Digital business in France: overview
A Q&A guide to digital business in France.
The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.
To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.
This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.
The French law governing the conduct of business online is set out in a number of different statutory instruments. Some of these are specific to online business, whereas others apply to all business activities.
The main applicable regulations are the following:
Act No. 2004-575 of 21 June 2004 on Confidence in Digital Economy, which concerns the provision of mandatory online information, and the obligations and liability of content and hosting providers.
Act No. 2014-344 of 17 March 2014 on Consumers Rights implementing the Consumers Rights Directive 2011/83/EU, which sets out the main rules for conducting e-commerce with consumers.
Act No. 78-17 of 6 January 1978 (as amended) on Information Technology, Data Files and Civil Liberties (applicable to data protection issues).
Act No. 94-665 of 4 August 1994 (French Language Act) which provides that all information communicated to consumers must be in French.
French Consumers Code, which contains provisions in relation to unfair and aggressive commercial practices, unfair clauses, mandatory information to provide to consumers, and advertising and marketing rules.
French Civil Code, which contains provisions in relation to the formation of electronic contracts, e-signatures, general tort and contractual liability.
Telecommunications and Posts Code, which contains provisions in relation to email marketing.
French Commercial and Civil Code in a business-to-business context, which contains provisions in relation to unfair competition rules.
Intellectual Property Code, which contains both legislative and regulatory provisions in relation to trade mark, copyright, and database rights.
All regulations in France are adopted by the French Parliament. However, the Parliament can authorise the government to adopt legislation by ordinance. The Parliament will then validate the law once it has been published.
The French government is also entitled to publish decrees and ministerial orders to detail the practical application of these legislations.
In addition, French administrative bodies can issue binding recommendations and are entitled to issue controls and sanctions if the legislation is not observed.
In particular, the Office of Fair Trading (DGCCRF) handles all breaches of the consumers and anti-trust legislation. This French authority gives no binding advices and draft circulars.
The Data Protection Authority (CNIL), according to the Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, is responsible for controlling all breaches of data protection regulations. Moreover, this administrative authority establishes and publishes the simplified standards and proposes legislative or regulatory measures to the government to adapt the protection of liberties to developments in computer processes and techniques.
The French Advertising Regulation Authority (ARPP) is a self-regulatory organisation, which aims to maintain high standards in terms of legal, honest, and truthful advertising. It elaborates ethical standards and secures their proper implementation.
Setting up a business online
There are no mandatory legal requirements to set up a business online. However, the following steps should be taken before launching a new business online.
Legal audit. A first step is to verify that the concept of the contemplated business and its intended way of functioning is compliant with applicable legislation and regulations in France.
A legal audit focusing on IP rights must also be conducted. This audit is designed to verify that the individual/entity launching such online business owns all necessary IP rights and authorisations to create and operate its website.
The audit must also verify what personal data are collected and how they are collected to assess what formalities must be carried out with the French Data Protection Authority (CNIL).
Finally, since the online operator must be clearly identified, the operator must determine which entity will be responsible for operating the business. No specific registration is needed before launching a business online (except the registration required to create the appropriate corporate body and those required for specific businesses like travel agencies or for other regulated products). If the entity launching the website is a corporate entity, this entity must be incorporated.
Drafting of legal documents. The following legal documents must be drafted and included in the website:
Terms of sales (if relevant).
Legal disclaimer with mandatory information (mentions légales).
These legal documents must be drafted to include all mandatory information that needs to be delivered to consumers under consumer, data protection and internet laws. They also have the purpose of setting the contractual rules between the users of the website and the operator/seller.
Data protection declaration and formalities. If personal data are collected, formalities with the CNIL may be necessary. Generally speaking, simple declarations must be filed but for certain specific processing (for example, transfer of data outside of EU), a prior authorisation from the CNIL may be needed.
The General Data Protection Regulation was adopted by the European Parliament on 27 April 2016. This regulation, which will come into force in 2018, provides that the notification of the files and its characteristics to the CNIL is no longer required, except for the specific cases.
The operator of a new online business can generally expect to contract with the following parties:
IT services companies. Launching a business online usually involves contracting with different parties to create the website such as developers, integrators, software as a service (SaaS) providers. All these services can be performed by IT services companies or by individual contractors. The contracts will include the main obligations of the parties (development, IP rights and licensing, liability, indemnities, penalties, reversibility, Service Level Agreement, termination, and so on).
Hosting providers. Hosting agreements are necessary to host the website online. Such contracts must be thoroughly reviewed from a technical standpoint to ensure that the hosting capacities and bandwidth of the hosting provider are adequate for the website. Services level agreements are also usually required.
Licences with third party content or services providers. The new online business must obtain licences for any third party content that is not freely available (for example, images, sounds, trade marks, domain names and databases). Licences can also be negotiated for simple software or plug-ins implemented on the website that do not require a SaaS agreement.
The main steps to take to develop and distribute an app are identical to the processes referred to in Question 4.
If the individual/entity procures the development of the app by a third party, it must ensure that it owns all necessary IP rights and authorisations to use and operate the app in accordance with its business needs.
If contracting with an app store is necessary, the terms and conditions of the relevant app store are crucial. The app store may require:
That the app meets specific technical requirements to be distributed through its channel.
Specific distribution requirements.
An agreement with a third party payment services provider may also be necessary.
Running a business online
Requirements for electronic contract formation
Generally speaking, electronic contracts are subject to the general contract formation rules including those in the Civil Code. The Civil Code includes provisions concerning the capacity of the parties, the validity of the parties' consent, existing objects and the lawful purpose.
Provisions of the Civil Code include the additional requirements for electronic contracts. In a business-to-business context, the parties can deviate from these requirements.
The offer must include the following information:
The necessary steps to conclude the agreement.
The technical means offered for the customer to review and correct information before ordering (for example, the customer must be able to check the details of the order and the total price, and to correct potential errors before expressly consenting to the order).
The different languages offered to conclude the contract.
If the contract is to be archived, the terms of this process and the means by which the filed contract may be accessed.
The means of consulting online the professional rules and commercial conditions that the seller wishes the parties to be bound by.
In addition, the business/seller must acknowledge receipt of the order without undue delay and by electronic means. The order, the confirmation of the acceptance and the acknowledgement of receipt are deemed to be received when the parties to whom they are addressed are able to access them.
The Consumers Code requires additional information in a business-to-customer context. This covers in particular:
The main characteristics of the product or service.
The price of the goods or the services, inclusive of all taxes.
The date or the time-period in which the seller undertakes to deliver the goods (when not delivered immediately).
The contact details of the seller (for example address, telephone, fax number, electronic address).
The means of payment accepted.
The duration or the availability of spare parts.
For digital content, the seller has to inform the consumer of the digital content's functionalities, including the technical protection measures, where applicable, and the interoperability.
The conditions applicable to the legal and contractual warranties.
The existence of an after-sales service (if applicable).
The conditions, time limit and procedures for exercising the right of withdrawal.
That the consumer will have to bear the cost of returning the goods in case of withdrawal from the contract (where applicable).
When the "right of regret" is not provided, confirmation that the consumer will not benefit from a right of withdrawal.
The cost of using any means of distance communication fused to conclude the contract (for example, premium rate calls).
The existence of relevant codes of conduct.
The conditions for terminating the contract.
Where applicable, the possibility of having recourse to an out-of-court complaint and redress mechanism, to which the trader is subject, and the methods for having access to it.
Before placing an order, a button or similar function labelled in an easily legible manner with the words "order with obligation to pay" or a similar unambiguous indication that placing the order imposes an obligation to pay the seller.
The following information must be provided to the consumers on the order pages and not only in the terms of sale (ideally on the first page rather than at the end of the ordering process, but in any case before the purchase):
The main characteristics of the product.
The total price of the product, inclusive of all taxes, as well as any applicable delivery fees. This must appear at the first page as the Office of Fair Trading (DGCCRF) considers providing additional fees at the end of the ordering process to be unfair.
Means of payment accepted.
Any delivery restrictions that can apply.
Required format of electronic contracts
There is no required format for concluding an electronic contract but in a business-to-customer context the seller must provide the consumer with a durable medium, including all the information referred above (see above, Requirements for electronic contract formation), at the latest at the time of delivery.
A durable medium is any instrument which enables the consumer to store/print information in a way that is accessible for future reference and which allows for the information to be reproduced unchanged (for example, as a pdf or an email, including the mandatory information (in practice this is included in the terms of sale)). Under recent case law, a durable medium cannot be a mere hypertext link to a website page of the seller.
Cooling off period
There is no legal cooling off statutory period in a business-to-business context.
In a business-to-customer context, the consumer has 14 days from the conclusion of the agreement or from the day on which the consumer acquires the physical possession of the goods to notify the seller of his/her withdrawal from the contract and a further 14 days from this date of notification to return the product.
The seller must reimburse the consumer by the same means of payment as used in the initial transaction, unless the consumer has expressly agreed otherwise.
The seller can choose that the return costs are borne either by him or the consumer. If the seller opts for the consumer to pay the costs of returns, he must inform the consumer of that choice.
There are some exceptions to this right of withdrawal, such as personalised goods, items that cannot be returned for hygiene reasons, and newspapers. In particular, there is no right of withdrawal where the contract is for services which have already been performed with the consumer prior to his express consent (with the acknowledgement that he will lose the right of withdrawal once the contract has been fully performed by the seller). This is also the case for the purchase of digital content such as apps.
The enforceability of click-wrap, browse-wrap and shrink-wrap agreement in France
The click-wrap agreement implies that the user by clicking accepts the terms and conditions before proceeding with its purchase. The browse-wrap agreement supposes that the user is merely notified of the terms and told that by continuing to browse he or she deemed to have accepted them. The shrink-wrap agreement implies that the terms are presented on packaging, on tangible media, or during the download. The user, who cannot proceed with the installation unless he or she accepts the terms, has generally not seen the terms before his purchase.
For these three agreements, it is necessary to distinguish a business-to-consumer from a business-to-business context.
In a business-to-consumer relation, the consumer must receive the mandatory information on a durable medium. Therefore, a business practice consisting of making the information referred to in that provision accessible to the consumer only via a hyperlink on a website of the undertaking concerned does not meet the requirements of that provision, since that information is neither "given" by that undertaking nor "received" by the consumer.
On the contrary, in a business-to-business relation, the method of accepting the general terms and conditions of a contract of sale by "click-wrapping" constitutes a communication by electronic means which provides a durable record of the agreement.
The general rules of the Civil Code on electronic contract formation are identical in a business-to-customer and a business-to-business context (see Question 6). The Consumers Code also imposes a requirement to communicate the mandatory information when contracting with a consumer (see Question 6).
For more information in relation to governing law in an international context, see Question 25.
French law imposes the following retention periods:
Business-to-customer agreements exceeding EUR120: ten years from delivery (Article L.213-1, Consumers Code).
Business-to-business agreements: there is no specific data retention rule in relation to electronic contracts. However, the Commercial Code specifies that accounting documents and supporting documentation must be kept for ten years. In any case, a minimum retention of five years (corresponding to statute of limitation) is recommended (Article L.110-4, Commercial Code).
Personal data will be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed. Thus, the period depends on the type of the personal data collected.
The remedies for breach of an electronic contract are identical to those available for breach of any other type of contract.
Under French civil law, legal remedies are mainly cancellation, unenforceability, specific performance and/or damages. Damages are only intended to cure the breach, and punitive damages do not exist.
Under Article 1316-4 of the Civil Code, an e-signature has the same evidentiary strength as handwritten signature if the e-signature uses a reliable process of identification, ensuring that it is linked with the electronic document. A photocopy of a scanned document is not usually considered a reliable process for ensuring the authentication of the signatory.
However, French legal rules allow the following agreements to be evidenced by any means:
Any contract not exceeding EUR1500 (Article 1341, Civil Code).
Business-to-business contracts (Article L.110-3, Commercial Code).
Moreover, a scanned signed or even unsigned document can still have some evidentiary value for all contracts. Under Article 1147 of the Civil Code, any written evidence (for example, a scanned signature, invoices, and so on) can be confirmed in front of a judge by complementary evidence to enforce an agreement (for example, emails, testimony, and so on).
Definition of e-signatures
According to the Civil Code, an e-signature constitutes a reliable means of identification which guarantees a link with the agreement that it is attached to.
When an e-signature is created in accordance with conditions set out in the Decree No. 2001-272, the reliability of the e-signature (that is, the identity of the signatory and the validity of the signature) is presumed, until proven to the contrary.
Any e-signature process which does not comply with provisions of Decree No. 2001-272 is possible but, in the event of a dispute, its reliability must be evidenced by the party relying on it.
Format of e-signatures
To be considered as a presumed reliable e-signature, an e-signature must meet the following conditions (Decree No. 2001-272):
Capable of identifying the signatory.
Uniquely linked to the signatory.
Created using means that the signatory can prove is under his sole control.
Linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
In order to fulfil those conditions, the secured e-signature must, among others:
Be issued by a secure signature-creation device. The device must be certified by the French Network and Information Security Agency (FNISA).
Be verified by using a qualified certificate issued by a certification service provider.
The official list of entities delivering certified secured e-signatures is available at www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf.
In a normal business context, having an e-signature system which is not presumed reliable is generally sufficient, as use of a presumed reliable signature is generally limited to specific cases and agreements.
The use of e-signatures in electronic contracts
The use of e-signatures in electronic contracts is increasing in France. For example, when a consumer buys a product on a website, he will receive a text message with a confidential number, allowing the completion of the transaction. Thus, the signatory can be identified. This proceeding is also applicable to employment contracts. However, these e-signatures are only signatures considered as having an evidential value but not as e-signatures recognised by law within the conditions detailed above. Due to the legal and technical requirements of e-signatures, e-signatures remain in the scope of regulated specific business activities where the evidential nature of the signature has a significant importance (such as notaries, lawyers, banking institutions).
Implications of running a business online
Cyber security/privacy protection/data protection
The Act on Information Technology, Data Files and Civil Liberties of 1978 governs the collection and use of personal data.
French data protection law generally applies when:
The data controller is established in France.
The data controller, although not established in a French territory or in any other member state of the EU, uses a means of processing data located on French territory (with the exception of processing data used only for the purposes of transit through this territory or that of any other member state of the EU).
From 25 May 2018, the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons regarding the processing of personal data and the free movement of such data must be applied.
Under the Act on Information Technology, Data Files and Civil Liberties, the law applies to the (automatic or non-automatic) processing of personal data that are or can be contained in a personal data filing system, with the exception of processing carried out for the exercise of exclusively private activities.
Personal data means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. In order to determine whether a person is identifiable, all methods that the data controller or any other person uses or to which they can have access must be taken into consideration.
This means that data that cannot initially be considered as personal data (for example, localisation data) can become personal data if such data is paired with other data that can reveal the identity of the user.
Under French law users must be informed of:
How their personal data are collected and used.
How they can access and rectify their personal data.
Their right to oppose to the processing of their personal data.
Some personal data cannot be collected unless specific legal conditions are met (in particular, sensitive data, that is data that reveals race and ethnicity, political, philosophical, or religious opinions, trade union affiliation, health or sexual life). Such data cannot be collected or processed. However, in exceptional circumstances specified in the Data Protection Act, such sensitive data can be collected and processed. For example, such data can be collected and processed:
With the express consent of the person concerned (simple acceptance of terms and conditions by the user is not considered to be an express consent).
Where the processing of the data relates to matters such as health, justice, protection of human life and so on.
The data must be obtained for specified, explicit and legitimate purposes, and cannot subsequently be processed in a manner that is incompatible with those purposes.
Storage of personal data is possible provided that it complies with data protection laws in terms of information, use and conservation.
There are no specific restrictions in relation to storing data in the cloud. However, if cloud services are procured from a cloud services provider, storage of personal data must be covered by an agreement between the data controller and such cloud provider. In addition, if these data are eventually transferred outside of the EU or outside a country in which the Data Protection Authority (CNIL) considers that an adequate level of data protection exists, authorisation from CNIL may be necessary and the data controller will need to execute standard contractual clauses based on EU regulations.
Under Article 32 II of the Data Protection Act (as modified by Order 2011-1012 of 24 August 2011 on electronic communications), the prior consent of a user is now required unless cookies are used for the sole purpose of carrying out the transmission of a communication or as strictly necessary to provide an explicitly requested information society service. This would cover cookies used, for example, to facilitate shopping cart functionality, or to remember language preferences.
As consent is needed, such consent can result from the appropriate use of browser settings (that is, soft opt-in regime). However, in a public statement published on the Data Protection Authority's (CNIL) website, the authority considers that browser settings accepting all cookies without distinguishing their purpose cannot be regarded as valid consent. In the CNIL's view, given today's lack of consistency in the development of a standard browser setting procedure for cookies, operators cannot rely on this mechanism to obtain valid user consent, except for internal cookies.
The following measures can be adopted to guarantee the security of internet transactions:
Read legal notices on the website to verify the name and the address of the professional.
In any situation, the express consent of the user is required before storing credit card numbers.
The Data Protection Authority (CNIL) requires verifying that the URL address begins by https:// or a padlock symbol appears in the lower right hand corner of the browser.
If possible, credit cards numbers must only be stored for the duration of the transaction. In any case, credit card details can be stored for a maximum of 15 months maximum and must be stored in a specific and separate filing location. The card code verification (CCV) number can never be stored.
CNIL recommend using additional security measures for internet transactions such as "3D Secure".
Pursuant to the security principle provided in Article 34 of the Data Protection Act, the Data Protection Authority (CNIL) also requires the encryption of all credit card numbers that are stored by an e-commerce operator. The CNIL requires a "strong" encryption level, which means that only the editor of the e-commerce site can decrypt the numbers.
In practice, e-commerce providers will use a third party payment service provider accredited by the PCI-DSS standard to ensure that their internet transactions are secure and encrypted.
Generally speaking, only a judge can compel an internet, hosting or content provider to disclose of personal data.
However, recent laws were adopted in France (that is, the Law of military programme of 18 December 2013 and the Law for the fight against terrorism of 13 November 2014) to authorise government bodies to compel disclosure of personal data for certain purposes (such as national security, terrorism, national business intelligence, mass and organised crime). In such situations, the government must first access metadata not identifying a person and only if a threat is discovered, authorities can decide, after consulting a governmental agency, to identify the person linked to these metadata.
Regulations on electronic payments including anti-money laundering obligations and statutory notifications exist in France but they do not directly concern parties in e-commerce transactions. They are only applicable to payment services providers or financial institutions.
Regulations generally require e-commerce providers to guarantee the security of internet transactions (see Question 18).
However, the only obligation for an e-commerce trader is to use an IT solution accredited in France, to receive payment and to accept French credit and debit cards (cartes bancaires). This is usually done by a service contract negotiated with the bank of the provider. Another solution is to use a third party provider to receive payments on the website. In this situation, it is highly recommended to use a third party provider accredited under the PCI-DSS standard.
The Law of 16 July 1949 on publications aimed at children (the 1949 Law) as amended by the Law of 17 May 2011 set all the rules and guidance applicable if the site is aimed at children in Article 2. The 1949 Law as amended prohibits any content presenting a risk for youth, including any:
Discrimination or hatred incitement towards a particular person or a group.
Violation of human dignity.
Incentive to use, posses or traffic narcotics.
Incentive to violence, or any infringement of criminal law.
Act likely to harm physical, mental or moral fulfilment of children and youth.
Moreover, a site aimed at children must not include any advertisement likely to demoralize youth and children.
The general contract formation rules which provide that a minor can only be made liable for a daily life purchase and publicity rules which prevent any advertisement for alcohol or any other illegal or immoral product are also applicable.
There is generally no prohibition on linking or framing a third party website, provided third-party intellectual property rights are not infringed.
In this respect, the position in France on linking reflects the jurisprudence of the CJEU (Svensson C-466/12; BestWater International C-348/13). Such practices are possible if the following conditions are met:
The content is freely available on the other website.
The content was originally communicated on the Internet with the consent of the IP owner.
There are no specific regulations regarding the licensing of domain names. Any licence required can be negotiated between the registrant and the relevant third party.
Domain names must be registered with the relevant registry and, according to the general charter of the French registrar (AFNIC), a natural person or corporate entity residing or established in the EU or in Iceland, Liechtenstein, Norway, or Switzerland can register a ".fr" domain name.
Domain names do not have specific protection under the French Intellectual Property Code but are still taken into consideration and protected by French case law.
The courts recognise, for example, that is not possible to register a trade mark which is identical to an existing domain name which is in regular use by its owner. However, the domain name registrant wishing to oppose the registration must demonstrate a risk of confusion between the domain name and the new trade mark. To be protected, the domain name must be known within the entire French territory.
French case law also prohibits the registration of a domain name which "counterfeits" an existing trade mark or commercial name, and outlaws cybersquatting or typo-squatting.
The same rationale applicable to domain names also applies to business name registrations. As such, it is not possible to register a business name which has already been registered in respect of businesses engaging in the same type of activity. The existence of a trade mark identical or similar to the contemplated business name should also be taken into consideration.
The registration of a business name is made at the competent Commercial Registry (designated by city) at the same time as the incorporation of the company. At this stage, an availability check can be performed on the proposed business name. It is possible to change the business name at a future date.
Jurisdiction and governing law
Within the European context, under Article 5 of Regulation (EC) 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Regulation), the applicable jurisdiction for internet transactions is the jurisdiction in which the obligation is performed. In the case of the sales of the goods, it will therefore be where the goods where delivered or should have been delivered. In the case of provision of services, it will be where the services were provided or should have been provided. However, the parties are always free to choose another jurisdiction to govern their internet transactions. In an international context, French private international law rules apply in the absence of a specific international convention or specific agreement between the parties.
Despite any choice of jurisdiction made by the parties, a consumer can always bring proceedings against the other party to a contract either in the courts of the member state in which that party is domiciled or the courts where the consumer is domiciled (Article 16, Brussels Regulation).
According to Article 10 of the Regulation (EC) 593/2008 on the law applicable to contractual obligations (Rome I), the existence and validity of a contract are determined according to the governing law stated in the contract itself.
The parties are free to choose the law which will govern their international contract. In the event that the parties do not designate which law governs the contract, the applicable law is determined in accordance with rules set out in Rome I (in particular, the procedure set out under Article 4).
The decision on governing law is different in the case of business-to-customer agreements. According to Article 6 of Rome I, the governing law in a business-to-customer contract is the law of the country where the consumer has his habitual residence, provided that the seller directed his/her activity to that country. The parties are free to specify a different governing law within the contract, but the consumer will have the benefit of the provisions of his national legislation in the event that these are more favourable than the provisions of the chosen governing law.
The Federation of E-commerce and Distance Selling (FEVAD) is the specific e-commerce Ombudsman which deals with consumers' conflicts with online traders. However, the Ombudsman merely provides a mediation procedure to allow parties to reach an agreement regarding the dispute. The powers of FEVAD are limited to providing advice based on the principles of the FEVAD charter. The Ombudsman has no specific powers to award remedies as is possible in arbitration proceedings.
In any case, in alternative dispute resolution, the parties negotiate and establish the remedies.
It is expected that the ADR Directive modifying the existing e-commerce Ombudsman procedure will be implemented in 2015. The ADR Directive will introduce a sectorial Ombudsman, impose qualification requirements and conditions for the trader to have its own Ombudsman, and will levy a fine for the failure by traders to make an ADR procedure available to consumers.
Under Regulation (EU) 524/2013 of 21 May 2013 on online dispute resolution for consumer disputes, the consumers have access to ODR for resolving their contractual disputes with traders. A web-based platform has been developed by the European Commission (https://webgate.ec.europa.eu/odr/main/?event=main.home.show&=false) and has been available since 15 February 2016.
Businesses established in the EU that sell goods or services to consumers online must comply with the ADR/ODR legislation. Online traders that commit or are obliged to use ADR/ODR must inform consumers of the dispute resolution body by which they are covered. They should do this on their websites and in the general terms and conditions of sales or service contracts. They must provide a link from their website to the ODR platform. To signpost the ODR platform, traders can use web-banners available on the EU website: http://europa.eu/youreurope/promo/odr-banners/index_en.htm.
The main legal provisions relating to advertising in France are the provisions of the Consumers Code on misleading and aggressive commercial practices (implementing Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market (Unfair Commercial Practices Directive).
Under the Unfair Commercial Practices Directive, (implemented identically under the French Consumers Code), an unfair commercial practice is a practice contrary to the requirements of professional diligence that materially distorts the economic behaviour of the average consumer. The Directive specifies two categories of unfair commercial practices including:
Misleading commercial practices.
Aggressive commercial practices.
Annex 1 of the Unfair Commercial Practices Directive sets out a further 31 misleading and aggressive practices which have been deemed to be unfair in all circumstances.
Generally speaking, commercial practices and advertising are permitted as long as they do not constitute an unfair commercial practice under French law.
Recommendations of the Office of Fair Trading (DGCCRF) as well as non-binding recommendations of the Advertising Regulatory Authority (ARPP) are also relevant, and must be observed to ensure compliance with French regulations and avoid being judged to have committed unfair commercial practices.
Provided that an online sales promotion is not deemed to be an unfair commercial practice, there are no specific restrictions on launching a promotion online.
However, the laws on comparative advertising must also be respected. According to Article L.122-1 of the Consumers Code, a comparative advertisement is only lawful if:
The advertisement is not misleading to the consumer.
The comparison is between products and services with the same purpose.
The comparison is objective and based on essential, relevant, verifiable and representative characteristics of the product or service.
Price comparisons are permitted under the Consumers Code.
There are prohibitions relating to the advertising of certain kinds of products, for example, cigarettes or alcohol. There are also strict regulatory rules for advertising products such as medication, e-cigarettes or financial services.
While the prohibitions are set out in the legislation, enforcement of the advertising rules falls to the Office of Fair Trading (DGCCRF).
To sell products or services which are covered by regulatory rules and authorisations (including for example, medication, financial services and casino and paid for lottery games), accreditation from the relevant French governmental agency (or a professional chamber) must be obtained.
Marketing via emails and text messages is regulated by the Data Protection Act and the Post and Telecommunications Act.
As a general rule, opt-in (informed and active consent) is required, though there are some exceptions to this rule. Opt-in must be free, specific and based on sufficient information. The Data Protection Authority recommends using a specific ticked box to collect opt-in consent for email and text messages marketing.
The ability to "opt-out" must be offered in each marketing communication. An opt-out link must be functional and any elections to "opt-out" must be honoured.
Decree No. 2015-556 of 19 May 2016 creates a national register for persons who do not wish to be contacted through telemarketing or SMS operations. Any professional operating in France must now update its marketing list to ensure that it excludes those listed on the national register.
The Foreign Company Tax Service (Service des impôts des entreprises étrangères) (SIEE) is a competent service of the Tax minister responsible for registering foreign companies. Companies must register before concluding sales online.
French companies are usually registered for VAT and tax administration services at the time of incorporation.
Protecting an online business
Liability for content online
General tort and contractual liability from Civil Code govern the liability of content providers, known as "editors", for the content they post on a website.
However, a different statutory liability regime applies to website hosts who merely store the content of the website (that is, technical hosting providers or large content platforms) under the Law on confidence on digital economy of 21 June 2004 (LCEN).
Under Article 6 of the LCEN, hosting providers are only liable if they do not promptly take down illicit content once notified of the existence of that content on their platform.
To the extent that a website operator is not creating and editing the content published to the site but only stores information and content posted by users (such as announcements or profiles), that website operator can be deemed to be a host only. If this is the case, the website operator benefits from the reduced liability attaching to hosts.
The mandatory legal information which must be included on website is (Article 6, Law on confidence on digital economy (LCEN)):
Name, address telephone of the operator.
If the operator is a corporate entity, its registration number, share capital, and address of main headquarters.
The name of the director of publication of the website (which must be a natural person, not a company).
The name, address and telephone of the website host.
Moreover, the following additional information are required for consumer-facing websites (Article 19, LCEN):
Name and first name of the professional, or if it is a corporate entity, its company name.
The address, e-mail address and telephone number.
The registration number (if required), share capital and address of main headquarters.
The individual VAT identification number (if subject to the Value Added Tax in accordance with Article 286ter of the French Tax Code).
If the activity is subject to an authorisation scheme, the name and the address of the authorities that issued the authorisation.
If the professional is a member of a regulated profession, the references of the professional applicable rules, the professional title, the state in which it has been granted and the name of the professional order.
The prices must be provided in a clear and unambiguous manner, in particular if taxes and delivery costs are included.
In a business-to-customer context, liability clauses are generally considered as unfair and the website operator remains liable for any mistake on the website. The only exemption from liability for mistake is in the case of a gross mistake which can be recognised by anyone (for example, a common product with an average value of EUR10,000 priced on the website at EUR100).
An ISP has no obligation to:
Monitor the information that they transmit or store.
Research the facts or circumstances which reveal illegal activities.
However, an ISP must implement an easily accessible system which enables website users to alert the ISP to instances of offences and crimes being committed on a website. Offences of particular concern include crimes against humanity, incitement to racial hatred, child pornography and offences against freedom of the press. An ISP must promptly inform the competent public authorities of any of these illegal activities performed by the users of their services of which they are alerted.
An ISP cannot shut down a website or remove content without a court or administrative order to block or shut down the website. The injunction to shut down the website will be issued only if the editor or the hosting provider is not identifiable or competent.
Once the court has issued this order, it is immediately enforceable. It is the responsibility of the ISP to shut down the website containing contentious information.
Liability for products / services supplied online
Liability for counterfeit goods
Generally speaking, all services supplied online must always respect laws applicable in France and may incur liability if any supplied service is unlawful. However, with regard to online liability in France, the nature of hosting provider or editor of the website responsible for the unlawful content or service is always essential to assess the liability of such website.
For example, counterfeiting goods is prohibited. If a counterfeit product is sold on an auction site, it is necessary to determine whether the website can be qualified as a hosting provider or an editor (see Question 36). In accordance with European case law (CJEU, 12 July 2011, C-324/09), if the operator has not played an active role, it will be qualified as a hosting provider and will benefit from the reduced liability attaching to hosts. On contrary, if the operator provides assistance [to the seller] which entails, in particular, optimising the presentation of the offers in question or promoting them, he plays an active role and is considered as an editor.
Crawlers, bots and spiders liability
Online businesses can obtain the same insurance policies as other businesses (in particular, insurance for civil professional liability).
However, most of the insurers for professional civil liability also offer specific e-commerce insurance. An insurance broker can be consulted before launching an on-line website in order to assess the most appropriate insurance depending on the activities at stake.
Data Protection Authority (CNIL)
Description. This is the official and updated website from the Data Protection Authority, and includes a translation of the Data Protection Act.
Description. This is the official website of the EU. The site includes an English version of the standard contractual clauses for data transfers outside of the EU.
French Language Act (English version)
Description. This is an unofficial website, updated by a foundation that provides information on English teaching methods, sponsors educational programmes, and promotes opportunities for people living in the United States to learn English. This website includes an unofficial translation of the French Language Act.
Description. Legifrance is the official website providing French, European and international legislation which is under the editorial control of the General Secretariat of the Government. The site includes translations of the:
- Civil Code.
- Commercial Code 2013.
- Consumer Code 2005 (which includes some major reforms).
- Intellectual Property Code.
Directive 2005/29/EC concerning unfair business-to-consumer commercial practices in the internal market (Unfair Commercial Practices Directive)
Description. This is the official site of the EU, linking to the English version of the Unfair Commercial Practices Directive.
Directive 2011/83/EU on consumer rights (Consumer Rights Directive)
Description. This is the official site of the European Union, linking to the English version of the Consumer Rights Directive. Most of the requirements for e-commerce rules and consumers are included here.
Advertising Regulatory Authority
Description. This is the official and updated website from the Advertising Regulatory Authority. The ARPP is the professional regulatory body for advertising in France. The website provides many recommendations on public ethical and advertising rules.
Benjamin Znaty, Associate
Bird & Bird
Professional qualifications. French Lawyer at the Paris Bar
Areas of practice. IT and commercial law, IT contracts, internet law, e-commerce, advertising and general consumer law.
Non-professional qualifications. Masters Degree in Computer Law; LLM in Intellectual Property and Technology
Assisted a manufacturer in relation to a global e-commerce project.
Assisted a luxury beauty product manufacturer in negotiations of a new e-commerce co-operation contract.
Assisted a French tourism marketplace in development of its online business activity in Europe.
Languages. English, French
Professional associations/memberships. Paris Bar Pro-Bono fund (Barreau de Paris Solidarité), Association for the development of the legal internet (ADIJ).
New French Digital Republic Bill to officially recognise e-sports (June 2016).