Insights | June 3, 2022

Roschier Insights Seminar: Legal issues relating to ecommerce

At a recent hybrid event, experienced professionals discussed issues relating to ecommerce. Guest speaker Jonas Forth, from All Things Commerce Ltd, talked about changes and challenges for the Moomin webstore due to COVID-19 and recent changes in legislation.

Markku Tuominen discussed issues concerning IPR infringement in ecommerce, Mikael Segercrantz  introduced the latest changes to the Finnish Consumer Protection Act, and Johanna Lilja presented the new instructions on website cookies. Kaisu Korpua opened the event and moderated the seminar.

Key takeaways

Changes and challenges for the Moomin webstore

All Things Commerce Helsinki Ltd is a part of Moomin Characters Ab Ltd and processes data to develop the brand and business. Multiple products are available in Moomin webstores worldwide and Moomin wishes to reach their fans all over the world. The Moomin webstore platform experienced changes approximately two years ago when webstores from different countries started to be connected and this provided opportunities for data processing.

Moomin pays careful attention to collecting data and the General Data Protection Regulation. Due to a substantial number of regulations and continuous developments in the law in this area, the webstore service providers have to constantly pay attention to the developments and comply with legal requirements. This may require quite significant action by the organizations.

Interference in sales of counterfeit goods in ecommerce

The protection of intellectual property rights is a vital aspect in enforcement actions against infringements. There are multiple pages on websites that may have protection. For example, there are the domain name and trademarks and these should be registered. Additionally, the website may include copyrights.

To obtain a sufficient scope of protection for a trademark, the list of goods and services must contain key items from the point of view of business. Additionally, global operations might require worldwide protection. However, the main focus of the protection should be directed towards the key countries in which business is conducted.

Infringements can be detected on ecommerce platforms, social media or in separate online stores. There are multiple tools for monitoring infringements online with an option to proceed with actions inside a platform. Other potential ways of interfering in infringements include sending cease and desist letters, notice and takedown notifications to service providers as well as court and administrative proceedings.

Providing guidelines to detect the differences between authentic and counterfeit goods, maintaining a database containing information on all authorized partners, and providing training for employees and partners to detect counterfeit goods makes the enforcement process more efficient.

Latest changes to the Finnish Consumer Protection Act

The new Finnish Consumer Protection Act entered into force on 1 January 2022 and provided updates in respect of the current provisions and new provisions regarding goods with digital elements as well as digital content and digital services. The amendments originate from the European Union and aim to harmonize consumer protection within the EU.

One of the relevant changes concerns the duration of the liability of sellers in respect of the defectiveness of products. Due to the changes, liability has changed from 6 months to 12 months. The change may have an effect on warranties and there may be a need to extend the duration of warranties to provide additional benefits to consumers.

Another relevant change concerns conditions that must be met to change terms in respect of digital content and digital services. The trader has the right to make changes to the terms in certain cases indicated in the new Act without the other party’s specific consent. However, if the change has a negative impact on the consumer’s ability to access or use the digital content or services, a clear and understandable notice with necessary details must be provided to the consumer.

There are also other essential changes and clarifications in the new Act. Some changes have been made concerning remedies available to the consumer if a product is defective. There are also new provisions relating to conformity criteria, clarifications to warranties and new requirements regarding a trader’s obligation to provide updates to goods with digital elements.

The EU Omnibus Directive is currently at the implementation stage and the estimated date on which local provisions will enter into force is 28 May 2022. When implemented, the Directive will lead to changes to the current Finnish law. New obligations for online activities are planned for traders. Additionally, it is expected that there will be provisions for new available sanctions against traders in order to secure rights for consumers.

New instructions on website cookies

In Finland, the General Data Protection Regulation (GDPR) and the Finnish Electronic Communications Services Act contain the applicable legislation for the use and monitoring of cookies. Additionally, the Finnish Transport and Communication Agency TRAFICOM has provided further guidance on the use of cookies and other data stored on users’ terminal devices. The TRAFICOM’s cookie guidance has been updated and the new version was provided in Autumn 2021. TRAFICOM’s new guidance changed Finland’s cookie regime from EU’s most lenient to one of the strictest overnight. Furthermore, following the CJEU case law, browser settings accepting the use of cookies can no longer be considered as valid consent, but the consent – where required – must meet GDPR requirements for consent.

Cookies are divided into necessary cookies and non-necessary cookies. “Necessary cookies” are required to carry out a service on a website, and the use of necessary cookies does not require the end-user’s consent. TRAFICOM’s guidance does not list which cookies must be categorized as necessary since whether cookies are necessary must always be assessed on a case-by-case basis. In a web shop context, authentication cookies relating to a single sign-in, personalization cookies concerning the choice of language and the layout, and cookies concerning data security might be seen as necessary cookies. Additionally, cookies that enable the website to remember a user’s shopping cart might be considered necessary in some cases.

All cookies that are not necessary for carrying out a service on a website are to be regarded as “non-necessary cookies”. In order to use non-necessary cookies, the service provider must obtain the user’s consent. Some examples of cookies which would most likely be regarded as non-necessary cookies in a web shop context would be cookies relating to personal advertising, analytics cookies, third-party cookies and cookies concerning a chat function.

In practice, consent for cookies can be requested by using banners or pop-ups. The cookie banner should include certain information, such as sufficient information about what kind of cookies is used and for what purpose. The users should also be informed of the duration of each cookie and to whom the data stored through cookies is disclosed. Active opt-in consent is required for the use of cookies. The information in respect of the consent should be stored as there may be a need to prove the existence of the consent. An option to revoke the provided consent should be available at any time and revoking the consent should be as easy as providing it.

In addition to administrative sanctions under ePrivacy rules, such as an order to discontinue the wrongful act enforced with a conditional fine, wrongful cookie practices might lead to GDPR sanctions, and some EU countries’ data protection authorities have imposed fines regarding improper cookie practices. Non-profit organizations play a role in cookie practices as well, since, for example, a non-profit organization called NOYB has filed complaints concerning the cookie banners.

Since the Finnish Electronic Communications Services Act is based on the EU Directive on privacy and electronic communications (ePrivacy Directive), the cookies practices vary within the EU. The regulation on Privacy and Electronic Communications (ePrivacy Regulation) was supposed to enter into force simultaneously with the GDPR but the regulation proposal is still at draft stage. Upon entry into force, the ePrivacy regulation would harmonize the cookie practices within EU countries.