E-commerce retailers and online marketplaces selling goods to consumers in the Kingdom of Saudi Arabia should note that Executive Regulations to the Saudi E-Commerce Law 2019 have now been published. These regulations provide further details of the obligations such businesses will need to comply with, including the need to publish certain information and policies. This article sets out a summary of the key requirements of the regulations that businesses will have to comply with.

We previously published an article on the E-Commerce Law, which can be accessed here.

Background

On January 31 2020, the Ministry of Commerce and Investment (the Ministry) of the Kingdom of Saudi Arabia (the Kingdom) issued the Executive Regulations (the Regulations) to the E-Commerce Law (Royal Decree No. M/126 dated 10 July 2019) (the Law).

The Law has been in effect since 24 October 2019 and provides a standalone framework for regulating e-commerce in the Kingdom. It applies to consumers and e-commerce service providers, whether established in the Kingdom or not (provided they are selling to consumers in the Kingdom) and places a number of obligations on these service providers to ensure transparency, and protection of consumer transactions and data.

The Regulations expand on the general guidelines set out in the Law, particularly in relation to the protection of consumer personal data, the content required for terms and conditions and electronic advertising, and registering the E-store on the Ministry's commercial register. As such, any business selling online to Saudi consumers, or involved in facilitating such sales, should familiarize itself with the Law and the Regulations.

The Regulations: E-Commerce Stores

Businesses selling goods and services online will need to consider the following to comply:

  • Put in place measures to protect consumer personal data: There is currently no standalone data protection law in the Kingdom, but the Regulations now apply a level of protection for consumer personal data in the context of electronic commerce. The Regulations define consumer personal data as "any data - of whatever source or form - that identifies or is identifiable to a specific consumer". It includes names, ID numbers, addresses, contact numbers, numbers of licenses, registrations, personal properties, bank accounts, credit cards, photographs and videos.

Measures that must be taken to protect consumer personal data include:

  1. applying technical, administrative and organisational measures which are proportionate to the nature of the data;
  2. not keeping personal data unless it is to fulfil the service provider's obligations;
  3. not using the personal data for other purposes, such as advertising or marketing, without obtaining explicit consent from the consumer; and
  4. if the consumer's personal data is hacked, notifying the Ministry within three (3) days from the date the service provider is made aware of the hack.

The reference to "explicit consent" is significant. Businesses will not be able to operate an "opt-out" mechanism if they want to use customer data for marketing purposes but will need to obtain a clear opt-in.

  • Add a privacy policy on the E-store: The privacy policy should include information on the measures taken by the service provider to protect consumers' personal data and how it compiles the consumers' profiles on its E-store (e.g. use of cookies).
  • Put in place a procedure to deal with consumer complaints: A complaints procedure must be described on the E-store.
  • Add information to the Terms and Conditions: Online terms must include the right for the consumer to cancel the contract if permissible under the Law (or otherwise, mentioning that the contract cannot be canceled); the contract term and termination date; and any provisions of payment and recurring instalments, if any.
  • Add details to the invoice: The invoice must include the description of the product or service; date of conclusion of the contract; total price of the product and service and any VAT; shipping, transportation and delivery charges, if any; the date when the product is intended to be delivered or the service rendered; the name of the carrier conducting the product delivery and any available tracking information; any means of payment.
  • Allow consumers to unsubscribe from electronic advertisements: In addition to the information set out in the Law, e-advertisements must include the ability for consumers to request that the service provider stops sending them e-advertisements (i.e. an "unsubscribe" button). E-advertisements must also clearly indicate that they are advertising material.
  • Register on the Ministry's commercial register: The Regulations specify how businesses can register the E-store on the Ministry's commercial register. Businesses have thirty (30) days to enter their main E-store onto the register from the date of its creation. This only applies to businesses with a Saudi trade licence. In other words, businesses operating outside the Kingdom which are selling to customers inside the Kingdom do not need to register. Interestingly, the Regulations provide that they may choose to do so, although it is unclear what, if any, benefit would be gained from doing so.

The Regulations: intermediary platforms

The Regulations impose a number of obligations on platforms that act as an intermediary between a Service Provider and a Customer. These platforms are described in broad terms, being "any website or application that provides services for the facilitation of e-commerce transactions, such as online advertisement services or the promotion of products or services, or enabling the acceptance of orders or payments, or any other service that facilitates the practice of e-commerce". Whilst this would clearly catch intermediary platforms such as online marketplaces (eBay, Amazon, Uber, Google Play, App Store, etc.), the wording appears broad enough to capture payment gateways, click-through advertisements and other types of services that help to support the e-commerce ecosystem.

The requirements incumbent upon intermediaries include:

  • public information requirements: you must:
    • clearly publish terms and conditions of use;
    • publish the methods of storing personal data and restrictions to its use - in other words, having a privacy policy;
    • publish a complaints handling and dispute resolution policy (for customers and merchants);
  • notification of changes: there is a requirement to give at least one week's notice in advance to registered users in relation to any material modification to the services provided;
  • know-your-client: there are obligations in relation to gathering and storing merchant information;
  • take-down obligations: content which infringes the law and the platform terms and conditions of use must be deleted;
  • cyber security: the intermediary must:
    • ensure that cyber security measures are in place and rapidly deal with any breach or security incident;
    • notify the Ministry of Commerce and Investment if there is a security breach, as well as those affected by the breach within three days of becoming aware of it;
  • record keeping: maintain "adequate data" on contracts concluded by the platform and store the data for no less than three years from the date of concluding the contract (it is not clear what "adequate data" means).

Consumer rights

The Regulations limit a consumer's ability to notify a business if he or she has made an error in his or her electronic communication to a period of 24 hours, and provide that certain contract types cannot be cancelled by the consumer as a matter of legal right (of course, the vendor might decide to apply a more generous cancellation policy).

The non-cancellable contracts include: contracts relating to hotel reservations; vehicle rental contracts; contracts for event organisation; customised products or products which require modification; products that cannot be resold for health reasons; products sold at auction; products or services where the price is subject to market fluctuations (such as orders for gold).

Optimise your E-store

We recommend that businesses targeting e-commerce activities at the Kingdom should:

  • review and update their procedures and systems to protect consumer personal data;
  • prepare a privacy policy, if they don't already have one in place on their website;
  • amend their electronic advertising and include an "unsubscribe" option;
  • update their terms and conditions and invoices in line with the Regulations;
  • register their E-store on the commercial register; and
  • ensure that they hold the appropriate licence from the Ministry, if based in the Kingdom.

It is worth reiterating that the fines for breach of the Law are substantial - up to one million Saudi riyals and/or permanent or temporary suspension of the ability to conduct e-commerce in the Kingdom.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.