Digital Business in the United Arab Emirates: Overview | Practical Law

A Q&A guide to digital business in the United Arab Emirates.

Digital Business in the United Arab Emirates: Overview

Practical Law Country Q&A 5-618-1252 (Approx. 18 pages)

by Nadim Bardawil, Hala Harb and Marina El Hachem, BSA Ahmad Bin Hezeem & Associates LLP
Law stated as at 01 Jun 2023
United Arab Emirates
The Q&A gives a high level overview of matters relating to: regulations and regulatory, legislative and industry bodies for doing business online; setting up an online business; running a business online, including electronic contracts and e-signatures; implications of running a business online, including data protection, privacy protection and cybersecurity; rules relating to linking, framing, caching, spidering and metatags; jurisdiction and governing law; domain names; advertising and marketing; tax; protecting an online business and users; insurance; and proposals for reform.

Regulatory Overview

1. What regulations apply for doing business online (for business-to-business and business-to-consumer)?
Business owners can set up their operations onshore in mainland UAE, in one of the many freezones which fall under the onshore regulations, or in the Abu Dhabi Global Market (ADGM) or the Dubai International Financial Center (DIFC) freezones, which have a separate legislative and regulatory regime largely based on the laws of England and Wales. Different rules and regulations apply depending on the jurisdiction in which the business is set up. For this Q&A, we examine only UAE onshore laws.
A non-comprehensive list of the various regulations applicable to doing business online includes:
  • Federal Decree Law No. 46/2021 on Electronic Transactions and Trust Services (E-Transactions Law).
  • Federal Decree Law No. 38/2021 on Copyrights and Neighbouring Rights and its Implementing Regulations (Copyrights Law).
  • Federal Decree Law No. 34/2021 concerning the Fight Against Rumours and Cybercrime (Cybercrime Law).
  • Federal Law No. 15/2020 on Consumer Protection and Cabinet Resolution No. 12/2007 (Consumer Protection Law).
  • Federal Decree Law No. 45/2021 regarding the Protection of Personal Data (PDPL).
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?
The main legislative body in the UAE is the Federal National Council, which enacts all UAE Federal Laws. The process of issuing a new law starts at a ministerial level. Ministries prepare a draft law and submit it to the National Council for approval. Once approved, the draft law is then presented to the Council of Ministers for discussion. It is then submitted to the president for review and signature and to the Supreme Council for ratification. The draft law becomes law three months after its publication in the Official Gazette unless indicated otherwise.
Several regulatory bodies can issue new regulations that affect businesses and consumers.
The Central Bank of the UAE (CBUAE) regulates banks, financial institutions and payment service providers and has wide powers to monitor and sanction non-compliant financial institutions.
The Securities and Commodities Authority (SCA) issues regulations and instructions to companies operating in the securities field.
The UAE is comprised of seven emirates and each one has an economic department that acts as the principal authority for the supervision and development of the economy. In Dubai for example, the Department of Economy and Tourism (DET) is responsible for monitoring compliance with enacted laws and regulations, such as suppliers' compliance with the Consumer Protection Law. Each emirate in the UAE has a freezone in which the authority is responsible for supervising every business incorporated in that emirate.
The Telecommunications and Digital Government Regulatory Authority (TDRA) acts as the regulator for the telecommunications and digital government sector in the UAE. It is also responsible for implementing the E-Transactions Law and regulating the use of domain names and virtual private networks (VPNs).

Setting up a Business Online

3. What steps must a company take to set up an existing/new business online?
Companies looking to set up new online businesses in the UAE should:
  • Choose the jurisdiction that is the most suitable for their business in terms of the types of licences offered, variety of activities and cost considerations. In principle, companies are restricted to operating within their jurisdiction of incorporation and cannot deal with clients in other jurisdictions. It is important to determine where the bulk of the company's clients are located as a possible indicator of where the company should be set up.
  • Rent an office which will serve as the headquarters of the company.
  • Apply for a general trading licence or a portal licence. There is no specific e-commerce licence, so a business intending to sell products online will have to apply for one of these.
  • Register a domain name and set up a proper website for the business.
  • Prepare the website terms and conditions (T&Cs), privacy policy and cookie policies in compliance with applicable laws in the chosen jurisdiction.
Companies looking to set up an existing business online can do so by amending the activities on their existing licence and adding a trading activity. This is only possible if the trading activity is compatible with the existing licensed activity. If deemed incompatible, a new licence will be needed.
4. What types of parties can an online business expect to contract with?
The online business can expect to contract with:
  • Customers, in particular through the privacy and cookie policies and the T&Cs that website users consent to.
  • Third party service providers such as legal counsel, website developers and IT technicians. The services provided by these parties are essential to the success of the business and therefore well-drafted agreements detailing the rights and obligations of each of the parties are necessary to limit the company's liability.
5. Is there any law or guidance that might affect the design of the website or app (for example, relating to access by disabled people or children)?
There are no specific laws that might affect the design of a website or a mobile application.
6. What are the procedures for developing and distributing an app?
The development of an application can either be outsourced to a third-party service provider or developed by the owner or founder. If outsourced, most developers do not assign ownership of the code they create, and therefore the app developer agreement is important.
The legal implications are different depending on whether the app developer agreement is a technology assignment agreement or a licence agreement/service agreement.
There are certain provisions that are found in most agreements, including:
  • Protecting any intellectual property (IP), including code and algorithms, or applying for a trade mark of the app name or copyrighting its source code and design.
  • Limiting the liability of the relevant parties and including appropriate warranties to that effect.
  • Managing the possibility of assigning the IP rights or obligations.
  • Confidentiality provisions ensuring that the IP is not divulged to a third party and that the business idea is protected.
  • Data privacy protective language and a privacy policy that regulates collecting and processing of personal data.

Running a Business Online

Electronic Contracts

7. Is it possible to form a contract electronically? Are there any limitations?

Requirements

The E-Transactions Law provides that electronic contracts have the same effect as regular, non-electronic contracts and are legally enforceable in the UAE. It also confirms that the offer and acceptance to contract can be expressed electronically and the contract remains valid and enforceable even if it is concluded electronically.
Under the E-Transactions Law, transactions can be concluded in whole or in part by an automated electronic medium and the contracts will be legally valid despite the lack of personal interaction with the counterparty.
However, certain requirements exist for an electronic document to be deemed validly safeguarded. It must be:
  • Saved in the form in which it was created, sent, or received.
  • Stored in a way that allows it to be used later.
  • Saved in a way that allows the identification of the creator of the document.
The E-Transactions Law does not distinguish between click-wrap, browse-wrap, shrink-wrap and electronic contracts. As the law is silent on these, it is assumed that they are deemed to be enforceable.

Limitations

The E-Transactions Law does not exclude any type of contract from being formed electronically. The Executive Regulations of the E-Transactions Law have not been issued yet and it remains to be seen whether any exclusions will be provided for.
The Consumer Protection Law provides that data, advertisements and contracts relating to consumers must be made in Arabic, with other languages used as supplementary languages.
8. What laws govern contracting on the internet?
The E-Transactions Law governs contracting on the internet for both business-to-business (B2B) and business-to-consumer (B2C) contracts in mainland UAE. Its aim is to facilitate all types of electronic transactions and protect the rights of customers who undertake them. It also encourages digital transformation, investment and providing electronic services to the public.
The Consumer Protection Law applies to all goods and services and any related operations that are carried out by way of electronic commerce.
9. Are there any data retention requirements in relation to personal data collected and processed through electronic contracting?
The collection and processing of personal data through electronic contracts is subject to the same rules and regulations as for non-electronic contracts.
No specific period is set for the retention of personal data, but the PDPL prohibits businesses from keeping personal data after fulfilling the purpose for which it was processed.
Such data can only be kept if the identity of the data subject is anonymised. Under the PDPL, anonymisation means processing the data in such a way that it can no longer be linked to the data subject, who becomes unidentifiable.
Certain types of information are required by law to be retained for a minimum period. For example, Federal Law No. 2/2019 on the Use of the Information and Communication Technology (ICT) in Health Fields (Health Data Law) provides that health data must be retained for at least 25 years following the date of the last health procedure performed on the patient.
Employee data must be retained for at least two years after termination of employment.
10. Are there any trusted site accreditations available to confirm that the website has complied with minimum cybersecurity standards?
There is no cybersecurity accreditation body in the UAE and no private site accreditations whether local or international that currently perform these services in the UAE.
11. What remedies are available for breach of an electronic contract?
No specific rules and regulations govern the breach of an electronic contract in the UAE. Any breach would be dealt with by the same provisions as for a written contract.

E-Signatures

12. Does the law recognise e-signatures or digital signatures?

Applicable Legislation and Use

The E-Transactions Law states that any person can use any form of electronic authentication unless the law says otherwise. Electronic signatures are assigned the same weight and treatment as handwritten signatures, which reinforces the notion that legal documents that are digitally signed are legally enforceable and hold legal validity.
In a departure from Federal Law 1/2006 (which was abrogated by the E-Transactions Law), electronic signatures or stamps can now be used when contracting with UAE government entities.

Definition of E-Signatures/Digital Signatures

An electronic signature is defined in the E-Transactions Law as a signature consisting of letters, figures, codes, sound, fingerprint or a processing system of electronic form attached or logically linked to an electronic document, which verifies the identity of the signatory and their acceptance of the content of the data associated with it.

Format of E-Signatures/Digital Signatures

There are various formats for e-signatures under the E-Transactions Law, including Qualified Electronic Signatures and Approved Electronic Signatures.
  • Qualified Electronic Signatures (as defined in the E-Transactions Law) must also:
    • be completely and exclusively associated with the signatory and under its control;
    • have the characteristic of identifying the signatory;
    • be linked to the data signed in such a way that any modification to that data can be discovered;
    • be created with technical and security techniques in accordance with the technical requirements specified by the Implementing Regulation (that has not been issued yet); and
    • meet any other conditions specified by the (pending) Implementing Regulation.
  • Approved Electronic Signatures are considered equal in their authenticity to a handwritten signature and have the same legal effect if they meet the following conditions set out in the E-Transactions Law:
    • the electronic signature and the electronic stamp are created based on an approved and valid authentication certificate in accordance with the provisions of the E-Transactions Law;
    • the electronic signature and stamp are created using an Approved Electronic Signature or Stamp Tool;
    • the data to prove the authenticity of the Approved Electronic Signature and the Approved Electronic Stamp is identical to the data submitted to the Approved Party;
    • the data identifying the signatory of the approved authentication certificate is properly submitted to the Approved Party;
    • they are created with technical and security techniques in accordance with the requirements specified by the Implementing Regulation (which has not been issued yet); and
    • any other conditions specified by the (pending) Implementing Regulation.
13. Are there any limitations on the use of e-signatures or digital signatures?
The E-Transactions Law does not exclude any type of contract from being signed electronically. The Executive Regulations of the E-Transactions Law have not been issued yet and it remains to be seen whether any exclusions will be provided for.

Implications of Running a Business Online

Data Protection

14. Are there any laws regulating the collection or use of personal data? To whom do the data protection laws apply?
The processing, collection, and use of personal data in the UAE is governed by the PDPL. The PDPL is the first comprehensive federal data privacy regulation in the UAE and came into effect on 2 January 2022. The Executive Regulations, which were expected in the second quarter of 2022, had not been published at the time of writing. From the date of their issue, controllers (entities and individuals who collect personal data) and processors (entities and individuals who process personal data on behalf of the controllers) will be given a grace period of six months to comply with the PDPL requirements.
The scope of application of the PDPL is wide as it applies to:
  • Any data subject who resides or has a place of business in the UAE (whether local or foreign).
  • Any controller or processor processing personal data in the UAE whether the data relates to subjects in the UAE or abroad.
  • Controllers and processors located outside the UAE who are processing personal data of data subjects inside the UAE.
15. How does the law define personal data or personal information?
Personal data is defined in Article 1 of the PDPL as any data relating to an identified natural person, or one who can be identified directly or indirectly through linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of the person. It also includes sensitive personal data and biometric data. Biometric data is data which results from processing and allows identification of the data subject from facial images or dactyloscopic data.
Sensitive personal data directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of that person, such as their physical, psychological, mental, genetic or sexual condition, including information related to health care services provided to them that reveals their health status.
16. Are there any limitations on collecting, storing or using personal data?
The PDPL provides data subjects with the possibility of withdrawing consent. Data subjects should be made aware of this right when providing their consent. In addition, withdrawing consent should not require undue effort on the part of the data subject and should be at least as easy as the process of giving consent. Withdrawal of consent does not affect the lawfulness of any processing carried out before the date of withdrawal.
In addition to the withdrawal right and similar to most global data protection laws, data subjects have various other rights such as the right to data portability, rectification or erasure of personal data, restriction and objection to personal data processing, and so on.
There are additional limitations in relation to the transfer of personal data outside the UAE, automated processing and the processing of sensitive personal data. Under the PDPL, personal data can be transferred outside the UAE if the recipient territory has an adequate level of protection or if the UAE accedes to bilateral and multilateral agreements relating to personal data protection with the countries to which the data is to be transferred.
While it is not expressly stated in the PDPL to be the case, it is anticipated that the data office or the Executive Regulations will provide details of jurisdictions and international organisations considered to have an "adequate" level of protection.
If the country to which personal data is being transferred does not have an adequate level of protection and no bilateral agreements with the UAE, personal data can still be transferred if:
  • A contract is entered into with the entity/centre to whom the personal data is being transferred to ensure that data processing controls and measures similar to those prescribed under the PDPL are provided for.
  • The express consent of the data subject has been given to transfer their personal data in a way that does not conflict with the security and public interest of the state.
  • The transfer is necessary to execute a contract between the controller and the data subject, or between the controller and a third party to achieve the data subject's interest.
  • The transfer is necessary to:
    • protect the public interest;
    • perform a procedure relating to international judicial co-operation;
    • fulfil obligations and establish, exercise or defend rights before a judicial authority.
Certain limitations exist when processing sensitive personal data:
  • When processing is performed on a large amount of sensitive personal data using modern technologies that pose a high risk to the privacy and confidentiality of the personal data, the controller must assess the impact of the processing.
  • A data protection officer must be appointed if the processing involves or is performed on large amounts of sensitive personal data and if it involves a systemic assessment of sensitive personal data including profiling and automated processing.
17. Can government bodies access or compel disclosure of personal data in certain circumstances?
It is common practice in the UAE for matters relating to national security or public security to give government bodies certain rights they may not usually have. This means that there are cases where the disclosure of personal data can be mandated by government bodies, such as competent judicial authorities.
Examples of the above can be found in the PDPL where it is clearly mentioned that controllers must provide the UAE data office, based on a decision from the competent judicial authority, with any information requested in the exercise of its competencies as provided for in the PDPL.

Privacy Protection

18. Are there any laws regulating the use of cookies, other tracking technologies like digital fingerprinting, or online behavioural advertising?
While there are no regulations that govern the use of cookies or tracking technologies in the UAE, these fall under the PDPL as they involve a certain level of data collection and processing.
The PDPL is clear that while it is prohibited to process personal data without the consent of a data subject, there are several cases in which the processing is considered lawful without having to obtain consent (exclusions). As long as business owners either obtain the data subject's consent to the use of cookies/tracking technologies or process data for a purpose that falls within the listed exclusions, they are considered to be in compliance with the PDPL.
Exclusions include processing data:
  • To protect the public interest.
  • To initiate or defend against any actions to claim rights or legal proceedings.
  • Relating to judicial or security procedures.

Cybersecurity

19. What measures must contracting companies or internet providers take to guarantee internet transactions' security?
There is a broad statutory security obligation imposed on service providers to guarantee internet transactions' security. However, regulations do not impose specific security measures and generally leave it to service providers to determine their security requirements on a case-by-case basis and as per their own risk assessment.
Specific security measures may be imposed as part of contractual obligations, notably when service providers are engaging with governmental entities.
20. Is the use of encryption required or prohibited in any circumstances?
The use of encryption for illegal purposes is prohibited and sanctioned under the Cybercrime Law. However, UAE regulators recognise and encourage the use of encryption for legitimate security purposes, particularly in relation to protecting personal data and government data.
21. Are electronic payments regulated?
Service providers offering payment services (including electronic payments) are regulated and must be licensed by the Central Bank of the UAE. The licensing and operating requirements will depend on the type of payment services offered (for example, stored value, card scheme and currency exchange).
In recent years, the UAE has issued multiple regulations to monitor and control the payment industry, for example Circular No. 15/2021 dated 6 June 2021, the Retail Payment Services and Card Schemes. Additionally, Financial Free Zones such as the DIFC and the ADGM have their own regulatory and licensing regime in relation to payment service providers incorporated under their jurisdictions.
22. Do any specific rules or guidance apply to websites aimed at (or that might be accessed by) children?
There are no specific, stand-alone regulations governing child digital safety. However, some articles in various regulations relate to children's safety, notably the Cybercrime Law which protects children from content against public morals, including pornography, and sets out hefty violation penalties.
As a general rule, a minor is defined by the Wadeema Law as a person below the age of 18. As such, any person below 18 years old does not have legal capacity to enter into agreements (including online transactions) and must obtain their guardian's consent.
While there are no specific regulations surrounding consent given online, in line with international best practice, websites generally require the user to be over 18 to provide consent. Online users below the age of 18 require a guardian's consent.
Concern about children's digital safety is also reflected by the TDRA's position. The TDRA sets out several content categories that must not be aimed at children and requires internet service providers to alert the relevant authorities about content in these categories that is contrary to the best interests of the child and against public morals.
As for handling children's data, there are currently no specific data protection regulations for minors in the UAE. However, the Executive Regulations of the PDPL (which are yet to be issued) are expected to include specific provisions targeting the way personal data of minors is handled.
23. Are there any laws protecting companies within your jurisdiction that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction?
There are no specific laws in the UAE in relation to reselling or marketing online digital content, service or software licences provided by a supplier outside the UAE. These types of activities will generally be subject to Federal Law No. 3 of 2022 Regulating Commercial Agencies (where applicable) and the Copyright Law.

Linking, Framing, Caching, Spidering and Metatags

24. Are there any limitations on linking to a third-party website and other practices such as framing, caching and spidering?
There are no statutory limitations on linking to a third-party website and other practices such as framing, caching and spidering. Generally, linking to third-party websites is common practice in the UAE. To mitigate the risks resulting from it, most websites include disclaimers and exclusions of liability in their terms of use to inform website users that the website is not responsible for the content and activity of linked third-party websites and that users, once redirected to third-party websites, will be subject to different T&Cs.
25. Are there any limitations on the use of metatags or advertising keywords?
There are no statutory limitations on the use of metatags or advertising keywords and there is no case law in this regard. Where a dispute around metatags and advertising keywords arises, UAE courts will likely apply existing laws in relation to anti-competitive practices and intellectual property to address the issue.

Domain Names

26. What limitations are there in relation to licensing of domain names?
The TDRA is the oversight body for domain name licences. Applicants wishing to obtain a domain name licence must meet the various eligibility requirements, set out in the Domain Name Eligibility Policy. Notable requirements are the responsibility to ensure the right to use the domain name and that registration does not infringe any third party rights or contravene applicable laws.
Certain domain names may have specific eligibility requirements depending on the suffix of their third level domain. For example, .co.ae indicates commercial entities, which will have different eligibility requirements to IT service providers, which are .net.ae.
The period of a domain name licence is dependent on the terms of the particular licence, ranging from one to five years. A registrant will be entitled to renew or update information on the relevant domain name licence at its expiry or termination, provided that the registrant meets the eligibility requirements to retain the licence.
The TDRA reserves the right to revoke a domain name licence for breaches of policy, where a registrant violates any relevant laws or where their application was not legitimate.
27. Can use of a domain name confer rights in a word or phrase contained in it?
Under the Domain Name Eligibility Policy, a successful domain name does not of itself give rise to any intellectual property or other rights in the name of the subject of the domain name licence, or any part of the domain name. Domain name choice often takes into account ownership of and reference to a trade mark already in use due to the .aeDA's general eligibility requirements. However, businesses should be aware that:
  • Once a domain name is secured, suitable domain continuity plans should be put in place to pre-empt any account information abuse from individuals leaving the organisation.
  • Third parties can register a domain name which is identical or similar to either a domain name or trade mark belonging to another party. This is referred to as "cyber-squatting". "Phishing" is also a concern as the end result is a deceptively similar website to the legitimate one.
The .aeDA's Domain Name Dispute Resolution Policy can be consulted for solutions to these problems.
28. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?
A business name must mirror the nature and form of a business and distinguish one business from another. There are some restrictions found in the Company Name Reservation Rules and Guidelines. A business name must:
  • Be followed by the legal form of the company, for example LLC or EST.
  • Not contradict the activity of the business.
  • Not contain names relating to any governing authority, religion, or an external body's name/logo.
A business name can be applied for and reserved, for a fee, through the Department of Economic Development in each emirate or through its website or mobile app before establishing a business in the UAE. Before obtaining a business name it is advisable to check that the proposed name does not belong to another business.
There are additional limitations and requirements to consider which may be imposed by specific free zones.

Jurisdiction and Governing Law

29. What rules do the courts apply to determine the jurisdiction and governing law for internet transactions (or disputes)?

Jurisdiction

To determine the jurisdiction and governing law for internet transactions, UAE courts apply the same rules as those for offline transactions. At the outset, UAE courts look at the jurisdiction and governing law explicitly agreed on between the parties in the agreement. This is usually covered in the T&Cs of a website. Where no reference to governing law and jurisdiction is included in the contractual documents between the parties, UAE courts determine the governing law and jurisdiction on a case-by-case basis and try to identify the parties' intention based on the facts of the transaction.

Governing Law

See above, Jurisdiction.
In addition, where UAE courts determine that the governing law is the law of the UAE, the Consumer Protection Law is generally relevant and applies to both B2B and B2C transactions. "Consumer" is broadly defined under the Consumer Protection Law and relates to both natural and juristic persons.
30. Are there any alternative dispute resolution/online dispute resolution (ADR/ODR) options available to online traders and their customers?

ADR/ODR Options

There are multiple ADR methods available in the UAE, both onshore and in financial free zones.
Parties can agree to resolve disputes arising from online transactions through the Dubai International Arbitration Centre (DIAC), which is the most popular arbitration choice under UAE law particularly following the abolition of the DIFC-LCIA Arbitration Centre in September 2021.
In April 2021, the UAE introduced Federal Law No.6 of 2021 on Mediation for the Settlement of Civil and Commercial Disputes (Mediation Law). The Mediation Law puts in place a clear framework for conducting mediation procedures, providing an additional and attractive dispute resolution method. It is therefore anticipated that mediation will become increasingly common, including in relation to online disputes where online traders and customers explicitly agree on mediation.

Remedies

One particular advantage of resolving disputes through arbitration in the UAE is the availability of remedial measures (which are rarely granted by UAE national courts) such as injunctions, restitution, and specific performance, subject to meeting certain conditions as set out in the applicable governing law.

Advertising/Marketing

31. What rules apply to advertising goods/services online or through social media and mobile apps?
Online advertising (including on social media and mobile apps) is subject to various regulations including:
  • Administrative Decision No. 35/2012 On the Standards of Advertisements Content in the Media.
  • Federal Law No. 15 of 1980 regarding Publications and Publishing.
  • The Chairman of the Board's Resolution No. 23 of 2017 on Media Content.
  • The Cybercrime Law.
  • The Penal Code.
Based on the regulators' and the courts' position, we can confirm that the above regulations undoubtedly apply to digital content and advertising (even where the regulation does not explicitly say so).
These regulations include various conventional prohibitions and restrictions in relation to online content. For example, online content (including advertisements) inciting violence and terrorism, circulating false information, promoting child pornography and abusing women and children is strictly prohibited.
Other limitations specific to the UAE (and which may not be customary under other jurisdictions) include the prohibition on publishing:
  • Any content:
    • promoting alcohol, tobacco, and gambling games;
    • insulting religion and Islamic beliefs;
    • offending the regime and culture of the UAE, its figures and institutions.
  • Any content which contravenes public morals.
32. Are any types of services or products specifically regulated when advertised or sold online (for example, financial services or medications)?
In addition to the prohibitions and limitations set out in Question 31, certain types of services or products are subject to additional advertising requirements.
For example, any medication advertised online must be regulated by relevant authorities and certain health advertisements may be subject to the approval of the Ministry of Health.
As regards financial services, unlicensed financial products must not be advertised. In particular, the Cybercrime Law prohibits the advertising of cryptocurrencies unless they are recognised in the UAE and duly licensed by competent authorities.
33. Are there any rules or limitations relating to text messages or spam e-mails?
The TDRA has issued anti-spam policies in relation to unsolicited electronic communications, generally requiring advertisers to obtain consent before sending out text messages. Other requirements must be complied with (for example, providing the ability to unsubscribe, cut-off times and sender names). Failure to comply will subject the advertiser to hefty penalties. In other words, the UAE imposes an opt-in approach rather than an opt-out approach. This means that advertisers must obtain customers' consent before sending out any promotional SMS messages. Merely enabling customers to unsubscribe (without initially obtaining consent) is not sufficient. While the TDRA policies mostly relate to SMS advertisements, they likely apply to email advertisements as well.
34. Does your jurisdiction impose any language requirements on websites that target your jurisdiction or whose target market includes your jurisdiction?
Advertising standards provide that the language used in the advertisement must be classical Arabic or the local Emirati dialect.
Additionally, the Consumer Protection Law requires service providers to issue invoices in Arabic.
These language requirements are limited to advertisements and invoices. This does not necessarily mean that the whole website must be in Arabic. However, most websites with an Arab target audience provide for an Arabic version of the site. This is the recommended approach as most websites have a promotional aspect and may be deemed an advertisement (and therefore subject to the Arabic language requirement imposed by advertising standards).

Tax

35. Are sales concluded online subject to tax?
Sales concluded online in the UAE are subject to a value added tax (VAT) of 5% (as of January 2018).
36. Where and when must online companies register for value added tax (VAT) (or equivalent) and other taxes? Which country's VAT (or equivalent) rate applies?
The UAE Ministry of Finance is the regulatory body that supervises the collection of VAT and with whom online companies must register to obtain their tax registration number. They must also register with the UAE Federal Tax Authority.
Online companies must register and obtain a Tax Registration Number if their taxable supplies in the last 12 months exceed, or are expected to exceed in the next 30 days, AED375,000.

Protecting an Online Business and Users

Liability for Content Online

37. What restrictions are there on what content can be published on a website (for example, laws regarding copyright infringement, defamatory content or harmful content)?
The advertising restrictions set out in Question 31 and Question 32 also apply to online content in general.
In addition to these restrictions, there are certain intellectual property considerations in relation to online content. The Intellectual Property Law of 2022 provides a clearer framework in relation to digital content by including digital content (smart apps, databases and so on) under the types of works protected as copyright.
Consequently, websites must be cautious about third-party IP infringements and must refrain from posting any content belonging to third parties without obtaining the appropriate licences.
38. Who is liable for website content that breaches these restrictions (including, for example, illegal material or user-generated material that infringes copyright or other laws, such as the law of defamation)?
Under the Cybercrime Law, anyone who publishes illegal content or who facilitates its publication (for example, the platform/website) is subject to penalties that vary in severity depending on the violation. This means that websites are responsible for monitoring user-generated and advertising content to ensure that they do not expose themselves to any liability under applicable laws.
39. What legal information must a website operator provide?
Under the Consumer Protection Law, websites facilitating online purchases must have T&Cs governing their transactions.
With the introduction of the PDPL, websites must now have a privacy policy setting out at a minimum:
  • The purpose of the processing.
  • With whom personal data will be shared.
  • Protection measures used in the context of data transfers.
While there are no requirements on the inclusion of terms of use, these are commonly available on websites in line with international best practices, as they guarantee a certain level of protection in relation to content rules and intellectual property rights.
40. Who is liable for the content a website displays (including mistakes)?
Both the person who uploads the content (for example, users and advertisers) and the platform facilitating the publication of the content can be held liable under the Cybercrime Law (see Question 38).
41. Can an internet service provider (ISP) shut down (or be compelled to shut down) a website, remove content, or disable linking due to the website's content, without permission?
ISPs must monitor the distribution of illicit internet material and issue warnings about it. Where the illegal activity continues, the account can be disconnected. ISPs have an obligation to co-operate with various authorities including the TDRA to track and stop illicit material being circulated online.

Liability for Products/Services Supplied Online

42. Are there any specific liability rules applying to products or services supplied online?
There is no specific product liability legislation available in the UAE in relation to products sold online. Product liability is mainly covered under the Consumer Law and certain articles of the Civil Code and Penal Code, which apply to products supplied both online and offline.

Insurance

43. What types of insurance does an online business usually need?
There are no statutory obligations on online businesses to secure a specific type of insurance. However, depending on the volume of transactions concluded on the website and the personal data collected, many online businesses seek cybersecurity insurance to mitigate their risks in relation to unauthorised access to and breach of their network.

Reform

44. Are there any proposals to reform digital business law in your jurisdiction?
The UAE is undergoing the largest legal reform in many years. Other legal developments affecting digital business directly or indirectly are anticipated, particularly the awaited Executive Regulations of the Consumer Protection Law and the PDPL.

Contributor Profiles

Nadim Bardawil, Partner

BSA Ahmad Bin Hezeem & Associates LLP

Professional qualifications. Attorney, New York Bar
Areas of practice. TMT, technology, media, e-commerce, data privacy, Fintech, M&A.
Languages. English, French, Arabic

Hala Harb, Associate

BSA Ahmad Bin Hezeem & Associates LLP

Professional qualifications. Lawyer, UAE
Areas of practice. TMT, technology, media, e-commerce, data privacy, Fintech, M&A.
Languages. English, French, Arabic

Marina El Hachem, Associate

BSA Ahmad Bin Hezeem & Associates LLP

Professional qualifications. Lawyer, UAE
Areas of practice. TMT, technology, media, e-commerce, data privacy, Fintech, M&A.
Languages. English, French, Arabic