Discussion Paper
4. Current and Emerging Consumer Challenges
Since the release of the BPM, many of the consumer protection issues identified in the Policy Framework and the BPM continue to evolve and require the ongoing attention of governments, businesses and consumers. These issues include the:
- vulnerability of consumers to scams and the need for appropriate security for consumers’ personal and payment information;
- growth of unsolicited commercial e-mail (spam);
- need to ensure that consumers’ private information is handled appropriately;
- need to ensure the disclosure and easy accessibility of the information important to consumers’ online purchasing decisions; and
- need for consumers to have ready access to effective avenues of redress, in the event that problems with an online purchase arise.
In addition, there have been several developments to the technologies and market relationships that are important in B2C e-commerce. Of particular significance is the emergence of mobile commerce (m-commerce), due to the increased use of Internet enabled mobile handsets and wireless fidelity (WiFi) technology.
These current and emerging consumer challenges have been addressed in a variety of ways by government and the private sector, both in Australia and internationally, through initiatives ranging from legislation to self-regulatory schemes and consumer education programmes.
The Expert Group has been asked to advise the Government on ways in which it can effectively respond to the current and emerging consumer policy challenges in B2C e-commerce.
The following discussion considers each of the issues identified above, and their implications for government, businesses and consumers. Although the discussion is confined to those key issues, interested parties may comment on any matter of concern to them, which relates to consumer protection in B2C e-commerce. Submissions may contain suggestions on changes to the content or method of operation of the BPM or other action that the Government might take outside of the BPM.
4.1 Scams and Security
Consumers engaged in e-commerce are vulnerable to a range of misleading or unconscionable activities or ‘scams’, such as get-rich-quick schemes, pyramid schemes, misleading business opportunities and phoney prizes and lotteries. A distinct, but related concern of consumers is the need for secure payment methods and the protection of personal information so as to guard against the actions of hackers and the susceptibility of PCs to invading spyware[24] and viruses.
4.1.1 Scams
The Internet’s wide reach, speed of communication and apparent anonymity make it an attractive medium for unscrupulous parties to engage in misleading or unconscionable conduct.
In Australia, the TPA and complementary State and Territory fair trading legislation prohibit misleading and deceptive conduct such as scams. In addition, information prepared by the Australian Government and State and Territory governments advises consumers on how to protect themselves against scams. For example, the Australian Government has produced a booklet entitled The Little Black Book of Scams that contains practical information on how consumers can identify and avoid scams. Alerts on current scams are also issued by a number of Commonwealth, State, and Territory government agencies, although there is currently no centralised mechanism for disseminating these alerts to consumers.
4.1.2 Security
A key concern of consumers when shopping online is the need to ensure the security of their personal and payment information. B2C e-commerce gives rise to security issues in the areas of:
- Identity: Consumers may find it difficult to ascertain the integrity of the party with which they are dealing online. Online businesses may require guidance on how to effectively signal to consumers that they are legitimate. For instance, bank customers have been subject to spoof website deceptions aimed at obtaining customer numbers and passwords.
- Payment: Consumers may be wary of sending their credit card and other personal information across the Internet. Online businesses may require guidance on how to appropriately secure their transaction processes and reassure their customers.
- Storage: Consumers may be concerned about the security of their personal information which is stored by a business. Online businesses may require guidance on how to appropriately secure their customer information and reassure their customers.
- Responsibility: Consumers and businesses may not be aware whose responsibility it is to secure personal and sensitive information. Consumers and businesses may require guidance on what measures each party can adopt to minimise the risks of a security breach and how best to establish their respective responsibilities in this regard.
Businesses, consumers and governments have responded to these security issues in a variety of ways. The Australian Government has promoted the importance of online security and has encouraged the private sector to take the lead in developing adequate security systems for B2C e-commerce. These efforts have been complemented by those of consumers in adopting appropriate security technologies and practices.
4.1.2.1 Business Initiatives
The most advanced work in e-commerce security has been generally undertaken by the private sector and by financial institutions in particular. In Australia, major banks have been working to establish digital certificate systems for e-commerce. This is known as the ‘Angus’ project, and is part of the global ‘Identrus’ electronic trust and payments scheme.
Credit card companies such as Visa[25] and Mastercard[26] now offer services that have been designed to minimise fraud and that reassure consumers about shopping online. The Internet industry has also produced information and educational resources relating to online security. In August 2003, the IIA launched its Security Portal initiative[27], which provides information, links and other resources designed to assist small to medium sized businesses and individual consumers to protect themselves online. The goal of the Security Portal is to bring together the best available information on Internet security issues and solutions.
4.1.2.2 Consumer Initiatives
Consumers have a number of options for securing their PCs and online transactions. These include establishing computer passwords, installing anti-virus software, scrutinising the information on websites and using safe payment mechanisms such as escrow services.
However, while consumers may be familiar with these security tools they may not always be aware of how to utilise or configure them effectively or may not employ the correct tool to meet a particular security threat. For example, consumers may place a password on their computer in the expectation that it will prevent unauthorised access but may not be aware of the potential for unauthorised access via the Internet. Similarly, consumers may load anti-virus and firewall software onto their PC in the expectation that it will combat viruses but may not be aware that the software must be updated routinely (often weekly) with antidotes to the latest computer viruses circulating the Internet.
With the growing popularity of broadband, consumers may not be aware that a continuous Internet connection poses greater risks than low speed access to the Internet. Broadband connections allow unwanted intruders to gain entry more swiftly to the consumer’s PC and to attempt more methods of attack. A connection to the Internet that is always live poses potentially significant security risks for consumers. Because Australian consumers are in the early phase of adopting broadband, they may not be aware of the potential risks stemming from high speed Internet access nor be familiar with the protective measures available, such as firewalls[28].
4.1.2.3 Government Initiatives
The Australian Government has encouraged businesses and consumers to adopt secure trading practices in B2C e-commerce. The BPM states that businesses should provide security appropriate for protecting consumers’ personal and payment information and should ensure that consumers have access to information about the security and authentication mechanisms that a business uses in clear, simple language. In addition, the Privacy Act 1988 (the Privacy Act) requires that businesses take reasonable steps to protect the personal information of their customers.
NOIE has also pursued a series of awareness-raising initiatives that inform businesses about the proper use of security measures to protect their information systems from threats such as hackers, viruses and service denial attacks. For example, the publication Trusting the Internet, released by NOIE in July 2002, helps small business owners and operators to understand online security issues.
The Expert Group is interested in determining to what extent Australian consumers and their personal information are secure when purchasing online.
4.2 Unsolicited Commercial Electronic Messaging
Unsolicited commercial electronic messaging (known as spam) is a major issue facing both businesses and consumers. For instance, more than 50 per cent of e-mails sent world-wide are currently spam. Spam, whether delivered by e-mail, mobile messaging or other means poses an increasing threat to the Internet, and impairs the privacy, security and integrity of online transactions.
Privacy: Spam is an intrusive form of marketing and, as such, infringes on consumers’ privacy. Often spammers collect or use personal information without the consent of the individual.
The Privacy Amendment (Private Sector) Act 2000, which came into force on 21 December 2001, has the potential to reduce the amount of commercial spam. The Act contains the National Privacy Principles (NPPs). NPP 2.1(c) allows an organisation to use personal information for the secondary purpose of direct marketing without the consent of the individual, provided (amongst other things) the organisation can establish that it was not practicable to obtain the individual’s consent.
The Federal Privacy Commissioner has released Guidelines to the National Privacy Principles[29]. In relation to spam, the guidelines state that
...as the cost of e-mailing is negligible, ordinarily it will not be ‘impracticable’ to seek consent where an organisation chooses online methods of contact or communication.
Section 4.3 of this paper discusses the issue of privacy, the Privacy Amendment (Private Sector) Act 2000 and the NPPs in more detail.
Security: Spam has been known to carry viruses, worms and other forms of malicious codes which may cause significant damage to consumers’ PCs.
Integrity: Individuals are able to use the Internet to promote fraud through spam. Spam can promote scams such as pyramid schemes and through promotional campaigns. Some spam promotes scams that are specific to Internet users, such as modem-jacking, spoofing and scams involving online auctions.
To date, there has been no specific legislation designed and intended to deal with spam. Some content-based legislation has application to spam including the Broadcasting Services Act 1992, Interactive Gambling Act 2001, Crimes Act 1914, and the TPA (which prohibits misleading and deceptive conduct). There are also several other educational, market-based, and self-regulatory solutions that address aspects of spam. The Government’s Scamwatch website (www.scamwatch.gov.au) for instance informs consumers how to identify and deal with online scams. State and Territory fair trading agencies have also produced fact sheets and other resources to assist consumers in identifying and avoiding spam and online scams.
Educational information is also provided privately by participants in the e-commerce market. Market-based solutions such as filtering software provide a means of curtailing the amount of unsolicited commercial e-mail that consumers receive.
To provide an effective legislative response to spam, in September 2003 the Government introduced the Spam Bill 2003 to Parliament which, when enacted, will provide:
- an opt-in regime for commercial electronic messaging firmly based on the principle of consent;
- a recognition of pre-existing business relationships and a restricted but appropriate recognition of other circumstances where consent can be implied;
- limited exemptions for governments, political parties, charities and educational institutions dealing with their students;
- a requirement for accurate identification of the message's originator and an unsubscribe facility where appropriate;
- a ban on electronic address harvesting tools, their use for the purposes of spamming, and harvested address lists;
- support for the development of appropriate industry codes;
- a flexible and dynamic civil sanctions regime including warnings, infringement notices and court awarded penalties, which will be enforced by the Australian Communications Authority (ACA). The courts can also compensate those who have suffered losses, and recover the financial gains made by spammers.
The legislation will link in with other strands of a multi-layered strategy being pursued by Government in the form of educational and public awareness programs, the promotion of anti-spamming technologies, industry codes, and international cooperation.[30]
It is anticipated that the Bill will be passed during 2003. The sanctions provisions will take effect 120 days after Royal Assent to enable the educational programs to be implemented and for organisations to implement any necessary changes to accommodate the legislative requirements.
One aspect of these educational programs will be to advise businesses on the minimum requirements they must meet in commercial electronic messaging, and what other options they may wish to consider, although these have not been stipulated in the legislation.
In relation to advertising and marketing, the BPM states that businesses should:
- only send commercial e-mail to people with whom they have an existing relationship or to people who have already said that they want to receive commercial e-mail;
- provide customers with accurate and easily accessible information that identifies them and how they can be contacted; and
- have simple procedures so that consumers can let them know they do not want to receive commercial e-mail.
Presuming that the Spam Bill 2003 is passed into law, these recommendations will in essence become the minimum requirements in commercial electronic messaging, and what then constitutes best practice will need to be re-examined.
In addition, industry codes of conduct are emerging which address the problem of spam in e-commerce, including in m-commerce.
The IIA has developed a draft code of practice on privacy that prohibits its members from sending direct marketing messages without the recipient’s permission. Similarly, the Australian Direct Marketing Association (ADMA) code of practice contains a range of restrictions on how consumer information is obtained and used by ADMA members in direct marketing campaigns. Finally, the telecommunications industry has developed a code of practice, under the auspices of the Australian Communications Industry Forum (ACIF), which deals with the issue of SMS spam. The Spam Bill 2003 provides the ACA with the ability to promote the development of, and to recognise, industry codes which complement the operation of the legislation in dealing with the issue of spam.
4.2.2 The International Experience in Combating Spam
Measures to regulate spam have been introduced in Korea, Japan, the US and the European Union (EU). In the US, approximately half the States have passed laws regulating spam. For example, legislation in Virginia now provides criminal sanctions for bulk spammers. At the Federal level, while Congress has considered a number of anti-spam bills, none of these have been passed.
In May 2002, the European Parliament agreed with the position of the Council of the EU that unsolicited commercial communications sent by e-mail, SMS, facsimile or by automated calling machines should not be permitted without the prior permission of the user – known as a qualified opt-in approach. This position is embodied in the EU Directive on Privacy and Electronic Communications. Several EU member states have passed anti-spam legislation that adheres to the spirit of the Directive.
The EU Directive is focused on the protection of individual and societal rights, particularly with respect to personal and data privacy, and is essentially technology neutral. In providing a framework to promote consistent legislation by member states, the EU approach to spam differs from that in the US, where such a broad framework is lacking.
Both South Korea and Japan have had some success in reducing the volume of locally sourced spam, through the use of targeted legislation and substantial penalties, but both have the advantage of being essentially ‘islands’ in terms of their language. Both still experience significant problems with spam originating from overseas, including from the US and China.
4.3 Privacy
An important concern for consumers contemplating shopping online is the way in which businesses will handle their personal and sensitive information and the potential for its misuse. Advances in information technology and the Internet have made it easier to collect, store, manipulate and disseminate personal information. In some instances consumers may be unaware when personal information has been obtained from them, as with the use of ‘cookies’[31] and clickstream technologies[32].
The Government has developed a legal and regulatory framework to protect the privacy of consumers’ personal information when dealing with private sector organisations. This framework applies equally to e-commerce and to offline transactions and is contained in the Privacy Amendment (Private Sector) Act 2000, which contains amendments to the Privacy Act.
The amendments to the Privacy Act establish the National Privacy Principles (NPPs) as the minimum privacy standards to which the private sector must adhere. The NPPs protect consumers by ensuring that personal information is collected, stored and handled fairly by private sector organisations. The amendments also establish a co-regulatory national scheme for the handling of personal information, which enables organisations or industry sectors to develop privacy codes that can operate in place of the legislative requirements and be tailored to their own industry needs. Of specific relevance to e-commerce is the draft privacy code developed by the IIA, which has been submitted for registration under this scheme[33].
The NPPs apply to organisations (including not for profit organisations) with an annual turnover of more than $3 million. The provisions also apply to all health service providers and those small businesses trading in personal information or related to a larger business.
The BPM currently states that, as a minimum, businesses must adhere to the Federal Privacy Commissioner’s National Principles for the Fair Handling of Personal Information. However, these have now been surpassed as best practice in information privacy by the NPPs. The BPM also states that businesses should provide consumers with clear and easily accessible information online about the way they handle personal information.
4.4 Information Disclosure and Signposting
The need for consumers to have adequate information upon which to base their online purchasing decisions is an important requirement for achieving consumer sovereignty in e-commerce – that is, the ability of consumers to make independent, well-informed choices when shopping online.
Purchasing online differs in many ways from the traditional retail experience to which consumers are accustomed. Without face to face contact with the business, consumers obtain most of their information about an online retailer from its website. The website should therefore display, in a manner that makes it easily accessible, information that is typically implicit in conventional retail transactions, such as the physical location of the business. The display of this information on the website is also important in facilitating offline commerce, as consumers will often use the Internet to gather information on products or services prior to making a purchase using conventional means.
While the BPM does provide guidance on the information that should be displayed on B2C websites, it does not indicate how or where this information should appear. The decision not to include guidelines on signposting (positioning of information) in the BPM reflected the formative nature of B2C e-commerce at the time the BPM was being developed.
The Federal Privacy Commissioner’s Guidelines to the National Privacy Principles address the issue of signposting in the context of compliance with NPP 1.3[34]. The Guidelines suggest that
If an organisation collects personal information using a cookie, web bug or other means, it could give the NPP 1.3 information in a statement clearly available on the website; for example, it could be linked directly from the homepage and other pages that make use of the devices.
In respect of forms located on a website, the guidelines suggest that the NPP 1.3 information
…could be on the same page as the form or prominently linked to it; for example it could come up before the individual completes the transaction.
Internationally, in May 2002 the OECD released Best Practice Examples under the OECD Guidelines on Consumer Protection in the Context of Electronic Commerce[35]. This document provides additional practical guidance to governments, businesses and consumers on the operation of the OECD Guidelines. It describes a series of hypothetical online shopping situations and indicates, amongst other things, whether information is appropriately signposted and sufficiently accessible.
4.5 Redress
If a problem arises in an e-commerce transaction, consumers require access to swift, inexpensive and effective avenues for redress. Traditional means of obtaining redress, such as litigation through the court system, often suffer from being relatively expensive to employ and slow in yielding results. Another difficulty faced by consumers is that much e-commerce is cross-border in nature, whereas most redress mechanisms are based on national jurisdictions[36]. However, progress on international B2C alternative dispute resolution (ADR) has been made by the private sector, particularly through the Global Business Dialogue on Electronic Commerce forum[37].
In Australia, consumers often have access to redress through a range of non-traditional redress mechanisms as well as through the courts. Such alternative forms of dispute resolution (known as ADR) can bridge the gap between internal complaint handling by businesses and formal litigation. ADR is increasingly being used to resolve complaints cheaply, speedily and effectively. Examples of ADR mechanisms are industry-based dispute resolution mechanisms, online dispute resolution (ODR) services[38], and chargeback facilities offered by credit card issuers.
4.5.1 Chargebacks
Chargebacks are a common means for consumers to obtain redress when shopping online. Chargebacks allow a credit card holder who has paid for goods or services using the credit card to dispute certain or all aspects of the transaction through the card issuer. Chargebacks allow consumers to bypass legal proceedings and may encourage the cooperative resolution of consumer complaints by traders wishing to retain their status with the card company. Common reasons for chargebacks include: fraud; dispute over the quality of the merchandise; non-receipt of the merchandise by the card holder; and incorrect amounts being charged to the card.
Chargebacks can be time-consuming and potentially costly for small businesses. Therefore, legitimate businesses have strong incentives to take measures to minimise the potential for chargebacks to be issued. These include simple measures such as providing consumers with sufficient contact information on e-commerce websites to enable the consumer to resolve any issues directly with the merchant.
4.5.2 Dispute Resolution in Electronic Commerce
The Australian Government’s Policy Framework recognised the importance of adequate redress to consumers. In it, the Government undertook to assess how best it could support the development of effective industry based dispute resolution mechanisms for e-commerce. In October 2001, the Expert Group on Electronic Commerce released a discussion paper entitled Dispute Resolution in Electronic Commerce[39] that served as the basis for public consultation on the importance of dispute resolution mechanisms for B2C e-commerce.
The discussion paper considered the range of issues relevant to dispute resolution in e-commerce and focused on ways of obtaining redress for consumers when cross-border transactions encounter problems. The paper sought to examine the nature and extent of e-commerce consumer complaints and the role of governments, individual businesses and industry associations in dispute resolution. A number of international initiatives in e-commerce dispute resolution were also examined.
The submissions received in response to the discussion paper suggested that e-commerce complaints represented a very small but growing area of overall consumer complaints. Most submissions supported the need to undertake further research on this issue. In light of these recommendations and the findings of related studies on ODR[40], the Expert Group wishes to revisit the issue of consumer redress in the context of the review of the BPM.
Currently, the BPM states that businesses should provide consumers with clear and easily accessible information on any independent customer dispute resolution mechanism to which the business subscribes. The BPM does not require businesses to subscribe to any such mechanism, although it does state that businesses should have internal complaint handling procedures and inform consumers of these procedures. While the BPM does not provide any guidance as to which jurisdiction a cross-border complaint should be heard, it does require that any law, jurisdiction or forum which is specified by the business be clearly and conspicuously disclosed to the consumer.
The Expert Group wishes to consult with interested parties on: the extent to which Australian online businesses are providing consumers with adequate redress mechanisms; the satisfaction of consumers in using them; and ways in which the Government can support the development of effective forms of consumer redress in e-commerce.
4.6 M-commerce
Mobile phones have been rapidly adopted by Australians. They are a key technology, providing flexibility in the way individuals communicate and transact with businesses. To date, they have been mainly used for voice applications and short message services (SMS) and their use as an Internet enabling device has been limited.
However, improvements in the rates at which data can be carried by mobile networks and the move to broadband services promise to greatly enhance the functions and services available to consumers when using their mobile phones. These improvements are embodied in the ‘2.5 generation’ mobile services and to a greater extent in ‘third generation’[41] mobile services that are currently being introduced, and in the ‘fourth generation’ services that are now being developed.
These technological advances and improvements are likely to lead to the growth of m-commerce. M-commerce is regarded as a subset of e-commerce and refers to electronic transactions carried out via a mobile terminal such as a phone, a personal digital assistant (PDA), or a laptop configured for wireless access to the Internet.
While mobile phones (in particular) and PDAs are the devices likely to be most commonly used in m-commerce transactions, another technology with considerable potential for m-commerce is WiFi. Although not a true mobile technology, WiFi does permit fast wireless access to the Internet within particular locations and, in principle, will allow equipment to be completely interoperable, regardless of the brand or the type of terminal. WiFi ‘hotspots’ have begun to appear in Australia, predominantly at cafes, airport lounges and hotels.
M-commerce is expected to have a range of applications, including in mobile entertainment, location based services, financial services, information services, payment services, security systems monitoring, and gambling. Consequently, m-commerce extends beyond traditional telephony and represents a convergence of communications and transaction services.
While m-commerce presents significant opportunities for consumers and businesses, it may pose new consumer protection challenges, particularly in the following areas.
Security: Memory limitations, bandwidth constraints and various network configurations can impair the security of a mobile transaction. Consumers making macro-payments must have confidence in the authentication, integrity, and authorisation of mobile online credit card transactions. In addition, as m-commerce transactions are conducted anonymously through mobile devices, proof of identity and the risk of fraud are matters of potential concern[42]. The convergence of mobile phones, PDAs and electronic wallets may raise the risk of identity theft. The challenge for policy makers will be to determine how best to support the efforts of industry in developing secure payment methods for m-commerce.
Section 4.1.2 of this paper contains a more general discussion of payment security issues in e-commerce.
Payment and Contractual Models: The use of m-commerce by consumers to make payments is at a very early stage. However, a range of new contractual relationships and business models are developing for the provision of m-commerce services[43]. These relationships can become complex, involving third party credit providers and other service providers in addition to the telecommunications service provider. A lack of clarity could arise between the consumer’s telecommunications service provider and other application service providers over their service quality obligations to the consumer. It is therefore important that m-commerce contractual arrangements are transparent to consumers.
Privacy and Marketing: Wireless devices present new challenges due to their mobility and the amount of individualised and personal information generated by their use in m-commerce, including payment information and details of shopping patterns. The wireless network can be used to determine a consumer’s approximate location at any time and to foresee their likely destination. This capability enables the delivery of so-called ‘location-based services’, in which advertising and other information that is pertinent to the user’s immediate surroundings is sent to the wireless device. Coupled with the ability of the devices to collect personal information, this raises issues of privacy, security and consent.
Of these issues, one of the most significant is likely to be the use of mobile networks to deliver spam to consumers. To date, SMS spam has not been a major concern in Australia, presumably due to the costs incurred by the sender. As costs fall this may change, and there is already anecdotal evidence[44] of increasing SMS spam in Australia. A related issue is potential accidental charging for user information SMS. The challenge for policy makers is to ensure that consumers’ existing rights to privacy continue to be protected when they engage in m-commerce transactions.
Section 4.3 of this paper discusses the issue of information privacy in e-commerce more broadly.
Disclosure: The relatively small size of mobile phone handset screens, their limited memory and general inability to facilitate hard copy storage may constrain the provision of contractual and other information relevant to transactions. Policy makers need to ensure that consumers are as well informed when transacting via m-commerce as they are when engaging in other forms of commerce.
Issues of information disclosure in e-commerce are discussed more broadly in section 4.4 of this paper.
Dispute Resolution Mechanisms: As in conventional forms of commerce, it is important for consumers to have their m-commerce complaints and inquiries dealt with fairly and effectively. The emergence of new contractual relationships in m-commerce means that consumers may not be aware of the avenues of redress available to them in their dealings with service providers. It will be important for consumers to be fully informed of their rights and any available redress mechanisms when engaging in m-commerce.
The broader issue of redress in e-commerce is discussed in section 4.5 of this paper.
In keeping with the principle of functional equivalence and technology neutrality identified in the Australian Government’s Policy Framework, it will be important to ensure that consumers engaged in m-commerce transactions are afforded at least the same level of protection as in other forms of commerce. This will involve addressing those consumer protection issues which are unique to m-commerce, some of which are described above.
The Government and industry will need to effectively respond to these challenges while not stifling business innovation in what is a rapidly evolving transaction medium. Self-regulatory initiatives are likely to be important in achieving this goal.
An important contribution in this regard has been the development in Australia of a number of self-regulatory schemes which cover wireless messaging. In June 2003, the ACA registered the Short Message Service (SMS) Issues Industry Code of Practice[45], which promotes the responsible use of SMS for marketing purposes. Telecommunications carriers can face penalties if they fail to comply with an ACA direction to abide by the code.
Also in June 2003, ADMA released its Mobile Marketing code[46], which regulates message content and content providers. The ADMA code requires its members to gain the express consent of consumers before sending mobile marketing messages, and contains guidelines for mobile marketing to children. Compliance with the code is mandatory for all ADMA members and is monitored by the ADMA Code Authority, an independent body made up of consumer and industry representatives.
4.6.1 The BPM and M-commerce
The BPM is a self-regulatory initiative for protecting consumers in B2C e-commerce. As m-commerce is a subset of e-commerce, the provisions of the BPM are potentially relevant to transactions carried out via mobile devices. However, the BPM was introduced at a time when consumers primarily accessed the Internet via their PCs, and its guidance principles may not be completely transferable to m-commerce technology.
Many of the BPM’s principles encourage businesses to provide consumers with adequate information upon which to base their purchasing decisions. When a consumer accesses a B2C website via a PC there is ample space to disclose such information. However, the small screen size of mobile handsets and PDAs poses problems for information disclosure. The BPM may therefore need to be augmented with advice as to how its information disclosure requirements can be satisfied when small screen devices are used.
In addition to information disclosure, m-commerce may pose new challenges for consumers and businesses in the areas of privacy, security, payment, content restrictions for minors, direct marketing and redress. These issues may require appropriate treatment in the relevant provisions of the BPM.
The Expert Group is seeking comments on whether and how the BPM should be modified to ensure its relevance to m-commerce. Interested parties are also encouraged to provide suggestions on other ways in which a robust framework for consumer protection in m-commerce can be achieved.
4.7 Questions for Discussion on Current and Emerging Consumer Challenges
Questions for Consumers:
Scams and Security
- How do you safeguard yourself against online scams?
- Are you aware of the potential risks of using broadband services? If so, what tools and practices do you employ to protect yourself?
Unsolicited Commercial E-mail
- Are you concerned about the amount of spam you receive? What tools and practices do you employ to minimise the amount of spam you receive?
Privacy
- Are you aware of data harvesting devices used on the Internet that can potentially undermine your privacy, such as cookies, web-bugs and clickstream technologies? If so, how have you addressed these concerns?
- In your experience, do Australian online businesses provide adequate information about the way in which they handle personal information?
Information Disclosure
- When shopping online have you been able to easily locate important pieces of information such as privacy and returns policies?
Redress
- Do you have greater confidence in purchasing from those online businesses that offer access to external ADR mechanisms?
- Does the availability of chargebacks generally give you greater confidence when purchasing online?
M-commerce
- Do you have any concerns about using m-commerce services?
- To what extent are you aware of the terms, conditions and charges that apply to mobile devices? Can you suggest any ways of improving business disclosure of terms, conditions and charges?
Questions for Businesses:
Scams and Security
- What security challenges, if any, have you faced in dealing with your customers over the Internet? How has your business responded to these challenges?
- In your opinion does the BPM offer valuable guidance in the area of security?
- What initiatives, aside from the BPM, do you consider are necessary to address consumers’ security concerns in e-commerce?
Unsolicited Commercial E-mail
- How has your business responded to consumer concerns regarding spam?
Privacy
- What challenges, if any, have you encountered in ensuring the privacy of your customers’ information supplied to you over the Internet? How has your business responded to these challenges?
- What initiatives, aside from the Privacy Act and the BPM, do you consider are necessary to address consumers’ privacy concerns in e-commerce?
Information Disclosure
- What challenges, if any, have you faced in disclosing information to your online customers? How has your business responded to these challenges?
- Does your business require guidance on where to disclose and signpost information?
- Does your business require practical guidance on how to comply with the information disclosure requirements of the BPM?
Redress
- What challenges, if any, have you experienced in the area of redress for your online customers? How has your business responded to these challenges?
- What additional guidance and support do you believe you require to develop appropriate redress mechanisms?
M-commerce
- What do you consider to be the challenges in dealing with your customers over the wireless Internet? How has your business responded to these challenges?
- What practical steps can the Government take to support businesses so that consumers have confidence when engaging in m-commerce?
24 Spyware is software that monitors and transmits what consumers are doing on the Internet without their consent.
25 Further information is available at www.visa.com.au/tips/index.shtml.
26 Further information is available at www.mastercard.com/au/cardholderservices/securecode/.
27 The Security Portal can be accessed at www.security.iia.net.au.
28 A firewall is software or hardware designed to prevent external access to a computer.
29 The Guidelines are available on the Internet at www.privacy.gov.au/news/pab.html#3.2.
30 Further information on these measures is available at www.noie.gov.au/projects/confidence/Improving/Spam.htm.
31 A cookie is a mechanism that allows a website to record consumers’ comings and goings, usually without the consent or knowledge of the consumer.
32 A clickstream is a term used to describe the virtual path or trail a user makes when surfing a website or the Internet. Clickstream analysis allows marketers to determine consumers’ usage patterns.
33 The draft IIA code was submitted for registration by the Office of the Federal Privacy Commissioner in March 2003. It is available at www.iia.net.au/privacycode.html.
34 NPP 1.3 imposes requirements on organisations to notify individuals when collecting information from them directly. It states that an
…organisation must take reasonable steps to ensure that the individual is made aware of the identity of the organisation, the fact that he or she is able to gain access to the information, the purpose for which the information is collected, the organisations (or the type of organisations) to which the organisation usually discloses information of that kind, any law that requires the particular information to be collected, and the main consequences (if any) for the individual if all or part of the information is not provided.
35 The Best Practice Examples under the OECD Guidelines on Consumer Protection in the Context of Electronic Commerce are available on the Internet at www.olis.oecd.org/olis/2002doc.nsf/43bb6130e5e86e5fc12569fa005d004c/3b2fd5f3ef38740ec1256bbc0050ec39/$FILE/JT00126337.PDF.
36 Internationally, governments have worked together over the past decade on an agreement on cross-jurisdictional redress known as the draft Hague Convention on Jurisdiction and the Enforcement of Civil Judgments. This document is intended to harmonise the rules for cross-border litigation between private parties. In 2002, due to difficulties in reaching agreement on the Hague Convention, several governments formed an informal expert working group to draft a limited agreement with a narrow scope that would yield the most immediate benefits for international business. This draft agreement is intended to cover disputes arising over B2B contracts.
37 The Global Business Dialogue on Electronic Commerce is a worldwide, CEO-led, business initiative, established in January 1999 to assist in the creation of a policy framework for the development of a global online economy. The GBDe has worked towards an agreement with consumer groups on a common set of principles on which international ADR systems can be based. It is proposed that this agreement will be based on ADR guidelines first developed by the GBDe in 2001 and progressively refined in successive years. Guidelines developed by the GBDe during 2002 included recommendations for Internet merchants, service providers and governments on the use and development of ADR systems. Further information is available at www.gbde.org/adr.html.
38 In 2001, Consumers International released an inventory of online dispute resolution services for cross border B2C disputes entitled Disputes in Cyberspace 2001. The publication is available at www.consumersinternational.org/Publications/ViewADocument_search.asp?langid=1&regid=135&ID=35.
39 The discussion paper is available on the Internet at www.ecommerce.treasury.gov.au/.
40 The Consumers International report, Disputes in Cyberspace 2001, concluded that many online dispute resolution service providers need to improve their services in the areas of independence, transparency, and accountability. The report recommended that to be useful to consumers, ODR schemes need to: cover all types of B2C disputes; be offered at no or low cost to the consumer; be available for initiation by consumers; be visible, accessible, and easy to use; operate in a timely fashion; and produce results that satisfy the consumer’s need for redress. Finally, the report suggested that ODR providers need guidance when designing their services, and both businesses and consumers need benchmarks by which to judge the various ODR services available to them.
41 3G is an International Telecommunication Union specification for the third generation of mobile communications technology. Essentially, 3G services provide increased bandwidth of up to 384 Kbps. Fourth generation mobile phones will offer even greater bandwidth that will facilitate high speed Internet access through the mobile phone.
42 The Australian Communications Authority currently regulates proof of identity issues in relation to customers of pre-paid mobile services under the Telecommunications (Service Provider – Identity Checks for Pre-paid Public Mobile Telecommunications Services) Determination 2000.
43 M-commerce payments are usually described as being either micro-payments or macro-payments. Micro-payments are those where the consumer is billed by the mobile service provider and typically relate to low value transactions such as the purchase of ring-tones. Macro-payments are usually made by credit card and are used for more expensive purchases.
44 For further information refer to The Spam Problem and How it Can be Countered, National Office for the Information Economy, 2003.
45 The Short Message Service (SMS) Issues code is available on the Internet at www.aca.gov.au/telcomm/industry_codes/codes/abtem21.htm.
46 The Mobile Marketing code is available on the Internet at www.adma.com.au/asp/index.asp?pgid=3494.


