The Nordic Consumer Ombudsmen’s Position on Internet Commerce and Marketing
May 2010
Table of contents
1. General principles
Marketing
2. Forms and methods of marketing
2.1. Identification of advertising
2.2. Design and placement of advertising
2.3. Sending of electronic marketing (SMS, e-mail and the like)
3. Marking of websites (Trustmarks)
Commerce
4. Duty to inform
5. Right of withdrawal
6. Contractual terms
6.1. Electronic contracts
6.2. Price information
6.3. Entering into a contract, receipt and order confirmation
6.4. Language
6.5. Payment
6.6. Customer service
6.7. Personal data
7. Children and youth
8. Responsibility for content of website
The Nordic Consumer Ombudsmen decided on a common Position concerning Internet commerce and marketing for the first time in 1998; this was last modified in October 2002.
This document is a revision of the previous Position, which is hereby nullified.
In this Position, the Consumer Ombudsmen have summarised some important regulations and principles which should or must be followed by businesses who deal with consumers in order to fulfil the common requirement of sound marketing practice. This Position is a supplement to national legislation and practice developed around Internet commerce and marketing. This Position does not seek to reproduce the very detailed legislation in this area. Businesses are therefore advised to seek information on the national regulations; cf. the Appendix to this Position.
The expressions “should” and “shall/must” are used differently throughout the Position. The expression “shall/must” is used for requirements following from the marketing acts and any other consumer protection legislation. “Should” denotes a recommendation. The Consumer Ombudsmen have not taken a position on whether failure to follow a recommendation will in all cases be in conflict with the law, but will assess this issue specifically.
This common Position concerns commerce and marketing via the Internet in the Nordic countries (Norway, Sweden, Finland, Denmark and Iceland). The Position shall in the broadest possible sense be perceived as technologically neutral. In similar communication systems, the Position applies accordingly in an adapted form.(1)
The generally applicable consumer protection regulations, such as legislation on contractual terms, the right of withdrawal, purchases, service, marketing, price information, personal data etc. are also applicable to e-commerce and Internet marketing.(2)
Marketing
All marketing directed at consumers shall be designed in a clear, understandable manner and must not be insufficient or misleading, so that the consumer is able to assess the marketed product and any offers or promotional measures.
2.1. Identification of advertising
2.1.1. All marketing shall be designed and presented in such a way that it clearly appears as marketing.(3)
Integration of marketing in a standard software setup or marketing presented in such a way that it appears to be part of a standard software setup may be affected by this point.
Examples of this include using dialogue boxes in marketing (for instance a window announcing incoming messages, or a window appearing as an error message) or sound signals to announce incoming messages, which however are only meant to attract attention to the marketing.
2.1.2. Websites should not propose the installation of software, if it has no connection with the visit to the site. Installation of software must in all circumstances only occur following the user’s explicit and active acceptance.
2.1.3. The owner of any website is as a rule responsible for the marketing materials found on it, including when others are permitted to upload materials.
2.1.4. In systems designed for the exchange of information between private individuals, such as chat rooms, newsgroups, blogs etc., marketing must only be included if it clearly appears as marketing and it is clear on whose behalf it is done. If private individuals receive payment for marketing the products of a company in such forums, this shall be clearly stated. The owner of the website may share responsibility for this.(4)
2.2. Design and placement of advertising
2.2.1. Advertising must not be unreasonably intrusive.
Whether or not this is the case shall be determined according to design, content, use of sound, images, animation and other circumstances.
Advertising will often be seen as unreasonably intrusive if it directly affects work in progress on the consumer’s technical equipment, including the computer itself, changing settings and so on.
2.2.1.1. Marketing which is not an integral part of an Internet page shall be easy to remove, for instance by selecting “Close”. Furthermore, especially prominent advertisements, such as whole-page advertisements, shall disappear on their own after a short while.
2.2.1.2. There should be a limit to how many times an individual user may be exposed to any marketing message. The number will depend on the marketing format used.
2.2.2. Methods must not be used which divest the consumer of control and/or prevent the consumer from navigating away from a certain website.
Examples of such methods are redirecting consumers to other websites than the ones they themselves have indicated as URL (unwanted redirecting) and use of methods which control the consumers’ browsing to or from specific Internet pages. Expressions used in connection with this are “mousetrapping” and “pagejacking”. The concept of “unwanted redirecting” may be seen as covering several different actions.
2.2.3. Marketing should not interrupt or interpose into editorial material or other content of an informative or instructive nature on the website. Marketing must not cover over editorial text.
2.2.4. If the marketing material only applies within a limited time period, this shall be clearly stated.
2.2.5. Businesses should keep any marketing materials, which have been published on the Internet, for a certain length of time.(5)
2.2.6. If a website allows for comparison of different categories of sellers/vendors, goods or services, the criteria for the search results must be clearly stated, including any limitations in the comparison. Likewise, it shall be evident who is responsible for e.g. the price comparison.
2.3. Sending of electronic marketing (SMS, e-mail and the like)(6)
2.3.1. As a rule, prior active consent is required before the business may send advertising via e-mail or similar communication methods.(7)
2.3.2. The consumer’s consent shall be active, voluntary, explicit and informed, meaning that:
2.3.2.1. The consent shall be an expression of an active step taken by the consumer, so that the consumer’s commitment is not given passively, e.g. with a pre-ticked acceptance box.
2.3.2.2. Agreeing to receive marketing materials must not be set as a precondition for entering a contract.(8)
2.3.2.3. If the consent is given in the standard terms and conditions, it is not considered to be given voluntarily or sufficiently emphasised for the consent to be considered as informed.
2.3.2.4. It shall be clear to the recipient which medium will be used as well as what the content of the marketing will be.(9)
2.3.2.5. The business must not encourage or reward consumers for forwarding advertisements, or sending “tips” to other consumers of the business’s activity.
2.3.3. To avoid abuse and to ensure that users only register themselves, a “double opt-in” solution should be used, in which the user receives a message that must be confirmed before the consent is activated.
2.3.4. Regardless of the requirement of consent, a business who has received a consumer’s electronic address in connection with the sale of a good or service may send the consumer electronic marketing materials.
However, the consumer must have given his/her electronic address in connection with the sale, and in giving his/her electronic address the consumer must have been informed that it would be used for marketing purposes.
The marketing must only pertain to the business’s own corresponding products or services.
The consumer shall have the opportunity to refuse the marketing easily and free of charge, both when giving his/her electronic address and in all following contact.
2.3.5. Any electronic advertising shall include sufficient information about the sender to enable the consumer to identify it.(10)
2.3.6. All electronic advertisements shall be identifiable as marketing as soon as they are received. This means that it must not be necessary for the recipient to open e.g. an e-mail in order to realise that it involves marketing.
An electronic advertisement must not give the impression of being a personal message from e.g. a friend or a family member.
2.3.7. Any electronic advertising should contain instructions on how to refuse future advertising easily and free of charge. The opt-out system should be designed in such a way that anyone who uses it will receive a confirmation.(11)
3.3. The Nordic Consumer Ombudsmen welcome labelling systems that may contribute to increasing consumers’ trust in e-commerce. The requirements which the businesses must fulfil in order to be included in a labelling system shall not only refer to the rights that consumers are already guaranteed through legislation, but must actually give the consumers better protection.
3.4. The labelling system shall be open to all businesses who desire to be part of it and who fulfil the criteria.
3.5. Labelling systems shall include effective controls to ensure that businesses comply with the applicable regulations.
Commerce
4.1. It follows from each country’s legislation that certain information shall be given before, during and after entering into a contract. It is necessary that the business become familiar with these requirements of information found in the national legislation. The information which the business is required to provide includes – but is not limited to – the following:
4.1.1.1. Name and address of the business, company registration number and information enabling rapid correspondence with the business, such as e-mail address.
4.1.1.2. The most important properties of the product or service.
4.1.1.3. All expenses associated with the purchase, including all taxes and delivery costs. (A breakdown of the costs may (12) be included and must be calculated to a total price.)
4.1.1.4. All significant contractual terms (e.g. delivery time, payment terms, maturity, termination terms etc.).
4.1.1.5. Information concerning whether there is a right of withdrawal, as well as more detailed terms on how to use this right. See section 5 for more details on this.
4.2. The business should state to which countries it delivers.
4.3. See section 6.4 on receipts and order confirmations.
5.1. The business shall give the consumer the opportunity to terminate the contract for at least 14 days, cf. section 5.6.(14, 15)
5.2. Prior to a purchase, the business shall, among other things, inform the consumer of whether or not there is a right of withdrawal associated with that specific purchase.
5.3. After the purchase is made, the business shall give the consumer more detailed information on paper or in another durable medium.
5.4. There must not be any requirements pertaining to form for how the consumer may utilise his/her right of withdrawal.
5.5. The 14 days’ right of withdrawal is counted from the latest of the following points in time:
5.5.1. the day the consumer receives the goods,
5.5.2. the day a contract regarding a service or ongoing delivery of a service is entered into or
5.5.3. the day the consumer receives the subsequent statutory information, including information about the right of withdrawal.
5.6. A number of contracts are exempted from the regulations of the right of withdrawal. For example, there is no right of withdrawal for contracts concerning transport, accommodation, meals, recreational activities, foods, or games and lotteries.
5.7. If the consumer exercises the right of withdrawal, the business shall refund him/her the full amount, including the forwarding costs. The consumer is typically required to pay the shipping costs for returning the item to the business, (16) but shall otherwise be left in a position as though the purchase was never made. The refund shall occur as soon as possible and no later than 30 days (17) after the day the business has received the returned item.
6.1. Electronic contracts
6.1.1. Contractual terms shall include the most important rights and duties of the consumer and business. There shall also be a reasonable balance between the rights and duties of the parties, so that the contractual terms are not perceived as unreasonable and may thus be disregarded.
6.1.2. The contractual terms shall be readily available on the business’s website and be designed so that they are easily grasped and understood.
6.1.3. The consumer shall have the opportunity to easily keep a record of all given information and contractual terms in physical or machine-readable form. (18)
6.1.4. The business should keep a record of the contractual terms, so that the consumer may have access to them in the event of a conflict. (19)
6.1.5. The business should date their contractual terms so that it is clear when any changes have occurred in them.
6.1.6. The contract function shall be clearly distinct from other functions.
6.1.7. The entering into the contract should be designed in such a way that the consumer must go through the contractual terms to proceed with entering the contract, for instance by scrolling down over the terms.
Alternatively, the contractual terms may be presented via a link. Regardless of the method, the consumer must actively accept the contractual terms, for instance by ticking a box. Such a box must not be pre-ticked.
6.1.8. The entering into the contract shall allow the consumer to find and correct any errors or to cancel the action before the contract is entered. (20) It should also be possible within a reasonable time after the contract is entered to correct typographical errors, such as errors in name, address, time or number of items.
6.1.9. The consumer shall be fully aware of all the terms before the contract is entered, including what is ordered and at what price (including delivery costs, taxes and fees etc.). See also section 6.2 on price information.
6.1.10. The business should always give the expected delivery time before the contract is entered. Unless otherwise agreed, the delivery time of the good/service shall be within 30 days of the time that the order was made.
6.1.11. A business is as a rule bound by the information given prior to and in connection with entering into the contract.
6.1.12. The consumer shall be aware of when the contract is entered into, e.g. by clicking a “Confirm Order” link.
6.1.13. Requirements pertaining to form must not be set for the consumer’s termination of contracts.
6.2. Price information
6.2.1. On the first screen display containing price information, the given price shall include all costs and fees that can be directly attributed to the relevant good or service. Costs that cannot be attributed to that particular good shall not be included in this price. This applies for instance to delivery costs. It shall be stated in immediate connection to the price whatever further costs apply, as well as the principles for calculation in this instance.
6.2.2. Price information given in Internet shops is as a rule binding for the business. (21) Thus, when the consumer accepts the offers on the page, a binding contract is entered.
6.2.3. Before entering into the contract, a total price must be given. The total price includes delivery costs and any other costs that cannot be directly attributed to the good or service.
6.3. Entering into a contract, receipt and order confirmation
6.3.1. When the consumer accepts an offer in the Internet shop, a binding contract is entered between the parties. If one of the parties has made a mistake and the other party realised or should have realised this, the contract may be disregarded.
6.3.2. A business shall without unnecessary delay after receiving an electronic order send an electronic receipt stating that the order has been received and in what the order consists. (22)
6.3.3. If the business’s Internet shop is not designed so that the consumer may directly accept an offer, for instance if the consumer must send an e-mail to the business to obtain a specific offer, the question of whether a binding contract has been entered will be subject to a specific assessment of the correspondence between the parties, seen in the light of that country’s legislation. Subsequently, however, an actual order confirmation containing information on what is ordered as well as price and payment shall always be sent.
6.3.4. An order confirmation is often used to fulfil the information requirements concerning the right of withdrawal which must be given following a purchase. (23)
6.4. Language
6.4.1. The language alternatives for entering into a contract shall be stated on the website. (24)
6.4.2. All contractual terms shall at least be found in the language used in connection with the entering into a contract.
6.4.3. After entering into a contract, the consumer should be able to communicate with the business in the same language in which the contract is entered.
6.5. Payment
6.5.1. Transmission of charge card information and other codes associated with online payment systems should always be strongly encrypted. (25) The same applies for the subsequent records of payment information on servers connected to the Internet.
6.5.2. Other payment data such as customer information and order information should likewise be protected by encryption or in another way which will ensure that the information is not openly available/legible to unauthorised persons on the Internet. Any terms from the Data Authority on encryption shall of course always be adhered to, just as encryption shall always be used if sensitive personal data or national identification numbers are transferred via websites.
6.5.3. When using charge/credit cards and other electronic payment forms, the consumer shall always with e.g. a receipt be able to identify each payment using information such as date of transaction, payment recipient and transaction amount.
6.5.4. In payment systems in which the business sends a payment request to a payment issuer, the business should not send this request until the product/service has been sent to the consumer.
6.5.5. Payment shall normally not occur until the product/service has been sent. Standard terms of pre-payment may be perceived as unreasonable. In the assessment of terms, the following points will be emphasised:
6.5.5.1. The need: whether the business can document an actual need for pre-payment
6.5.5.2. The amount of money
6.5.5.3. The time aspect: how far ahead of delivery time the amount should be pre-paid
6.5.5.4. Security: whether security is required for the pre-payment
6.5.6. If the consumer has paid for the product/service before it is delivered, the business shall quickly, within 30 days, (26) refund the entire amount if the consumer maintains that the item has not arrived, or if the consumer utilises an agreed-upon or statutory right of withdrawal.
6.5.7. If payment is made using a charge card (debit or credit card (27)), the consumer may in a number of cases raise a reimbursement claim against the credit provider and/or card issuer. This may for instance occur if the business has not sent the good, or if too large an amount of money has been deducted. This follows from the regulations in the credit contract/purchase legislation on objections toward creditors, or possibly legislation on payment services or national guidelines. Beyond this, in some cases the international credit card issuers give their card users further opportunity to be reimbursed for the amount of money that is paid to the business.
6.6. Customer service
6.6.1. The business shall make it easy for the consumer to contact the business. It is a requirement that the business give an e-mail address on the website through which the consumer can communicate with the business.(28)
As a supplement to an e-mail address, the business may provide a mail form on the website. The consumer should be able to save this form in a simple way, or automatically be sent a copy of the form to his/her own e-mail address.
Besides an e-mail address, the business shall provide other information enabling rapid, direct and specific correspondence with the business. This may be a telephone number, a type of online questionnaire or a direct chat function, all of which are to be answered quickly.
The business shall at the request of the consumer provide him/her with a non-electronic method of communication, enabling the consumer to communicate directly with the business.(29)
6.6.2. The consumer shall as a minimum be able to utilise the right of withdrawal, make a complaint or terminate contracts using the same form of communication as when he/she entered the contract. The business should immediately confirm receipt of such communication in writing. See also sections 5.4 and 6.1.13.
6.6.3. Queries and complaints should be replied to and processed within a reasonable amount of time after being received by the business. If the business cannot make a decision concerning the query right away, the consumer should be informed of the further progression of the case.
The consumer should be able to contact the business without further expenses, regardless of the form of communication.
If a complaint cannot be accommodated, the consumer should receive an explanation of this and be instructed on how he/she may complain, e.g. internally in the company, to a complaints board or to the courts.
Exclusion of the consumer from a service or refusal to enter a contract with a consumer must only occur based on unbiased and non-discriminatory criteria. The consumer should always receive a written explanation. A rejection stemming from the consumer’s utilising his/her statutory rights must not occur.
6.7. Personal data (30)
Businesses who gather personal data on their website should have a personal data policy. The personal data policy should be written in clear and easily understandable language, and should be easy to find on the website.
The regulations in the currently applicable personal data legislation of the Nordic countries shall be observed.
The recommendations in sections 1-6 of this Position apply to marketing directed at children and youth along with the additional restrictions that follow from this section. In addition, the particular regulations set by each individual country for marketing directed at children and youth apply.
7.1. Marketing directed toward children and youth under 18 years of age shall be designed with particular attention to the natural credulity and lack of experience and critical sense of children and youth, which make them easy to influence.
7.2. The business must make a specific assessment of the marketing, and in connection with this take into consideration whether the form and content of the marketing and the nature of the product give reason for particular care in order to protect this target group.
7.3. The business must design the marketing so that it is obvious to the targeted age group that it is in fact marketing. The business must not use hyperlinks to pages containing material that is not suitable for children or youth or is not in compliance with applicable law.
7.4. The same applies in cases of marketing which to a large extent appeals to children and youth.
7.5. Marketing must not directly encourage children to buy the products being marketed or to convince their parents or other adults to buy the products for them. (31)
7.6. The business must not use or contribute to the use of product placement or other forms of hidden advertising for products etc. directed at children and youth, in for instance games or other entertainment, on their own or others’ websites.
7.7. Games etc. should not be interrupted by advertising. If there are sponsors behind entertainment elements directed at children, this should be announced, but not focused upon in an exaggerated or excessive way. The announcements should be of a neutral nature.
7.8. Acquisition of personal data from minors may as a rule only occur with consent from the guardian. However, youth of ages 15 and above may usually give consent on their own, as it is considered that youth of this age are normally mature enough to understand the consequences of consenting to submitting information on the Internet.
The consent shall be specified so that it is stated clearly and unambiguously for what the consent is given, including what information must be processed due to the consent, by whom and for what purpose.
Giving consent requires an active step to be taken by the youth or his/her guardian. It is not a requirement that this be in writing, but it is the business which must prove that in that specific situation, consent was given.
7.9. Neither should businesses:
7.9.1. Send directly addressed advertising to children
7.9.2. Encourage children or youth to give information about themselves, their families or friends
7.9.3. Offer rewards to children or youth for presenting personal data or
7.9.4. Use questionnaires, competitions or other, equivalent methods of obtaining personal data from children.
7.10. Entering into legally binding actions or other financial obligations normally requires the parents’ (guardian’s) consent in compliance with the regulations stated in guardianship legislation.
7.11. Businesses whose websites are directed at children and youth and who encourage online chatting etc. have an enhanced responsibility to provide information about rules of caution on the Internet as well as good Internet etiquette. Businesses should also have procedures for reviewing their own websites to remove any activity or material posted on the site that is not suitable for children or youth or is not in compliance with applicable law.
8.1. A business is as a main rule responsible for the material presented on its website, regardless of whether the information is provided by others.
8.2. Businesses should not link their website to pages or materials which upon cursory examination do not meet the standards in legislation.
8.3. When a website links to other websites, it should be clear to the consumer when he/she leaves the current website. (32)
1. The Position will for instance also be relevant for purchases and marketing done via mobile telephone.
2. E.g. gifts, competitions with prizes, games and so on, to the extent they are permitted by national regulations.
3. Cf. the principle of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, hereafter the Directive on electronic commerce, Article 6 as well as any other national legislation.
4. This will, however, as a starting point assume that the owner of the website either is or should be familiar with the applicable conditions.
5. Certain parts of the legislation contain the requirement that the business be able to document information used in the marketing.
6. The question of the legality of electronic mail is exempted from the country of origin principle in the Directive on electronic commerce.
7. The ban on sending electronic marketing without consent applies to natural persons. In Denmark, the ban applies to both natural and legal persons.
8. In Finland, it is legal in some specific situations to set as a precondition for entering a contract that the consumer must consent to receive marketing materials.
9. In Finland and Norway, it is also a requirement to state how many electronic advertisements one will receive on average per week.
10. The requirement follows from Article 6 of the Directive on electronic commerce and the European Parliament and Council’s Directive 2005/29/EC of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market, hereafter referred to as the UCP Directive, Article 7, No. 4.
11. In Sweden, it is a legal requirement that electronic marketing contain a valid address to which the recipient can communicate that the marketing is unwanted. This is usually fulfilled by inserting a “no thanks” link.
12. In Norway, a breakdown of the various costs is required.
13. Since there are differences between Danish, Norwegian, Swedish and Finnish legislation in the area of the right of withdrawal, this section exclusively concerns the areas that are common for all of them. For more information on each country’s legislation in this area, reference is made to the websites of the various Consumer Ombudsmen, the addresses of which are found in Appendix 2 of the Position.
14. In Sweden, the requirement is 14 calendar days and 7 working days. If the last day of the period for the exercise of the right of withdrawal falls on a holiday, the period shall expire on the next working day.
15. To the extent that the right of withdrawal applies to services or goods that are made or customised to a consumer’s individual needs, different regulations apply in each country.
16. In Finland, the business must also pay the return shipping costs.
17. In Norway, the business must repay the amount no later than 14 days after the item has been returned.
18. Cf. Article 10(3) of the Directive on electronic commerce.
19. In Denmark, the consumer has the right to receive the contractual terms on paper upon request at any time during the contract.
20. Cf. Article 11 (2) of the Directive on electronic commerce.
21. This is true unless the consumer realised or should have realised that the price was not correctly stated.
22. The requirement follows from Article 11 of the Directive on electronic commerce.
23. In Finland, other information required in an order confirmation is defined in the Consumer Protection Act (Ch. 6, Section 14). An order confirmation shall always contain information about the right of withdrawal.
24. The requirement follows from Article 10(1) of the Directive on electronic commerce.
25. In Norway, encryption is a requirement.
26. In Norway, the time limit is no later than 14 days.
27. In Finland, this only applies for credit cards.
28. This requirement follows from Article 5(1) of the Directive on electronic commerce.
29. Reference is made to the European Court of Justice’s ruling of 16 October 2008, Case C-298/07, deutsche internet versicherung AG.
30. For a brief overview of Danish regulations, reference is made to Appendix 1. Some of the principles of the Appendix will also be applicable to the other Nordic countries.
31. This follows from the UCP Directive, Appendix 1, section 28.
32. This is the case when e.g. one is redirected to an external website or with so-called “framing”, in which information from an external website is presented on the business’s own website.
A Brief Overview of Danish Regulations
1. Personal data
It is necessary for businesses to familiarise themselves with the detailed requirements for treatment of personal data occurring nationally. The present paragraph is not exhaustive, but addresses only the most important principles:
1.1. Businesses which gather personal data on their websites – the data controllers – should have a personal data policy on their websites. The personal data policy should be written in clear and easily understandable language, and should be easy to locate. Reference to the personal data policy should be made from the front page. From each location on the website in which personal data is gathered, there shall be a direct reference to the personal data policy.
1.2. Certain information should be given directly on the screen prior to the acquisition of personal data. This information concerns the data controllers’ identity, the purpose of acquiring the information, whether giving the information is obligatory or voluntary, the recipient/categories of recipients, the right to object to, correct and view the data, information on automatic data collection procedures, and the security level.
1.3. The information should be given in all languages used on the website, particularly in places where personal data is collected.
1.4. The personal data policy should, among other things, include information on the following:
1.4.1. The name and address of the company – both the geographic and electronic address.
1.4.2. The purpose of the acquisition – if there are several purposes, all of them should be stated.
1.4.3. Whether giving the information is obligatory or voluntary. There must not be any consequences for the consumer if he/she decides not to give voluntary information.
1.4.4. The recipients/categories of recipients of the information, whether the information is disclosed, and, if so, to whom and why disclosure occurs; at the same time, there shall also be the opportunity to object to this, for instance by ticking a box.
1.4.5. Whether the company uses cookies.
1.4.6. That the consumer has the right to access information pertaining to him/her and demand this information corrected/deleted, and to whom this shall be communicated.
1.4.7. That the consumer has the right to object, and to whom this shall be communicated.
1.4.8. The data security of the company, including data security for transmission of information, and if the information is disclosed to another country, the data security in that country.
1.4.9. Other circumstances of significance to the consumer.
1.5. A company wishing to disclose information about a consumer to another company for the purpose of marketing, or to use information on behalf of another company for marketing purposes, shall follow the regulations given in the personal data legislation.
The company’s communication with the consumer shall furthermore occur in compliance with the requirements of the Marketing Practices Act; see section 2.3.
1.6. Providing personal data should not be set as a condition for obtaining information which in any case is required by law to be given, or for gaining access to the contents of a website.
1.7. As a rule, it is up to each business to determine what security measures are necessary in a given situation with information being transmitted via the Internet.
1.8. The company shall have technical and organisational security measures for protection of the customer data they hold; these include measures against the accidental or illegal destruction, loss or corruption of the information, as well as against unauthorised access, violation or other forms of handling data that are in conflict with applicable legislation.
1.9. If, following a security flaw, a business has made customer data available to unauthorised parties, the business should inform those affected.
1.10. Regarding personal data and children, see section 7.
Links to the Nordic Consumer Ombudsmen’s websites with information on national legislation and guidelines:
Denmark:
www.forbrugerombudsmanden.dk
Finland:
www.kuluttajavirasto.fi, under “English”, “Businesses” and “E-commerce”.
Norway:
www.forbrukerombudet.no under “English”
Sweden:
www.konsumentverket.se
Authorities overseeing the personal data legislation of the Nordic countries
Denmark:
The Danish Data Protection Agency: www.datatilsynet.dk
Particular reference can be made to the Danish Data Protection Agency’s recommendations for acquisition of personal data on the Internet, and the Danish Data Protection Agency’s requirements and recommendations of 16 June 2008 in connection with transmission of personal data via the Internet in the private sector.
Finland:
The Data Protection Ombudsman: www.tietosuoja.fi - English
Norway:
The Data Inspectorate: www.datatilsynet.no
Sweden:
The Swedish Data Inspection Board: www.datainspektionen.se
Labelling systems in the Nordic countries:
Denmark:
The e-mark: www.emaerket.dk
Sweden:
www.tryggehandel.se
International guidelines for good Internet conduct:
OECD’s guidelines for good Internet conduct - www.oecd.org
ICC’s guidelines for online advertising – www.iccwbo.org