Selling on the Internet

Region: Ontario Answer # 350

Electronic commerce, or e-commerce, as it is more commonly known, involves the buying and selling of products or services over the Internet.

Selling goods and services on the Internet poses some risks for both business owners and customers. However, e-commerce can be effective and worthwhile, provided that you take the necessary steps to protect your business and to reassure your customers that it is safe to do business with you through the Internet.

The following information outlines some of the steps which can be taken to make e-commerce relatively safe and effective. However, you may wish to consult with a lawyer practising in this field before launching a new e-commerce website.

Electronic safeguards in your website

The first step to take is to build electronic safeguards in your website. For example, your website creator can design order forms so that the computer will reject fake addresses, incorrect credit card numbers or other information which does not appear to be correct. This will make it more difficult for people to place fake orders with your business.

Exit, print or download the order form

Another step to take is to allow a customer to exit the order form screen at any time while they are filling it out. This way, if a customer changes their mind about an order, they can easily cancel the order before it is sent to your company.

In addition, once the order is submitted, the customer should be permitted to print or download a copy for their records.

Credit card security

Many people are concerned about credit card security on the Internet. While it is possible for someone to steal a credit card number being sent over the Internet or stored on an Internet server, it is probably no more of a security threat to use your credit card over the Internet than it is to use a credit card in any conventional transaction such as at a restaurant or gas station.

Current Internet technologies have made credit card transactions very secure. Businesses that want to accept credit card payments through their website should address their customers’ concerns about using credit cards over the Internet. You can do this by providing information on your website stating what you have done to protect credit card transactions. For example, many software programs now scramble Internet messages. This is called encryption. If encrypted information is copied as it is sent from one website to another, it will not be understood. This is one way that a business can protect credit card transactions. Your website developer can implement encryption on your business website. If your website cannot support encryption technology, it is a good idea to let users know that there may be a risk in sending confidential information to you.

Clear contracts

Another thing you can do to protect your business in e-commerce is to make the terms of your order form or contract very clear. The customer should know what they are buying when they agree to your terms. By being very clear and precise, you will minimize the number of orders that are returned, and you will be able to prove that you had a contract. This will help you protect your legal rights in a contract dispute.

Know the law

Business owners who market goods and services on the Internet must also be aware of the many laws which may affect how they can do business. These include laws regarding business registrations, consumer protection, language and labelling regulations and many others. You should familiarize yourself with the laws that apply in Ontario as well as those that apply in other provinces, states or countries where you plan on marketing or distributing your products and services.

Terms of Service

A Terms of Service (also called a Terms & Conditions) is a legal document provided by a business to its customers. It describes the business’ products, services, sales process, and specific rules regarding cancellations, refunds, and returns. The Terms of Service is usually posted on a dedicated page on the business website. Also, it will often explain how customers should interact with the website, and how the business protects its property and content. Most online businesses will include their Privacy Policy with a Terms of Service.

In Ontario, a Terms of Service must follow the minimum standards of the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Consumer Protection Act (CPA). PIPEDA deals specifically with the collection and storage of personal information online. The CPA protects customers from a number of situations, including:

  • faulty goods,
  • misrepresentation, and
  • delayed deliveries.

A Terms of Service can set out specific requirements for a business and customers, and can include clauses regarding payment processing, limiting liability exposure, and protecting access to intellectual property. In order for the seller to protect themselves, their business will often rely on a Terms of Service in cases of customer disputes or complaints. Without a Terms of Service, the business will have to rely on the default rules in the CPA and PIPEDA. Relying on the CPA and PIPEDA will likely not be in the interests of the business since these laws were designed to protect customers, not sellers.

Usually, a Terms of Service will be broken down into sections and clauses. The language in a Terms of Service should be clear and concise, and in plain language. Over the past few years, institutions such as the European Union have pressured online businesses to ensure their Terms of Service documents are clear and legible for readers.


Privacy Policy

Because of the onerous restrictions imposed by PIPEDA, most online businesses should have a Privacy Policy. It is a central legal document for protecting a business’ online activities. Like a Terms of Service, a Privacy Policy is a legal document often posted on a dedicated page of the business website. The Privacy Policy describes how user information is stored, and steps for customers to request access to their information. It should describe exactly how and why the business collects user information, what information the business collects, what is done with that information, and how it is stored. The Privacy Policy should also outline the business’ accountability procedure and disclosure procedure. Often, a Privacy Policy will also include contact information for the company’s Privacy Officer and complaints process.

As consumer attitudes change, more and more information is being freely exchanged online. Aware of this evolution, governments have been pushed to crack down on businesses which collect or disclose information without user consent. In this evolving landscape, having a clear and comprehensive Privacy Policy can prove essential for online businesses to protect themselves and their customers.

A company’s Privacy Policy must be compliant with the requirements and restrictions of PIPEDA. In general, PIPEDA requires businesses to:

  • seek consent before collecting user information,
  • only collect necessary information, and
  • only disclose information when necessary for legal or business purposes.

Businesses which advertise online must also follow Canada’s anti-spam legislation (CASL). Lastly, in Ontario, businesses should also be aware of the Personal Health Information Protection Act, which regulates the collection and disclosure of medical information in the province.

Companies that conduct online business internationally should also take into account privacy legislation in their customers’ jurisdictions. Of specific concern, the European Union’s General Data Protection Regulation (GDPR) imposes onerous requirements on companies with European customers. Before conducting online business in a foreign country, you should consult with a legal practitioner from the specific region in which you desire to operate.

Export controls

Business owners who export goods, services or technology must also be aware of special laws that may control what they can do. Even software programs that are transmitted electronically are subject to certain restrictions imposed by export control regulations. Canadian laws may prohibit the export, without an export permit, of controlled technologies such as products that incorporate encryption, and the export of other items to certain countries listed on Canada’s Area Control List or subject to embargo by the United Nations.

For more information regarding Canada’s laws and conducting business on the Internet, refer to the Canada Revenue Agency.

Before offering products and services over the Internet, businesses should get professional advice from a lawyer.

