI allows consumers to obtain certificates that do not identify them, and that consumers are not forced to identify themselves unnecessarily.
The concept of CAs cooperatively registering users as suggested in the discussion paper needs to be treated with caution. Cooperative registration would centralize personal information more than a system in which CAs have separate registration systems. This kind of centralization increases potential privacy concerns. Also, such cooperative registering suggests a system in which individuals would have one certificate for all purposes. As mentioned above, a “one certificate” system is more privacy invasive than a system that allows for many certificates to be used for different purposes.

Standards

If standards are to be developed to operationalize the principles, common standards should apply to all CAs that deal with individual consumers. Ideally, regulated standard contracts between CAs and consumers would be developed. The distinction between open and closed models would appear to be more relevant for business-to-business transactions than business-to-consumer transactions. Individual consumers always face a power imbalance in dealing with major corporations and thus need some protection whether the model is open or closed.
Standards are only effective if they include an adequate compliance component. A recent Industry Canada sponsored publication stated this quite clearly:
For fairness and credibility, the parties themselves and the greater affected community must have information about the state of compliance with code provisions and how non-compliance is being addressed. The code’s information-related provisions should include some combination of self-reporting obligations for adherents, powers of monitoring, compliance verification or auditing, impact assessments and the ability to publicize data on compliance or non-compliance(4).

Government PKI

Public key authentication could become very important for government services delivery in the future. The computerization of health records, for instance, may require public key methods of authentication. In fact, large-scale use of public key authentication may emerge for government services before it does in private sector e-commerce, given the preponderant use of credit cards in the latter (since consumers will have little reason to acquire digital signatures if they can use credit cards). Therefore, the government should consider developing CA standards for CAs involved in citizen-to-government transactions, which could then be used as a model for private-sector PKI.

Raising Consumer Awareness and Use

The questions posed by the discussion paper on how to promote the use of “strong” authentication techniques among individual users are premature, since it is far from clear that public key authentication will actually benefit individual consumers. Public key authentication can only be meaningfully promoted to consumers in the context of some assurance that the new systems will not be privacy invasive, and will not involve significant new liabilities for consumers.

Next Steps

More work needs to be done to study the implications of large-scale use of public key authentication in consumer-to-business and citizen-to-government transactions. How individual interests will be affected by implementation of public key authentication needs to be well understood before principles for authentication are developed. Also, there is a need to develop a clear, non-technical explanation of digital authentication and PKI so that a wider audience can participate in discussions about it.
1. Our paper Digital Authentication and Consumers’ Privacy provides more commentary on this subject based on the proceedings of the Tenth Conference on Computers, Freedom and Privacy held in Toronto from April 4-7, 2000. It is available on our web site at www.piac.ca.
2. This potential arises from the CAs’ management of the revocation lists. Anyone relying on digital signatures would have to check the revocation list each time they accept a signature. In the process of checking the revocation list, a data trail would be created that would show every inquiry about a particular certificate.
3. See PIAC’s paper on residential long distance service, Still A Long Distance to Go, or our paper on energy deregulation, Utility Shopping: Are Consumers Ready?
4. Government of Canada, Voluntary Codes: A Guide for Their Development and Use, March, p.22.
 

PIAC Submission to Senate Committee, on Privacy and Security on the Internet

Privacy and Security on the Internet
Submission to the Senate Subcommittee on Communications

Philippa Lawson, Counsel
Public Interest Advocacy Centre
1204 – 1 Nicholas St., Ottawa, ON K1N 7B7
pippa@web.net
http://www.piac.ca

Background on PIAC

PIAC is a federally incorporated non-profit organization which provides legal advice, representation, and specialized research to groups and individuals who are voicing public concern on issues of broad national interest and matters involving public utilities and essential services. Since its inception in 1976, the Centre has developed a reputation for providing effective consumer advocacy in the regulation of telecommunications, cable TV, broadcasting, energy, and transportation, as well as in the field of privacy and consumer protection generally.
In addition to its wide clientele and partner organizations, PIAC has a membership of organizations covering over 2 million Canadians. PIAC’s member organizations include the Alberta Council on Aging, Canadian Pensioners Concerned, Consumers Fight Back Association, Manitoba Society of Seniors, Ontario Coalition of Senior Citizen Organizations, One Voice – The Canadian Seniors’ Network, PEI Council of the Disabled, and Rural Dignity of Canada. PIAC also has a donor list of approximately 900 individual Canadians.
PIAC has been involved in privacy issues since the early 1990’s, when new telecommunications services affecting personal privacy (e.g., Call Display) were first offered. Since then, PIAC has developed significant expertise in the field of privacy: publishing a legal text, overseeing a national opinion survey, participating in the development of our national standard on data protection, CAN/CSA-Q830, and working with government and stakeholders to develop effective data protection legislation in Canada. PIAC counsel is frequently quoted by the media on privacy issues.

Consumer Privacy on the Internet

My comments today are from the perspective of a consumer advocate, and are therefore focused on privacy concerns of individuals in their roles as consumers in the marketplace, and in particular, the electronic marketplace. That is not to say that there are not enormous privacy concerns with respect to data collection and use by governments, or by private parties engaged in research or other non-commercial activities. These are equally important issues that governments should be addressing.
When we shop in the real world, nobody is watching our every move, monitoring the stores we visit, what we buy, the clothes we try on, or the products we look at. But when we go online, this is exactly what is happening. Through the use of computer technologies, private companies are collecting detailed personal data about us, using it to target their advertising to us, and trading it in the marketplace. In fact, a huge industry in personal data collection has developed and is growing by leaps and bounds. Many websites depend on revenue from selling user data to third parties, or delivering specific demographics to advertisers. Ecommerce business models are often based on the collection and sharing of personal information. The more information they have about you, the more money they make. As one ecommerce CEO said, “if it’s a question of profit versus privacy, profits come first every time”.(1)
Consumer profiling is by no means unique to the online world: mail-order firms track consumer purchases in order to send catalogues specific to the consumer’s interest; supermarket chains offer club cards that keep detailed records of individual purchases, and magazines trade and sell subscription lists for profit. But Internet technology permits a whole new level of consumer surveillance that is not possible in the physical world. Websites can track not only every item you purchase, but also every site you visit, every page or product you look at. Combined with other, often publicly available data, Web-generated information creates an unprecedented level of detail regarding individual behaviour, tastes, habits, and interests – a profile like no other. Yet many – probably most – consumers are not aware of the extent to which they are being watched online.
Let me mention briefly some examples of the kind of systematic privacy invasions we are beginning to confront with the growth of ecommerce:

  • “Cookies” are now considered an essential tool of ecommerce. They are files sent by a website to your computer when you visit that website. When you return to that website, the cookie tells the site who you are (a unique computer ID), what your expressed preferences are with respect to that site, and where you’ve been on the Net. Cookies can therefore eliminate the need to repeatedly fill out a registration form every time you visit a website, and help online service providers to customize their service offerings based on the consumer’s preferences. But they also permit online advertisers and websites to surreptitiously track individual web surfing behaviour.

This month’s Consumer Reports magazine focuses on the use of cookies in online marketing. The lead article warns: “Bit by bit and click by click, intimate details of your personal life are piling up in enormous commercial databases – often without your knowledge or consent.”

  • Doubleclick is an online advertiser that uses cookies to track the surfing habits of Internet users. You don’t even have to click on the banner ad to be monitored in this way; every time you visit a webpage with a Doubleclick banner ad on it, that information is passed back to Doubleclick, which now has a database of the surfing habits of over 100 million Internet users. Last fall, Doubleclick bought an offline market research firm by the name of Abacus Direct, with the intention of linking its non-personal clickstream data with personal names, email addresses, offline purchasing habits, and other personal information held by Abacus. A huge consumer backlash in the USA caused the company to suspend its plans, at least temporarily.
  • Two other high profile websites, RealNetworks and Alexa, a subsidiary of Amazon.com, also stand accused of linking personally identifiable information with users’ Web trails. While these companies deny the charges and have taken measures to block such data matching, it is clear that the only thing stopping them from the privacy invasions of which they are accused is public pressure.
  • FreeAtLast.com, a new ISP, recently announced plans to offer free Internet access to people who agree to install software that, like Doubleclick, tracks their online behaviour and then uses the information to send targeted advertisements to them. While the ISP assures critics that it will not connect individual names with clickstream data, it will have the capacity to do so.(2) This business model – offering free services in exchange for personal information – is becoming more and more common. It raises the question: do consumers appreciate the implications of this kind of exposure?
  • Along with the trend toward personalization and customization of products and services to individual consumers, companies are increasingly engaging in “weblining”, a practice similar to the practice of “redlining”, in which lenders and other businesses marked certain neighbourhoods off-limits. “Weblining” uses your online profile to determine your choices in products and services, and even the price at which they are offered to you. Geographic stereotypes are giving way to market segmentation based on all sorts of factors, including ethnicity, age, gender, and religion. The information-gathering capabilities of the Internet, together with the information-sorting capacity of computers, now permit companies to maintain the equivalent of profit and loss statements on every customer. Those judged of minimal value receive fewer offers, and fewer opportunities. The choices presented to you will be based on a computer program’s determination of what you would most like, which in turn is based on your data profile.(3)

Online Data Security

In addition to intentional information gathering, ecommerce has opened up new opportunities for unintentional leaks and outright theft of personal information. Once personal information is amassed in a computer database, a single security breach can release a huge amount of very sensitive information. Thieves can get access to credit card information; stalkers can find out where their victims reside; vandals can interfere with stored data. It is estimated that one half to three-quarters of all commercial websites can be hacked. Some hacking experts claim to have found a way in to every site they have examined, accessing sensitive customer data, and sometimes even executing financial transactions using someone else’s account.(4)
It’s therefore not surprising that hardly a week goes by without reports of security breaches at some major website – just last week, Microsoft had to shut down its Hotmail service for four hours while it fixed a problem that permitted attackers to penetrate user accounts via email.(5)

Online Investigative Services

And then there are the investigative companies that specialize in collecting data on specific individuals and selling it to anyone who will pay the fee. If you are a frequent email user, you will likely have received at least one message claiming to “Find Anything About Anyone On The Net!” These companies are able to pull up addresses, phone numbers (even unlisted ones), physical descriptions, details of property ownership, past employment information, and social insurance numbers, for example. While this kind of service can be useful to creditors looking for evasive debtors, it can also be used by stalkers to locate their victims, as was the case in the death of a New Hampshire woman last fall.

Identity Theft

Not surprisingly, all this collection and disclosure of personal information has resulted in a new wave of identity theft, as Internet sites offer easy access to financial and other personal information with little attempt to verify the customer’s legitimacy.(6) Once they’ve got your name and social insurance number, together with other personal information about you, imposters can open up charge accounts in your name and destroy your credit. It is estimated that 400,000 Americans will suffer identity theft this year, according to a report in PCWorld Magazine.(7)

Responses to the Privacy Problem

In light of all of this, many just throw up their hands and say “there is no privacy on the Web – get used to it”. That’s certainly one way to look at it, but I would say that it is unnecessarily defeatist. It is possible, through a mix of legislated ground rules, voluntary codes of practice, and mass-marketed technological tools, to change the way that the Internet is evolving in respect of consumer privacy and to regain control over our personal information.

Technological Fixes

Privacy-enhancing technologies and tools already exist to help consumers navigate the Internet without giving away more personal information than they wish to. Web browsers allow users to control the use of cookies on their computer – you can set your browser to warn you that a cookie is about to be deposited in your computer, at which point you can choose whether or not to accept it. Alternatively, you can set your browser to refuse all cookies, in which case you may not be able to access certain websites. According to a recent survey by Cyber Dialogue, an Internet customer relationship management company, over 46% of all Web browsers are set to accept all cookies indiscriminately, without any warning to the user. Most users simply don’t know how to adjust this feature, and even if they do, most users are unable to distinguish between good and bad cookies.
At the other end of the scale are programs like Zero Knowledge Systems’ “Freedom”, which permits users to remain anonymous as they surf the Net or send email. But most of these programs cost money, and don’t yet protect the user once he or she wants to transact online (Zero Knowledge is working on a system to do just that). Moreover, they put the onus on users to protect their personal information without giving them the legal rights to such protection.
Privacy-enhancing technologies are an important component of the solution to the problem of privacy and security on the Internet, but they cannot do the job themselves.

Voluntary Codes of Practice

Industry self-regulation is another piece of the puzzle. Many businesses now recognize that protecting customer privacy and respecting the right of individuals to informational self-determination is good business practice in the long term, even when the immediate gains from unauthorized trading of personal information are large. Just this week, a number of the biggest American online providers together urged their compatriots to rein in data collection and trading practices, and to show government that they can and will self-regulate through effective codes of practice.
But voluntary privacy policies don’t seem to be working: a recent poll of web users found that only 38% think that most privacy policies are easy to understand.(8) Whether or not they are understandable, most voluntary privacy policies are incomplete, and come nowhere near meeting fair information standards, as set out in Canada’s new data protection legislation, for example. Moreover, many sites do not comply with their own policies: a recent study of health advice sites in the USA found that personal information was transferred to third parties in direct violation of stated privacy policies.(9) Efforts such as TRUSTe and BBBOnline’s Privacy seal in the USA have met with strong criticism by privacy advocates who point out that neither of these programs has yet withdrawn an endorsement from an approved site.

Legislation

Legislation is clearly needed to back up self-regulatory efforts and to guide technological and market developments in the direction of socially desirable and acceptable information practices. This fact is gradually coming to be recognized in the US, as polls show an increasing public demand for law regulating how personal information can be collected and used on the Internet.(10) Just this past week, for example, the FTC published a rule requiring financial institutions (broadly defined) to notify customers about the collection of personal information and to offer choice as to how that data is subsequently shared. President Clinton recently announced proposals for legislated privacy protection aimed at giving consumers more control over their personal information. Canada is clearly ahead of its major trading partner in this respect, with the recent passage of Bill C-6 – a legislative initiative for which this government should be congratulated.

Implementation of Bill C-6

However, the passage of Bill C-6 is just the beginning. Rules are of little value unless they are enforced. Indeed, tolerance of non-compliance with legislation such as this can be damaging to the rule of law generally. It is essential therefore that government put its money where its mouth is, and back up the Protection of Personal Information Act with a strong compliance plan, including adequate resources to the Privacy Commissioner, who is now faced with the enormous task of educating industry and the public, helping and coercing businesses to comply, using his powers of publicity to obtain compliance, and taking cases to court where necessary.
Without sufficient resources to do this job effectively over the next few years, there is a serious risk that we will fall flat on our faces – that widespread violations of Bill C-6 will remain the norm, that businesses will see that they can get away with it, that consumers are no better off, and that the rule of law is irreparably damaged.
We have allowed technology and market forces to get ahead of our laws and social principles over the past several years. Business plans have been built up on the basis of unauthorized gathering and sharing of personal information. This makes it all the more difficult to implement fair information practices as set out in Bill C-6. There will be resistance, and there will always be those market players who try to get away with disrespect for the law – just as with misleading advertising, for example. If we are to create a culture of respect for privacy in the new wired world, the government must do more than just lay out the rules. It must take proactive steps to ensure that this legislation is honoured not only in the breach.
Bill C-6 gives complainants the right to sue for damages in Federal Court, where companies refuse to comply with the law. Instead of state prosecution, the regime shifts the burden of enforcement to citizens, who are now expected to take non-compliant companies to court. We are skeptical, to say the least, about the effectiveness of this approach. Nevertheless, if it is to be at all effective, complainants will need assistance. It will be the rare person who is able and willing to fund a lawsuit against a company for failure to comply with this Act. If the government is going to shift the burden in this manner, it should at the very least provide some kind of funding program, such as exists for Charter challenges under the Court Challenges Program, to permit individuals to exercise their rights under the new law.
Finally, we need to monitor the effectiveness of this new legislation in dealing with the privacy and security concerns of the new wired world. We should start thinking now about what kind of information we will need in order to conduct the five year review of the Protection of Personal Information Act, and we should start tracking that information as soon as the law is enacted. We will need to know if this law deals effectively with the various threats to privacy that continue to arise. Does it, for example, adequately rein in the use of cookies? (Cookies use computer identifiers, not personal identifiers.) Does it ensure that consumer consent to secondary uses of their personal information is adequately informed and truly voluntary? Do any of the exceptions, such as disclosure for the purpose of debt collection, open up huge, unintended loopholes? This is a first attempt at legislating a whole new area of marketplace activity; it is unlikely to be perfect. We should be prepared to improve it after a few years of experience.

The International Context

With the growth of the Internet-based economy, national borders are increasingly meaningless. Privacy invasions cannot be stopped at the border. Canada cannot act alone in order to effectively protect its citizens from abusive practices. Not only is this a practical impossibility; it could raise trade barrier issues if countries do not move in tandem with each other. We should continue to work with our trading partners and multilaterally within international organizations to establish common standards of data protection world-wide.
The Canadian model, set out in the CSA International Privacy Code and Bill C-6, is a good basis on which to build international consensus. Canada should take advantage of its unique situation and move now to encourage the adoption of an international data protection standard based on its widely accepted model code and law. All that is needed is financial support to the Standards Council of Canada, in order for it to take on the job of developing international consensus around a data protection standard.
In this way, Canada would not only achieve a more level playing field for Canadian business and more meaningful protections for Canadian consumers – it would do so using the Canadian model as the basis for international agreement. Canada is uniquely poised to provide international leadership in this field. It would be a pity if we squandered this opportunity.

Privacy as a Human Right

At the same time, we must recognize the fundamental nature of privacy as a human right – something that is essential to individual dignity and autonomy. Data protection standards for businesses should therefore flow from a recognition that individual privacy, at some point, should not be treated as a negotiable commodity in the marketplace. In this respect, we look forward to legislative initiatives aimed at establishing a general right to privacy.

Recommendations

We therefore recommend:

  • that the Privacy Commissioner be provided with sufficient financial resources to effectively publicize, educate, obtain compliance and pursue non-compliant actors under the new data protection legislation;
  • that the effectiveness of the new law be monitored closely over the next five years, with a view to its Parliamentary review at that time;
  • that a fund be established, possibly as a new component of the existing Court Challenges program, to assist individual complainants in exercising their rights and enforcing the law via court actions, where appropriate;
  • that Canada take a leading role in the development of international standards of data protection through ISO, the International Organization for Standardization; and
  • that a general right to individual privacy be established in law.

Recommended Reading

Simson Garfinkel, Database Nation (O’Reilly, Jan. 2000) (www.databasenation.com)
Jeffrey Rosen, “The Eroded Self”, The New York Times Magazine, April 30, 2000.
“Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.

1. Rick Jackson, CEO of Privada, quoted in “Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.
2. Jim Hu, “Start-up’s tracking software sets off privacy alarm”, CNET News.com, May 1, 2000.
3. “Weblining”, Business Week Online, April 3, 2000.
4. “ECommerce’s Dirty Little Secret”, PCWorld Magazine, May 8, 2000.
5. “Hotmail down due to hole”, WIRED News, May 10, 2000.
6. “Identity Thieves Find Easy Pickings on Web”, SPB News, May 10, 2000.
7. “They Know Everything About You”, PCWorld Magazine, May 8, 2000.
8. Poll for May issue of Wired magazine, reported in “Our Not So Private Lives”, Inter@ctive Week (ZDNet), May 1, 2000.
9. “Policies are no Insurance”, PCWorld Magazine, May 8, 2000.
10. A Business Week poll conducted in March, 2000 showed 57% of Americans polled in favour of legislated privacy protections on the Net.
 

Comparative Analysis of BBBOnline Draft Code

Comparative Analysis of BBBOnline Draft Code of Online Business Practices with Other Consumer ECommerce Codes and Standards

Public Interest Advocacy Centre
1204 – 1 Nicholas St.
Ottawa, Ontario K1N 7B7

TABLE OF CONTENTS

I. INTRODUCTION
II. COMPREHENSIVENESS OF BBBONLINE DRAFT CODE
III. COMPREHENSIVENESS OF OTHER CODES AND STANDARDS RELATIVE TO THE BBBONLINE DRAFT CODE
IV. FORMAT/STRUCTURE OF BBBONLINE DRAFT CODE
V. FORMAT/STRUCTURE OF OTHER CODES
VI. ADEQUACY OF BBBONLINE DRAFT CODE PROVISIONS
  1. Information Disclosure
  2. Misleading/Deceptive Practices
  3. Online Contract Formation/Cancellation
  4. Contract Fulfilment/Return Policy
  5. Consumer Privacy (Data Protection)
  6. Transactional Security
  7. Consumer Redress
  8. Unsolicited Commercial Email
  9. Protection of Children
  10. Compliance Assessment and Oversight
VI. CONCLUSION
APPENDIX A: OUTLINE OF SELECTED CODES AND STANDARDS
APPENDIX B: COMPONENTS OF A CONSUMER ECOMMERCE STANDARD

I. INTRODUCTION

The following report examines the current draft “Code of Online Business Practices” developed by BBBOnline,(1) and analyses its practicability and rigour from a consumer perspective, in comparison with other existing codes and standards on consumer ecommerce. The conclusion of the comparative analysis is that the draft BBBOnline Code is strong in some respects but weak in others. The Code is particularly strong in the areas of information disclosure, misleading and deceptive practices, and the protection of children. It is particularly weak, however, in the areas of consumer privacy and redress. Depending on how each of these components is valued, the BBBCode may be considered adequate or inadequate. It is certainly superior to many other codes and seal programs currently offered in the marketplace, but is clearly deficient in some key respects.
The author reviewed a number of Codes and Standards (see Appendix A) in order to develop a list of possible components of a consumer ecommerce standard (see Appendix B). This list is divided into the following categories:

  • Information Disclosure
  • No Misleading/Deceptive Practices
  • Online Contract Formation/Cancellation
  • Contract Fulfilment/Return Policy
  • Consumer Privacy (Data Protection)
  • Transactional Security
  • Consumer Redress
  • Unsolicited Commercial Email
  • Protection of Children
  • Compliance Assessment
  • Miscellaneous

The BBBOnline draft Code was then judged against this list in order to determine its comprehensiveness, both absolutely and relative to other Codes and Standards. The terms of the BBBOnline draft Code were then assessed for adequacy and rigour, under the general headings above. In each case, the adequacy of the BBBOnline Code was assessed both absolutely and relative to other Codes and Standards.
In general, the documents examined fall into three categories, which we have termed “standards”, “seal programs”, and a “seal of seals” or “umbrella code”.

  • Standards set out a list of requirements, but have no compliance mechanism attached to them, no “seal” to place on the business’s website, no registration system, and no oversight body or “code owner”. (Such mechanisms may be attached to formal standards, but are not necessarily so.)
  • Seal programs, on the other hand, couple a list of requirements with a seal and registration system administered by the “code owner”, and usually also include a compliance mechanism also administered by the “code owner”.
  • A “seal of seals” legitimizes and certifies seal programs according to its own code of practice, and therefore involves all of the same components as a seal program, with additional requirements for “code owners”.

The BBBCode, as presented, is in the nature of a standard, lacking any particular compliance mechanism or seal. BBBOnline states the draft Code “is designed to guide ethical business conduct in electronic commerce”, and goes on to “encourage broad compliance with this voluntary Code”, stating: “We encourage all online businesses to adopt these guidelines.” Thus, it appears that the Code will not be accompanied by a separate seal, and that businesses may simply self-declare their adherence to the Code. This raises concerns from a consumer perspective, since association of the Code with BBB may suggest a level of oversight that does not exist.
However, BBBOnline also indicates that it intends to apply this new Code of Practice to its existing “Reliability” seal program: “Our BBBOnline Reliability participants are expected to adhere to these guidelines.” In this context, the Code would become part of a seal program, with the associated mechanisms for consumer redress and subscriber compliance.(2) Some of the draft Code’s deficiencies would then be corrected, but gaps would still remain in the areas identified above.
BBBOnline also administers another Code of Practice, focused on consumer privacy: the BBBOnline Privacy Seal is a separate program, with a much more detailed set of privacy requirements than those set out in the draft Code examined.(3) It is unclear why BBBOnline sees fit to accept data protection practices under its Reliability Seal that are of a lower standard than those required under its Privacy Seal.
The following codes, seals, and standards were examined in the research underlying this report:

Standards

Canadian Principles of Consumer Protection for Electronic Commerce
CSA International Privacy Standard (part of Canadian Principles)
OECD Consumer Protection Guidelines for E-Commerce
Australian Complaints Handling Standard (AS/NZS 4269)
British Standard on Information Security Management (BS 7799-2)
Ziff-Davis “The Standard for Internet Commerce”

Seal Programs

WebTrader (UK)
WebTrust
TRUSTe
Better Internet Bureau
Better Cyber Bureau (Safengine)

Seal of Seals

TrustUK

II. COMPREHENSIVENESS OF BBBONLINE DRAFT CODE

The BBBOnline draft Code (“BBBCode”) covers all relevant topics, but is more comprehensive in some areas than in others. Its rules regarding information disclosure, misleading or deceptive business practices, contract formation/cancellation, contract fulfilment, and protection of children are highly comprehensive; BBBOnline scores top marks here. Many of the BBBCode provisions in these areas were found in no other code. Indeed, the BBBCode deserves special mention for its relatively comprehensive prohibitions in the area of misleading and deceptive practices, as well as information disclosure. The only gaps noticed in these areas are minor, and mitigated by other requirements – they involve:

  • the tentative nature of the proposed clause requiring online businesses to disclose “any health, safety, nutrition or other package warnings for those transactions if those warnings are required to appear on the good or service packaging” (a note following this clause expresses concern that it may be too burdensome for businesses);
  • the absence of a clause requiring certain information to be provided with tangible goods at the time of delivery (however, all relevant information is to be provided on the website); and
  • the absence of a rule specifically requiring the business to promptly correct any mistakes in billing, payment, or receipts (however, there is a general rule that all commitments and representations be honoured, and that good faith efforts be made to resolve any disputes to the consumer’s satisfaction).

The BBBCode is less comprehensive, however, when it comes to consumer privacy, redress and transactional security. While each of these areas is addressed, large gaps remain. In particular,

  • there is no rule requiring the clear identification of unsolicited commercial email as such (however, the Code does require businesses to offer an “opt-out” option, and to respect the consumer’s preference regarding unsolicited commercial email);
  • the rule regarding security is brief and general, seems to focus on confidentiality of transactional information, and does not clearly cover issues concerning authenticity and integrity;
  • the rules regarding consumer privacy fail to limit collection, use or disclosure (other than to third parties for marketing purposes), fail to limit retention (other than when the transaction is not completed), and fail to establish any individual access rights, redress rights, or compliance/accountability standards. Instead, they focus almost exclusively on disclosure;
  • there is no rule establishing business responsibility for unauthorized transactions;
  • businesses are not required to have a returns policy, or to refund the consumer in appropriate circumstances;
  • the rules regarding complaints handling and dispute resolution are extremely brief and general, which is surprising given the BBB’s long history of expertise in this area. In particular, all that the draft code currently requires with regard to dispute resolution where the complaint cannot be resolved internally is that “additional means” be provided to satisfy the consumer, which “means” may or may not include third party dispute resolution (they could instead be refunds, insurance policies, escrow services, or chargeback mechanisms). It should be noted, however, that BBBOnline highlights the tentative nature of this approach and has invited feedback on it.

In summary, the BBBCode covers all major areas of consumer concern in ecommerce, but does so with varying degrees of comprehensiveness. Areas well covered include information disclosure, fair business practices, contract formation and fulfilment, and special protection for children. Areas not so well covered include consumer privacy and consumer redress.
Interestingly, privacy and redress are areas in which BBBOnline offers separate programs, with separate codes and compliance mechanisms: businesses who subscribe to the BBBOnline Reliability program must pledge to offer dispute resolution through the BBB or another dispute resolution provider that meets BBB standards (which involve a long and detailed set of rules to ensure due process); and businesses who subscribe to the BBBOnline Privacy Seal must adhere to a set of rules regarding consumer privacy, as well as a special dispute resolution process for privacy complaints. While a detailed review of these two BBB programs is beyond the scope of this report, we have briefly addressed the adequacy of the Privacy Seal requirements under section VI, part 5, below, and of the dispute resolution mechanism associated with the Reliability Seal under section VI, part 7, below.
To the extent that the new Code will form part of the BBBOnline Reliability Seal requirements, it is appropriate that we examine those requirements as well. In order to use the BBBOnline Reliability Seal, companies are required to:

  • Become a member of the appropriate local Better Business Bureau;
  • Provide the BBB with information regarding company ownership and management and the street address and telephone number at which they do business, which will be verified by the BBB in a visit to the company’s physical premises;
  • Be in business a minimum of one year (with limited exceptions);
  • Have a satisfactory complaint handling record with the BBB;
  • Agree to participate in the BBB’s advertising self-regulation program, and correct or withdraw online advertising when challenged by the BBB and found not to be substantiated or not in compliance with our children’s advertising guidelines;
  • Respond promptly to all consumer complaints; and
  • Agree to dispute resolution, at the consumer’s request, for unresolved disputes involving consumer products or services advertised or promoted online.

The BBB’s initial onsite verification, ongoing monitoring of complaints, advertising self-regulation program, and dispute resolution mechanism are all valuable components of its seal program, and if added to the draft Code, will substantially improve on its provisions for consumer redress and compliance assessment. In particular, the requirement for a physical onsite inspection of online businesses by BBB officers is unique and adds significantly to the value of the BBBOnline seal. We have, however, reviewed the draft Code as a stand-alone document, since BBBOnline is promoting it as such.

III. COMPREHENSIVENESS OF OTHER CODES AND STANDARDS RELATIVE TO BBBONLINE DRAFT CODE

Compared to the BBBCode, the Canadian Principles (and incorporated CSA Privacy Code) are more comprehensive in the areas of consumer privacy, returns policy, and, to some extent, dispute resolution, but less comprehensive in the areas of misleading/deceptive business practices, contract fulfilment, and, to a lesser extent, information disclosure. Protection of children is not addressed at all in the Canadian Principles or CSA Standard.
The Ziff-Davis Standard is far less comprehensive than the BBBCode, both in an overall sense (areas covered) and by topic. It provides no guidance at all on contract formation/cancellation, unsolicited commercial email, protection of children, or dispute resolution, almost none in the area of misleading/deceptive business practices and very little on internal complaints handling. Its rules on consumer privacy are as weak as or weaker than those of BBBOnline.
Clearly, the Australian Complaints Handling Standard is highly comprehensive in the area of complaints handling, and the British Standard on Information Security Management similarly in the area of security. None of the general ecommerce standards or codes examined would be expected to match the comprehensiveness of these specific standards in the areas they cover.
TrustUK, the “seal of seals” program, has a list of accreditation criteria which is the most comprehensive of all other codes examined. It covers all areas other than online contract formation/cancellation, and like the BBBCode, includes a strong section aimed at protecting children. Its rules on consumer privacy, redress, and transactional security are significantly more detailed and comprehensive than those of the BBBCode. Indeed, its rules on security are much more comprehensive than any of the other codes examined: it recommends use of the highly detailed BSI Standard on information security management, in addition to requiring adherence to a number of specific security-related rules. While not as comprehensive as the BBBCode in the areas of information disclosure and misleading/deceptive business practices, it is generally more so than most other codes.
The WebTrader Code addresses most areas, but fails to address contract formation/cancellation (other than cancellation rights where the price changes) and provides no rules regarding the protection of children. It is most comprehensive in the area of complaints resolution, and, by linking to other Codes and Statutes, in the areas of misleading/deceptive practices (advertising and sales promotion) and data protection. It is much less comprehensive in the areas of information disclosure, contract fulfilment, unsolicited commercial email, and dispute resolution.
The WebTrust Code is difficult to compare because it takes a completely different approach to consumer protection, focussing almost exclusively on disclosure and internal controls, rather than end-results from the consumer perspective. It thus provides a completely different type and level of detail from most of the other codes and standards considered. For example, on information disclosure, instead of providing a comprehensive listing of specific disclosures that must be made, it offers a general statement with examples. Areas that it fails to cover include misleading/deceptive business practices, unsolicited commercial email, dispute resolution, and the protection of children. Contract formation, consumer privacy, complaints handling and dispute resolution are only partially addressed. More thoroughly covered are the areas of contract fulfilment and transactional security.
TRUSTe does not purport to cover more than consumer privacy. On this issue, however, it is not as comprehensive as some other codes which deal with more than data protection – it is similar to the BBBCode in this respect. TRUSTe’s code, however, does require use of a particular dispute resolution process for consumer privacy complaints, and in this respect provides more than does the BBBCode.
The Better Internet Business Code is not at all comprehensive, and is markedly less so than the BBBCode. It addresses only four relevant issues, and in each case does so exceedingly briefly, as follows: no “unlawful acts”, no “misleading or deceitful statements”, no “spam”, and a minimum 30-day refund on items sold on the Internet. It requires nothing in terms of information disclosure, contract formation/cancellation, contract fulfilment, consumer privacy, transactional security, complaints handling, dispute resolution, or children. In contrast, the BIB seal is remarkably sophisticated and suggests far more than the Code actually delivers. In addition to the words “Better Internet Bureau”, the seal states “Certified Quality Site”. Not only is this misleading in and of itself, but it clearly takes advantage of the goodwill generated by the Better Business Bureau and may well violate the BBB’s trademark rights.
The Better Cyber Bureau (“Safengine”) Code is similarly superficial, addressing only transactional security, contract formation, and consumer complaints handling/dispute resolution, and in each case doing so less than comprehensively. While the Safengine Seal is significantly different from other seals, it again suggests more than it delivers, and therefore may generate unwarranted consumer trust.

IV. FORMAT/STRUCTURE OF BBBONLINE DRAFT CODE

As the above analysis indicates, the BBBCode is relatively comprehensive in its coverage of consumer issues in ecommerce. However, the value of this comprehensiveness is diminished to some extent by the structure of the draft code: the subject matter of the five Principles is not 100% clear from the titles, and not all relevant rules are provided in the section where one might expect them to appear. For example, a number of disclosure requirements are set out in other sections (e.g., disclosure of safety warnings is found under Principle 2, which addresses misleading/deceptive practices, rather than Principle 1 which addresses information disclosure; disclosure of the entity conducting compliance reviews is found under “Compliance” rather than Principle 1; provision of clear billing information is found under Principle 4 but not Principle 1; the rule re: limiting retention of consumer information is set out under Principle 4 “Aim to Please!”, instead of Principle 3 “Have Respectful Information Practices!”).
Thus, it is essential for someone trying to determine the Code’s requirements in any particular area to review the entire Code. While this is not a herculean task (since the Code is not long, is drafted in fairly concise language, and uses subheadings to advantage), it would be more helpful to cross-reference those provisions that logically fall under more than one heading.
Moreover, it is not always clear whether a given requirement applies only to the subject-matter of the subheading under which it appears, or more generally to the subject-matter of the entire Principle. For example, the following clause appears under Principle 1, subheading “Information about the Online Transaction Itself”: “When online businesses provide consumers with the ability to conduct a transaction in more than one language, they must assure that all material information appears in all the languages provided.” It is not clear whether “material information” is limited to “information about the transaction itself”, or applies to all information, including that relating to the business and the goods and services offered.
The BBBCode is divided into six sections, as follows:

  • Principle 1: Disclose! Disclose! Disclose!
  • Principle 2: Tell the Whole Truth and Nothing but the Truth!
  • Principle 3: Have Respectful Information Practices!
  • Principle 4: Aim to Please!
  • Principle 5: Take Special Care with Children!
  • Compliance

It is not clear why Compliance is not presented as a Principle, especially in light of its stated importance (“Failure to properly identify the compliance review entity shall be considered a violation of the Code.”).
Under Principle 1, BBB provides most of the information disclosure requirements (however, as noted above, many appear in other sections). These requirements are categorized by type (e.g., about the business, about goods and services offered, about the transaction itself), rather than by the stage at which they must be made (e.g., to all consumers accessing the website, vs. to consumers on verge of making transaction, vs. to customers after transaction made). This is not necessarily a drawback, as long as BBB sets out in each case the minimum requirement in terms of timeliness of the disclosure. Our review indicates that such is usually but not always the case. Similarly, BBB repeats the general information requirements of clarity, conspicuousness, etc. with each disclosure requirement rather than setting the general requirements out up front, as we have done in Appendix B. The risk of the BBB approach is that failure to specify the general and/or timeliness requirements with respect to a specific disclosure rule may significantly weaken that rule.
Clearly, BBBOnline is attempting through its catchy titles not only to attract the attention of readers, but to put a positive light on the requirements of the code. The downside of this approach is that it may obscure the actual content of the provisions.
We also note that the BBBCode sets out a summary listing of the five Principles up front, before launching into the detailed requirements of each. While readers can be expected to appreciate that the Code involves more than this summary, there is a risk of misinterpretation unless the summary is clearly identified as such. In comparison, the Canadian Principles note as follows with their summary: “This summary must be read in conjunction with the full text of the principles, which follows.”
Also potentially prone to misinterpretation is the infrequent use by BBBOnline of the term “should” (and in one case, the term “can”) in a document that otherwise uses the terms “shall” and “must” throughout. While it may seem that, in such a context, the use of “should” clearly indicates an intention to recommend rather than demand, such intention is not otherwise brought to the attention of the reader. All but the most careful readers may fail to notice the “should” statements, and may thus assume incorrectly that they represent requirements. In contrast, the Ziff-Davis Standard clearly indicates which of its provisions constitute minimum standards, and which constitute best practices. In keeping with its own principles of clarity and disclosure, BBBOnline should highlight any non-binding clauses in its Code.
Finally, the BBBCode provisions are not (yet) numbered, unlike those of other codes. This lack of numbering makes it difficult to refer to specific sections, and may make the code more difficult to read.

V. FORMAT/STRUCTURE OF OTHER CODES

The structure and format of other general consumer ecommerce codes reflect both the perspective of the drafters, and the target audience. For example, the Canadian Principles and OECD Guidelines identify discrete subject areas more on the basis of law and government policy, reflecting the perspective of their drafters and the needs of OECD members. Unlike the BBBCode, section headings provide no directives in and of themselves; they simply identify the subject area.
The format of the CICA WebTrust Code, on the other hand, reflects a preoccupation of accountants with internal company controls aimed at providing “reasonable assurance” that certain results will be achieved. Thus, instead of setting out a comprehensive list of required results, the WebTrust Code focuses on execution of transactions in accordance with disclosed business practices, effective operational controls, and monitoring of those controls. This Code is divided into three sections, titled “Business Practice Disclosure”, “Transaction Integrity”, and “Information Protection”. Because of the generality of these headings, and the lack of sub-headings, it can be difficult to pinpoint a particular clause. This structure may make sense to accountants and possibly some businesses, but it is not “consumer-friendly”, and is likely to be difficult for small businesses to easily understand and adopt.
The format of the Ziff-Davis Standard is once again distinct, with clauses covering scope, purpose, and uses of the Standard, as well as conformance and definitions/terminology. The Z-D Standard requires such clarification because of its requirement for an “Information Centre”, and its inclusion of best practices as well as minimum standards in the standard. Another interesting approach taken by the Z-D Standard is to include explanatory notes with each clause. These notes are distinctively highlighted so as not to confuse the reader, and provide a useful purpose statement for each clause.
TrustUK’s accreditation criteria (Core Principles for Online Codes of Practice, and Core Principles for Redress Mechanisms, Monitoring and Enforcement) are well laid out and clearly identified. This is the longest and most complicated code of all examined (other than the formal Australian and BSI Standards), yet one of the easiest to navigate and understand. All sections are numbered, and ordered in a logical fashion.
The WebTrader Code is similar to the BBBCode insofar as it uses plain and concise language, but is even more brief and to-the-point on the topics it covers. Clear headings are provided for each subject area, and given the brevity of each, the lack of paragraph numbering is not a problem – this code is easy to navigate and understand. Unlike the BBBCode, however, WebTrader does not attempt to categorize its provisions other than into the 18 topics covered. Should this Code become any more detailed, such categorization would be useful. However, as the BBBCode example shows, categorization of rules comes at a price if not done properly and with appropriate cross-referencing.

VI. ADEQUACY OF BBBONLINE DRAFT CODE PROVISIONS

Information Disclosure
The BBBCode provisions on information disclosure are generally excellent, covering such key requirements as clarity, ease of understanding, conspicuousness, comprehensiveness, accuracy, and capability of being retained by the consumer. Unlike most other codes, the BBBCode includes provisions requiring disclosure in all pertinent languages, and disclosure of the entity that conducted the site’s compliance review. This latter requirement is particularly important where there is no requirement under the code for compliance assessment by a neutral third party. BBB also requires disclosure of the site’s policy on unsolicited commercial email, an increasing frustration for many online shoppers, and requires that all billing information be provided “in an easy-to-understand format so the consumer can determine to which transaction and which company the bill relates”. Unlike other Codes, BBBOnline’s also addresses the issue of ongoing subscriptions, requiring in such cases that the business provide consumers with “easy-to-understand subscription cancellation information…”.
Improvements, however, could be made in the following areas:

  • the Code’s provisions on capability of retention by the consumer are not written in binding language. Unlike most other provisions, they use the term “should” rather than “shall”. It is not clear whether this is intentional or not, and if so, why it would not be a requirement of the Code that information “appear in a format that allows the consumer to maintain a record of it through printing or storing if the customer is properly equipped to do so”.
  • the Code could state that information disclosed about the business must be sufficient for follow-up inquiries, dispute resolution and legal action (this is merely implied);
  • the Code’s provision under “Information about goods and services offered online” does not clearly state that such information should be complete, but does go on to state that “Complete and accurate information means enough information so that a consumer understands the goods or services being offered through an online transaction”. It is possible that the word “complete” was unintentionally omitted from the first clause in this draft.
  • the Code requires businesses to “disclose information about how consumers can make their transaction payments”, but does not require businesses to disclose relevant implications of different payment options, such as its credit card payment policy.
  • businesses are not required to provide notice to the customer of potential additional charges beyond the control of the business, but material to the consumer’s purchasing decision. Instead, they are merely encouraged, “when possible and at a reasonable cost” to give such notice.

Misleading/Deceptive Practices

This is an area in which the BBBCode is clearly superior to all of the other codes examined. One of five Principles is devoted to this topic, and covers not only advertising standards, but also the covert use of technology to deceive consumers, affect consumers’ navigational choices, or deceptively draw consumers to certain websites. The potential for deceptive use of technology raises important issues in electronic commerce, which few consumers are likely aware of given the hidden nature of the practices. Businesses need to be told that such practices are unacceptable. The BBBCode gets high marks for its attention to these online consumer problems.
Misleading advertising is a significant problem for consumers both online and offline. As it has done offline, BBB addresses this issue in the online context, and does so more than adequately. Only the WebTrader and TrustUK codes provide similar levels of protection in this area, by incorporating relevant Codes administered by the Advertising Standards Authority in the UK. The OECD Guidelines provide more general directives on misleading advertising, while the Canadian Principles merely require that the terms and conditions of sale be clearly distinguished from marketing and promotional material or messages.
The Ziff-Davis Standard takes a different and much less rigorous approach to online advertising, requiring only that “In the merchant’s information centre, the merchant shall notify customers of its policy on accepting payments or other consideration from third parties for placement of any content related to the third parties’ products/services that is not clearly identifiable as advertising.”
Online Contract Formation/Cancellation
This is one area in which the BBBCode is inadequate, from the consumer perspective. Given the potential for keystroke or clicking errors, as well as for misunderstanding, in the online context, it is essential that online vendors confirm a consumer’s intent to transact before engaging the consumer in a binding transaction. Electronic commerce is still in its early stages; many consumers are still unfamiliar with the medium and may not appreciate the consequences of their online actions. Yet, the BBBCode does not appear to require business subscribers to take proper precautions in this respect. Instead, it merely encourages them (through the use of the term “should” instead of “shall”) to:

  • provide the consumer with an opportunity to confirm her intent to enter into the online transaction,
  • confirm key details of the order, and
  • correct and modify the order.

Moreover, the BBBCode provides consumers with cancellation or refund rights only where “a delay in shipping occurs”. This is insufficient consumer protection in the online context.
A separate provision in the draft BBBCode, however, raises questions as to exactly what BBBOnline intends to provide in this respect. Under Principle 1, “Terms of the Online Transaction”, the Code states as follows:
“Upon consummation of a transaction by a consumer, online businesses shall provide the consumer with a confirmation notice of the transaction. Online businesses shall give notice that they provide this confirmation prior to the completion of a transaction.”
Needless to say, this provision is ambiguous both in its own wording, and in relation to the other permissive provision referred to above. Confirmation should be required both before and after the transaction is completed. Beforehand, the purpose is to ensure intentional contract formation; afterward, the purpose is to facilitate contract fulfilment and redress as necessary. The BBBCode requires clarification and modification in order to resolve this drafting problem.
Consumers must have an opportunity, before concluding the transaction, to, in the words of the OECD Guidelines, “identify and correct any errors or modify the order, express an informed and deliberate consent to the purchase, and retain a complete and accurate record of the transaction”. Moreover, as the OECD Guidelines state, “the consumer should be able to cancel the transaction before concluding the purchase”.
In keeping with the OECD Guidelines, the Canadian Principles require online vendors to “make clear what constitutes an offer, and what constitutes acceptance of an offer”, so as “to ensure that the consumer’s agreement to contract is fully informed and intentional”. They go on to require “in inadvertent sales transactions in which consumers acted reasonably, the vendor should allow the consumer a reasonable period of time to cancel the transaction once the consumer has become aware of it”. Even WebTrust requires “controls to provide reasonable assurance that positive acknowledgement is received from the customer before the order is processed”, and Safengine (the Better Cyber Bureau) includes as one of its very few requirements that “some type of confirmation form” be used for all online transactions.
It should be noted that the BBBCode does require businesses offering subscriptions online to provide consumers with “an easy to use means to cancel an ongoing subscription, and timely confirmation of such cancellation”. We found this provision in no other code.
Contract Fulfilment/Return Policy
The BBBCode deals with contract fulfilment issues succinctly, by requiring that “online businesses shall comply with all commitments, representations, and other promises made to a consumer”. In addition, it requires confirmation of sales transactions either at the time of the transaction or immediately following via email. Such confirmation must include sufficient information for purchasers to obtain the status of the order, and must be capable of being printed by the consumer.
While not as detailed as some Codes in the area of contract fulfilment (e.g., WebTrust, Ziff-Davis), the BBBCode is more detailed than others (Canadian Principles, WebTrader).
However, the BBBCode does not set a high standard when it comes to return policies. As noted above under “Contract Formation/Cancellation”, the BBBCode requires that businesses offer refunds where there is a delay in shipping. Otherwise, however, the Code does not require businesses to adopt any sort of return policy. Indeed, under the information disclosure provision on return policies, the Code states “If the business does not offer a return policy, it shall clearly disclose that fact.” (In the section on dispute resolution, however, businesses are encouraged to consider refunds as one method of satisfying customers in the event of problems with the transaction.)
The BBBCode’s provisions in this respect are inadequate, and do not meet the standard set by other codes, such as WebTrader, which requires full refunds within 30 days where goods turn out to be faulty or different from those ordered, or the Canadian Principles, which require prompt refunds for unauthorized transactions, transactions in which the consumer did not receive what she paid for, and transactions in which the vendor failed to provide relevant information. The WebTrader Code also provides consumers with cancellation/refund rights where the price changes or where the business cannot deliver within the agreed time.
Consumer Privacy (Data Protection)
This is one area in which the BBBCode is clearly inadequate. As noted above in our examination of the comprehensiveness of the BBBCode, numerous important elements of effective data protection are missing. These gaps become most evident when the BBBCode is compared with the CSA Privacy Code (which forms the basis of Bill C-6, proposed federal legislation in Canada, as well as the privacy section of the Canadian Principles reviewed here), or the TrustUK privacy provisions, which appear to be based on a set of principles similar to the CSA Code. Both the TrustUK Code and the WebTrader Code require compliance with the UK Data Protection Act, the provisions of which we have not examined.
Like TRUSTe, the BBBCode focuses on posting and adhering to a privacy policy, rather than meeting all the requirements of fair information practices. While stating up front that the business’s privacy policy must be “consistent with the following fair information principles: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress”, the BBBCode uses permissive (“should”) language for three of the five principles, requiring only that:

  • consumers be given the opportunity to opt out of having their personal information shared with a third party for future marketing purposes;
  • notice be provided as to “what access consumers have to the information collected”;
  • “mechanisms to correct inaccurate individually identifiable information” be established;
  • businesses that collect personal information “state how they protect the quality and integrity of the information collected as well as the confidentiality of that information from unauthorized access”.

In addition, under its “Aim to Please!” principle, the BBBCode prohibits retention of consumer information without affirmative consent where the consumer does not consummate the transaction.
Two of these five requirements constitute information disclosure rules, rather than substantive privacy protection. Hence, the only clear, substantive, and binding privacy protection offered by the BBBCode involves opting-out of disclosures for marketing purposes, the correction of inaccurate information, and the retention of consumer information where the consumer does not complete the transaction. This is woefully inadequate.
In contrast, the CSA Privacy Code and the TrustUK privacy provisions set out a much more comprehensive list of privacy protections, including the following fundamental elements of fair information practices which are not even recommended in the BBBCode:

  • limiting collection of personal information to that which is necessary for the purposes understood and consented to by the consumer;
  • no use or disclosure of personal information without the informed consent of the individual;
  • no unnecessary retention of personal information;
  • measures to ensure the security of personal information held;
  • personal information held must be accurate and where necessary, up-to-date;
  • individuals must be provided, upon request, with reasonable access to their personal information held by the organization;
  • incorrect information must be deleted or corrected promptly;
  • individuals must be able to hold the organization accountable for privacy violations, and challenge its compliance with these policies through a fair and effective redress mechanism.

Even TRUSTe’s privacy code, which is also deficient when compared with the CSA Code, is superior to the BBBCode, insofar as it requires:
– key disclosures (rather than just recommending them, as BBB does),
– that consumers be given an opportunity to opt out of internal secondary uses as well as third party distribution for secondary purposes (not just marketing purposes),
– that appropriate security measures be taken to protect personal information;
– that appropriate measures be taken to ensure the accuracy, completeness and timeliness of personal information collected online and that users can verify that inaccuracies have been corrected.
Hence, the BBBCode fails to measure up to established standards in the area of privacy protection.
Out of interest, we also briefly examined BBBOnline’s Privacy Seal requirements, to see how they measure up to the standards established by other codes such as the CSA Privacy Code. While significantly stronger than the draft BBBCode, the BBBOnline Privacy Seal is still deficient in some key areas. Like the TRUSTe Code, it focuses on disclosures rather than on substantive consumer rights to privacy. Neither the collection, use nor disclosure of consumer information is adequately limited (e.g., to that consented to by the individual), and there is no rule restricting the retention of personal information to that which is necessary. However, the BBBOnline Privacy Seal, like TRUSTe, does require special privacy protections for children, along with a separate Children’s Privacy Seal.
Transactional Security
The BBBCode provisions on security require that online businesses “use secure and encrypted channels for the maintenance and transfer of personally identifiable information such as a credit card number”, and “provide safeguards to ensure that any third parties involved in fulfilling a transaction maintain equal or superior security to that used by the business”.
Security provisions in other codes range from extremely basic (“The site must be secure for sending personal information”: WebTrader) to extremely detailed (BSI Information Security Management Standard, recommended by TrustUK). Most of the codes examined (Ziff-Davis, WebTrust, WebTrader, TRUSTe) require only that the business ensure the security of its own site and/or transmissions. However, like the BBBCode, the Canadian Principles and TrustUK Code explicitly address the need for all parties involved in the transaction to adopt appropriate security measures. BBB’s and TrustUK’s provisions in this respect are superior to those of the other codes insofar as they clearly place a responsibility on the business to ensure that third parties involved in the transaction adopt similar security safeguards.
Security of information collected is one aspect of privacy protection, addressed in most privacy policies, including that in the BBBCode. Transactional security involves measures to protect information in transmission, to ensure authenticity of the parties, and to ensure integrity of the transaction. Some codes address these concepts separately, while others treat them as a single issue. By taking the former approach, the BBBCode provides clearer and more specific direction to businesses; it recognizes that different measures will be needed to ensure different types of security (e.g., security of stored information from unauthorized access vs. security of credit card information in transit).
The overall issue of information security management is the subject of a British Standard, BS 7799-2, which specifies requirements for establishing, implementing and documenting information security management systems. This Standard is not limited in application to online businesses. An outline of it is provided in Appendix A. The controls described in this Standard are extremely detailed, addressing all aspects of a business operation, from management accountability and organization processes to systems development and maintenance. The Standard itself is far more lengthy and detailed than most of the general ecommerce codes examined in this study. While certainly desirable, it is unrealistic to expect businesses (especially small businesses) to adopt a standard of this nature as part of a general, mass-marketed ecommerce code.
It is interesting, however, that the TrustUK Code recommends use of the BSI Standard “as a basis for [the business’s] security standards”, and that both the TrustUK and WebTrust codes include a number of provisions on security which focus, like the BSI Standard, on internal business controls.
Consumer Redress
The Better Business Bureau emphasizes effective complaints resolution as an essential component of good business practices, and prides itself on its efforts to resolve customer disputes. It is therefore surprising that the BBBCode would be so deficient in the area of consumer redress. All that is required under the draft code is:

  • “an easy-to-find and easy-to-understand notice of how a consumer can contact the business to resolve any dissatisfaction related to the transaction”;
  • “an effective internal consumer dispute resolution mechanism”;
  • “good faith effort[s] to resolve any disputes…”; and
  • “additional means to satisfy a consumer should the business’s internal consumer dispute resolution mechanism not result in customer satisfaction. Such additional means could include: money-back guarantees, third-party alternative dispute resolution, escrow services, chargeback mechanisms, or insurance policies….”

Complaints Handling
With respect, first, to internal complaints handling, the BBBCode is barely adequate. On one hand, it offers a concise summary of the overall requirement for an effective complaints handling process. On the other hand, it fails to provide sufficient detail on what constitutes an effective complaints handling process, leaving the question of what constitutes “effective” open to interpretation.
A similar approach to complaints handling (broad statements only) is taken by the Canadian Principles, the OECD Guidelines, and the TrustUK Code. In contrast, the WebTrader Code provides an unusual amount of detail on an effective complaints handling process, listing eight necessary components (fair, confidential, effective, easy to use and well publicized, speedy, informative, simple to understand and use, and checked, to see that it is working well), and linking the online reader to a UK government document providing more detailed guidance as to an effective complaints handling process.
The WebTrader Code comes closest to the standard established by the Australian Standard on Complaints Handling (AS/NZS 4269). This Standard is not specific to online businesses, but it is nevertheless entirely applicable. As described in Appendix A, the Australian Standard sets out thirteen “essential elements” of an effective complaints handling process, and expands on each. While it is arguable to what extent the BBBCode’s requirements for an “effective” mechanism and “good faith” efforts to resolve complaints meet the criteria set out in the Australian Standard, it is clear that many important elements of effective complaints handling have been overlooked in the BBBCode (as in most other codes).
For example, the BBBCode does not require that businesses respond to complaints in a timely fashion. Interestingly, this is one requirement that some otherwise even more deficient codes (Ziff-Davis; Better Cyber Bureau) do contain. Perhaps BBBOnline expected that the Code’s requirement for businesses to “respond, promptly and substantively, to the consumer’s questions” met this need. However, “complaints” are not necessarily “questions”, and the two matters are in any case dealt with separately in the BBBCode. Nor does the BBBCode require that the complaints process be “easy to use”, as do both the TrustUK and WebTrader codes.
Dispute Resolution (post-complaint)
The BBBCode is even less adequate with respect to dispute resolution, once the internal complaints process has failed. It simply requires “additional means to satisfy a consumer”, leaving the determination of what those “additional means” are up to the business. BBBOnline explains this initial approach to dispute resolution by noting that there are many ways to resolve disputes, and that technological advances will likely provide others in the future. BBBOnline states in a Note that it “sought to make this paragraph performance based rather than force one option (ADR) on the business”.
The creators of TrustUK, the OECD Guidelines, the Canadian Principles, and TRUSTe, on the other hand, consider third party dispute resolution to be an integral element of effective consumer redress in the context of a code of online business practices. (WebTrader simply requires subscribing businesses to cooperate with Which? legal services, and neither the Ziff-Davis nor WebTrust codes address this issue.) Indeed, TrustUK’s accreditation criteria require that all unresolved complaints be referred to the Code owner for independent resolution – in other words, that the Code owner administer or oversee some kind of independent third party dispute resolution process. Given that BBBOnline already offers such a service under its “Reliability” seal (indeed, requires its Reliability seal holders to participate in it), it is odd that the Code would not make this process a central aspect of its redress provisions. Like BBBOnline’s Reliability seal program, both TRUSTe and the Better Cyber Bureau require subscribing businesses to engage in their dispute resolution processes as necessary, although the efficacy of these particular processes is questionable.
TrustUK also sets out, for Code owners, a list of criteria that their dispute resolution mechanisms must meet. According to TrustUK, redress mechanisms should be effective, free or low cost, independent, quick (with time limits for each stage), easy to use (clear rules), well-publicized, transparent (annual report to be published), and binding on subscribers. Both TrustUK and the Canadian Principles specifically state that use of the dispute resolution process must not remove the complainant’s right to take the matter to court. The Australian Complaints Handling Standard also lists criteria, albeit somewhat different, for an effective dispute resolution process (see Appendix A).
BBBOnline Reliability Seal Complaints and Dispute Resolution Rules
As noted above, BBBOnline has expressed an intention to incorporate the new Code of Online Business Practices into its existing Online Reliability Seal program. BBBOnline’s Reliability seal program requires that participants “have a satisfactory complaint handling record with the BBB”, “respond promptly to all consumer complaints”, and offer dispute resolution through the BBB or another provider that meets BBB criteria. Those criteria are:

  • Full Disclosure (of types of disputes covered, contact information for the arbitration forum, fees, standards used as the basis for the decision, and legal implications of signing the arbitration clause);
  • Requirement that the consumer separately sign the arbitration clause; and
  • Fair and Impartial Resolution (independent and impartial administration, due process, reasonable costs, feedback to BBBOnline on case resolution).

While a vast improvement over the draft Code provisions, the Reliability Seal requirements still do not meet the highest standards of complaints handling and dispute resolution. Numerous requirements of an effective complaints handling mechanism are simply not addressed, and some of the key elements of effective dispute resolution are left unclear (e.g., low cost, ease of access and use, availability of information on past performance) in the criteria set out above. Thus, even in the context of the BBBOnline Reliability Seal Program, there is room for improvement in the area of consumer redress.
Unsolicited Commercial Email
The BBBCode’s provision on unsolicited commercial email (“UCE”) requires that subscribing businesses “provide an easy to use and understand “Do Not Contact” policy – a policy that enables those customers who do not wish to be contacted online to ‘opt out’ online from future solicitations”, and that the businesses “subscribe to a bona-fide email suppression list”. It is not clear what is meant by “email suppression list” – this needs to be clarified.
The “opt-out” approach taken by BBBOnline is common among those codes that address UCE (e.g., OECD Guidelines, WebTrader, TrustUK). TRUSTe, while not specifically addressing UCE, effectively does so via the requirement that consumers be able to opt out of “internal secondary uses”. The Canadian Principles do explicitly address UCE, but do not explicitly choose the opt out approach. They state instead that “Vendors should not transmit commercial email without the consent of consumers, or unless a vendor has an existing relationship with a consumer”. (It is not clear from this statement whether consent can be obtained implicitly via an “opt-out” approach.)
Alternative approaches to UCE are (a) to simply prohibit it, or (b) to require express, positive consent from the consumer (the “opt-in” approach). Interestingly, one of the few requirements of the Better Internet Bureau is that the business does not engage in “any mass distribution of email known as ‘spam’” (the term “spam”, however, could be interpreted broadly or narrowly). TrustUK, while requiring consumer opt-out mechanisms, also prohibits outright the sending of “unsolicited commercial email which is random and untargeted” (one possible definition of “spam”). Given the increasing annoyance and cost imposed on consumers by such untargeted “spamming”, such a rule is appropriate and should be adopted by BBB and other codes.
While “opt in” approaches are preferable from the consumer perspective, “opt-out” approaches can work if applied rigorously and in good faith. It is important, for example, that consumers be made aware of their rights to refuse UCE, and of the method by which to exercise those rights. (The BBBCode requires the business to describe its UCE practices.) It’s also important that UCE be clearly identifiable as such – a requirement found only in the TrustUK code, of all the codes examined.
The BBBCode provisions on UCE, while adequate and better than some other codes, are not in our view optimal. At a minimum, the existing provisions should be supplemented with an outright prohibition on random and untargeted UCE, as well as a requirement that all UCE be clearly identified as such. BBB could also encourage adoption of an “opt in” approach, as a best practice.
Protection of Children
Not all Codes address the special protections that are needed to avoid exploitation of children’s natural credulity, lack of experience and level of risk awareness. Of those reviewed, only the BBBCode, the TrustUK Code, TRUSTe, and the OECD Guidelines address the issue. Unlike the first three, which set out detailed rules, the OECD Guidelines merely state that “Businesses should take special care in advertising or marketing that is targeted to children, the elderly, the seriously ill, and others who may not have the capacity to fully understand the information with which they are presented”.
The BBBCode devotes an entire Principle to children, and requires subscribers to adhere to a separate Code of Practice on advertising to children (“Children’s Advertising Review Unit (CARU) Self Regulatory Guidelines for Children’s Advertising”). TRUSTe requires adherence to an additional set of requirements (“children’s seal requirements”), and display of a separate children’s seal, if the site is aimed at children under 13. TrustUK requires that accredited Codes include “specific requirements relating to the fair treatment of children”, and sets out six provisions that must be included. The TrustUK, TRUSTe, and BBBCode (CARU Code) provisions on children all include rules limiting the collection of information from children, and requiring verifiable parental consent. It should be noted that in the United States, recent passage of the Children’s Online Privacy Protection Act of 1998 establishes legal requirements in respect of such activities. The CARU Code also provides a lengthy and detailed set of rules regarding advertising directed at children.
The BBBCode therefore scores highly in the area of children’s protection.
Compliance Assessment and Oversight
A Code is meaningful only if the entities that claim to comply with it actually do so. Business self-declaration is insufficient, particularly when it comes to reliability seals; independent third party compliance assessment is an essential component of any such scheme. This is recognized:

  • by TrustUK in its accreditation criteria, under which Code owners are responsible for monitoring and enforcing their Codes, and under which TrustUK is responsible for monitoring Code owners and withdrawing accreditation as necessary;
  • by TRUSTe, in its oversight and complaint resolution procedures; and
  • by WebTrust, in its quarterly audit requirement.

All that the BBBCode requires, however, is that the entity that conducted the compliance assessment review be disclosed. In other words, businesses must state that they are declaring themselves to be compliant with the Code, if they choose not to obtain a third party compliance assessment. While such disclosure is essential where self-declaration is permitted, it is not at all clear that consumer misunderstanding will be thus averted, especially if self-declaration is accompanied by a mark indicating third party accreditation.
Assessing the BBBCode in the context of the BBBOnline Reliability Seal program, however, changes the results. Under the Reliability seal program, BBBOnline is the entity responsible for compliance assessment. It monitors the subscriber’s complaint handling and dispute resolution record, and has the power to revoke the seal where a subscriber does not satisfactorily comply. It does not, however, engage in audits (like WebTrust), “seeding” (like TRUSTe), or monitoring of subscribers’ business practices (as required by TrustUK); compliance assessment is purely complaints based. In this respect, the BBB approach to compliance assessment may be seen to be lacking.
TrustUK requires that Code owners “have in place an effective system to enforce the provisions of the Code of Practice to ensure compliance with it”, which system must include:

  • monitoring of subscribers’ compliance with the Code;
  • “effective and meaningful sanctions”;
  • “a commitment from the subscriber to comply with the Code and an undertaking from them to take appropriate action to amend procedures to bring them in line with the Code at the request of the Code owner…”; and
  • “the ability to terminate membership of or involvement with the Code owner…where the subscriber fails to take action to ensure compliance with the Code or is found to be seriously or consistently in breach of the Code”.

In addition, TrustUK requires that Code owners report quarterly to TrustUK on the compliance of their subscribers/members with their Code of Practice.
For its part, TRUSTe conducts periodic reviews of member sites, and periodically “seeds” member sites (submits personal information online) to verify that the site is following its stated privacy policies. When and where it deems appropriate (e.g., where violations are found or suspected), TRUSTe may also require an on-site compliance review by an independent auditing firm. Where licensees fail to correct problems, TRUSTe may revoke the trustmark. However, the criteria for revocation are left unclear, such that revocation decisions are left entirely within the discretion of TRUSTe.
The WebTrust seal program is all about compliance assessment. Entities are permitted to continue displaying the WebTrust seal only if the “assurance examination” is updated on a regular basis, which shall in no case be less than quarterly, and if the entity gives notice of any significant and relevant changes in its business policies, practices, processes and controls during the interval between compliance assessments.

VI. CONCLUSION

The BBBOnline draft Code of Online Business Practices receives a mixed review when measured against emerging standards as well as other existing codes. It is strong in some respects but weak in others. The Code is particularly strong in the areas of information disclosure, misleading and deceptive practices, and the protection of children. It is particularly weak in the areas of consumer privacy and redress. Depending on how each of these components is valued, the BBBCode may be considered adequate or inadequate. It is certainly superior to many other codes and seal programs currently offered in the marketplace, but remains deficient in some key respects. It is hoped that the worst of these deficiencies, at least, will be corrected before the draft Code is finalized and put into practice.
When assessed as part of the BBBOnline Reliability Seal program, the redress and compliance aspects of the draft Code are substantially strengthened, but still don’t meet the highest standards of complaints handling, dispute resolution, and compliance assessment.
APPENDIX A:
OUTLINE OF SELECTED CODES AND STANDARDS
BBBOnline draft Code of Online Business Practices
http://www.bbbonline.org
– speaks to online merchants only
– logo provided to approved members; may be withdrawn if non-compliance
– links to other Code (re: Children’s Advert)

A Garland For Consumers: Will The Garland Case Provide Safeguards For Vulnerable Consumers?


Introduction

A Garland For Consumers?
In October of 1998, the Supreme Court of Canada found that the Late Payment Penalties (LPP) charged by Consumers’ Gas may constitute a criminal interest rate contrary to section 347 of the Criminal Code. The decision, in Garland v. Consumers’ Gas, was unexpected insofar as the LPP had been continuously approved by the Ontario Energy Board since its adoption in 1975. It also brings in its wake, however, an important opportunity to revisit the need to provide safeguards for vulnerable consumers.
The decision is an illustration of how consumers, who possess little bargaining power, may be protected from exorbitant usurious penalties and charges for late payment. After all, such punitive transaction costs often catapult the customer into further default. As many consumers simply cannot pay, rising debt threatens their access to commodities which are vital to the maintenance of their standard of living.
Further, the conclusion that the Garland case may have only a limited impact on consumer credit protection raises a host of ancillary issues concerning the billing practices of utilities. This discussion, therefore, goes beyond the examination of the legal decision and its policy implications. It also attempts to recognize the need for the creation of consumer credit protections, implemented within a comprehensive framework.
Chapter One will assess the scope of section 347 of the Criminal Code by describing the legislative history surrounding its adoption, and the actual construction of the section. Canadian case law will also be detailed, with a particular emphasis on the Supreme Court’s reasoning with respect to the LPP in Garland. Chapter Two will briefly compare and contrast the Canadian experience with how consumers in the United States and the United Kingdom are protected from usurious charges. Chapter Three will focus on the policy implications of Garland, from a consumer standpoint. In turn, Chapter Four will look at industrial implications by examining the policies of specific companies in a variety of industries. In conclusion, the study will recommend actions which may be taken to further protect consumers from exploitive credit arrangements. Although Garland is clearly a step in the right direction, its application is not a sufficient response to the needs of consumers.

Consumer Protection after the OECD Guidelines

What’s Next? Consumer Protection after the OECD Guidelines

Speaking Notes – Philippa Lawson
Public Voice 99 Conference

  • We need first to be clear on what our goal is. Our goal is not simply to promote electronic commerce as a way of improving economic opportunity and choice – that, our business colleagues are doing very well. We, the public voice, recognize that the social and economic transformations brought about by electronic commerce may not all be positive, and that the public interest lies not in promoting a particular mode of commerce over others, but rather in maximizing the benefits (e.g., improving worldwide access to the Internet) and minimizing the costs (e.g., socioeconomic dislocation, privacy invasion, barriers to consumer redress) of an inevitable market development.

Electronic commerce is happening; we don’t need to promote it. Our goal, in respect of consumer protection, should therefore be to minimize the consumer problems associated with ecommerce. It is in the interests of both business and consumers to focus on this goal.

  • In this context, the OECD Guidelines are just one piece of a much larger puzzle, a first step on the way toward a truly consumer-friendly electronic marketplace. Much more work still needs to be done.
  • Gaps remain in the OECD Guidelines, largely as a result of the compromise that was necessary to achieve consensus on this document. A critical gap is on the issue of jurisdiction: will consumers be able to rely upon the laws and courts of their own country with respect to electronic transactions that they conducted in that country? Another gap involves the failure to set out consumer rights and liabilities in the event that the merchant does not comply with the Guidelines (e.g., fails to provide full or accurate information, fails to provide a reasonable opportunity to cancel or correct an error in the order, or simply fails to deliver).
  • There are a number of challenges ahead, including:

a) finding the right mixture of legislation and self-regulation in the implementation of these Guidelines;
b) dealing with a likely proliferation of certification schemes and reliability marks – who is the consumer to trust?
c) developing international standards of consumer protection, so as to avoid the creation of “consumer fraud havens”, or trade disputes over the legitimacy of national consumer protection laws; and
d) ensuring that authentication and security mechanisms respect consumer privacy.
We have a number of tasks ahead in order to achieve our goal of minimizing consumer problems in the electronic marketplace. We must:

  • continue to remind policy makers that market forces won’t solve all consumer protection issues, that market forces in fact create problems for consumers, and that governments have a responsibility to protect consumers from market abuses, both within countries and across borders;
  • continue to work domestically to implement the OECD Guidelines and other necessary and corollary protections (such as the consumer’s right to reimbursement when the merchant fails to deliver);
  • continue to monitor and report on problems encountered with electronic commerce (here the OECD can play an important role);
  • continue to educate consumers about the risks associated with ecommerce, and about their rights and remedies; and
  • continue to assist our governments in expanding cross-border cooperation in the enforcement of both consumer protection laws and court judgements.

In addition, we need:

  • within the OECD, to ensure that the critical role played by the Consumer Policy Committee is appreciated and that this Committee is provided with sufficient resources to do its job well into the future, and to work with the OECD to improve the mechanisms by which the public voice can be heard;
  • to find an appropriate multilateral forum within which to “internationalize” the OECD Guidelines, beyond this relatively small group of countries;
  • to ensure that minimum standards of consumer protection, including data protection, are treated as minimum standards, and don’t become ceilings above which protections risk being challenged as trade barriers, leading to a “race to the bottom”;
  • to become more active at the international level, as BIAC, AGB, GBDe and other business groups have done, to ensure that the public voice is heard as loudly as the business voice in policy-making fora;
  • to work with business to help them develop effective self-regulatory regimes, as well as an appreciation of the need for consumer protection and privacy laws;
  • to work with government and business to develop international standards for voluntary codes, complaint and dispute resolution processes, which will be such an important element of consumer-friendly ecommerce. Such “standards for standards” will be important,
    • so that consumers can judge the effectiveness of self-regulatory efforts,
    • so that they can easily identify hollow assurances and misleading claims,
    • so that they can navigate among a potentially large and diverse array of reliability marks and certification schemes, and
    • so that business has some kind of baseline for its self-regulatory efforts.

The time is ripe for an international initiative in this respect, so as to avoid marketplace confusion (and its potentially damaging effect on electronic commerce) due to a proliferation of self-regulatory schemes of varying effectiveness, to build consumer confidence in this new medium, and more importantly, to ensure that such confidence is deserved.
END

Improving Internet Access: The Canadian Approach

Philippa Lawson
Public Interest Advocacy Centre, Ottawa, Canada

Paper for “Computers, Freedom and Privacy: The Global Internet”

The Internet holds great promise as a facilitator of social and economic development. Indeed, we are already experiencing the tremendous empowering effect that it can have on otherwise disadvantaged individuals and groups: witness, for example, the successful campaign by citizens’ groups to derail the Multilateral Agreement on Investment, the growth of community networking, and the explosion of individual websites. The potential of this new medium to empower citizens, as well as reduce government expense, improve delivery of services, and enhance competitiveness, has not escaped notice.
But with this great promise comes danger. If Internet access remains a preserve of a social elite, existing social disparities will only widen. If we fail to achieve universal access to the Internet, those who are already privileged will be further empowered, while those who lack basic amenities such as telephone service will be further disadvantaged.
In the new knowledge-based economy, democratic governments are recognizing the importance of universal access. In the race for global competitiveness, they understand the benefits of a connected and knowledgeable workforce, a vibrant electronic marketplace, and a citizenry able to use information and communications technologies in new and innovative ways. As we come to depend increasingly upon electronic communications, the realization of democracy comes to depend upon universal access.
Unfortunately, universal access to the information highway is one of those things that the market cannot achieve without government intervention. Left to its own devices, the market provides amply for those of us with financial resources, but offers limited access to those without. It provides abundant and cheap service to urban dwellers, but offers limited and expensive options to rural and remote dwellers. The evidence of this disparity in access is most stark at the international level, but it is also present domestically.
Allowing market forces alone to shape the Internet is undesirable for a second reason: it paves the way for domination of the electronic media by commercial interests. If it is to be meaningful, access must be to more than an electronic marketplace. The “electronic commons” must include public space, within which citizens can share ideas and information freely, away from commercial pressures and above the hubbub of the marketplace.

Canadian Statistics

Canada is proud of its achievements in respect of telephone service penetration. Under a system of monopoly regulation, we have achieved an overall penetration rate of over 98%, excluding Indian reserves and the far north.(1) This rate falls to 94% for households at the lower end of the income scale. Penetration of cable TV is also high in Canada, with 74% of households subscribing (65% of low income households).(2)
Canada is also one of the most connected nations in the world: recent surveys indicate that 40%-55% of Canadians have Internet access, and that over 25% of Canadian households have Internet accounts.(3) Not surprisingly, this rate is significantly lower for low income households (16% vs. 46% for higher income), the less educated (12% vs. 44% for University educated), and seniors (6% vs. 39% for those under 25 years).(4)
Low income Internet users tend to rely more on access from school and public sites, while higher income users access the Internet from home and work. Rural dwellers are less likely to have access from the home than are urban dwellers.(5)
Recent surveys indicate that the rate of growth of Internet access in Canada is levelling off, although use by those connected continues to grow.(6) If true, this is a disturbing trend. Efforts are clearly needed to avoid the entrenchment of existing social disparities in Internet access.

Market Developments

The telecommunications industry in Canada is in transition: competition in the provision of long distance service is vigorous, while competitors for local telecommunications service are just getting off the ground. Long distance rates have plummeted, while local rates have more than doubled since competition was introduced. Wireless competitors are attracting more and more consumers, although they are not yet considered a substitute for basic wireline service.
The market for Internet access in Canada is also booming. Recent indications suggest that there are 700-800 Internet Service Providers (ISPs) in Canada, of which 100 account for 90% of users and 80% of traffic.(7) Some of the largest Canadian ISPs are affiliates of telephone companies. In addition to commercial ISPs, Canada has a variety of non-profit, community-based networks. For example, Web Networks, a non-profit online community of over 3500 Canadian non-profits and social activists, offers full service Internet access for a monthly fee.(8) At the other end of the spectrum, dozens of local community networks offer low fee or free access to community information, services and discussion groups as well as the Internet. In 1997, two thirds of Canadian Internet subscribers obtained service from an independent ISP, 21% from the telephone company ISP, 5% from the cable TV ISP, and 4% from community networks.(9)

Community Networks

Community networking is a growing movement in Canada, with approximately 50 community networks now in operation, and over 100 more in development. According to Telecommunities Canada, the national voice for community networks, close to half a million Canadians have been or are members of a community network, while many more access the information or use the services provided by these grassroots organizations. It is noteworthy that community networking in Canada predates commercial ISPs.(10)
Community networks are defined generally by their local focus, non-profit status, non-commercial nature, open membership, equitable (in many cases, free) access policies, partnerships with other community-based organizations, provision of a broad range of information of interest to the local community, and encouragement of the free exchange of ideas and information among members. They permit low speed, text-based access as well as graphical interfacing, so that citizens with early model computers and modems can still access the network. All community networks share the primary goal of providing access to those who cannot otherwise afford Internet access. They tend to rely heavily on volunteers.
The most advanced community networks in Canada offer access to an extensive array of local information and services, as well as access to the World Wide Web. They provide training in computer use, facilities for those in need, e-mail service, discussion forums, and much more.
Partnerships with other community organizations form the basis of much service and information delivery on the network, while corporate partnerships bring valuable donations of equipment and services. The National Capital Freenet (NCF), for example, benefits from the donation by Mitel Corporation of its telephone lines and Internet connectivity after business hours. The NCF’s partnership with local libraries means that it can offer some 61 public access terminals throughout the city of Ottawa.
Some community networks rely primarily on government grants for their operations, others on donations, and others on membership fees. Financial sustainability is an ongoing issue, especially for those community nets wishing to maintain a policy of free access to this non-commercial electronic space.

Regulatory Developments

The Canadian Radio-Television and Telecommunications Commission (CRTC) is under a statutory mandate to regulate the provision of telecommunications services where market forces cannot be relied upon “to render reliable and affordable telecommunications services of high quality accessible to Canadians in both urban and rural areas in all regions of Canada”.(11) The CRTC has overseen the introduction of competition in both long distance and local telecommunications markets, and is currently examining regulatory issues arising out of new media such as the Internet.(12)
Long distance rates have been deregulated, and funds have been established for the continued subsidization of basic local residential telephone rates in a competitively neutral manner.(13) In light of rising rates for basic local service, the Commission is monitoring telephone penetration and disconnection rates, with a view to establishing discount rates for low income households (similar to the Lifeline and LinkUp programs in the USA) should the need arise.(14) Selective regulation of the telecommunications market will continue to be needed in order to address systemic market failures and inadequacies that threaten to impede access.
Competition should be allowed to flourish where it can best achieve our ultimate goals of affordable, universal access. But this doesn’t mean turning a blind eye to the market. Indeed, governments must guard vigilantly against anti-competitive behaviour and harmful mergers in the markets for computer hardware and software, as well as Internet service provision. The outcome of the Microsoft anti-trust case, for example, will have important ramifications for access. Healthy competition in the markets for computer products is essential in order to avoid monopolistic pricing and other practices harmful to consumers.
The CRTC has established regulatory safeguards against anti-competitive behaviour by incumbent firms and other market players, while the Bureau of Competition – Canada’s anti-trust authority – reviews mergers and investigates and prosecutes violations of the Competition Act. Both bodies are currently dealing with complaints of predatory pricing of ADSL-based retail Internet access by affiliates of Bell Canada.(15)

Government Initiatives

The Canadian government, eager to capitalize on our comparative advantage in the development and use of communications technologies, has publicly committed itself to making Canada the most connected nation in the world by the year 2000. The government’s agenda of “Connecting Canadians” includes a number of strategies for improving Internet access, and relies upon funding partnerships with the private sector as well as other levels of government.
Under the Community Access Program (CAP), 5000 rural and remote communities and up to 5000 urban centres are to have public Internet access sites by early 2001. The program is designed to provide Canadians with affordable public access to the Internet and the skills to use it effectively. Matching grants are provided to local non-profit organizations who then act as “on-ramps” to the Information Highway. Close to 4,000 CAP sites have been established to date, most in libraries, schools or community centres. Each site is staffed with trained personnel.
All CAP sites provide Internet access to the public, some for free and others for a fee. Terminals also typically offer access to government services, educational resources, and in one quarter of cases, public e-mail. Training in computer use, Internet navigation and/or web page development is offered by three-quarters of CAP sites.
CAP sites have been successful in raising public awareness about the Internet, and in providing access and training to citizens in a number of communities. However, their sustainability in the absence of continued government funding is questionable. One third of CAP sites recently surveyed in New Brunswick indicated that they would have to close immediately if government funding were withdrawn. Only 18% thought that they could remain in operation without cutbacks (e.g., to training services). Efforts are therefore underway to develop models for the sustainability of CAP sites. Approaches include user fees, private sponsorships, and partnerships with other community organizations, educational institutions and government programs (e.g., employment offices) with a view to reducing cost. The imposition of user fees is particularly controversial as it risks defeating the main purpose of community access sites: to provide a means of access to those who can’t afford a home computer.
SchoolNet provides Canadian schools and public libraries with on-line access to Internet-based resources. The government aims to have all of Canada’s 16,500 schools and 3,400 libraries connected to the Internet by March 31, 1999.
What it means to be “connected”, however, is not at all clear. While some schools have been able to take advantage of this new resource, most haven’t yet determined how or why they want to use the Internet. In a time of significant cutbacks to education budgets, most schools don’t have the money to train teachers in Internet usage, or support staff in equipment maintenance. Teachers have yet to be provided with the necessary training for this program to achieve its potential.
As part of the SchoolNet program, Computers for Schools provides Canada’s schools and libraries with surplus computers and software from governments and the private sector. In workshops set up across the country, students are given on-the-job experience refurbishing computers for use by schools and libraries.
VolNet is a new program jointly administered by government, private and voluntary sector interests. It aims to connect 10,000 charitable and non-profit organizations to the Internet by early 2001, thereby helping them to play a stronger role in Canadian society. In addition to Internet access, the program will provide recycled computer equipment, Internet skills development, free or low-cost software, and electronic information.
Under the Smart Communities initiative, the federal government seeks to assist communities in the effective use of information and communications technologies with a view to transforming the social and economic circumstances of the community. The goals of this program are lofty, and include empowering citizens, stimulating economic growth, and improving education and health care. It is expected that financial and technical assistance will initially be provided to selected communities across the country, with a view to establishing 20 demonstration “smart communities” by the year 2000.
This program appears to be a response by the Canadian government to the international “Smart Communities” movement, to which other countries have already dedicated substantial government resources. Canada does not want to be seen as lagging in any respect. However, it has been noted that many of Canada’s community networks are already fulfilling the role of “Smart Communities”. It is unclear how this new initiative differs from the grassroots community network movement, except that it involves more “top-down” direction, at least initially. The Report of the Panel on Smart Communities to the Canadian government stated:
Given the innovation already apparent among Canadian communities, it is fair to question the need for any kind of national overview of plan. Indeed, it is reasonable to assume that over the next few years, left to their own devices, Canadian might well see the blooming of several hundred community initiatives. However, rather than taking a laissez-faire approach, Canadians should actively promote the adoption of best practices across and beyond communities to share knowledge and experience more quickly and effectively.(16)
It remains to be seen how the “Smart Communities” initiative will interrelate with existing community networking initiatives.
Provincial governments have their own array of programs designed, in part, to improve access by their citizens to the Internet. For example, Ontario’s Telecommunications Access Partnerships “provides assistance to encourage businesses, economic sectors, public institutions and communities to work together in innovative ways on information highway projects”. In British Columbia, an “Electronic Highway Accord” among government, industry, labour and community groups sets out a vision, guiding principles, objectives and targeted outcomes, with a view to providing all British Columbians with “affordable electronic access to networks and services enabling them to communicate, learn, be entertained, work, and prosper in an information-based society”.(17) Under the guidance of this Accord, the B.C. government has provided significant financial assistance to community networks and related initiatives. Other provinces have similar programs.

Public Interest Group Proposals

A number of academics and public interest advocates concerned about access in Canada have developed a proposal for a “National Access Strategy”,(18) which builds upon the initiatives described above. This coalition views the government’s connectedness agenda as too narrow, leaving “serious gaps in terms of the conception of access, who is served, the consultative process, formative assessments, and governance.” Their proposed strategy focuses on access as a multi-dimensional phenomenon aimed at empowering citizens, especially those who are currently marginalized. It emphasizes social discourse rather than service delivery, communication rather than commerce, and equity rather than efficiency. It calls for much greater government support of non-profit community initiatives to improve access, and the establishment of an independent, public interest body responsible for implementing the national access strategy.
Other public interest advocates argue that the efficiency, effectiveness and sustainability of access initiatives can be improved through greater use of partnerships, both within and outside of government, but that ongoing government funding of community initiatives is both necessary and appropriate.(19)

Conclusions

There is a great deal happening in Canada, both at the grassroots and the government policy level, to improve Internet access. Community networks and libraries have been in the forefront of this movement, while governments are providing significant funding, direction, training, and other resources for the expansion of access at all levels. Key issues that remain to be resolved include the sustainability of government-funded initiatives, the provision of training and resources in order that schools can take advantage of new computer facilities, and the preservation of non-commercial, public space on the Internet to which all citizens have access. Canada has set an ambitious goal for itself: to be the most connected nation in the world by the year 2000. We’re well on the way, but there is still much work to be done.

1. Penetration in many northern communities and Indian reserves is much lower.
2. Statistics Canada, Household Facilities by Income and Other Characteristics, 1997; Cat. no. 13-218-XPB, Table 1.0.
3. Comquest Research, Latest Canadian Internet Trends, Feb. 1999 (www.comquest.ca); Ekos Research, The Information Highway and the Canadian Communications Household, Dec. 1998.
4. Ekos Research, op. cit.
5. Comquest Research, op. cit.; Ekos Research, op. cit.
6. Comquest Research, op. cit.
7. Canadian Association of Internet Service Providers (www.caip.ca).
8. See www.web.net
9. Ekos Research, op. cit.
10. The National Capital Freenet was formed in 1992, with the Vancouver Community Network and the Chebucto Community Network (Halifax) coming on stream in 1993.
11. Telecommunications Act, S.C. 1993, c.38; s. 7.
12. See the CRTC website (www.crtc.gc.ca) for information on past and current proceedings.
13. The existing Funds only operate in territories where competition has been introduced. The CRTC is currently deliberating on the appropriate model for subsidizing service delivery in high cost areas within and outside of these territories. In addition, the current system of collecting contributions only from long distance providers (based on minutes sold) is being reconsidered.
14. Anti-poverty, seniors, and other consumer groups have argued for some time now that affordability of basic phone service is already a serious problem for large numbers of Canadian households, and that measures such as a targeted subsidy are needed now. They point out that penetration rates are misleading, given the essential nature of the service: people can’t afford the price, but at the same time, they can’t afford to do without telephone service. The most recent Canadian statistics indicate that approximately 126,000 Canadian households are doing without telephone service because they can’t afford it.
15. Competing ISPs argue that Bell is abusing its market dominance by offering ADSL-based Internet access to retail customers for a fraction of the cost to either Bell or its ISP competitors. It remains to be seen how this dispute will be resolved.
16. Nov. 1998, p.10 (see http://smartcommunities.ic.gc.ca)
17. www.ista.gov.bc.ca/pubs/accord.html
18. “Key Elements of a National Access Strategy: A Public Interest Proposal” (August 1998); www.fis.utoronto.ca/research/ipirp/ua/
19. See Andrew Reddick, “Community Networking and Access Initiatives in Canada” (PIAC, 1998).