The regulations governing the conduct of business online in Singapore are set out in various statutory laws. The following regulations are of particular significance in Singapore:

The Singapore Parliament is responsible for passing legislation in this area. The legislation passed by parliament often empowers government ministers or statutory bodies to make further, more detailed regulations in specific areas of the law.

The main statutory body responsible is the Infocomm Media Development Authority (IMDA).

The most common steps a company must take to set up an existing/new business online are:

This depends on the nature of the business, but an online business can typically expect to contract:

When designing websites and applications, developers must ensure that they comply with the PDPA. The design of the website or app should include an appropriate way to obtain the necessary consent to collect, use and/or disclose the personal data of users for the purposes of the website or app, such as through push notifications or consent portals.

More guidance is provided in the Advisory Guidelines on Key Concepts in the PDPA, which are published by the Personal Data Protection Commission (PDPC).

Developers must also be aware of the Internet Regulatory Framework of the Infocomm Media Development Authority. Although this does not apply to the design of websites or apps specifically, this framework regulates content issues of concern to Singapore such as those relating to public interest, race, religion, and content that would be harmful to children.

If a third party is engaged to develop the app. the contract with the app developer should address the intellectual property (IP) rights and licences relating to the app, its development, distribution and maintenance.

Once the app has been developed, the online business can distribute it through its own website, or through an established app store such as those provided by Apple, Google and Microsoft. Use of the app is typically governed by an end-user licence agreement. If the app provides for any in-app transactions, an agreement with a third-party payment systems provider may be required.

Section 11 of the Electronic Transactions Act expressly provides that contracts can be formed electronically. The same general rules of contract formation apply to online contracts (that is, offer, acceptance, consideration, intention to create binding legal relations and certainty of terms.).

Under section 5(2) of the Electronics Transactions Act, parties can agree:

There is no "cooling off" period that applies specifically to electronically-formed contracts. However, a consumer can cancel a contract regulated by the Consumer Protection (Fair Trading) (Cancellation of Contracts) Regulations 2009 within a five-day cancellation period. Contracts regulated under these Regulations include direct sales contracts, long-term holiday product contracts, time share contracts or time share-related contracts.

In Chwee Kin Keong v Digilandmall.com Pte Ltd [2005] SGCA 2, the Singapore Court of Appeal held that the contract was formed when the retailer sent out automated e-mail responses containing the confirmation of purchase. In this case, the offer was made when the purchaser placed an order. This offer was then accepted when the retailer responded with a confirmation of the order. On acceptance, a binding contract was formed (assuming other elements of contract formation are met, that is consideration and intention to create legal relations). This case confirms that contracts can be formed electronically.

The contracts that must be signed by hand and cannot be signed electronically are set out in the First Schedule to the Electronic Transactions Act 2010 (2020 Rev. Ed.) and include:

There are no limitations on the choice of language for electronic contracts in Singapore.

See Question 1 for the relevant regulations governing the conduct of business online in Singapore for both business-to-consumer (B2C) and business-to-business (B2B) businesses.

The difference between B2C and B2B contracts are as follows:

The differences between the supply of goods, services and digital products are as follows:

The data retention requirements in the PDPA apply to all contracts and transactions generally and are not specific to online contracts. Section 25 of the PDPA requires organisations to cease retaining documents containing personal data, or remove the ways in which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that:

Other data retention requirements also exist for tax and other financial purposes, including under the Companies Act (Cap. 50) and the Goods and Services Tax Act 1993 (2020 Rev. Ed.).

The Cybersecurity Certification Scheme for Organisations, set up by the Cyber Security Agency of Singapore, recognises organisations with good cybersecurity practices. Under this scheme, organisations can be accredited with the Cyber Essentials mark, which recognises organisations which have put in place cyber hygiene measures, and the Cyber Trust mark, which recognises organisations with comprehensive cybersecurity measures and practices.

In addition, website providers can also apply industry-accepted standards, such as the ISO standards for information security management and e-commerce accreditation schemes such as SSL certificate and PCI DSS compliance.

The same remedies are available for a breach of an electronic contract as those that apply to breach of contracts generally. These include:

There are no differences between the remedies available to businesses and to consumers for breaches of electronic contracts.

E-signatures are recognised in Singapore.

The applicable legislation is section 8 of the Electronic Transactions Act 2010 (2020 Rev Ed) (ETA), which provides the electronic methods (such as e-signatures) that can be used by people to indicate their intention with regard to electronic documents. Section 116A of the Evidence Act 1893 (2020 Rev Ed) also imposes a presumption of the accuracy of electronic records, provided that the devices or processes in question are deemed to ordinarily produce or accurately communicate electronic records if properly used.

A ''signature'' is defined as a method (electronic or otherwise) used to identify a person and to indicate the intention of that person in respect of information contained in a record.

There is no set format for e-signatures, save that the signature method used must be compliant with section 8 of the ETA.

Certain contracts must be signed by hand and cannot be signed electronically (section 4 and the First Schedule, ETA). These include, for example:

The PDPA establishes the law for the protection of personal data in Singapore. It governs the collection, use and disclosure of individuals' personal data by organisations..

The PDPA does not impose any obligation on:

Further, he PDPA does not apply in respect of:

For further information on data protection laws in Singapore, see Data Protection in Singapore: Overview.

"Personal data" in the PDPA is defined as data, whether true or not, about an individual who can be identified:

The PDPA sets out certain conditions for the collection of personal data. For example, the data subject must either give consent or be deemed to have given consent to the collection, use or disclosure of their data. The PDPA also sets out circumstances in which consent is deemed to be provided by the data subject . These include circumstances where the collection, use or disclosure of personal data about the individual is reasonably necessary for the performance of a contract between that individual and the organisation .

The PDPA does not expressly restrict the storage of data in the cloud. However, organisations are responsible for complying with all obligations under the PDPA in respect of personal data processed by cloud service providers on their behalf and for their purposes. These include obligations such as ensuring the accuracy and protection of the personal data.

Government bodies can access or compel disclosure of personal data in Singapore in specific scenarios. This covers situations where the disclosure is necessary in the public interest, or necessary for law enforcement purposes.

In particular, section 20 of the Criminal Procedure Code (2020 Rev Ed) empowers the police to order the "production of any document or other thing" for the purposes of criminal investigations. Under section 50 of the PDPA, the PDPC can also, on a complaint or of its own motion, exercise powers of investigations, which include compelling the production of specific documents or information considered relevant to the investigation.

The PDPA does not expressly include cookies in its definition of personal data. However, cookies can qualify as personal data if they fall within the broad definition of personal data, that is, if they identify an individual either by themselves or together with other information, which the organisation has or is likely to have access to. Likewise, digital fingerprinting and online behavioural advertising technologies will fall under the ambit of the PDPA insofar as they deal with personal data.

The PDPC of Singapore has issued guidance that expressly discusses cookies as a way in which personal data is collected, used or disclosed. In essence, the Commission recognises that many internet activities today are dependent on the use of cookies and that unnecessarily restricting the use of cookies will impede the use of the internet. However, because cookies can potentially collect personal data, organisations must be mindful of using them for individuals' online activities.

If cookies containing personal data arise from individuals who voluntarily provide it, their consent can be deemed to be provided for the purpose for which the personal data was provided. However, the obligation to obtain an individual's consent to collect personal data rests with the organisation that is collecting it, whether itself or through data intermediaries. Where an organisation operates a website that a third party uses to collect personal data, and the website operator itself is not collecting this personal data, the obligation is on the third party organisation to obtain the required consent.

The PDPA sets out measures that apply to the security of personal data generally. An organisation (including companies and internet providers) must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The PDPC has also published a series of guidelines to assist organisations in ensuring internet transactions' security, including:

With the proliferation of online financial and payment services, the Monetary Authority of Singapore (MAS) has published the Technology Risk Management (TRM) Guidelines. These guidelines target financial institutions, requiring them to maintain a high level of reliability, availability and recoverability of critical IT systems, and deploy strong authentication processes to protect customer data, transactions and systems.

The use of encryption in respect of personal data is neither required nor prohibited in Singapore. That said, according to the guidelines issued by the PDPC, the use of encryption is encouraged to protect personal data. In assessing whether the technological protection measures (such as encryption) taken by an organisation are sufficient, the commercially reasonable standard and prevailing industry practices in the sector will be considered.

Traders are generally free to accept electronic payments, although these are subject to a complex set of regulatory requirements such as those imposed by the Payment Services Act 2019.

If the system involves personal data, the PDPA will also apply (see Question 14).

MAS has released the "E-Payments User Protection Guidelines" which provide general guidance and should be read in conjunction with the relevant legislation and subsidiary legislation, codes, and notices. The aim of this guideline is to protect users of electronic payments from security threats and fraud and to provide more security to electronic payment transactions for individuals and micro-enterprises. For example, users who use e-payment systems must provide accurate contact information and protect their passwords, while businesses using e-payment must monitor transactions and cultivate good security measures.

The Payment Services Act was passed in 2019 to regulate the provision of payment services. "Payment services" are defined in the First Schedule of the Act to include account issuance services, domestic money transfer services, and e-money issuance services. Under the Act, providers of payment services must hold a licence and comply with requirements calibrated according to the risks that specific payment services and business models pose.

The Payment Services (Amendment) Bill was passed in 2021 to regulate digital payment token service providers. The aim of these amendments was to deal with the anti-money laundering and countering terrorist financing risks that are often associated with cryptocurrencies. Key amendments include the imposition of additional requirements in respect of licensees providing digital payment token services, as well as expanding the general duty to use reasonable care not to provide false information to both individuals as well as corporate entities.

There are no specific rules or guidance for websites whose intended audience is children.

However, internet service providers, as a condition of their Class Licence (Broadcasting (Class Licence) Notification, Schedule 2A(1)(a)), must offer optional internet filtering services to prevent children from being exposed to undesirable content. As such, any site aimed at children must not include this content to avoid being filtered out.

The issue of valid consent under the PDPA would be will be relevant where any personal data of children is collected, used or disclosed. The PDPC has issued guidelines advising organisations to consider whether a minor can effectively provide consent on their own behalf for purposes of the PDPA. As a general rule, a minor who is at least 13 years old is deemed to typically have sufficient understanding to be able to consent on their own behalf.

The Singapore Code of Advertising Practice (SCAP) includes specific guidelines on advertisements that are targeted at children and young people. See Question 31 for more details.

There are no specific laws that protect companies in Singapore that resell or market online digital content, services or software licences provided by overseas suppliers.

As copyright issues may arise from the reproduction and communication to the public of these materials, companies in Singapore must ensure that they have the relevant rights to distribute and/or market the materials supplied.

There is no legislation which imposes limitations on linking to third party websites and other practices such as framing, caching, and spidering. However, online businesses should have regard to possible legal issues which can arise from such practices, such as copyright infringement or unauthorised access of computers under the Computer Misuse Act 1993 (2020 Rev Ed).

The issue of whether the use of metatags or advertising keywords can be limited by an action for trade mark infringement and/or passing off has not yet been decided in Singapore.

However, in contrast to jurisdictions that have found liability for trade mark infringement in the use of metatags on the basis of the "initial interest confusion" doctrine, this doctrine has been rejected by the Singapore courts. As such, it is unlikely that the use of metatags in Singapore is limited by an action for trade mark infringement.

With regard to advertising keywords, as Singapore's Trade Marks Act 1998 (2020 Rev Ed) is largely modelled after the UK Trade Marks Act 1994, it is likely that the case law from the UK on these issues will be persuasive. If so, an action on trade mark infringement can only be made out if the advertiser's use of such advertising keywords, identical to the registered trade mark, adversely affects or is liable to adversely affect the registered mark's essential function of indicating origin.

There are no specific regulations in place regarding the licensing of domain names. General contract law applies.

For Singapore's .sg domain name registry, a person based outside Singapore can register an ".sg" domain name in this category, provided that it appoints a local agent with a valid Singapore postal address as the Administrative Contact.

However, for a ".per.sg" domain name, a registrant must be an individual and must be either a Singapore citizen or a permanent resident aged 18 or over.

A domain registration does not automatically entitle the owner of the domain to a trade mark of the domain name.

It is possible to register domain names as trade marks with the Intellectual Property Office of Singapore, provided they meet the requirements for registration set out in the Trade Marks Act (Cap. 332). Once registered, the proprietor will acquire all the rights and remedies associated with ownership of the trade mark.

The use of a domain name can give rise to unregistered trade mark rights (passing off) for the owner/user of the domain name if, over time, it acquires the attributes of a trade mark (for example, if it serves as a ''badge of origin'' to distinguish the trade mark owner/user's goods or services from others).

It is possible to apply for and obtain a business name through the website of the Accounting and Corporate Regulatory Authority of Singapore (ACRA). The Business Names Registration Act 2014 (2020 Rev Ed) sets out various restrictions on business names, including names which in the opinion of the Registrar of Business Names are:

Additionally, business names that imply a connection to a public authority or the government or contain ''unsavoury'' words or expressions will also be refused registration by ACRA.

There are no statutes that regulate the jurisdiction for internet transactions or disputes specifically. In the absence of an exclusive jurisdiction clause, the Singapore court will apply the common law principles to determine the most appropriate forum for the dispute (that is, the forum with the most real and substantial connection with the dispute). The factors that the court can consider in determining the most appropriate forum include:

There are no statutes specifically regulating the governing law for internet transactions or disputes. General common law principles apply.

To determine the governing law of transactions or disputes, the court must:

There are no limitations on ADR/ODR options available to online traders and their customers in Singapore.

Online traders and customers can benefit from the ADR services provided by the general ADR institutions such as the Singapore Mediation Centre and the Singapore International Arbitration Centre.

There is no general requirement on online traders to notify customers of the availability of ADR/ODR methods.

For arbitration, tribunals can generally award any remedy or relief that can be ordered by the High Court. This includes damages, declarations, injunctions and costs, as well as other interim remedies. For a detailed explanation, see: Arbitration Procedures and Practice in Singapore.

For mediation, parties have full control over the outcome of the dispute, and are free to come to come to a suitable agreement that will be binding on both parties. Singapore is also a Contracting State to the United Nations Convention on International Settlement Agreements resulting from Mediation (also known as the "Singapore Convention on Mediation"), which allows businesses to easily enforce their settlement agreements in accordance with the rules of procedure and conditions laid down in it.

The internet service providers and internet content providers in Singapore are regulated by the IMDA. The IMDA's regulatory framework for the internet is embodied in the Broadcasting (Class Licence) Notification (Class Licence Notification). Under the Class Licence Notification, internet content providers and internet service providers are deemed automatically licensed and must observe and comply with the Internet Class Licence Conditions and the Internet Code of Practice, which outline what is regarded as offensive or harmful in Singapore.

Internet content and service providers must generally ensure that prohibited material is not broadcast over the internet to users in Singapore. This includes material which is objectionable on the grounds of public interest, public security, and national harmony.

In its approach to internet regulation, the IMDA encourages self-regulation and therefore encourages content providers in Singapore to develop industry codes of practice to facilitate greater self-regulation.

All advertising and marketing activities (on broadcast media or otherwise) are guided by the Singapore Code of Advertising Practice (SCAP). The SCAP is issued by the Advertising Standards Authority of Singapore (ASAS), an advisory council under the Consumers Association of Singapore and was drafted against the background of international law and practice, including the International Code of Advertising Practice issued by the International Chamber of Commerce. The purpose of the SCAP is to promote a high standard of ethics in advertising by self-regulation. As such, the ASAS relies principally on a system of guidance and voluntary compliance, rather than punitive measures, to facilitate observance of the SCAP.

Although the SCAP does not have the force of law, it has been endorsed by organisations representing advertisers, advertising agencies and the media. The SCAP includes general guidelines that all advertisements must comply with, as well as certain industry-specific guidelines. Generally, under the SCAP, all advertisements (regardless of industry and mode of advertisement), must meet the following requirements:

Tthe SCAP includes specific guidelines for advertising and marketing communication that appear on social media (see Guidelines on Interactive Marketing Communication and Social Media), which impose disclosure requirements for certain types of sponsorship arrangements and commercial relationships.

The types of services or products that are specifically regulated when advertised/sold online are:

The Sale of Infant Food Ethics Committee Singapore Code of Ethics also sets out obligations on industry players with respect to infant formulas. Notable terms include restrictions on financial inducement (such as discount vouchers) and guidelines on how infant formulas should be displayed in supermarket aisles.In addition to the above regulations, the Singapore Code of Advertising Practice imposes additional specific guidelines for the advertising products such as medicinal products, slimming products and services, hair and scalp products, alcoholic drinks, trading, financial products and services, and audiotext services.

The Spam Control Act imposes the following requirements on bulk commercial messages sent electronically:

There are no specific language requirements for a website that targets the Singapore market. However, as English is the working language in Singapore, most websites that target the Singapore market tend to be in English.

In Singapore, Goods and Services Tax (GST) is levied on the import of goods (collected by the Singapore Customs), as well as almost all supplies of goods and services in Singapore. GST applies whether or not the sale is concluded online, although certain selected goods and services (such as financial services) are exempted.

Generally speaking, a business in Singapore must register for GST when either:

If the taxable turnover for the past calendar year is more than SGD1 million, registration must be done within 30 days of the end of the calendar year.

If the business can reasonably expect its taxable turnover in the next 12 months to be more than SGD1 million, registration must be done within 30 days from the date of the forecast or expectation. For example, if the company signs a contract for more than SGD1 million, registration must be done within 30 days of the signing of that contract.

However, even if the business does not exceed SGD1 million in taxable turnover, it can still voluntarily register for GST. The advantage of voluntary registration is that the business can enjoy the benefits of claiming input tax incurred in the course of business. This is especially advantageous for businesses that are dealing in purely zero-rated supplies (exports or international services).

The key areas of liability for website content are:

The determination of liability will vary depending on the type breach/infringement in question. For example:

There are no specific legislative requirements setting out the legal information that must be provided by a website operator.

However, when website operators engage in various activities governed by specific legislation, they must comply with these specific legislative requirements. For example, when a website operator engages in the collection of personal data, the relevant requirements of the PDPA apply, such as those requiring the organisation to seek consent from the individuals or comply with the withdrawal of any consent.

Where the website operator is an internet service provider or internet content provider, the requirements under Broadcasting (Class Licence) Notification (Class Licence Notification) may apply (see Question 31).

The website operator is responsible for the content on its website. However, in certain circumstances website operators can rely on several exceptions. For example, section 26 of the Electronic Transactions Act provides immunity to network service providers (NSPs) in respect of certain civil or criminal liabilities for third party content to which the NSP merely provides access.

In addition, under the ''safe harbour" provisions of the Copyright Act, NSPs can enjoy immunity from copyright infringement for activities that are integral to its functions such as transmission, routing and provision of connections, system caching and storage and information location.

In general, an online business will not be liable for posts or content uploaded by third parties/users. However, businesses providing online communication services and social media platforms may soon be liable for egregious content on their websites, following the recently-passed Online Safety (Miscellaneous Amendments) Bill, which is expected to come into force in 2023.

An online retailer can limit its liability to consumers and businesses through:

Issues like incorrect pricing and misleading claims will be resolved through contractual principles, and may also be covered by the Consumer Protection (Fair Trading) Act (CPFTA), where a consumer who has entered into a consumer transaction involving an unfair practice can bring an action against the supplier, regardless of whether the transaction was concluded online.

Under the Copyright Act, owners and exclusive licensees of copyright can apply to the High Court of Singapore for an order requiring an ISP to take reasonable steps to disable access to a "flagrantly infringing online location" (FIOL).

FIOLs are defined in the Copyright Act as online locations that have been or are being used to flagrantly commit or facilitate rights infringements.

Relevant orders that can be granted include site-blocking orders, as well as "dynamic" injunctions that require the ISPs to block new domain names, URLs and/or IP addresses that provide access to essentially the same websites. Both were granted by the Singapore High Court in Disney Enterprises, Inc and others v M1 Limited and others, where Disney and five other major film studios applied for site-block orders against the five main retail ISPs in Singapoe.

There are no rules that apply specifically to products or services supplied online.

Insurances which an online business will usually require include:

There are currently no specific legislative proposals to reform digital business law in Singapore.

However, the Singapore Government has long been supportive of Singaporean businesses' efforts to digitise. For example: