Terms and Conditions
Introduction and Foundations of the Transnational Contractual Architecture
This research report deploys an exhaustive and detailed analysis of the regulatory, jurisprudential, and operational requirements applicable to the structuring of the Terms and Conditions (hereinafter, T&C), as well as to the legal architecture of corporate communications for the Sistica technological platform. The drafting of binding instruments for a company with cross-border operations in the Republic of Colombia and the United States of America cannot be conceived as an isolated exercise in contractual drafting; on the contrary, it requires a symbiotic integration with the Privacy and Personal Data Treatment Policy already established in the corporate domain, ensuring that the flow of information, the obtaining of informed consent, and the communication mechanisms with users comply with the highest legal standards of both jurisdictions.
Operating under a transnational model subjects the company to a plurality of regulatory regimes that occasionally present significant asymmetries. The optimal methodological strategy to mitigate the risk of administrative sanctions, civil litigation, and reputational damage is the adoption of a “strictest standard compliance” model. This model postulates that, in the event of a regulatory or procedural discrepancy between Colombian legislation (represented by mandatory rules such as Law 1480 of 2011, Law 1581 of 2012, and the recent Law 2300 of 2023) and the US normative corpus (led by Federal Trade Commission – FTC regulations, the CAN-SPAM Act, and state and federal jurisprudence), the Sistica platform must integrate into its T&C the rule that grants the greatest protection to the consumer and the data subject. This methodology standardizes the software’s operational processes, neutralizing the need to fragment the technological infrastructure to create parallel instances based on the end user’s geolocation.
The development of the T&C must be intrinsically linked to privacy policies, given that the acceptance of the former necessarily implies authorization for the processing of information that enables the provision of the service. Consequently, this document breaks down with extreme precision the response times, peremptory deadlines, permitted frequencies, and specific quantities that must be explicitly stipulated in corporate legal documents. Particular analytical emphasis is placed on the management of email campaigns, rigorously distinguishing between promotional mailings and transactional notifications, such as registration confirmations and client appointment reminders, which constitute the operational core of the platform.
Legal Nature and Formation of the Electronic Contract
The validity and enforceability of the Terms and Conditions depend fundamentally on the technological and legal mechanism used to perfect acceptance by the user. Comparative jurisprudence and control authorities in both jurisdictions categorically reject abusive clauses, as well as tacit or passive acceptances that seek to bind the consumer without an unequivocal manifestation of their will.
In the context of US law, jurisprudence has established critical precedents regarding the enforceability of online contracts. Courts have consistently determined that “browsewrap” agreements, characterized by relegating terms to a static hypertext link in the website’s footer, lack binding force as they do not require an affirmative action by the user demonstrating their knowledge and assent. Landmark cases, such as the Safeway v. Rodman litigation, have illustrated that failure to obtain explicit consent through terms update processes can result in multimillion-dollar adverse judgments. US legal doctrine requires the implementation of “clickwrap” mechanisms, in which the user is forced by the graphical interface to actively interact with a checkbox or click an “I Accept” button as an indispensable condition to access the platform’s services.
In parallel, in the Colombian legal system, the formation of contracts through electronic means is regulated by Law 527 of 1999 (Electronic Commerce Law), which consecrates the principle of functional equivalence, establishing that legal effects, validity, or binding force shall not be denied to a contract solely on the grounds that one or more data messages were used in its formation. This regulation bases the evidentiary validity of electronic records in judicial proceedings, provided that the reliability, integrity, and traceability of the information regarding who sent it, to whom it was addressed, and the exact moment of the transaction are guaranteed. Additionally, Law 1480 of 2011 (Consumer Statute) classifies this typology of mass agreements as “contracts of adhesion.” Article 39 of said law imposes on the producer or supplier the non-delegable obligation to leave an express record of the adhering party’s acceptance of the general conditions of the contract. A critical temporal requirement that must be integrated into the company’s processes is the regulatory mandate that obliges the supplier to deliver to the consumer a written record (which can be validly sent as a data message) with the exact terms of the operation, no later than three (3) days following the adhering party’s request.
To satisfy both regulatory frameworks, Sistica’s T&C must explicitly declare that continued use of the platform requires prior and informed acceptance, which will be cryptographically recorded and stored on the company’s servers, including the IP address, timestamp, and the specific version of the accepted legal document, constituting full proof of the contractual link.
Contractual Modification Regime and Notice Periods
The evolution of technological business models demands that legal documents possess the necessary flexibility to adapt to new functionalities, cost structure changes, or regulatory updates. However, the inclusion of contractual provisions that empower the company to unilaterally modify the T&C at any time and without prior notice constitutes a legally unsustainable practice in the current landscape.
In the United States, courts evaluate the validity of online modifications using traditional contract law doctrines, considering that a proposed modification constitutes a new offer that is not binding until formally accepted by the counterparty. The precedent set in Sifuentes v. Dropbox, Inc. determined that notifying users of a terms update via mass email, assuming that continued use of the account constitutes assent, carries extreme legal risk and can result in the unenforceability of new clauses, such as arbitration agreements. When modifications directly affect financial aspects of the end user (for example, fee increases, increases in consumer liability, reductions in available electronic transfer types, or stricter limitations on transaction frequency), federal consumer protection regulations require the institution to send a written notice to the client at least twenty-one (21) days before the change’s effective date.
From the Colombian perspective, the Consumer Statute absolutely proscribes unilateral modifications that impose disproportionate burdens on the consumer. Article 43 of Law 1480 of 2011 decrees that any clause implying the waiver of consumer rights, reversing the burden of proof to their detriment, or unjustifiably limiting the supplier’s liability, shall be reputed as an “abusive clause,” being legally ineffective and deemed unwritten. Consequently, any material update to Sistica’s T&C that alters the provision of the service or the processing of personal data (pursuant to Law 1581 of 2012) will require not only timely notification but the collection of a new explicit consent (clickwrap renewal) during the user’s next login session to the platform.
To properly structure this aspect in the T&C, it must be specified that Sistica will notify any substantial change in the conditions of service by sending an email to the registered address, granting a minimum notice period of twenty-one (21) calendar days. During this period, the user will hold the unrestricted right to terminate the contract without any penalty if they do not agree with the new stipulations.
Legal Architecture of Corporate Communications
The operational intersection between the provision of Sistica’s technological services and the execution of its digital marketing and relationship strategy represents one of the vectors of greatest exposure to legal risk. The Terms and Conditions, acting in perfect concordance with the Privacy Policy, must establish an unequivocal conceptual and instrumental differentiation between communications of a purely transactional nature and those communications that are strictly commercial or promotional. The parameters of times, permitted frequencies, and consent management vary drastically depending on the legal classification assigned to the sent message.
Classification and Legal Nature of Data Messages
The legal treatment of electronic communication requires a dissection of the message’s intent. Regulatory guidelines establish two broad categories that Sistica must integrate into its distribution algorithms:
The first category covers so-called transactional or relationship messages. In the regulatory framework, a message acquires this classification when its primary purpose is to facilitate, complete, or confirm a commercial transaction that the recipient previously agreed to enter into with the sender, or when its purpose is to provide information inherent to an ongoing contractual relationship, membership, or existing account. For the Sistica platform, this category exhaustively includes account registration confirmations, password resets, payment receipts, and appointment reminders or itinerary tracking that the client has scheduled or explicitly requested. Likewise, mandatory notifications regarding material alterations in the Terms and Conditions or the Privacy Policy, as well as critical security alerts, are included under this legal umbrella.
The second category corresponds to commercial or promotional messages. The law defines this typology as encompassing any email message or telematics communication whose primary purpose resides in the commercial advertisement or direct promotion of a product, service, or web portal for profit. In the Sistica ecosystem, this classification encompasses newsletters containing offers, emails structured to encourage cross-selling, invitations to acquire higher-value subscription plans, and automated advertising campaigns (drip campaigns).
A critical analytical consideration arises when a message merges both natures. The Federal Trade Commission (FTC) warns that if the message amalgamates commercial and transactional content, the legal assessment rests on the perception of the primary purpose. If the subject line or the beginning of the email body reasonably leads the recipient to interpret it as a commercial communication, the entire message will be subjugated to the strict requirements of anti-spam regulations, regardless of whether an appointment reminder is included at the end of the text. Consequently, to preserve the legal immunity of follow-up emails, Sistica must ensure that client appointment reminders and registration confirmations remain sterile of concurrent advertising material.
Restrictions and Quotas in the Colombian Jurisdiction: Law 2300 of 2023
In the territory of the Republic of Colombia, the legal landscape of direct communications to consumers was radically reformulated following the issuance of Law 2300 of 2023, colloquially referred to in the legislative and media environment as the “Dejen de Fregar” (Stop Bothering) law. This public order provision instituted a series of inflexible restrictions aimed at shielding the fundamental right to privacy, tranquility, and habeas data of consumers against invasive corporate marketing and collection practices.
Sistica’s Terms and Conditions, in its communications section, must expressly incorporate the following operational limitations derived from this law:
Regarding the authorized time slots, contacts pursuing commercial, advertising, or portfolio management purposes are only authorized to be executed on business days (Monday to Friday) within the margin between 7:00 a.m. and 7:00 p.m. For Saturday, the time spectrum contracts, allowing interaction exclusively between 8:00 a.m. and 3:00 p.m. Any attempt at contact for mercantile purposes during Sundays and national holidays is taxatively proscribed.
Regarding the volume or maximum frequency of contact, the regulation has drawn an unavoidable red line: the consumer, once direct contact has been established with them, cannot be approached through commercial or advertising messages on more than two (2) occasions during the span of a single calendar week. Additionally, the law proscribes multichannel harassment, determining that the company may not contact the user through various channels (for example, email and text message simultaneously) within the same week, nor more than once during the same day for these purposes.
However, to guarantee the viability of Sistica’s operational model, it is essential to crystallize in the T&C the exceptions contemplated by the regulations themselves and the resolutions of the Communications Regulation Commission (CRC). The schedule restrictions and weekly frequency quotas defined by Law 2300 are not applicable to contacts whose teleology is to inform the consumer about the timely confirmation of operations, generate alerts about anomalous transactions, or, of utmost relevance to Sistica, send information that has been expressly and unequivocally requested by the consumer. Therefore, the sending of emails for registration confirmations or the dispatch of appointment reminders scheduled by the client fall under these exceptions, allowing their execution outside restricted hours when the urgency or nature of the service demands it, provided their strictly informational character is preserved.
Requirements and Peremptory Deadlines in the US Jurisdiction: CAN-SPAM Act and FTC
For operations and the user base located in the United States, electronic communications are governed by the postulates of the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”, universally known as the CAN-SPAM Act. Unlike certain European regulations based on prior consent (opt-in), the architecture of the CAN-SPAM law is based on a voluntary exclusion model (opt-out), allowing companies to send commercial emails to their clients and even prospects (cold outreach), conditional upon the observance of strict transparency requirements and the provision of immediate revocation mechanisms.
Sistica’s T&C must inform the user that corporate communications will strictly comply with FTC mandates. Any email of a promotional or commercial nature must bear truthful header and routing information; this implies that the “From,” “To,” and “Reply-To” fields, as well as the originating domain, must accurately identify Sistica as the sender or initiator of the message. The subject line may not be used to deceive the recipient about the substantive content of the message, and the communication must obligatorily include the valid physical postal address of the company’s facilities, as well as a clear and conspicuous disclosure that the message constitutes a commercial advertisement.
The punitive core of the CAN-SPAM Act revolves around the unsubscribe mechanism. The regulation peremptorily demands that each commercial message offer a simple and evident way for the recipient to request the cessation of future marketing mailings. Once the user has exercised this opt-out prerogative, legislation grants Sistica a maximum and non-extendable period of ten (10) business days to systemically process the request and materialize the definitive interruption of promotional communications. In this process, the company is prohibited from demanding the payment of fees, requiring additional personally identifiable information beyond the email address, or forcing the recipient to execute complex steps other than replying to the email or visiting a single web page. Following the materialization of the opt-out, contact data may not be commercialized or transferred to third parties for marketing purposes. Violations of the provisions of the CAN-SPAM Act, including failure to comply with opt-out deadlines or falsifying headers (aggravating factors), entail severe penalties imposed by the FTC, which can amount to the exorbitant sum of $53,088 US dollars for each individual email issued in contravention of the rule, in addition to potential criminal liability in scenarios of aggravated fraud.
Regarding optimal sending frequencies in US territory, the law does not stipulate a coercive numerical limit. Nonetheless, consolidated best practices in the sector and the mitigation of risks due to consumer fatigue suggest a methodological threshold. In business-to-consumer (B2C) environments, metrics indicate that a volume of one (1) to four (4) weekly mailings maximizes retention, while in business-to-business (B2B) relationships, saturation is reached faster, with a recommended cadence of merely two (2) commercial emails per month to nurture the relationship without generating friction that leads to spam complaints.
To achieve technical harmonization of the Sistica platform in both territories, it is instructed to establish by default in the Terms and Conditions that the user agrees to receive commercial communications with a maximum frequency of two (2) emails per week, thus aligning with the impassable limit established by the Colombian jurisdiction, and adopting a conservative and respectful posture that guarantees peaceful compliance in the United States. Regarding the sending time for registration confirmation, the policies will dictate that said message will be sent immediately, understanding as such the temporal spectrum between the exact moment of registration completion and a maximum threshold of five (5) minutes, leveraging high-availability technological infrastructures to satisfy the expectation of immediacy in electronic commerce and comply with the guarantees of Article 50 of Law 1480 and the principles of Law 527. Appointment reminders and subsequent confirmations will operate in strict synchrony with the schedules autonomously defined by users within Sistica’s functionalities.
To concretely illustrate the operational guidelines regarding the communications policy that must be inserted into the T&C, the following technical and legal parameterization is presented:
| Type of Communication | Maximum Legal / Recommended Frequency | Schedule Restrictions (Colombia – Law 2300) | Opt-Out Compliance Deadline |
|---|---|---|---|
| Commercial and Promotional Emails | Two (2) per week (Strict limit in Colombia). | Monday to Friday: 7:00 a.m. – 7:00 p.m. Saturdays: 8:00 a.m. – 3:00 p.m. | Maximum ten (10) business days (CAN-SPAM US). |
| Registration and Account Creation Confirmations | Single send per creation event. | Exempt. Can be sent at any time as it is requested information (Data Message). | N/A (Transactional or essential Relationship Message). |
| Appointment Reminders and Operations Tracking | According to scheduling and service needs. | Exempt. Constitute indispensable operations support and customer service. | N/A (Do not require a promotional unsubscribe link if they contain no advertising). |
| Notices of Material Changes in T&C or Privacy | Occasional (According to corporate updates). | Exempt. Constitute contractual relationship notifications. | N/A (Constitute pre-contractual and contractual information obligations). |
Integration with the Privacy Policy, Habeas Data, and Document Retention
The Terms and Conditions must be inexorably linked and conditioned to the guidelines contained in the policy established at the domain https://sistica.com/politicas-datos/. This integration requires the platform to implement technical barriers to prevent the illicit processing of information, ensuring that data collected during the execution of services (such as appointment histories, confirmations, and browsing patterns) is used for strictly defined, limited, and informed purposes.
Guarantee of Rights and Administrative Response Times
In the Colombian legal system, Statutory Law 1581 of 2012 strictly governs the processing of personal data. This legislation confers upon data subjects unwaivable powers to know, update, rectify, and delete their data vis-à-vis the data controllers and processors. The T&C must explicitly reproduce the jurisdictional deadlines dictated by this law for the management of requests, procedurally known as Petitions, Complaints, Claims, and Suggestions (PQRS):
When a Sistica user exercises their right through a formal query to inquire about the nature of the personal information resting in the company’s databases, the platform assumes the inescapable obligation to address said request within a maximum term of ten (10) business days counted from the date of its receipt. In circumstances where the complexity of document collection prevents satisfying the query within this period, Sistica must notify the interested party before the expiration, explaining the reasons for the delay and indicating the new response date, which in no case may exceed the five (5) subsequent business days following the expiration of the first term.
On the other hand, when the data subject’s interaction rises to the category of a claim (typically driven by the desire to demand the correction of inaccurate data, the deletion of information from the system, or facing the presumption of non-compliance with legal duties by Sistica), the time frame differs. For these scenarios, the company has fifteen (15) business days to issue a substantive resolution and materialize the required action. Similarly, if the claim involves a particular difficulty, the period may be extended by informing the data subject, without the extension exceeding eight (8) additional business days. It is of vital importance to record in the T&C the mandate of Article 16 of Law 1581, which establishes a procedural requirement: the user who is the data subject or their successor in title will only be legitimized to file a formal complaint with the Superintendency of Industry and Commerce (SIC) in Colombia once they have unsuccessfully exhausted the prior procedure of direct consultation or claim before Sistica.
At the federal level in the United States, although it lacks a comprehensive dogmatic equivalent like the Colombian statute (except for broad state laws like the California Consumer Privacy Act – CCPA), the voluntary adoption of the peremptory deadlines of ten and fifteen business days structured by Law 1581 for Sistica’s entire international user base not only guarantees absolute compliance with South American authorities but projects a standard of transparency and superior operational diligence, substantially mitigating potential investigations for unfair practices by the FTC regarding improper data retention.
Policy on Conservation and Expiration of Personal Data
Defining the period during which the company will safeguard the user’s information constitutes a neuralgic aspect that prevents litigation for overreach in storage (data hoarding). The principle of purpose dictates that keeping confidential information or contact data “indefinitely” or “just in case” violates fundamental rights to privacy in the digital environment.
The doctrine of the Superintendency of Industry and Commerce in Colombia, crystallized in various sanctioning resolutions, has established that persons involved in the processing of personal data are constrained to guarantee the confidentiality of the information even posthumously to the termination of the contractual relationship. However, the SIC has specifically ruled that agreements or T&C attempting to fix an indefinite time to keep data subjects’ data are inconsistent and contrary to Law 1581. Personal information must be purged from operational databases (or subjected to strict anonymization processes) once the reasonable and necessary period to achieve the purpose that originated its collection has been exhausted.
Contrasting this principle with the US regulatory environment and corporate compliance standards applicable to commercial and financial operations, the need arises to harmonize data expiration with tax and accounting obligations. The general corporate directive in US territory requires companies to retain commercial records linked to income, expenses, accounts receivable, bank statements, sales reports, and transaction receipts for a legal term of seven (7) years. Variations exist for specific situations; for example, under the scrutiny of the Consumer Financial Protection Bureau (CFPB), records derived from commercial credit applications or factoring agreements must be zealously retained for a spectrum ranging from sixty (60) days to twelve (12) months after notifying the applicant of adverse action.
To harmoniously combine the Colombian requirement for timely deletion with the US mandate for accounting traceability, Sistica’s Terms and Conditions and Privacy Policy must adopt wording that segregates the nature of the data. It must be imperatively stipulated that: Information corresponding to marketing profiling, browsing preferences, and contact data of a promotional nature will be irreversibly deleted or anonymized at the precise moment the user revokes their consent or materializes their right to deletion. Conversely, strictly transactional information, payment receipts, service execution confirmations, records of acceptance of these terms (including electronic audit logs), and any underlying billing data will be retained under robust cryptographic security protocols for a period of seven (7) years, for the sole purpose of complying with legal obligations regarding tax, accounting, mercantile, and judicial defense matters.
Regime of Suitability, Quality, and Service Guarantees
The provision of software-based services (SaaS) and the electronic commerce of professional services are protected by regulatory frameworks that require companies to be responsible for the correct functioning of their platforms. The T&C must specify the channels and times for the user to enforce this guarantee.
In Colombia, the legal guarantee is unwaivably enshrined in Article 7 of Law 1480 of 2011, defining itself as the joint and several obligation of every producer and supplier to respond to the consumer for the quality, suitability, safety, and good condition and functioning of the products and services offered. In a scenario where the user experiences recurring technical failures in Sistica’s software, inaccessibility to the appointment system, or disruptions in the sending of confirmation emails, they enjoy the legal power to file a direct claim for the effectiveness of the guarantee. The law imposes on the Sistica platform a term of fifteen (15) business days following receipt of the claim (submitted in writing, verbally, or through enabled electronic channels) to deploy the corresponding technical analysis and issue a substantive response detailing the corrective measures to be adopted. Additionally, Article 12 of the same law decrees that, in events where the service or product is subjected to a repair process, the supplier is inescapably obliged to deliver a record to the consumer containing a meticulous description of the repair carried out and the exact date on which the service’s operability was restored. Any limitation to this responsibility in the T&C will be deemed ineffective.
In the United States, warranties in the digital realm are regulated through state contract laws (such as the Uniform Commercial Code – UCC) and general FTC oversight against deceptive practices. Although US doctrine allows, under certain strict conditions and conspicuous language (capital letters, bold type), the Disclaimer of Implied Warranties (such as merchantability or fitness for a particular purpose), the transversal application of the Colombian standard of fifteen days and liability for suitability will mitigate any exposure to class actions under the premise of defective services.
Right of Withdrawal, Payment Reversal, and the “Click to Cancel” Rule
The digital commerce ecosystem is characterized by the immediacy of acquisition, which in turn has driven the development of protective regulations focused on safeguarding the consumer against impulse purchases, unwanted services, and perpetual subscriptions that are difficult to cancel. In structuring the T&C, Sistica must maneuver with extreme precision between the cooling-off periods stipulated by Colombian legislation and the recent, and highly punitive, directives promulgated by federal authority in the United States.
The Institution of Withdrawal and its Exceptions in Colombia
Article 47 of Law 1480 of 2011 incorporates the right of withdrawal into the Colombian legal system, granting consumers who acquire goods or services through financing systems or distance sales (exhaustively including operations deployed on the internet or telesales platforms) the absolute prerogative to terminate the contract unilaterally. The established period to exercise this power is five (5) business days, counted from the date the service provision contract is concluded or from the moment the good is delivered. If the consumer exercises this right in due time and form, Sistica assumes the non-delegable obligation to refund the entire money paid without any discounts, withholdings, or the imposition of penalties of any kind.
However, in the context of providing software as a service (SaaS) or facilitating technological communication infrastructure, the T&C must articulate with legal acuity the exceptions contemplated in the same normative body. The doctrine of the Superintendency of Industry and Commerce and the literal tenor of the Consumer Statute determine that the right of withdrawal becomes inapplicable in service provision contracts whose execution has begun with the prior and express agreement of the consumer before the expiration of the five-day period. Likewise, this right decays in contracts for the supply of goods or services made to clearly personalized specifications. Therefore, Sistica’s T&C must clearly state that if the user proceeds to configure their profile, import databases, and actively use the email sending or appointment scheduling service within the first five days, it will be understood that the execution of the service has begun with their consent, configuring the grounds for exemption from the right of withdrawal.
Additionally, the mechanism of “payment reversal” must be regulated. This figure, exclusively applicable to electronic commerce where payment instruments such as credit or debit cards mediate, empowers the user to request the cancellation of the transaction only upon the concurrence of assessed grounds: when the charge is the product of a fraudulent operation, corresponds to an unsolicited transaction, the acquired service is not effectively provided, or when its inherent characteristics substantially differ from the information provided during the offer phase.
The Regulatory Revolution in the United States: “Click to Cancel” and Negative Option
The cancellation landscape in the US market has undergone a radical metamorphosis. Historically, the Federal Trade Commission (FTC) administered the “Cooling-Off Rule”, which granted consumers a period of three (3) business days to cancel sales exceeding the $25 threshold. However, this regulation is irrelevant to Sistica, given that federal law explicitly and taxatively excludes commercial transactions that are entirely perfected through the internet, mail, or through the use of telephone channels.
The true regulatory threat and the guiding principle for drafting the T&C lies in the FTC’s recent issuance of the “Rule Concerning Recurring Subscriptions and Other Negative Option Programs”, globally known as the “Click to Cancel” rule. This regulatory amendment deploys ironclad control over negative option practices, defined as those contractual clauses where the consumer’s silence, or their inaction to reject a service, is interpreted as a binding and continuous acceptance of the offer (e.g., automatic renewals and free trial periods that silently convert into paid subscriptions).
To guarantee the legal viability of the platform and avoid incurring administrative offenses, Sistica must implement in its user interface design and stipulate in its T&C the following mandates derived from the FTC rule:
First, an absolute prohibition is established against engaging in false representations or omitting material facts inherent to the offer. Second, the obligation is established to execute a clear and conspicuous disclosure of the material terms of the subscription or the negative option policies prior to the collection of any consumer data or billing information. Third, consent for the adoption of the negative option characteristics must be obtained explicitly, auditable, and separated from the rest of the contractual provisions.
Finally, the operational core of the rule requires the company to provide a cancellation mechanism that boasts, at a minimum, the same level of simplicity, accessibility, and speed as the method used by the user to initiate the original subscription. If a user managed to subscribe to Sistica’s service by making three clicks on the web platform, the process designed for subscription cancellation cannot require them to engage in telephone interactions, fill out extensive forms, or subject them to digital labyrinths to consummate their desire to unsubscribe. Failure to comply with these rigorous provisions in the United States subjects the company to draconian civil penalties that can reach up to $51,744 per proven violation. Companies have a regulatory transition period of 180 days following the rule’s publication in the Federal Register to achieve full compliance with the consent and cancellation mechanisms.
| Normative Concept | Regulatory Framework and Jurisdiction | Deadline or Execution Condition | Implication for the T&C and the Platform |
|---|---|---|---|
| Record of Acceptance (Contract of Adhesion) | Colombia (Law 1480 of 2011, Art. 39) | Three (3) business days from the request. | Sistica must possess the systemic capacity to send a backup of the accepted T&C. |
| Notice for Financial Modifications | United States (Federal Laws – Financial Protection) | Twenty-one (21) calendar days before the effective date. | Mandatory clause to report changes in the pricing model or financial responsibilities. |
| Response Deadline to Privacy Complaints (Consultations) | Colombia (Law 1581 of 2012) | Ten (10) business days (extendable by 5). | Maximum legal period to inform the data subject about the status of their personal data. |
| Response Deadline to Privacy Claims (Deletion) | Colombia (Law 1581 of 2012) | Fifteen (15) business days (extendable by 8). | Legal period to materialize the deletion or rectification of information in the databases. |
| General Retention of Financial Data | United States (General Corporate Standards) | Seven (7) years post-transaction. | Evidentiary and tax support against audits, exclusively applicable to billing and acceptance logs. |
| Attention to Effectiveness of Legal Guarantee | Colombia (Law 1480 of 2011, Art. 7) | Fifteen (15) business days from the claim. | Obligation to issue a substantive response regarding system downtime or email delivery failures. |
| Term to Exercise the Right of Withdrawal | Colombia (Law 1480 of 2011, Art. 47) | Five (5) business days from the conclusion. | Valid provided the execution of the software or scheduling has not started. |
| Cancellation Mechanism (Click to Cancel) | United States (FTC – Negative Option Rule) | Immediate and Homologous to enrollment. | Absolute prohibition against retaining the user through friction or technological barriers when canceling subscriptions. |
Additional Considerations: Local Tax Environment and Commercial Restrictions
In the structural design of the contractual relationship, the Terms and Conditions cannot be abstracted from the tax and administrative reality of the place where transactions are executed or corporate operations are domiciled. When Sistica interacts with users or suppliers in specific municipalities, as is the illustrated case of the jurisdiction of Soacha in Colombia, the billing and payment clauses must recognize the preeminence of local tax statutes.
In the municipality of Soacha, economic activity deployed through technological means may be subject to the Industry and Commerce Tax (ICA), whose rates and withholding calendars are updated annually through agreements of the Municipal Council. For the 2025 taxable year, the local tax regulatory framework specifies minimum withholding bases expressed in Tax Value Units (UVT), setting withholding for services at 4 UVT and for purchases at 27 UVT, which entails penalties assessed at up to 10 UVT for defaults in ICA withholding obligations. Therefore, the T&C must incorporate a tax indemnity and tax liability clause specifying that all rates displayed on the platform exclude applicable local taxes, and that withholdings at the source corresponding to the ICA or the value-added tax (VAT) will be calculated, declared, and assumed in accordance with the acquirer’s domicile and current tax regulations.
Similarly, although applicable in an employment or procurement context rather than to the end consumer, knowledge of state regulations in the United States enriches the drafting of B2B T&C. For example, regulations such as the “CHOICE Act” in Florida, which restructure provisions on non-competition, impose strict formal barriers and notice periods for the applicability of restrictive clauses. Although they do not directly impact software sales, they evidence a generalized tightening of US legislation against contracts of adhesion and the imposition of unbalanced obligations on the weaker party of the legal relationship. This trend reinforces the absolute need to draft transparent, balanced Terms and Conditions with pristine acceptance mechanisms, ensuring that communications, whether follow-up or commercial, are dispatched while sacredly respecting the temporal domains and explicit authorizations dictated by the laws of both nations.
© SISTICA IT SAS