Recently, the Competition and Consumer Authority of Vietnam (“VCC“) has issued several administrative penalty decisions against enterprises for violations of the 2023 Law on Protection of Consumers’ Rights. Although the penalties imposed were not particularly significant, these cases indicate that regulators are increasingly focusing on new compliance requirements relating to consumer data, digital marketing activities, and customer-facing terms and conditions.
These areas have broad implications for e-commerce enterprises, digital platforms, fintech companies, digital banks, mobile application providers, and businesses engaged in online marketing activities.
1. Consumers’ Right to Choose Regarding the Use of Personal Information
One of the violations sanctioned by the VCC involved a business’s failure to provide consumers with the ability to choose whether to consent to the use of their personal information for advertising and marketing purposes.
Pursuant to Article 18.4.b of the 2023 Law on Protection of Consumers’ Rights, business organizations and individuals are required to provide consumers with the option to permit or refuse the use of their information for advertising, promotion of products, goods and services, and other commercial activities.
Many businesses primarily focused on obtaining the customers’ consents before collecting customer data. However, the regulatory framework not only governs the collection of personal data under personal data protection regulations, but also places significant restrictions on how such data may be used for commercial purposes under the Law on Protection of Consumers’ Rights.
Recommendations
Based on recent enforcement actions by the VCC and our experience conducting compliance reviews for technology companies, e-commerce platforms, financial institutions (including banks, credit institutions and payment intermediary service providers), we have observed that compliance risks often arise from seemingly minor details in system design and implementation.
Enterprises should consider:
(i) Reviewing all account registration forms, subscription forms and order forms to ensure that consumers are given a genuine and active choice regarding the receipt of marketing communications.
(ii) Avoiding the use of pre-ticked boxes or similar mechanisms that presume a consumer’s consent to receive promotional materials.
(iii) Reviewing privacy policies to ensure that the purposes for which data is collected and used are clearly, comprehensively and transparently described.
(iv) Establishing simple and user-friendly mechanisms that allow consumers to withdraw their consent at any time.
(v) For businesses utilizing CRM systems, Customer Data Platforms (CDPs), or marketing automation tools, reassessing customer segmentation and data utilization practices from the perspective of both the 2023 Law on Protection of Consumers’ Rights and applicable personal data protection legislation.
In practice, many businesses invest substantially in data security and cybersecurity measures, but often overlook the legal validity of consumer consent under the Law on Protection of Consumers’ Rights. This is one of the areas that is currently attracting increased regulatory scrutiny.
2. Transparency in Product Promotion Through Influencers (KOLs/KOCs)
Another noteworthy issue is the regulator’s enforcement against businesses that fail to disclose sponsorship arrangements with influencers engaged in product promotion activities.
Under Article 10.1.h of the 2023 Law on Protection of Consumers’ Rights, failure to disclose sponsorship or commercial relationships between a business and an influencer constitutes a prohibited act.
This is one of the new requirements that may have a significant impact on marketing activities conducted through TikTok, Facebook, YouTube and other social media platforms.
As consumers increasingly rely on reviews and recommendations from KOLs and KOCs when making purchasing decisions, legislators have sought to ensure that consumers can distinguish between independent opinions and paid promotional content.
Recommendations
This is currently a significant compliance risk area for businesses operating in the retail, FMCG, technology, cosmetics, health supplements and e-commerce sectors.
Enterprises should consider:
(i) Reviewing all cooperation agreements with KOLs, KOCs, influencers and affiliate partners.
(ii) Including contractual provisions requiring clear disclosure of sponsorship arrangements and commercial partnerships.
(iii) Developing internal guidelines governing how sponsorship disclosures should be made across different platforms.
(iv) Implementing approval procedures for marketing and promotional content before publication.
(v) Providing training to marketing teams on the requirements introduced under the 2023 Law on Protection of Consumers’ Rights.
Importantly, legal liability may not be limited to the individual KOL or KOC. In many circumstances, the sponsoring business itself may also be subject to regulatory scrutiny if the promotional content is found to violate applicable legal requirements.
3. Risks Associated with Standard Terms and Conditions and Terms of Use
Another violation that has attracted regulatory scrutiny concerns the inclusion of provisions in standard terms and conditions that are not permitted under applicable law.
Article 25 of the 2023 Law on Protection of Consumers’ Rights prohibits a number of clauses from being included in standard form contracts and general transaction terms and conditions. These include provisions that exclude or limit a business’s liability, restrict consumers’ rights to lodge complaints, or allow a business to unilaterally amend the terms of a transaction.
This issue is frequently observed on e-commerce websites, mobile applications, digital platforms and other online services.
In practice, many businesses continue to use terms and conditions that were adapted from foreign jurisdictions or drafted many years ago, without updating them to reflect recent developments in Vietnamese consumer protection laws.
Recommendations
Enterprises should consider conducting a comprehensive review of the following documents:
(i) Website Terms of Use;
(ii) Sales and purchase policies;
(iii) Return and refund policies;
(iv) General terms and conditions;
(v) Standard form contracts;
(vi) Membership policies and customer loyalty programmes.
Particular attention should be paid to provisions relating to:
(i) Limitation or exclusion of liability;
(ii) The right to unilaterally amend policies or terms;
(iii) The right to refuse service;
(iv) Warranty disclaimer provisions;
(v) Dispute resolution clauses;
(vi) Clauses governing the collection and use of consumer data.
Based on our practical experience, many contractual provisions that enterprises have relied upon for years may no longer be compliant with the requirements of the 2023 Law on Protection of Consumers’ Rights. The risks extend beyond administrative penalties and may also affect the enforceability of such provisions in disputes with customers.
Conclusion
The enforcement actions discussed above demonstrate that, in addition to reviewing compliance with personal data protection regulations, businesses should be aware that regulators are increasingly focusing on business activities conducted in the digital environment. Particular attention is being paid to the use of consumer data, influencer marketing practices, and electronic transaction terms and conditions.
For enterprises, now is an appropriate time to undertake a comprehensive compliance review of their websites, mobile applications, privacy policies, marketing activities and standard contractual documentation. Proactively identifying and addressing compliance risks at an early stage can not only reduce the risk of regulatory sanctions but also strengthen the confidence of customers, investors and business partners in an increasingly stringent compliance landscape.
For further information, please contact:
Thanh Minh VU, Partner, LNT & Partners
Minh.Vu@LNTpartners.com
