Patrick McGrath

BA,LLB(Hons) MComLaw(Hons)

Setting Up Business Online

Paper presented for the Auckland District Law Society, March 2003

1. INTRODUCTION

Clients wishing to do business online will need advice on key legal issues surrounding the production and maintenance of a website, such as name protection, protection of the client's intellectual property and avoidance of breaching the intellectual property rights of others, contracts with website developers and hosts, trading terms and conditions, and privacy policies.

2. SELECTING AND SECURING A DOMAIN NAME

A domain name is an internet site's registered address, a user-friendly textual equivalent to the site's 10 digit numerical IP (Internetworking Protocol) address.

For example:

Domain Name            Numerical IP address
shieffangland.co.nz    192.32.66.132


Various organisations exist which act as registries for different categories of domain names and the manner in which disputes as to eligibility for a name will be resolved differs accordingly. This needs to be considered when choosing a domain name and in deciding what to do if it is found that the domain the client wishes to register is taken. Registry organisations do not normally look into whether an applicant has "legitimate rights" to a name.

The generic Top Level Domains (gTLDs), such as .com, .net, and .org, are managed by various companies. For example, Verisign Inc. operates the .com registry and NeuLevel LLC operates .biz. The registry operators have agreements with more than 100 companies who sell domains and are known as registrars.

Registration of a gTLD requires as a condition that the domain name owner agrees to abide by the Uniform Domain Name Dispute Resolution Policy ("UDRP") of the overall body responsible for domain names, the Internet Corporation for Assigned Names and Numbers ("ICANN"). Disputes under the UDRP are resolved by approved dispute resolution service providers, the most well known of which is the United Nations World Intellectual Property Organisation (WIPO) Arbitration and Mediation Centre.

Under the UDRP, a party can put a stop to another's use of a domain name or have the domain name transferred to the first party if:

· The domain name is identical or confusingly similar to a trade mark or service mark in which the complainant has rights (including common law rights);

· The respondent has no rights or legitimate interest in respect of the domain name; and

· The domain name has been registered in bad faith and is being used in bad faith.

Arbitrations take place online, usually at a fraction of the cost of an equivalent dispute in court.

The more than 250 country code Top Level Domains (ccTLDs) such as .nz, .uk, .au are administered by organisations in each of the relevant countries. Some of these have dispute resolution policies along the lines of the UDRP. Others do not, in which case disputes are resolved in the ordinary courts.

Country code .nz domain names (eg .co.nz, .org.nz, .ac.nz) are allocated by New Zealand Registry Services Limited under a management contract with InternetNZ. NZ Registry Services controls the register. There are currently about 25 retailers of .nz domain names, who act as agents for people seeking to register and are known as registrars. At present, there is no dispute resolution policy for ".nz" domain names and disputes are resolved through the courts.

Clients should act quickly to register a desired domain name. If they do not already have a trade mark they should register one. They should consider registering the domain name (and variations on the domain name) in various jurisdictions if they intend to do business in those jurisdictions (eg .com, .co.nz, .com.au). Registering variations on the spelling, particularly common mis-spellings, will prevent cybersquatters from registering domain names with those mis-spellings. For instance, in a recent case, Paws Incorporated v John Zuccarini, a cybersquatter, Mr Zuccarini, registered the domain name "garfeild.com", a mis-spelling of "garfield" as in the Garfield comic strip. Zuccarini is a prolific cybersquatter who has lost over 100 cases under the UDRP. Pornography was displayed at the site, and Zuccarini diverted visitors who were looking for the official "Garfield" site to his own. The owner of the "Garfield" comic strip, who also owned the trade mark "Garfield", was successful in having "garfeild.com" transferred to it under the UDRP.

If it is found that someone else has registered the name in bad faith, the client should be advised to take action quickly. Delay may count against it, particularly in seeking injunctive relief.

If the other party has legitimate rights to the name, consider a commercial arrangement to have the name assigned, or a licensing arrangement.

3. COMPLIANCE CHECK CONTENT

As the client selects or develops material for display on the website, the following issues need to be considered. They should be addressed at an early stage, although a final compliance check should be done just before the website goes live:

a) Copyright

The client's copyright in its material must be protected and breaching the copyright of others should be avoided. Check that the client is the copyright owner in the material or, if not, that the client is licensed by the copyright owner to use the material, and check that the licence covers use on a website.

As to material developed in-house, the starting position is that the author is the copyright owner. However, the material is likely to be produced by employees. Where employees produce a literary, dramatic, musical or artistic work, the employer owns the copyright, subject to any agreement to the contrary.

The © symbol, along with the name of the copyright owner and the date the work was created, should be used to assert copyright, as should the terms and conditions relating to the website (discussed below).

b) Trade marks

Check that the client has valid trade mark rights and use the ® (registered trade mark) and "TM" symbols as appropriate.

c) Trade representations

Check that statements to be made on the website do not breach the Fair Trading Act 1986 or the Consumer Guarantees Act 1993, and do not amount to the tort of negligent misstatement or deceit.

d) Defamation

There was never much doubt that defamation could be committed on the internet and this was shown to be the case at New Zealand law in O'Brien v Brown in which the defendant, Mr Brown, was ordered to pay damages of $30,000.00 for defamatory remarks made about the then CEO of Domainz (the company then responsible for .nz domains), which remarks were posted on a website. Mr Brown argued unsuccessfully that the defence of qualified privilege applied, based on freedom of expression and the context of the culture of the internet.

In Dow Jones & Company Inc v Gutnick, the High Court of Australia ruled that the plaintiff's defamation case against Dow Jones should proceed in Victoria, Australia. The alleged defamation arose out of publication by Dow Jones of comments concerning Mr Gutnick in an article entitled "Unholy Gains" in "Barron's Online". Dow Jones' web-servers were in New Jersey and they argued the case should be held there, where defamation laws are relatively liberal. However, the article was able to be downloaded in Victoria, Mr Gutnick's place of residence. The High Court ruled that this gave the Victorian courts jurisdiction over the matter.

e) Hyperlinking

The client may wish to take advantage of the common internet practice of allowing users to click on an icon or on an underlined word or phrase and jump to other sites. For instance, the websites of some law firms contain material produced by the law firm plus links to news sites containing information relevant to legal topics. Arguably, hyperlinking may breach copyright or amount to passing off or breach of the Fair Trading Act. This applies in particular to deep linking, the practice of linking to another site in a way which by-passes the other site's home page and so does not make it clear that the user has moved to another site. As the status of linking remains unclear, licences should be obtained from the owners of sites to which the client proposes to link.

f) Industry specific laws and codes of practice

The proposed content of the website should be developed with any industry specific laws or codes of conduct in mind. For example, a site containing advertising or information on food should be checked against the Australia New Zealand Food Standards Code, which is a mandatory code. Some voluntary codes which may need to be checked are the Code of Practice for Direct Marketing in New Zealand, the Advertising Standards Authority Codes and the Ministry of Consumer Affairs' Model Code for Consumer Protection in Electronic Commerce.

g) Objectionable Material

It goes without saying that content displayed on a website should not breach the Films, Videos and Publications Classification Act 1993.

4. WEBSITE DEVELOPMENT AGREEMENT

Creating and maintaining a website requires fairly sophisticated design skills and programming skills. Few businesses will have the expertise to develop their own websites and most will contract for the services of a website development company.

There should be a written agreement between the owner and developer which should clearly set out their rights and responsibilities covering the following core issues:

· Functional requirements - the parties should agree upon the features of the website and what it is to achieve, and write these into the contract. This will include matters such as capacity, scalability, compatibility and response times.

· Timeframe - definite milestones should be agreed upon, covering initial design work through to acceptance testing and final payment.

· Charges - if the development services are provided on a time and materials basis the customer bears the financial risk of the project running over time and over budget. The supplier bears the risk if the services are provided on a fixed price basis.

· Copyright - who owns copyright in the website is an important issue. Under s21(3) of the Copyright Act 1994, where a business commissions and pays, or agrees to pay, for the taking of a photograph or the preparation of graphics, drawings, computer programmes or video images for a website, the commissioning party owns copyright, but this is subject to any agreement to the contrary. Copyright in written text is owned by the author. That will be the web developer if the developer is engaged to write text for the site. Again, this is subject to agreement to the contrary.

It is not uncommon for website developers to contract out of the commissioning rule and retain copyright ownership, merely licensing use of the website to the "owner". This puts the customer in a disadvantageous position should a dispute arise and leaves the customer with nothing at the end of the licence term. Further, if the customer has commissioned the developer to provide features unique to the customer's site and these features give the customer a competitive advantage, the customer will want to protect that advantage by retaining ownership of copyright.

One approach is to provide that the customer owns the IP rights in the website, but the developer retains ownership of its pre-existing material (software, templates, and data) used in the course of developing the site. This sort of arrangement may be the best fit, giving the developer ownership of the background application that runs the web page, which will usually be based on standard software suitable for use with many different customers. The customer, on the other hand, will normally want to have ownership of the presentation layer (the material visible on the screen to end users).

· Support - the website will need to be supported, often by the web developer, and the agreement should cover the terms upon which bug fixes and upgrades will be provided. Whether or not the customer is to have the ability to change content on the site should also be covered, as should access to the source code. If the customer does not have access to the source code, at least in respect of those parts of the website which the customer owns, the customer will be locked into an arrangement with the developer as it will be difficult to terminate the arrangement and have the website supported by an alternative supplier.

5. WEBSITE HOSTING AGREEMENT

Once the website is created, computer space is required to host the software that constitutes the site. The customer can have the site on the customer's internal server or it may reside externally on computer space leased from a third party, usually an ISP. The developer may also be the host. Having the site hosted externally is more secure, as third parties accessing the site do not have access to the website owner's information stored on its own computers, but a hosting arrangement may make it more difficult to have the website updated.

The parties should enter into a Website Hosting Agreement covering:

· The required performance criteria eg exclusive server space, bandwidth, security, availability and capacity for peak traffic flow;

· Term - normally there will be a periodic, renewable term.

· Availability - the host will normally agree to use best (or reasonable) endeavours to ensure that sufficient capacity is maintained to enable users to access the customer's website. Charges may be reduced where service is interrupted.

· Security - what level of security against hacking is the host required to provide?

· Reporting - arrangements should be included as to the host's reporting of matters such as faults, access and usage.

· Indemnities - the host is likely to seek an indemnity from the customer that hosting the website will not put it in breach of the intellectual property rights of third parties.

6. TERMS AND CONDITIONS

The website should contain terms and conditions setting out the basis upon which access is provided and, if goods or services are sold via the website, the terms of sale. The terms and conditions that need to be included will vary according to the nature of the business. A website which merely provides information will often have a fairly short form of terms and conditions. Sites selling goods should have more comprehensive terms.

Below is an outline of the key terms which should be considered:

a) Agreement
State that in using the website the user accepts the terms. The most secure method of ensuring the terms are accepted is to not allow further access to the website without the user first having clicked through the terms and conditions and clicking the "I accept" button. Bringing the terms and conditions, particularly any onerous terms, to the attention of the user is an important issue which is discussed in Judge Harvey's paper under the heading "Presentation of the Click Wrap Contract".

b) Consent to electronic communications
Section 8 of the Electronic Transactions Act 2002 ("ETA") provides that information is not denied legal effect solely because it is in electronic form. This applies to all electronic communications (not just statutory requirements that information be in writing), but arguments could still possibly arise as to whether the parties intended their electronic communications to be legally effective. Avoid these with a term to the effect that the parties agree to communicate electronically and that the user agrees to accept communications from the website owner by email or by notices posted on the website. It may be necessary to specify which communications can take place electronically and which cannot. For instance, the terms and conditions may specify that a legal obligation to provide information in written form can only be met if the information is provided by way of a form set up on the website. A site enabling job applications online might state that original hardcopy versions of qualifications and written references must be provided.

Have the user agree that any legal obligation to the user to provide information in writing can be met electronically in accordance with the Electronic Transactions Act 2002. This will satisfy the requirements for consent in ss16 and 20. However, before the website owner chooses to meet a legal requirement for writing electronically, it would need to satisfy itself that the legal requirement concerned is not one of the excluded requirements contained in the Schedules to the ETA, and in any case will have to satisfy the requirements in ss18-20 that the electronic information be readily accessible so as to be useable for subsequent reference.

The website owner should specify that any electronic communications from the user are received when they come to the attention of the website owner, perhaps specifying the name(s) or position of persons in the company, to avoid problems associated with designating an information system under s 11(a) and problems with communications going astray due to computer malfunction or otherwise.

c) Disclaimer
A website focusing on providing information only, such as a law firm website, should state that the information is general information and does not constitute specific advice.

Both information websites and those from which goods or services can be purchased should disclaim all warranties (express or implied) "to the fullest extent permitted by law," including any loss or damage the user may suffer arising out of the use of, or inability to use, the site or any site linked to the website.

d) Intellectual property
Copyright on the website (including text, graphics, logos, icons, sound recordings and software) should be claimed as owned by the website owner or licensed to it (assuming this is the case). The information on the website will normally be provided for personal use and the website owner may want to restrict further distribution of the material and will certainly want to prohibit any commercialisation of it without prior written consent.

e) Hyperlinking
Consider (at least) a statement to the effect that the website owner is not responsible for linked websites and that the availability of other sites through the website does not amount to an endorsement or recommendation of the other sites.

Some clients may wish to go further and set out quite detailed terms upon which third parties may set up links to the website. Normally, these conditions will include a prohibition on deep linking, an acknowledgment that copyright remains with the original website owner and that the person linking to the website will maintain trade mark and copyright symbols showing the material belongs to the original website owner, and prohibiting any tampering with the material when it is displayed.

f) Choice of law and jurisdiction
State the laws of the country which are to apply to any disputes concerning the terms and conditions and the website and state the Courts of the country which are to have jurisdiction over any dispute. Normally, New Zealand law and New Zealand Courts will be selected for a New Zealand based client, but the client should be advised that the laws of other states may override New Zealand law in some cases, so relevant laws of major overseas markets should be checked if the client is aiming to do substantial business in those markets. In the reverse situation, the implied warranties in the Consumer Guarantees Act 1993 are likely to be implied in respect of any goods sold into New Zealand regardless of any disclaimers of liability which may be contained in an overseas seller's website terms and conditions, and to attempt to contract out of the Consumer Guarantees Act is a crime.

g) Offer and acceptance
Where goods are sold via a website it will be important to include terms and conditions setting out how the contract is formed. Having an ordering procedure and terms and conditions consistent with the display of goods on the website being an invitation to treat, with the customer making an offer, and the website owner accepting the offer, is probably the safest way to proceed as it enables the retailer to choose not to accept the offer if the goods have been displayed incorrectly or at the wrong price. Consider terms which make it clear that:

· The customer may offer to purchase goods displayed on the site at the price specified;

· The customer's order must contain the required information shown on the order form - usually name, delivery address, credit card details. In the case of a purchase by a company, there may be a field requiring the purchaser to state their position with the company and/or confirm they have the authority to bind the company;

· Following receipt of the customer's order, the website owner will at their discretion accept or reject the offer to purchase;

· Occasionally items displayed on the website may not be available or may be mispriced. Following the placing of an order the company will verify prices and availability and these will be confirmed with the sending of an email accepting the purchase of the goods described, and the prices specified. The contract is formed at a point specified by the website owner. The retailer may wish to state that it is formed when the acceptance email is dispatched, ie imposing a "postal acceptance" rule on the buyer and placing on the buyer the risk of the email being lost;

· Title in the goods does not pass until payment is received and that risk of loss or damage passes to the customer upon dispatch;

· The goods are only offered for sale to persons who can make legally binding contracts;

· The parties contract out of the Consumer Guarantees Act if contracting business to business.

h) Privacy policy
Privacy in the context of the Internet is a subject which has generated considerable debate and substantial litigation overseas. Various surveys have identified privacy concerns as an inhibitor on the growth of e-commerce, with consumers reluctant to risk losing control of their personal information despite the convenience offered by the online environment.

The Honourable Justice Michael Kirby, writing in 1998, referred to the stripping away of protections to privacy rights in the digital age as follows:

"The speed, power, accessibility and storage capacity for personal information identifying an individual are now greatly increased. Some of the chief protections for privacy in the past arose from the sheer costs of retrieving personal information; the impermanency of the forms in which that information was stored; and the inconvenience experienced in procuring access (assuming that its existence was known). Other protections for privacy arose from the incompatibility of collections with available indices and the effective undiscoverability of most personal data. These practical safeguards for privacy largely disappear in the digital age. A vast amount of data, identified to a particular individual, can now be collated by the determined investigator. The individual then assumes a virtual existence in cyberspace instead of what is sometimes described as "meat space". The individual takes on a digital persona made up of a collection of otherwise unconnected and previously unconnectable data."

A number of well known overseas e-tailers have been involved in litigation concerning alleged breaches of duties of privacy owed to customers, including Amazon.com and toy e-tailers Toysrus.com and Toysmart, but the most well known was litigation involving DoubleClick Inc, the Internet's largest advertising-placement company. In late 1999, DoubleClick began combining and cross-referencing personal information from the web browsing habits of users with the database of a direct marketing firm, Abacus, which it had recently acquired. DoubleClick intended to match home addresses, names and purchasing habits to individuals' web usage patterns. Much of the information DoubleClick had compiled had been obtained through the use of "cookies". When a user enters a website using "cookies", information they may be asked to enter into the website, such as their name and interests, is compiled by the website owner into a file (the cookie), which is sent back to the user's computer. The next time the user goes to the same website, the cookie is sent to the web server, which can use the user's personal information to customise web pages or send the user ads geared to the user's interests as stated or as evident from previous browsing habits.

The resulting consumer backlash and suits filed by ten US States saw DoubleClick's share price drop by a third. It eventually settled the case by paying US $450,000.00 and allowing an outside company to audit its privacy policies for several years, but under the agreement DoubleClick was still able to track users provided it disclosed more clearly how this was done and gave individuals access to the profiles created about them.

Website owners in New Zealand should have policies in place which comply with the Privacy Act 1993 and, in particular, the 12 Information Privacy Principles contained in s6. Of particular relevance are:

· Principle 3 - reasonable steps must be taken to ensure that individuals are aware of the fact that information is being collected, the purpose for which it is being collected, the intended recipients of the information, and the individual's right of access to and correction of the information;

· Principle 5 - personal information must be held securely and reasonable steps must be taken to prevent loss of, and access to, the information by unauthorised persons;

· Principle 6 - individuals are entitled to obtain confirmation of whether or not personal information on them is held and, if it is, to have access to that information.

· Principle 7 - right to request correction of the personal information and to request that there be attached to the information a statement of any corrections requested but not made.

· Principle 9 - personal information obtained in connection with one purpose shall not be used for any other purpose;

· Principle 11 - personal information should not be disclosed to third parties.

The Principles are subject to exceptions contained in the Act, such as the exception that disclosure is permitted where necessary for the maintenance or enforcement of law.

Each website should have a written policy dealing with these matters. Giving notice of the privacy policy raises the same issues as are raised regarding notice of other terms and conditions. The safest way to proceed is to require the user to click through the privacy policy and accept it before proceeding, although few websites do this in practice, opting for the method of having the privacy policy available to be viewed by the user if the user chooses.

The content of privacy policies will vary according to the nature of the information the website owner collects. A short form website policy may:

· Contain a commitment that any information received will be treated confidentially;

· State that information collected via the website is only used for the purpose for which it is collected and will not be disclosed to third parties or used for any other purpose without consent, except as required by law.

· State that general information about site use, traffic patterns, demand for products and services and information may be collected, but in such a way that persons are not personally identified;

· State that users are entitled to have access to personal information held on them and to request correction of information they believe to be inaccurate.

· State whether or not name and address information is compiled and used for marketing purposes. If so, users should be told that they can tell the website owner not to send marketing material, that this will be acted on, and contact details for doing so should be provided.

More comprehensive policies might go further and include the above plus:

· Whether or not cookies are used, what they are, and what information is collected through them;

· A statement that cookies can be disabled and the consequences of that - usually access to the site is denied;

· A statement of what information is recorded, for example, the type of browser used by the customer, the type of operating system they use, the date and time they access the site, the pages they have downloaded and the internet address from which they accessed the site. Where this is kept as summary statistics it may be referred to as "non-personal" information.

· A statement of the personal information which is collected eg information contained in online forms or correspondence.

Patrick McGrath, Auckland