What legal precautions should be taken when engaging in e-commerce? The first thing is to define “e-commerce”: offering, marketing or selling products or services through the use of electronic means (or any other technology). This definition is taken from the Mexican Standard that regulates e-commerce (NMX-COE-001-SCFI-2018).
This means that e-commerce includes everything from online stores to those who offer goods or services on Facebook (through their personal profile, in a group, company page or any other means). In all these operations, the following legal precautions must be taken:
1 Respect the stipulations of the Federal Consumer Protection Law (PROFECO Law) in its articles 76 bis and 76 bis 1.
The aforementioned articles contain the seller’s obligations such as the duty of confidentiality, to provide his physical address and contact information, and to state the terms and conditions of the sale.
These articles also state that the seller must have mechanisms in place so that:
1.1 The consumer can verify the intention of their acquisition.
1.2 There is supporting proof of the transaction (i.e., that there was a deal).
1.3 The consumer can submit requests, complaints or claims.
1.4 The protection and confidentiality of the buyer’s information are guaranteed.
What if you do not comply with the above? You may be subject to sanctions by the Federal Consumer Protection Agency (PROFECO), and claims by the consumer.
2 Have terms and conditions.
This is nothing more than an electronic contract between buyer and seller. Its differences with respect to a physical and conventional contract are:
2.1 It must contemplate the obligations imposed by the aforementioned articles 76 bis and 76 bis 1 of the PROFECO Law.
2.2 There must be a mechanism to help the consumer prove that he/she accepted the contract, since a handwritten signature on the contract is not an option.
2.3 To the extent possible, comply with the requirements of the Mexican Standard for electronic commerce. We say “to the extent possible” because this standard is not yet an “official standard” (NOM), i.e., it is not yet mandatory, but it is an indicative criterion for good commercial practices.
And if the above is not complied with? PROFECO can sanction you and you will not have a contract that could limit or specify your obligations as a seller.
3 Comply with the regulations on Personal Data Protection.
Notice that I wrote “Comply with the regulations on…” and not “Have a privacy notice”. Having a privacy notice is not the same as complying with the regulations on personal data protection; it is only the tip of the iceberg.
Under this tip of the iceberg you must have, among other things: (i) an internal policy (with technical and administrative guidelines to follow), (ii) a person in charge of the personal data protection department (and have a contract with him), (iii) a data inventory (with the respective controls of who has access to which data), and (iv) letters of consent to share data with third parties.
What if the above is not complied with? You may be subject to a sanction by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
If the INAI carries out an inspection, it will obviously not be enough for it to check whether or not there is a privacy notice. It will make the relevant requests to confirm whether or not all the regulations on the matter are complied with.
One might think that there is little chance that INAI and PROFECO will randomly decide to inspect any particular business. And this is probably the case. But these agencies do not only respond to random procedures; they also (or mainly) become active if someone asks them to do so. And that someone may be a dissatisfied consumer, or the competition…




