The Malta Communications Authority (MCA) is the designated supervisory body responsible to monitor and ensure compliance with the eCommerce Act & eCommerce Regulations whilst the Malta Competition and Consumer Affairs Authority (MCCAA) is the entity responsible for ensuring conformity with the Consumer Rights Regulations.
A contract is normally made up of an offer, acceptance, and intention to create a legal relationship, regardless of whether it is in writing, or in some other tangible form, or as in this case in electronic form. However, for an electronic contract to be legally binding it needs to conform to the requirements established at law, primarily those under the Civil Code, the Commercial Code and the eCommerce Act. The latter further strengthens the legal framework for electronic contracts by establishing precise rules, in line with the EU eCommerce Directive. The eCommerce Act makes specific reference to the formation of contracts with consumers, introducing a number of provisions aimed at safeguarding consumers entering into contracts electronically. It also facilitates the uptake of eCommerce by allowing for trade to occur at a distance without the need for the trader and the consumer to be at the same physical location.
Yes, the eCommerce Act establishes that a contract concluded electronically is valid at law and not only in cases where both the offer and the acceptance are communicated by electronic means, but also where only the offer or the acceptance is communicated electronically. However, there are areas where this does not apply.
It must be noted that although orders concluded via email could meet the three criteria for ‘information society services’, the eCommerce Act clearly specifies that such orders (via email) do not qualify as electronic contracts. This means that the obligations which would normally apply to ‘information society service providers’ (individuals or organisations selling over the internet) would not be relevant for orders handled solely through email.
The eCommerce Act provides that an electronic contract is concluded when the consumer has received, electronically, an acknowledgement of receipt of the order from the trader. It further states that a contract is concluded when the consumer can actually access and view the trader’s acknowledgement. It is to be noted that the trader is required to acknowledge receipt of the order without undue delay and by electronic means. The acknowledgement referred to here is the email that the online trader sends to the customer confirming the order, which is usually sent automatically by the trader’s ordering system. You may wish to view the order confirmation template for reference.
Yes, but there are rules governing such a practice. Commercial communications are forms of communication (Example: emails) aimed at promoting goods and services. The eCommerce Regulations  stipulate that these must be clearly recognisable as being commercial communications and must visibly identify the person on whose behalf the marketing communication is being sent, together with the promotional offer.
When you send commercial communications, you should include the details as to how customers can opt in or opt out of such a practice, on your website. These should be visible at every point where customers are asked to provide information when accessing your website, as set out in the eCommerce Regulations .
Respecting Customer Rights
Traders operating within the Financial Services sector, should also refer to reg. 5 of the Distance Selling (Retail Financial Services) Regulations.
a) Your trading identity, such as the trading name (Example: eBay, Amazon, ASOS etc);
b) The geographic address of your commercial activity to enable your customers to communicate and, if necessary, to address any complaints with you. In cases where there is no physical store or shop, the address should refer to the personal residence of the individual who appears on the trading licence or authorisation. A P.O. box is not accepted as an address under the above-mentioned law;
c) The details through which customers can contact you for information, queries or any complaints, including an e-mail address, that allows customers to rapidly contact and communicate with you, in a direct and effective manner;
d) If you are registered in a trade or similar public register, the name of the register as well as the registration number or any equivalent means of identification in that register;
e) If you are subject to an authorisation scheme, you will need to provide the particulars of the relevant supervisory public authority (Example: an Internet Service Provider would be authorized by the Malta Communications Authority, a hotel would be authorized by the Malta Tourism Authority, etc.);
f) If you offer services which are part of a regulated profession, you will need to mention the professional body or institution with which you are registered. You will also need to provide a reference to the applicable rules in the Member State of establishment and the means to access them via a link to the website or even a copy of the official document which can be downloaded through the website;
g) If you subscribe to any codes of conduct you will need to provide information on how a consumer can access these electronically;
h) The Value Added Tax registration number of your commercial activity, where applicable;
i) An appropriate description of the main characteristics of the goods or services.
j) If you provide digital content (Example: music, films, games, computer programs, videos or text), you will need to specify the functionality, including applicable technical protection measures, and any relevant interoperability with hardware and software that you are aware of or can reasonably be expected to have been aware of. You also have to inform the customer of any optional additional and built-in purchases (Examples: in-app purchases such as add-ons or extra levels in a video game or subscriptions to audio-visual content services that offer pay-per-view content at an extra cost);
k) Prices should be clearly indicated and be inclusive of tax. Where this is not possible, you need to indicate all charges that may be payable, specifying the manner in which the price is to be calculated, as well as, where applicable, all additional freight, delivery or postal charges and any other costs. In case of subscriptions or contracts of an indeterminate nature (Example: newspaper subscription, etc) you will need to provide the total monthly costs and the costs per billing period, if the two do not match. Where total costs cannot be reasonably determined in advance (Example: where cost depends on usage), you will need to specify the manner in which these will be calculated. If you fail to inform the customer of any of these costs, then s/he will not be obliged to honour those costs;
l) The payment methods and delivery arrangements that you provide, enabling the customer to select the option that best suits his/her needs;
m) The period within which you will deliver the goods or services (Example: within 1 day or one week, etc). You are required to indicate a time-frame from the conclusion of the contract (that is, from when the customer confirms the order), without having to necessarily indicate a specific calendar date;
n) For goods or services for which the right of withdrawal applies, you need to specify the conditions, time limit and procedures for exercising that right in line with the provisions at law and to provide the customer with the model withdrawal form. It is mandatory for a trader to provide customers with this form;
o) In the case of withdrawal, you must also inform the customer, prior to the conclusion of the contract, whether the cost of returning back the goods will be borne by you or not. If the consumer is paying for the cost of returning the goods, for items that cannot normally be returned by post (Example: bulky items such as a washing machine, etc), you will need to specify the costs involved to return back the item or an approximation of the costs should these not be reasonably quantifiable in advance;
p) Where the right of withdrawal does not apply, you are obliged to inform the customer that s/he will not benefit from the right of withdrawal (Example: supply of goods made to the specifications of the consumer or where these are clearly personalised, etc.) You can view the full list of exceptions here;
q) Where a customer could lose his/her right of withdrawal, you will need to inform the customer of the circumstances under which this could occur (Example: removing tags from clothes, unsealing the product, etc);
r) In cases where the consumer has expressly requested for the performance of services to commence during the withdrawal period, you will need to inform the customer that s/he will have to incur the cost of what has already been provided to him/her before the customer exercised the right of withdrawal;
s) A reminder that a legal guarantee for the conformity of goods exists and where applicable, you also need to inform the customer about the existence and the conditions of after-sale customer assistance and commercial guarantees;
t) Where applicable, you will need to specify the duration of the contract and in cases where the contract is of an indefinite nature or extended automatically, you will need to inform the customer about the conditions for terminating the contract;
u) Where applicable you are obliged to inform the customer of the minimum duration of the contract;
v) Where applicable, you need to inform customers of any out-of-court remedies that you may be subject to, explaining the process for gaining access to these remedies (Example: reference to consumer assistance provided by the Malta Communications Authority or the Office for Consumer Affairs within the Malta Competition and Consumer Affairs Authority, etc.).
Although the law does not specify where the above information should be located on the website, the law still provides that this is to be indicated in a clear and comprehensible manner. It is recommended to have the information in points from (a) to (h) available in a dedicated section which is, ideally, linked to the home page, such as the ‘About’ page or similar.
Points (i) to (k) and (s) is information which is to be made available from the product page and not in a blanket clause in the general terms and conditions.
Considering that the right of withdrawal mentioned in points (n) to (r) is key information to the customer, such a reference to the right of withdrawal should be clearly indicated. A reference within the general terms and conditions which is downloadable through a link and in which the customer has to search for the relevant clauses on the right of withdrawal, is unlikely to be clear to the customer. The customer should be able to read this information on the website itself. The model withdrawal form can however be provided via an internal link.
The remaining points should ideally be placed in the ‘Terms & Conditions’ section or similar. Nevertheless, a link to the general terms and conditions should be made available from the product page. A link at the very end of the website page to these terms is not sufficient.
If the above information is not readily available on your website or is difficult to locate, it can be a source of anxiety for potential customers who might instead decide to abandon the sale. You need to bear in mind that when shopping over the internet, customers cannot handle or try out the products bought and therefore you need to ensure that customers feel reassured by your website’s clear information in all circumstances.
Notwithstanding the above, it must be noted that the Consumer Rights Regulations clearly state that for contracts falling under the definition of ‘information society service’ the information specified in points, (h), (i), (s) & (t) above should be made available in order to allow the customer to review the contents in the shopping cart, without being obliged to navigate away from the ‘order’ page.
It is also important to ensure that the text on the button used for making the ‘order’, clearly conveys the message that, placing the order entails an obligation to pay (Recommended text: ‘buy now’, ‘pay now’, ‘commit to buy’, ‘confirm purchase’) .
When customising the content and presentation of an eCommerce website for mobile devices with small screens (Example: smartphones), you need to provide, as a minimum, the information contained in points (a), (i), (k), (n) & (t) above, prior to the conclusion of the contract.
- The technical means for identifying and amending the order details (Example: quantity, size, etc.) prior to placing the order. This will ensure that customers are able to amend mistakes they make;
- The different steps to follow to conclude a contract so that customers are aware of the process involved and the stage at which they will commit themselves;
- Whether you will be filing the concluded contract and whether it will be accessible by the customer;
- Any applicable terms and conditions available in a way which permits the customer to store and reproduce them;
- The language/s in which the contract may be concluded.
It should be noted that these requirements do not apply to contracts concluded exclusively by exchange of email or by some other similar technology. Such contracts are governed by contract law and are outside the scope of these guides.
In such cases, you are obliged at law to obtain the customer’s express consent for any additional payments besides the cost for the service the customer subscribed to.
Yes, but a number of exceptions exist where the customer cannot benefit from the right of withdrawal or can lose this right under certain conditions. The Consumer Rights Regulations empowers the consumer to cancel a contract within fourteen days (14) from the date of the delivery of the good/s or from conclusion of the contract in the case of services, without incurring any penalty and without the need to justify the returning back of the goods or the cancellation of the contract (Example: if goods are received or the service contract is concluded on 1st June, the last day for withdrawal would be 15th June).
If you are operating within the Financial Services sector, you should also refer to reg. 7 of the Distance Selling (Retail Financial Services) Regulations.
It must be noted that if you fail to provide all the information concerning the right of withdrawal, the withdrawal period will extend to twelve (12) months from the end of the initial withdrawal period (Example: if a consumer buys a product on 1st July and is not informed of his right to cancel the contract, the consumer would have up to the 15th July of the following year to exercise his right of withdrawal). However, if you inform the consumer of his/her right of withdrawal during the twelve month period from when the product was delivered, the withdrawal period would instead expire fourteen days after the day the consumer was given the information. In addition, you need to make it clear whether the consumer will be paying for the cost of returning the goods, unless you decide to bear the cost. Failure to do so will exempt the consumer from incurring such a cost.
If the customer informs you either by filling in the model withdrawal form  or by making an unequivocal statement (Example: by letter, email, phone, etc), of his/her decision to withdraw from the contract before the expiry of the withdrawal period, the consumer shall be deemed to have exercised the right of withdrawal. In such cases, the burden of proof is on the customer.
You are obliged to honour the contract and deliver the good as specified in the agreement with the consumer. Therefore, in cases where the delivered good is faulty or does not conform to the specifications agreed upon during the purchasing process, the Consumer Affairs Act provides the consumer with various remedies for rectifying the matter. The consumer shall be entitled to either have the goods brought into conformity free of charge by repair or replacement, unless this solution is impossible or disproportionate. If the product cannot be repaired or replaced within a reasonable time, or only at significant inconvenience to the consumer, or cannot be repaired or replaced at all, the consumer may opt to either have an appropriate reduction in price or to have the contract revoked and refunded accordingly. The Act allows the consumer a time frame of two years within which s/he can seek redress from the trader in case of non-conformity with the contract.
Yes, unless otherwise agreed, the Consumer Rights Regulations establish that a trader must execute an order within a maximum of thirty (30) days from the day after a contract was concluded. If you fail to deliver the product at the time agreed with the consumer or within the time limit mentioned above, you will have to agree on a new delivery date, appropriate to the circumstances, with the consumer. Failure to deliver by the extended date will entitle the consumer to terminate the contract immediately. You must then refund the consumer of any payment made in the shortest time possible.
Generally, as a minimum, a contract for goods or services should provide terms and conditions which address the following:
- Information on how to search and locate products on the website;
- The currency used on the website ;
- Payment options available;
- Delivery options available, including tariffs, time, place and who is responsible for the delivery;
- Returns and refunds;
- Rights of either party to terminate the contract;
- Confidentiality provisions, particularly if the contract is of a sensitive nature.
It is advisable to provide consumers with a link on the website displaying the terms and conditions and other relevant information. This must, however, be clearly visible to the consumer before the contract is concluded, and it is further recommended that special emphasis is made with the consumer to view the terms and conditions before confirming the order. Many traders address this requirement adequately by requiring the consumer to scroll through the terms and conditions and tick an “I agree” or “I have read” box before s/he can proceed with the order, to indicate acceptance or otherwise to the terms and conditions. It is advisable to seek help from a lawyer when drafting such a policy.
 For clauses (d) & (e), refer also to ‘Licensing and Authorisations’ section of the FAQs.
 Clauses (a) to (f) emanate from the Electronic Commerce Regulations, s.l. 426.02, reg. 5.
 Clause (g) emanates from the Electronic Commerce Act, cap. 426, art.11 (2).
 Clause (h) emanates from the Electronic Commerce Act, cap. 426, first schedule and art.11.
 The Consumer Rights Regulations (s.l. 378.17) define ‘digital content’ as data produced and supplied in digital form and it doesn’t make any distinction between access through downloading or streaming.
 DG Justice provides traders with guidance with regard to pre-contractual information for online digital products that traders should make available to consumers. Traders are encouraged to use the information categories with their icons, the table-like display and the order of the information items as shown in this link: http://ec.europa.eu/justice/consumer-marketing/files/model_digital_products_info_complete_en.pdf.
 Clause (k) emanates from the Consumer Rights Regulations, s.l. 378.17, reg. 5 (e) and 5(6).
 Clauses (l) and (m) emanate from the Consumer Rights Regulations, s.l. 378.17, reg.5 (g) and reg. 20 (1).
 You may refer to part A of the Schedule as referred to in reg. 5 (4) of the Consumer Rights Regulations, s.l. 378.17. However, the instructions in part A are not mandatory and you may amend the wording accordingly.
 Clause (n) emanates from the Consumer Rights Regulation, s.l. 378.17, part B of the Schedule and reg. 5 (1) (h).
 Clause (o) emanates from the Consumer Rights Regulations, s.l. 378.17, reg. 5 (i).
 Clauses (p) and (q) emanate from the Consumer Rights Regulations, s.l. 378.17, reg. 5 (k) and reg. 18.
 Clause (r) emanates from the Consumer Rights Regulations, s.l. 378.17, reg. 5 (j).
 Clause (s) emanates from the Consumer Rights Regulations, s.l. 378.17, reg. 5 (l) and (m).
 Clause (t) emanates from the Consumer Rights Regulations, s.l. 378.17, reg. 5 (o).
 Consumer Rights Regulations, s.l. 378.17, reg. 5 (p).
 Consumer Rights Regulations , s.l.378.17, reg. 9 (2).
 Consumer Rights Regulations, s.l. 378.17, reg. 9 (4).
 Electronic Commerce Act, cap. 426, first schedule & art.11.
 Consumer Rights Regulations, s.l. 378.17, reg. 18.
 Consumer Rights Regulations, s.l. 378.17, reg. 10.
 Although public holidays, Saturdays and Sundays are included in the withdrawal period, if it ends on one of these days, the withdrawal period would then expire on the following working day.
 Consumer Rights Regulations, s.l. 378.17, reg.5 (1) (h), Schedule, part B.
Licensing and Authorisations
The Trading Licences Act requires anybody carrying out a commercial activity (whether from a brick and mortar shop or an online shop) to obtain a trading licence, unless the nature of the business falls under the remit of a specific Authority. Should that be the case, the licence/s will need to be obtained from the Authority that regulates that specific sector.
Handling Customer Data
The Data Protection Act allows the customer, at any time, to oppose or withdraw consent to personal data processing for the purpose of an activity that is carried out in the public interest or that concerning a legitimate interest of the trader, if the consumer has indisputable valid grounds to object to the processing of such data.
2. What information should I provide a customer from whom I am requesting personal data?
You are obliged to provide a customer from whom you have requested personal data, with at least the following information, unless you have already made it available to the customer:
- Your trading identity and business location, and of any other person authorised by you to act on your behalf;
- The purpose for which the customer’s personal data is being collected;
- Information about the recipients of the customer’s personal data;
- Whether the information being requested is mandatory or voluntary and the consequences of failure to reply;
- The right of the customer to access or request amendments, and where applicable, to request removal of data concerning the customer.
3.What obligations do I have when I obtain personal data from sources other than the customer himself?
In the event that you obtain a customer’s personal data from sources other than the consumer himself, you are obliged to provide him/her with the following information unless s/he is already in possession:
- Your trading identity and business location, and of any other person authorised by you to act on your behalf;
- The purpose for which the consumer’s personal data is being collected;
- Any additional information relating to the type of data, the recipients and the right to access, amend and where applicable to erase the personal data of the consumer.
However, the above information need not be provided if the personal data requested is only used for statistical or historical purposes or if such information would be impossible or would involve a disproportionate effort.
4. What happens if I do not process personal data in accordance with the requirements in the Data Protection Act?
In such cases, you will be legally responsible, at the request of the customer, to immediately rectify, block or erase such personal data. Besides, you need to notify any changes or deletions to third parties to whom the data has been disclosed, unless this proves impossible or would involve a disproportionate effort.
5. Under which circumstances can I process sensitive personal data?
Sensitive personal data is personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life and may only be processed if the customer has given his/her explicit consent to processing or has made the data public. You may only process this special category of data if the appropriate safeguards are implemented and if the handling of this data is necessary:
- For the trader to be able to comply with his duties or exercise his rights under any law regulating the conditions of employment; or
- For protecting the vital interests of a customer, especially if the customer is physically or legally incapable of giving his/her consent;
- For legal claims to be established, exercised or defended.
According to the Processing of Personal Data (Electronic Communcation Sector Regulations), if you store information or gain access to information stored on a customer’s terminal device, commonly known as cookies, you shall be required to obtain the customer’s consent, except where such tracking technologies are required to:
- Carry out or facilitate the transmission of a communication over an electronic communication network (Example: session cookie); or
- Provide an information society service explicitly requested by the customer (Example: first party user input session cookies or authentication cookies).
When none of the above exemptions applies, you need to introduce a mechanism to seek the users’ ( customers or visitors) consent. The most common and acceptable approach from a data protection point of view, is the placing of a banner or a pop-up window on the landing page providing the necessary information to the user about the processing of cookies. Valid consent shall involve a positive action and may take the form of either a mouse click on a radio button or by proceeding to continue browsing the website. Such action shall mean that the user agrees with the terms and conditions you set out on your website contained in a comprehensive cookies policy.
If your website collects and processes personal data, it is strongly recommended to include a policy that explains how a customer’s personal information will be treated. It is simply a way of communicating your business’ position regarding data protection, for example, whether it treats personal data as strictly confidential or whether it trades in personal data. It is also the logical place to explain the purposes for which you use personal data and any likely disclosures. This will provide customers with further reassurance about the way in which information is being collected and used. In addition, you would be satisfying the obligation set out in the Data Protection Act with regard to information that you must make available to the customerwhilst protecting your business from legal challenges and unnecessary problems.
 Data Protection Act, cap.440, art. 11.
 Data Protection Act, cap.440, art. 19.
 Data Protection Act, cap.440, art. 20.
 Data Protection Act, cap.440, art.20 (4).
 Data Protection Act, cap.440, art. 22.
 Data Protection Act, cap.440, art. 12 to 18.
 Data Protection Act, cap. 440 – art. 19.
Selling Safely Online
Following are some safety measures you can adopt to ensure that your online store is protected:
- Use strong passwords throughout the system – passwords of at least eight or more characters long utilising a combination of different cases, numbers and special characters are recommended, such as 13@#FY?&9!;
- Change passwords regularly, for example once a month;
- Utilise different passwords for different accounts;
- Monitor log files carefully to detect any attempts of malicious behaviour;
- Implement Transport Layer Security (TLS) protocols;
- Engage the services of a qualified security assessor in order to scan the website for any possible Trojans and to identify any weaknesses and vulnerabilities that would need to be addressed.
The above information is only meant as guidance and we strongly recommend traders seek expert advice prior to undertaking an online project.
When in doubt on the validity of the transaction, you should:
- Call the acquiring bank or institution (the bank or institution that has issued the card) to confirm the cardholder’s authority for the placed order;
- Ask the customer for additional information such as telephone number that you could call to contact him/her to verify the authenticity of the person that has initiated the purchasing process;
- Request a consumer’s utility bill/statement indicating the delivery address.
It is advisable to establish effective procedures for cardholder verification. This not only reduces the risk of fraud, but also builds consumer confidence and loyalty. Customers will feel reassured that the trader is adopting all the necessary measures to ensure the security of transactions.
Further information about online security can be viewed in the Planning your IT requirements section under ‘Trading safely over the internet‘.