November 2, 2012

The 7 Key Legal Considerations for Online Business

This article outlines some critical legal issues that you must consider if you are taking your business online. If you are reading this article from the perspective of an established business, skim sections 1 – 2, but be sure to read sections 3 – 7 carefully. If you started your online business recently or are looking to begin soon, all of the sections below are very important.

1. CHOICE OF ENTITY AND ESTABLISHMENT

The most common business vehicle that entrepreneurs choose in Australia is the company. The biggest benefit of incorporating is “limited liability”. By incorporating, the shareholders in the company limit their personal liability for mistakes that the company (or its directors) make, to the money invested to buy shares in the company (this immunity is limited in some special circumstances). Usually, a startup sells shares to the founders for a nominal sum. For example, if a founder pays $20 for twenty shares in a company, that’s all the money he or she stands to lose if the company gets into trouble. We note that most founders also fund their companies by lending it money for working capital and other expenses. If you operate a website as an individual, without the “corporate veil”, all of your personal assets are at stake because there is no limited liability protection. If something goes wrong with your website, and someone sues you, every one of your assets (home, car etc.) will be on the line, and you risk bankruptcy. The way that you structure the ownership of the shareholding in your company also matters. There can be significant asset protection and tax benefits derived from holding shares through a trust. Structuring arrangements are highly variable depending on individual circumstances, so you should ensure that your lawyer considers this on your behalf.

TAKEAWAY:

  • Consider which entity will operate the website.
  • Carefully consider how you will own shares in that entity.

2. SHAREHOLDER AGREEMENT

If your company has more than one shareholder, you need a shareholder agreement. A shareholder agreement is a contract that regulates the obligations and rights of members of a company, and it provides an important mechanism for governing issues not catered for in the company’s constitution or the Corporations Act. Amongst other things, shareholder agreements cover:

  • exit strategies for members (i.e. agreements to sell shares on particular occurrences like an acquisition offer or death of a founder);
  • how company directors are appointed and removed;
  • the requirements and conditions of any shareholder loans;
  • the dividend distribution policy of the company;
  • restrictions on competition with the company; and
  • how shareholders are obligated to spend time on company activities.

Disagreements between reasonable people usually arise from misunderstandings. The most important function of a shareholder agreement is to prevent disagreement. The process of drafting a shareholders agreement will always uncover important issues that co-founders have not considered (usually based on “what if” scenarios). When these issues are dealt with before there is something at stake, they are always much easier to reach agreement on. If agreement can’t be reached, better to know before everyone has jumped into bed together.

TAKEAWAY:

If your company has more than one shareholder, you need to go through the process of drafting a shareholder agreement. It is a tool to prevent disagreement.

3. INTELLECTUAL PROPERTY

Intellectual property law governs the rights to ideas like website or software code and trademarks. If a business is based primarily on the Internet, apart from the goodwill of its users, the only other significant source of value is the intellectual property (IP) that is used to build and market the website. It is crucial to understand who actually owns the IP for your website – especially if you have worked with a web developer to build it for you. It’s not unusual for a developer to retain ownership to the IP that they use to build a site for a customer. Often, customers agree to this when they agree to the developer’s “Terms of Business” document (the fine print that no one ever reads). In that case, your business will only have a license to use the developer’s IP in certain ways, and the terms of that license may prevent you from taking commercial action like switching web hosts, or using alternative developers. If you are using the IP for your site on a licensed basis, you need to understand what you can and can’t do with it.

TAKEAWAY:

  • Understand who actually owns the IP required for your website to operate.
  • Understand what restrictions there might be on any licenses to vital IP.
  • You need to protect the IP that you own (particularly trademarks).

4. MANAGING WEB DEVELOPERS

In many cases, a business will engage a web developer to complete the website and handle all the technical work associated with its upkeep. If this is how you run your website, make sure you always have access to a copy of the code used to run your site – even if you don’t understand a line of it. This is particularly important if you use developers who are located offshore. The global economy that’s evolved around information technology has created a very competitive market for web development, but if there’s a disagreement, it’s usually so expensive and difficult to take legal action in an offshore jurisdiction that it’s effectively impossible to do so. If a business does not use the appropriate risk management techniques, the developer will gain enormous leverage over his or her client, and a power imbalance like that can be a magnet for bad behavior. Every business using an offshore developer should stay in a position where they can terminate the engagement of their developer with minimal inconvenience. To do that, you need to have a copy of all your code so that another developer can get it up and running as soon as possible. The two most important ways you can keep control are:

  • to maintain a “private repository” on github.com or bitbucket.org, so your developer can easily “push” you the code operating your website; and
  • to maintain a backup server that only you control, which maintains a copy of all the data for your website.

Payments to your developer should be subject to their compliance with these measures.

TAKEAWAY:

  • Always have the latest copy of your website’s code on your computer.
  • Maintain and exclusively control a backup server for all your data.

5. WEBSITE TERMS

Website terms form the basis for the agreement between the website operator and any website user. You need to have these terms – they allow you to control and exclude risks by defining the relationship to your advantage. It’s easy to find website terms to copy and paste, but it’s very unlikely that they’ll cover all the issues that your particular business needs covered, in fact, you may inadvertently put yourself at higher risk. We have seen clients operating online businesses in Australia where the jurisdiction for disputes in their ‘pasted’ terms and conditions was California in the United States! One of the most important clauses in your terms is the one that excludes and limits liabilities if you breach your obligations under the contract. With the exception of certain legislative mandates that you can’t exclude, you can often limit your liability to the cost of replacement of the goods or services that you provide a user. If you don’t limit your liability in this way, your liability will be unlimited. Another important consideration is clearly defining the jurisdiction for any dispute between you and your users to the most convenient Courts. This is a significant disincentive for a user in another country to start legal action against you, since they would need to litigate in a foreign jurisdiction. Without such a clause, there is no reason that a user cannot sue you under the laws of the United States, obtain a judgment in their favour, and then enforce the judgment against you in Australia. Every business model is based on relationships between transacting parties who have certain rights and obligations. It’s important to critically assess the relationships created by your business model, particularly if it’s new. The Internet is a vast laboratory for experimentation with new business models, but the corollary of this opportunity is that businesses need to pay attention to unusual legal risks that they might be exposing themselves to when they put up their website. You should ask your lawyer to assess the risks of your business model. It’s important to do this, because it is not unusual for legislation to impose rights and obligations on parties that they themselves never actually agree to. A good example of this is Privacy law, which will be discussed later in this article.

TAKEAWAY

You should always get a lawyer to draft terms for your website. This should not be underestimated. It is critical that the risks of new business models are closely examined.

6. PRIVACY

If your business collects information about customers or users and stores it electronically (almost all businesses do), you need to consider privacy law. The storage and use of “personal information” is covered by the Privacy Act 1988 (Cth) (Act). The definition of personal information in the Act is very broad (and imprecise): personal information is any information that identifies a person or could be used to identify a person. This includes obvious categories of information like names and addresses, but reaches as far as information like dates of birth and post codes in circumstances where data can be cross referenced to deduce someone’s identity. Amongst other things, the Privacy Act requires businesses dealing with personal information to maintain a “Privacy Policy”. The recently proposed changes to Privacy Law make it a far more pressing consideration for Australian businesses – a regime that has been criticized as “toothless” will include fines of up to $1.1 million for breaches if the new bill is passed in its current form (which looks likely as at 1 November 2012).

TAKEAWAY

It is likely that your business is legally obligated to maintain a Privacy Policy, especially if it is operating a website.

7. STORING DATA OFFSHOR

Business owners should ask themselves the following question: where are the actual machines that store my data located? The march of cloud computing is well underway. Increasing numbers of Australian businesses are storing data “offsite”, and for many businesses, “offsite” also means “offshore”. Some of the most advanced data hosting services are located outside of Australia, Amazon being the notable example. The efficiencies of cloud computing are clear from a commercial perspective, but many people are unaware that storing (or disclosing) certain types of information to parties outside of Australia is a major legal issue. The new Australian Privacy Principle number 8 (which looks set to replace the current principle 9) increases the responsibility of any Australian business storing data offshore. Under the new principle, if an Australian business discloses personal information to a foreign entity, and the foreign entity breaches the Australian Privacy Principles in respect of that personal information, the Australian business will be treated as if it has breached the law itself. It is possible to gain consent from individuals to avoid this liability, but the threshold for consent is much higher than under current law. Currently, a business can gain consent by mentioning that it may offshore personal information in its terms and conditions of business. Under the new law, in order to gain consent, the business must make it clear to an individual that the business will disclose to foreign entities and will not be required to take reasonable steps to ensure compliance of foreign entities with the Australian Privacy Principles. Some experts are of the view that a legally conservative approach would be to put this disclaimer into an entirely new document outside of the terms to be agreed to specifically by individuals.

TAKEAWAY

If you are storing personal information offshore, you need a Privacy Policy that effectively gains consent for disclosures to foreign entities.