Introduction

Are you a programmer ready to take your software ideas and expertise to the next level? Perhaps you have an amazing idea for an app or an ingenious product that the market would love? If so, we’ve created this guide for your inner entrepreneur to develop and grow your product safe in the knowledge that you understand your basic legal obligations. At the end of 2016, YouGov interviewed over 1000 UK SMEs and we had the stats analysed by the Centre of Business and Economics Research (CEBR). According to this research, the UK Tech Sector loses nearly £170 million per year through not taking care of their legal business. But fear not! In here you should find invaluable information around how to avoid many of the common pitfalls that blight today’s startup tech scene. It is worth noting that these stages vary from business to business and that there may be some overlap between guides or things that are not relevant to your business in particular. If you’re unsure whether or not something applies to you, just ask! And so, without further ado, let us begin…

Complying with B2B and B2C Regulations

Who are you selling to?

One of the key questions that need to be answered at the outset is “What is your marketplace?” Often as your product is developed over time the answer to this question can change. Your consumer product may turn out to be more suitable for other businesses to include as part of their products or you may find that your business product can be exploited directly to consumers. The question of whether to sell to businesses (B2B) or to consumers (B2C) is fundamental in terms of product development, marketing, pricing and exploitation but, most importantly, for creating the correct legal terms and conditions for trading. Remember, for all your business transactions, irrespective of whether you’re trading B2B or B2C, it is wise to have contracts that cover all your business’s dealings both internally and externally. Nevertheless, B2C transactions are generally governed by much stricter consumer protection rules than B2B transactions, although there is a range of rules that apply to B2B transactions as well, which we will explore.

What are you selling them?

If you are selling to consumers (B2C) you must be aware of the Consumer Rights Act 2015 (CRA), which replaced the Supply of Goods Act 1979 for consumers and creates a host of rules and stiff penalties for breaching them. The CRA implies a whole range of terms (most used to be in the old Sale of Goods Act 1979) into your sales terms, for example, goods to be of satisfactory quality and fit for a particular purpose. The CRA sets the standards for supplying services to consumers with reasonable care and skill and can even affect fixing the price and the time in which to perform services.

Depending on whether you provide Goods, Services or Digital Content, there are a host of CRA requirements dealing with things such as returns, cancellations, cooling-off periods, delivery, repair and replacement that you need to be aware of. Prior to selling any of your B2C products, you must prepare your terms of sale or review your existing ones to be sure that you are compliant.

If you are supplying goods, the CRA implies the following terms (most used to be in the old Sale of Goods Act 1979) into your sales terms:

  • Goods to be of satisfactory quality
  • Goods to be fit for a particular purpose
  • Goods to be as described
  • Goods to match a sample
  • Trader to have the right to supply the goods

The CRA has also added new things such as:

  • Duty to provide certain pre-contract information
  • Goods must match a model seen or examined by the consumer
  • A standard for installed goods, which must be installed correctly

Services: If you are supplying services to consumers you must perform the service with reasonable care and skill. Unless the method of fixing the price is set out in the contract, the consumer must pay a reasonable price for the services, and unless the method of fixing the time is set out in the contract, you must perform the services within a reasonable time.

Anything you say or write (about the trader or about the service) to the consumer, and which the consumer relies upon when deciding to enter the contract or make a decision about the service after the contract, is to be treated as a term of the contract.

Digital Content: Because of the CRA, Digital Content is treated similarly to goods giving a consumer buying digital content the same rights as if she was buying goods, regardless of the way in which it is supplied.

If you supply Digital Content to consumers the following terms will be implied into your terms of sale: terms as to satisfactory quality, fitness for purpose, trader’s right to supply, compliance with description and compliance with pre-contract information provided under the CRA.

Depending on whether you provide Goods, Services or Digital Content, there are a host of other CRA requirements dealing with things such as returns, cancellations, cooling-off periods, delivery, repair and replacement etc that you need to be aware of. Remember that you can get LawBite to prepare terms of sale or review your existing ones to be sure that you are compliant.

Laws relevant to B2B trading

Even where your dealings are with another business and you are confident that you do not need to adhere to the Consumer Rights Act 2015, your B2B contracts and trading terms are still affected by a wide range of regulations. For instance, the Sale of Goods Act 1979 (SGA) and the Unfair Contract Terms Act 1977 (UCTA) are of particular importance to B2B transactions.

The SGA implies a number of important terms into sale of goods contracts, particularly in relation to title and quality and it lays down a large number of presumptions, which, in the absence of express drafting to the contrary, apply to a sale of goods contract.

The UCTA limits the extent to which you can avoid liability for things such as breach of contract, negligence and other breaches of duty by putting clauses in a contract such as disclaimers, exclusion clauses and limitation of liability clauses.

The Equality Act 2010 deals with discrimination in the provision of goods, services and facilities and, amongst other things, prohibits service providers from doing anything that constitutes discrimination, harassment or victimisation.

The Late Payment of Commercial Debts (Interest) Act 1998 implies terms dealing with interest, fixed sums and costs into business-to-business contracts for the supply of goods and services.

The Bribery Act 2010 not only prohibits obvious bribery practices but you need to take care that what you consider to be normal corporate hospitality is not considered to be an offence under this Act. Taking a client for a nice meal is generally acceptable, but sending lavish gifts is a no-no.

All websites (whether B2B or B2C) which use cookies need to provide information about what those cookies are and how they are used in order to comply with recent updates to the Privacy and Electronic Communications (EC Directive) Regulations 2003. This usually means having a cookie policy as part of your privacy policy on your website.

Data Protection

Data Protection Act 1998

The Data Protection Act 1998 (DPA), which came into force in 2000, is of particular importance to technology companies that may be dealing with data, in particular, people’s personal data. The Information Commissioner (Commissioner) is responsible for enforcing and overseeing the DPA and The Office of the Information Commissioner (ICO) has issued a useful Guide to Data Protection which you should be aware of.

The DPA deals with the protection of individuals with regards to the processing of personal data and the free movement of personal data. It is an extensive data protection regime imposing extensive obligations on those who collect personal data, as well as conferring broad rights on individuals about whom data is collected.

The DPA applies to the “processing” of “personal data”. With both terms being very widely defined, it means that practically any business operating in the UK, which holds information about individuals (whether employees, customers or anyone else) is affected by the DPA. Breaches of the DPA can result in criminal as well as civil liability.

All of the obligations under the DPA fall on the data controller which is the person who (either alone, jointly or in common with other persons) determines the purpose and manner in which personal data is processed. A data processor processes personal data on behalf of a data controller. The DPA does not impose obligations directly on the data processor as it recognises that not everyone is equally accountable but it does require the data controller to pass on obligations to the data processor. The ICO has issued a handy guide on the difference, which you should familiarise yourself with here.

If you deal with any type of data you should consider the DPA and you should be aware that the DPA applies to many different types of data and a wide range of processing activities. The DPA imposes a wide range of obligations on data controllers to ensure that data is processed properly. Depending on how you intend to use personal data, you may also have to register with the ICO. You can check whether you need to register with the ICO here: https://ico.org.uk/for-organisations/register/self-assessment/

Transferring personal data outside of the EEA is also a heavily regulated activity and can happen even if you are not conducting any international business, but simply by having customer details stored on servers overseas. You need to make sure that you have a mechanism in place to allow this transfer to happen legally.

Summary of (New EU) General Data Protection Regulation (GDPR)

I know what you’re thinking. This is all way too simple. If only the EU could come up with an even more complicated law on data protection that could really test us. Well, they have: the new ‘General Data Protection Regulation’ (GDPR). ‘Damn’, I hear you say, ‘we’ll miss out because we are leaving the EU!’ Nope. First of all, the new law comes into effect in the UK in May 2018, before the 2-year period for Brexit ends. In addition, the law is consumer-friendly and is, therefore, unlikely to be unravelled by the Government. Finally, if we want to continue to trade as freely as possible with the EU this will undoubtedly be one of those laws we have to continue to comply with, especially given that our sites will be accessible by EU citizens. So, you are not going to miss any of the fun of complying with GDPR. So here’s what you need to know...

In essence, the new data protection regime moves the dial even further in favour of the User. Among many other changes here are some key elements you need to know before it comes into effect:

  1. Your business will need to implement technical and organisational measures, such as documenting processing activities, and appoint a Data Protection Officer if it is a public authority or if the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
  2. Under GDPR, you will have an obligation to put in place organisational measures to show how you integrated data protection into your processing activities.
  3. This means that privacy in a service or product should be taken into account from the start of a product concept.
  4. Data subjects will have greater access to their data – you can no longer charge them £10 for that purpose.
  5. Data subjects will have a ‘right to be forgotten’ or a ‘right to erasure’ of their data.
  6. The regime around giving consent is tougher. Businesses will need to ensure that data subjects can withdraw their consent to their data being processed. Businesses must also ensure that consent is “explicit” for processing sensitive data. The onus will be on the business to show that the consent was given. Where personal data is processed for direct marketing the data subject will have a right to object. The right to object will have to be explicitly brought to their attention.
  7. Parental consent will be required for the processing of personal data of children under the age of 16. Individual EU Member States may lower the age requiring parental consent to 13.
  8. Fines for major breaches of the GDPR could reach up to the higher of 4% of annual worldwide turnover and EUR20 million. Other infringements could attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10 million.

As you can see, it’s probably wise to start thinking about how you’ll be taking steps to ensure you’re complying with GDPR now to save yourself the headache later...

VAT Registration

When your total turnover reaches the VAT registration threshold (£83,000 for a 12 month period in 2016/17), you need to register for VAT with HMRC by the end of the following month. So although this may not be the first thing you need to worry about when starting out, you need to be mindful to take action when you cross the threshold as you grow.

Selling Internationally

Conclusion

We hope you’ve enjoyed our brief guide to what you need to comply with when you’re running your tech company. We would recommend you seek professional advice if you’re confused about any of the above; don’t get bitten. LawBite can assist with your organisation’s legal queries for around half the price of a standard law firm, with relevant documents and advice. If you’re unsure of what you need or whether something applies to you, we offer a free consultation with one of our software experts too.

Contributors:

Lizzie Knight, Head of Marketing
Andrew Smith, Software and Corporate LawBrief (LawBite lawyer)
Amna Ahmed, Software and Commercial LawBrief (LawBite lawyer)