EU Geo-Blocking Regulation Changes
The goal of the EU single market is to enable businesses to connect with customers across all EU member states. The internet and e-commerce have made this easier than ever before. As part of its Digital Single Market strategy, the European Commission strives to ensure that the EU single market vision remains a reality in the online space. The European Commission pushes back on certain practices it believes are hindering the EU single market vision. Geo-blocking is one such practice that the EU is attempting to tackle through a new regulation.
The Geo-blocking Regulation was passed after the EU noticed that the practice of geo-blocking resulted in direct and indirect online sales discrimination against consumers in various EU member states, undermining the goal of the EU single market. Geo-blocking is the practice of businesses prohibiting customers, based on their geographic location, from accessing their goods and services. The Geo-blocking Regulation prohibits geo-blocking customers in EU member states, aiming to ensure equal access for all EU customers to goods and services, regardless of their nationality, place of residency, or the country of origin of the debit or credit card (or other payment instrument) used.
From 3 December 2018, merchants operating in the EU will be prohibited from geo-blocking EU consumers’ payments or website/app access under the Geo-blocking Regulation. This means that EU merchants will no longer be able to refuse to transact with an EU customer based on the customer’s nationality.
If you are a merchant operating in the EU and offer goods and services to customers in some EU countries, it’s likely that you may be impacted by the Geo-blocking Regulation. There are some exempted business types under the Geo-blocking Regulation, namely, providers of audiovisual services, healthcare services, and transport services. If you are unsure whether your business falls within the scope of these exemptions, we recommend that you speak to your legal advisors regarding your particular circumstances. In this article, we will set out what you need to know about the Geo-blocking Regulation and what actions you should consider taking in order to be compliant after 3 December 2018.
Merchants are not allowed to intentionally block payments from customers, using payment methods the merchant would generally accept, because they are in certain EU member states. Example: If your business sells t-shirts online to customers around the EU and accepts credit cards of a specific/given brand in France, you are not allowed to actively block credit card payments of that brand from customers based in Italy (as inferred from customers’ IP addresses, specified addresses, or the bank issuer of the card used for payment).
Businesses can’t block access to their website or app based on an EU customer’s location or IP address, unless permitted by national or EU law. This prohibition includes a ban on automatically redirecting EU customers to a local version of a website without their explicit consent.
Example: If a customer based in Spain wishes to access a company’s German website (i.e., website aimed at the German market), the German company cannot block access or redirect the customer to a Spanish market version of the website without the customer’s explicit consent. Even where this explicit consent is obtained, the original version of the website should still remain accessible to the customer.
Yes, the option to purchase goods or services must be available to all EU customers. However, the Geo-blocking Regulation does not require merchants to deliver the goods or services to customers all over the EU—merchants remain free to choose the geographical area in which they will physically deliver the goods or services.
Example: If a business specifies that it delivers goods to Irish and UK addresses only and a Swedish customer makes a purchase, the business is only expected to deliver goods to a UK or Irish address. The Swedish customer must make arrangements for collection or onward delivery from the UK or Irish address.
To avoid any confusion, merchants’ websites should clearly indicate the countries eligible for delivery.
Yes, the Geo-blocking Regulation acknowledges that merchants may have to take certain precautions for the purposes of fraud prevention. As such, it allows merchants to:
Withhold the delivery of goods or provision of services when a merchant has justifiable, objective reasons that a payment transaction has not been properly initiated, e.g., where a merchant, who has considered many different features of a transaction (as opposed to relying solely on the nationality of the customer or location in which the card was issued) determines that some of these features are indicators of fraud.
Refuse or apply different conditions to a payment if it fails to pass the Strong Customer Authentication (SCA) requirements set out in PSD2 (for more information on strong customer authentication, take a look at our Stripe Guide to SCA here).
It should be noted that SCA is a new method of authenticating online payments (or verifying a customer’s identity before accepting an online payment) that will become mandatory for most transactions in the EU starting in September 2019. In short, SCA requires payments to be authenticated by customers using information or devices that only the customer would know/own, e.g., a password, a mobile phone, and a biometric such as a fingerprint. This exception may not be readily available for merchants to rely upon until the payments industry rolls out SCA in its entirety in September 2019. We will keep you updated on further developments of SCA on Stripe.
Businesses offering goods and services to customers in the EU will need to make sure their websites/apps do not discriminate against online customers in the EU. They should consider reviewing their website and app details, checkout accessibility, payment fraud prevention tools, and IP blocking tools with reference to the Geo-blocking Regulation prohibitions. In particular, businesses should ensure that their:
- Websites/apps clearly inform customers of their delivery restrictions;
- Fraud prevention tools do not auto-refuse or auto-decline credit or debit cards (or other payments instruments generally accepted on the website) from certain EU member states; and
- IP-blocking tools do not auto-block customers from certain EU member states accessing their website or app (unless permitted by national or EU law) or auto-redirect customers to a local version of their website without explicit customer consent.
If you have any questions or would just like to know more, please feel free to reach out to us.
Finally, this post is provided for information purposes only and should not be treated as legal advice. If you require legal advice in relation to any issues raised in this note, we recommend that you speak to your professional legal services provider.