UK consumer protection regulator identifies unfair cloud services terms
The CMA identified that, although nearly nine in ten consumers had not experienced any problems with cloud storage services, some providers were using contract terms and practices that may breach UK consumer protection law.
The CMA's review involved evaluating cloud storage terms against UK consumer protection law, in particular, the Consumer Rights Act 2015 (CRA) which regulates the use of unfair terms in consumer contracts. The CRA 'blacklists' certain terms that are considered automatically unenforceable. Other terms are subject to a 'fairness test'. Any unfair terms will not be legally binding and may lead to enforcement action and claims in the courts.
Alongside its report, the CMA published an open letter to cloud service providers suggesting that they review their terms and conditions for fairness. They also published a checklist of key issues, as summarised below.
Although the CMA's views are not binding (ultimately, only a court can decide whether a particular term or practice is unfair), cloud providers should consider the guidance carefully. Other sectors should also take note of the report's findings. Many of the concerns raised by the CMA are not specific to cloud storage terms - the kinds of 'unfair' terms that CMA identifies are often found in many other digital services, website and app terms.
Providers must make available to consumers upfront all mandatory pre-contractual information (such as service description, identity of the provider and the price) in a clear and comprehensible manner.
Providers must be clear about how and when a contract will renew and what options consumers have to cancel. In particular, providers must:
allow consumers to opt-out of automatic renewal at any time;
notify consumers about renewal a reasonable time before it occurs, and before payment is taken, so consumers have a choice as to whether to renew;
ensure that a notice of renewal includes details of any changes to the price or service; and
allow consumers to exercise their statutory cancellation rights.
Providers will often want wide discretion to make changes to their terms. However, any unilateral variation is likely to be unfair unless there are compelling reasons, e.g. to ensure security and operability of the service or to meet legal requirements. The guidance makes clear that providers should:
only be able to make changes to the terms or the service for valid reasons that are clearly set out in the contract;
ensure that consumers receive adequate notice of changes; and
ensure that consumers who do not wish to accept changes can cancel, obtain a refund for any services not yet provided and retrieve their data.
Providers may also wish to give themselves flexibility to suspend and terminate services. However, again this may be unfair. Providers should:
only terminate without notice if the consumer commits a material breach of contract or there is a real risk of harm or loss to the provider if the contract continues;
clearly and narrowly define the circumstances in which the provider may suspend or terminate the contract or service with notice;
give consumers adequate notice of suspension or termination (except where there are serious grounds for immediate suspension or termination without notice);
give consumers a reasonable opportunity to remedy minor or potential breaches before the service or contract is terminated or suspended by the provider; and
allow consumers to obtain a pro-rated refund of any prepayments if the service or contract is suspended or terminated by the provider and the consumer is not at fault.
Exclusion and limitation of liability clauses often raise questions of fairness. CMA recommends that providers should:
not exclude or limit a consumer's statutory rights and remedies under the CRA, (e.g., not exclude or limit liability for a failure to provide the service with reasonable skill and care, or in accordance with the service description);
not unreasonably limit or exclude liability, e.g. include an unreasonably low cap;
clearly set out the circumstances when liability will not be excluded, as well as explaining any applicable limitations or restrictions; and
avoid unnecessary 'legal jargon'. For example, familiar terms that state that liability is excluded to the extent permitted by law" are potentially unfair because it may be impossible for a consumer to know, without expert legal advice, what liability is or is not excluded by law.
Often because providers operate on a global basis they want to create uniform terms and conditions that specify their home country or state as the default choice of law. However, to be compliant with UK consumer law, the terms must allow for consumers to bring legal proceedings in their local courts and for local law to apply.
Providers must make their terms clear and comprehensible to enable consumers to make informed choices. In particular, providers should: (i) draft terms in plain English, (ii) use short sentences, (iii) use easily understood subheadings and cover similar issues in the same section, (iv) ensure disadvantageous terms are given appropriate prominence, (v) minimise cross-reference to other terms or documents; and (vi) ensure terms do not just name regulatory or legal provisions, but actually explain the effects of those provisions.
Lastly, on the positive side, despite concerns expressed by some consumers in terms of data security and privacy, the CMA identified little evidence of actual security or privacy problems with cloud storage services.
In terms of next steps, the CMA states that certain named cloud providers have already given commitments to the CMA to develop fairer terms. The CMA will continue to engage with a number of other providers in the coming months. The CMA will also share its findings with the UK government and the European Commission as part of wider policy initiatives on consumer terms and conditions.
This is not just a question of compliance. As the CMA points out, having clear and fair terms can help providers prevent disputes and reputational damage. Moreover, in a competitive market, more reasonable terms may help differentiate a provider from its rivals. There is a renewed focus on consumer protection and trust in this fast moving digital age and providers need to keep up with the direction of travel.