The French law governing the conduct of business online is set out in various statutory instruments (some of which are specific to online business, some of which apply to all business activities). The main applicable regulations are as follows:

Additional regulations may apply to specific sectors (for example, French Tourism Code which includes specific information obligations applicable to the online travel market).

All regulations in France must be adopted by the French Parliament. However, the Parliament can authorise the government to adopt legislation by ordinance. The Parliament then ratifies the ordinance once it has been published.

The French Government can also publish decrees and ministerial orders setting out the practical application of these legislative provisions.

In addition, French administrative bodies can issue binding recommendations and are entitled to control their application and issue sanctions if the legislation is not observed.

In particular, the French General Directorate for Competition Policy, Consumer Affairs and Fraud Control (Direction générale de la Concurrence, de la Consommation et de la Répression des Fraudes) (DGCCRF) handles all breaches of the consumer and anti-trust legislation. The DGCCRF also publishes non-binding advice and circulars in respect of the application of the relevant legislation.

Under the Data Protection Act, the French Data Protection Authority (Commission Nationale de l'Informatique et Libertés) (CNIL) is responsible for controlling compliance with data protection regulations. This administrative authority establishes and publishes simplified standards and recommends legislative and regulatory measures to the government.

The French Advertising Regulation Authority (Autorité de Régulation Professionnelle de la Publicité) (ARPP) is the advertising self-regulatory organisation in charge of maintaining standards concerning legal, honest and truthful advertising. It sets ethical standards and secures their proper implementation.

The French Competition Authority (Autorité de la Concurrence) is an independent institution overseeing competition and consumer matters, and is the arbiter of competition law in France. It establishes and publishes advice, recommendations, studies and binding decisions on competition issues, including for online businesses.

In addition, EU laws adopted by the European Parliament, the Council of the European Union or the European Commission are directly enforceable in France.

There are no mandatory legal requirements for setting up a business online. However, the following steps should be taken before launching a new business online.

The objects and operations of the contemplated business must be compliant with applicable legislation and regulations in France. In addition, the specific entity which will be responsible for operating the business must be identified. If the entity launching the website is a corporate entity, this entity must be incorporated.

A legal audit focusing on IP rights must also be conducted to verify that the individual/entity launching the online business owns all necessary IP rights and authorisations to create and operate its website.

The audit must also investigate whether there are specific data protection requirements applicable to any personal data which is to be collected by the business.

No specific registration is needed before launching a business online apart from the registration required to create the appropriate corporate body and any required for specific businesses such as travel agencies or for other regulated products)..

The following legal documents must be drafted and included on the website:

These legal documents must include all mandatory information that must legally be delivered to consumers under consumer, data protection and internet laws. They also have the purpose of setting the contractual rules between the users of the website and the operator/seller.

If personal data is collected by the online business, it must ensure compliance with the General Data Protection Regulation ((EU) 2016/679) (GDPR. under which notifications to the CNIL are no longer generally required, except in specific cases. The GDPR imposes several obligations, such as:

The operator of a new online business can generally expect to contract with the following parties:

The French law concerning improving a website's or app's accessibility for disabled people is set out in a number of different statutory instruments. The main applicable regulations concerning disabled people are as follows:

To make their sites and applications accessible to disabled people, companies should comply with one of the following two standards:

Under French Law, websites and apps aimed at children (including their design features) are strictly regulated by:

French law also regulates images of children on online video platforms (YouTube, TikTok, Instagram and so on) (Law No. 2020-1266 of 19 October 2020 aiming to regulate the commercial exploitation of images of children under 16 on online platforms).

To protect children against violent or pornographic online content, a French law in force since September 2022 aimed at strengthening parental control over online access, provides measures intended to facilitate the use of control devices by parents. Manufacturers must install such monitoring on devices connected to the internet (Decree No. 2022-1212 of 2 September 2022).

The main steps required are identical to the processes set out in Question 4. If the individual/entity procures the development of the app by a third party, it must ensure that it owns all necessary IP rights and authorisations to use and operate the app in accordance with its business needs.

If contracting with an app store is necessary, the T&Cs of the relevant app store must be clearly given to the consumer. The app store may require:

An agreement with a third-party payment services provider may also be necessary.

Electronic contracts are generally subject to the general contract formation rules including those in the Civil Code. The Civil Code includes provisions concerning the capacity of the parties, the validity of the parties' consent and the content of the contract (including the consideration).

Provisions of the Civil Code include the additional requirements for electronic contracts. In a B2B context, the parties can agree to deviate from these requirements.

The offer must include the following information:

In addition, the business or seller must acknowledge receipt of the order by electronic means without undue delay. The order, the confirmation of the acceptance and the acknowledgement of receipt are deemed to be received when the parties to whom they are addressed can access them.

The Consumer Code requires additional information in a business-to-customer (B2C) context. This covers in particular the:

Before placing an order, a button or similar function labelled (in an easily legible manner) with the words "order with obligation to pay" or a similar unambiguous indication that placing the order imposes an obligation to pay the seller.

The seller must provide the following information to consumers during the ordering process and not only in the terms of sale (ideally on the first page rather than at the end of the ordering process, but in any case before the purchase):

Other requirements applicable to certain online platform businesses for example:

There is no required format for concluding an electronic contract but in a B2C context the seller must provide the consumer with a durable medium, including all the information referred above (see above, Requirements), at the latest at the time of delivery.

A durable medium is any instrument which enables the consumer to store/print information in a way that is accessible for future reference and which allows for the information to be reproduced unchanged (for example, as a pdf or an email, including the mandatory information (in practice this is included in the terms of sale)). Under recent case law, a durable medium cannot be a mere hypertext link to a seller's website page.

Under click-wrap agreements, the user accepts the T&Cs before proceeding with the purchase by clicking on a button.

Under a browse-wrap agreement, the user is merely notified of the terms and told that by continuing to browse they are deemed to have accepted them.

In shrink-wrap agreements, the terms are presented on packaging, on tangible media, or during the download. The user, who cannot proceed with the installation unless they accept the terms, has generally not seen the terms before the purchase.

Consent requirements for such agreements depend on whether they are in a B2C or a B2B context.

In a B2C relationship, the consumer must receive the mandatory information on a durable medium. Therefore, any business practice consisting of making the information accessible to the consumer only via a hyperlink on a website does not meet the requirements of that provision, since that information is neither "given" by the undertaking nor "received" by the consumer.

Under the Omnibus Directive, the obligation to provide this information has been extended to digital contents or services, with new mandatory information added, for example, information on commercial guarantees (Ordinance 2021/1734).

Conversely, in a B2B relationship, the method of accepting the general T&Cs of a contract of sale by click-wrapping is deemed to constitute a communication by electronic means which provides a durable record of the agreement.

Aside from certain specific contracts, most contracts can be formed electronically. Those which cannot be formed electronically and must be signed by the parties before a notary as a matter of valid proof, include:

(Article 1175, Civil Code.)

In addition, the French Language Act provides that the use of the French language is mandatory for, among other things, product descriptions, instructions for use, invoices and receipts and guarantees, and for contracts concluded by public or private legal persons.

The general rules of the Civil Code on electronic contract formation apply to both B2C and B2B contracts (see Question 7). The Consumer Code also requires the seller to communicate the mandatory information when contracting with a consumer (see Question 7).

For more information in relation to governing law in an international context, see Question 29

French law imposes the following retention periods:

Personal data can only be retained in a form that allows the identification of the data subjects for no longer than is necessary for the purposes for which that data is obtained and processed. Thus, the retention period will also depend on the type of the personal data collected.

There is no governmental or official trusted site accreditation for websites available in France. To date, accreditations are only offered by private companies.

The remedies for breach of an electronic contract are identical to those available for breach of any other type of contract. Under French civil law, legal remedies are mainly invalidity, termination, unenforceability, specific performance and damages. Damages are only intended to cure the breach and punitive damages do not exist in French law.

Under Article 1367 of the Civil Code, an e-signature has the same evidentiary strength as a handwritten signature if the e-signature uses a reliable process of identification, ensuring that it is linked with the electronic document. A photocopy of a scanned document is not usually considered a reliable process for ensuring the authentication of the signatory.

However, French legal rules allow the following agreements to be evidenced by any means:

Moreover, a scanned signed or even unsigned document can still have some evidentiary value for all contracts. Under Article 1361 of the Civil Code, any written evidence (for example, a scanned signature, invoices, and so on) can be confirmed in front of a judge by complementary evidence to enforce an agreement (for example, emails, testimony and so on).

The Electronic Identification Regulation (Regulation (EU) 910/2014) as enacted by the EU applies in France.

Under the Civil Code, an e-signature constitutes a reliable means of identification which guarantees a link with the agreement to which it is attached. The simple e-signature is a signature which is not advanced or qualified, and it is defined as data in electronic form which is attached to, or logically associated with, other data in electronic form and which is used by the signatory to sign. The validity of a simple electronic signature must be demonstrated by its author.

An advanced electronic signature must meet the following requirements:

The validity of an advanced signature must also be evidenced by its author. However, given the requirements of an advanced electronic signature, proof will be easier to provide than would be the case with a simple electronic signature.

The qualified e-signature, which is an advanced signature that is created by a qualified electronic signature creation device, is based on a qualified certificate for electronic signatures.

To be considered as a presumed reliable e-signature, a qualified e-signature must meet the following conditions (Decree No. 2017-1416):

To fulfil those conditions, the qualified e-signature must, among other things:

The official list of entities delivering certified secured e-signatures is available at: https://www.entreprises.gouv.fr/files/files/directions_services/biens-double-usage/Liste-PSCe.pdf.

In a normal business context, having an e-signature system which is not presumed reliable is generally sufficient, as use of a presumed reliable signature is generally limited to specific cases and agreements.

The use of e-signatures in electronic contracts is increasing in France. For example, when a consumer buys a product on a website, they will receive a text message with a confidential number, allowing the completion of the transaction. This means that the signatory can be identified. This procedure is also applicable to employment contracts. However, these e-signatures are only signatures considered as having an evidential value but not as e-signatures recognised by law within the conditions set out above.

Due to the legal and technical requirements of e-signatures, e-signatures remain in the scope of regulated specific business activities where the evidential nature of the signature has a significant importance (such as notaries, lawyers, banking institutions).

As a result of the COVID-19 pandemic, Articles 20 and 20-1 of Decree No. 71-941 relating to deeds drawn up by notaries were amended to allow for a remote notarial power of attorney. As of 22 November 2020, notaries have been authorised to certify authentic powers of attorney without the physical presence of the parties.

Except for certain acts linked to French administration requiring a certain type of certified e-signature (public tenders, tax filings, and so on) there is no restriction on the use of e-signatures under French law.

The Data Protection Act governs the collection and use of personal data. It generally applies when:

The GDPR must also be applied. The GDPR applies to organisations which have EU "establishments", where personal data is processed "in the context of the activities" of the establishment. Non-EU established organisations are subject to the GDPR where they process personal data about EU data subjects in connection with:

Under the Data Protection Act, the law applies to the (automatic or non-automatic) processing of personal data that are, or can be, contained in a personal data filing system, with the exception of processing carried out for the exercise of exclusively private activities.

Personal data means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. To determine whether a person is identifiable, all methods that the data controller or any other person uses, or to which they can have access, must be taken into consideration. This means that data that cannot initially be considered as personal data (for example, localisation data) can become personal data if such data is paired with other data that can reveal the identity of the user.

This law also identifies special categories of sensitive personal data which consist of data relating to a natural person's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or to a natural person's genetic or biometric data, or data concerning their health, sexual life, or sexual orientation.

The GDPR provides an extensive list of information that must be provided to the data subject, including:

In addition, French law provides that users must be informed of their right to decide on what will happen to their data after their death.

Specific categories of personal data (such as sensitive data) cannot be collected unless specific legal conditions are met. For example, such data can be collected and processed with the express consent of the concerned person (simple acceptance of T&Cs by the user is not considered to be express consent).

Data must be obtained for specified, explicit and legitimate purposes, and cannot subsequently be processed in a manner that is incompatible with those purposes.

Storage of personal data is possible provided that the individual is informed of the data retention period and that such period is not excessive with respect to the purposes of the data processing.

There are no specific restrictions in relation to storing data in the cloud. However, if cloud services are provided by a provider acting as a data processor according to the GDPR, the data processing, including the storage of personal data, must be covered by a data processing agreement compliant with Article 28 of the GDPR concluded between the data controller and the cloud provider.

In addition, there is a "transfer" of personal data within the meaning of Article V of the GDPR if the data controller/data processor (the "exporter"):

Compliance with the GDPR requires the exporter to ensure, before any such transfer, that there are appropriate adequate safeguards in place, such as an adequacy decision from the European Commission or the conclusion of standard contractual clauses established by the European Commission.

Self-certification mechanisms such as the Privacy Shield mechanism have been held invalid. Following the "Schrems II decision" of the Court of Justice of the European Union (CJEU), data exporters are required to perform for each transfer of personal data to a non-EEA/UK country, a transfer impact assessment evaluating whether the legislation in the third country might prevent the non-EU data importer from complying with GDPR requirements.

See also Data Protection in the EU: Overview.

Generally speaking, only a judge can compel an internet, hosting or content provider to disclose personal data. However, some French laws authorise government bodies to compel disclosure of personal data for certain purposes (such as national security, terrorism, national business intelligence, mass and organised crime). In such situations, the government must first access metadata not identifying a person, and only if a threat is discovered can the authorities then decide, after consulting a governmental agency, to identify the person linked to that metadata.

The EU Data Act Regulation proposal adopted on 23 February 2022 aims at implementing safeguards against unlawful access to non-personal data in the cloud by third country governments.

The main laws and regulations regarding the use of cookies and tracking technologies are the following:

The use and installation of cookies or other tracking technologies is allowed but requires obtaining users' prior freely given, specific, informed and unambiguous consent before cookies can be placed or stored in users' terminal equipment (Article 32-II, Data Protection Act).

This prior consent does not apply to cookies that are:

Regarding cookies and/or trackers used to measure traffic or test different versions of the site or application, the CNIL guidelines provide that the purpose of the system measuring traffic, to be exempted from consent, must be limited to:

The personal data collected must not be cross-referenced with other processing operations (customer data or statistics on visits to other sites, for example) or provided to third parties. The use of trackers must also be strictly limited to the production of anonymous statistics. The scope of such a system must be limited to a single website or mobile application publisher and must not allow the tracking of the website user’s browsing on other websites or mobile applications.

Under the CNIL's guidance, for the consent to be valid; it must fulfil the following conditions:

Individuals must be provided with effective means to opt-out of cookies and must be able to object to the use of cookies as easily as they have given consent to the use of cookies. The interface for collecting consent should include not only an "accept all" button but also a "refuse all" button.

The CNIL suggests that websites which generally retain consent to trackers for a certain period, should also retain the user's refusal for a certain period, so that the user is not asked again each time they visit.

In addition, to ensure that the user is fully aware of the scope of their consent, the CNIL recommends that, when tracking devices are used on sites other than the one visited, consent should be obtained from each of the sites affected by the tracking.

The above rules apply regardless of the type of terminal used to access the website.

The following measures can be adopted to guarantee the security of internet transactions:

The French Ministry of Economy also recommends using two-factor authentication.

Under Article 32 of the GDPR, the controller and the processor must implement adequate security measures to ensure a level of security appropriate to the risk. Such measures may include:

The controller must implement security measures to ensure the security of personal data (Article 34, Data Protection Act). All credit card numbers that are stored by an e-commerce operator must be encrypted using "strong" encryption , which means that only the editor of the e-commerce site can decrypt the numbers.

In practice, e-commerce providers use a third-party payment service provider accredited by the PCI-DSS standard to ensure that their internet transactions are secure and encrypted.

Regulations on electronic payments including anti-money laundering obligations and statutory notifications exist in France but they do not directly concern parties in e-commerce transactions. They are only applicable to payment services providers or financial institutions. Regulations generally require e-commerce providers to guarantee the security of internet transactions (see Question 19).

However, the only obligation for an e-commerce trader is to use an IT solution accredited in France to receive payment and to accept French credit and debit cards (cartes bancaires). This is usually done by a service contract negotiated with the bank of the provider. Another solution is to use a third-party provider to receive payments on the website. In this situation, it is highly recommended to use a third-party provider accredited under the PCI-DSS standard.

The Law of 16 July 1949 (see Question 1) prohibits any content that presents a risk for young people being contained in a publication aimed at children, which includes any of the following:

A website aimed at children must not include any advertisement likely to "demoralise" youths or children.

The contract formation legislation (which provides that a minor can only be made liable for daily life purchases and further provides certain publicity rules which prevent any advertisements for alcohol or any other illegal or immoral products) also applies.

Under the GDPR, children under the age of 13 cannot by themselves give consent to the processing of their personal data in relation to online services. Under French law, processing personal data of children under the age of 15 is lawful to the extent that the consent is given jointly by the minor concerned and those holding parental authority over them (see Article 45 of the Data Protection Act).

Digital advertising communications, in whatever form, must comply with the International Chamber of Commerce's and the ARPP's ethical rules that specifically apply to children and adolescents. For example:

In addition, the DSA creates an obligation for online platforms accessible by minors to take appropriate measures to ensure a high level of privacy, safety, and security for minors (see also Question 38).

There is generally no law specifically protecting companies reselling or marketing online digital content, services or software licences provided by a supplier outside the jurisdiction.

There is generally no prohibition on linking or framing a third-party website, provided third-party intellectual property (IP) rights are not infringed.

In this respect, the position in France on linking reflects the jurisprudence of the CJEU (Svensson C-466/12; BestWater International C-348/13). Such practices are possible if the the content:

Any technical measures that prevent users from extracting or framing content are sufficient to preclude linking to a third-party website. Traders must also review the terms of use of the third-party website for restrictions.

The use of metatags or advertising keywords is limited in application by the standard principles set out in the Civil Code and the Intellectual Property Code, and by French case law. The standard principles limiting the use of metatags and the advertising keywords are as follows:

There are no specific regulations regarding the licensing of domain names (provided they comply with IP rights and were not registered in bad faith ). Any licence required can be negotiated between the registrant and the relevant party.

Domain names must be registered with the relevant registry and according to the general charter of the French registrar (Association française pour le nommage Internet en coopération) (AFNIC), a natural person or corporate entity residing or established in the EU or in Iceland, Liechtenstein, Norway, or Switzerland can register a domain name with the ".fr" extension.

Domain names do not have specific protection under the Intellectual Property Code but are still taken into consideration and protected by French case law.

For example, the courts consider that is not possible to register a trade mark that is identical to an existing domain name which is in regular use by its owner. However, the domain name registrant wishing to oppose the registration must demonstrate a risk of confusion between the domain name and the new trade mark. To be protected, the domain name must be known within the entire French territory.

French case law also prohibits the registration of a domain name which "counterfeits" an existing trade mark or commercial name, and outlaws cybersquatting or typo-squatting.

The same rationale applicable to domain names also applies to business name registrations. As such, it is not possible to register a business name which has already been registered in respect of businesses engaging in the same type of activity. The existence of a trade mark identical or similar to the contemplated business name should also be taken into consideration.

The registration of a business name is made at the competent Commercial Registry (designated by city) at the same time as the incorporation of the company. At this stage, an availability check can be performed on the proposed business name. It is possible to change the business name at a future date.

B2B agreements. Within the European context, under Article 5 of Regulation (EC) 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels I Regulation), the applicable jurisdiction for internet transactions is the jurisdiction in which the obligation is performed:

However, the parties are always free to choose another jurisdiction to govern their internet transactions. In an international context, French private international law rules apply in the absence of a specific international convention or specific agreement between the parties.

B2C agreements. Despite any choice of jurisdiction made by the parties, a consumer can always bring proceedings either in the courts of the member state in which the other party is domiciled or the courts where the consumer is domiciled (Article 16, Brussels I Regulation). If the agreement contains a choice of jurisdiction provision, this ability must be mentioned in this provision.

B2B agreements. Under Article 10 of Regulation 593/2008/EC on the law applicable to contractual obligations (Rome I), the existence and validity of a contract are determined according to the governing law stated in the contract.

The parties are free to choose the law which will govern their international contract. In the event that the parties do not designate which law governs the contract, the applicable law is determined in accordance with rules set out in Rome I (in particular, the procedure set out under Article 4).

B2C agreements. The decision on governing law is different in the case of B2C agreements. Under Article 6 of Rome I, the governing law in a B2C contract is the law of the country where the consumer has their habitual residence, provided that the seller directed their activity to that country. The parties are free to specify a different governing law in the contract, but the consumer will have the benefit of the provisions of their national legislation in the event that these are more favourable than the provisions of the chosen governing law and this option must be mentioned in the contractual provision, if applicable.

Under French consumer law, businesses must set up their own consumer mediation system or offer the consumer recourse to any other suitably qualified consumer mediator (Article 612-1, Consumer Code).

The Federation of E-commerce and Distance Selling (Fédération des Entreprises de Vente a Distance) (FEVAD) is the specific e-commerce ombudsman which deals with consumers' conflicts with online traders. However, the ombudsman merely provides a mediation procedure that allows parties to reach an agreement regarding the dispute. The powers of FEVAD are limited to providing advice based on the principles of the FEVAD charter. The ombudsman has no specific powers to award remedies as would be possible in arbitration proceedings. In any case, in ADR, the parties negotiate and establish the remedies.

The ADR Directive modifying the existing e-commerce Ombudsman procedure was implemented in 2015. It introduced a sectorial Ombudsman, imposed qualification requirements and conditions for the trader to have its own Ombudsman, and levied a fine for the failure by traders to make an ADR procedure available to consumers.

Under the Online Dispute Regulation ((EU) 524/2013) (ODR Regulation), consumers have access to ODR for resolving their contractual disputes with traders. A web-based platform has been developed by the European Commission (https://webgate.ec.europa.eu/odr/main/?event=main.home.show&=false) and has been available since 15 February 2016.

Businesses established in the EU that sell goods or services to consumers online must comply with the ADR/ODR legislation. Online traders that commit or are obliged to use ADR/ODR must inform consumers of the dispute resolution body by which they are covered. They should do this on their websites and in the general T&Cs of sales or service contracts. They must provide a link from their website to the ODR platform.

To signpost the ODR platform, traders can use web-banners available on the EU website (http://europa.eu/youreurope/promo/odr-banners/index_en.htm).

Under French law, in alternative dispute resolution, the parties negotiate and establish the remedies. However, the Code of Civil Procedure provides for two possible remedies against the arbitral award: appeal and annulment. The Council of State has also held that a right of appeal is automatically open with regard to arbitral awards made in administrative matters.

Commercial practices and advertising are generally permitted as long as they do not constitute an unfair commercial practice under French law.

The main legal provisions relating to advertising in France are the provisions of the Consumer Code on misleading and aggressive commercial practices (identically implementing the Unfair Commercial Practices Directive (2005/29/EC).

Under the Unfair Commercial Practices Directive, an unfair commercial practice is a practice contrary to the requirements of professional diligence that materially distorts the economic behaviour of the average consumer. The Directive distinguishes two categories of unfair commercial practices:

Annex 1 of the Unfair Commercial Practices Directive sets out a further 31 misleading and aggressive practices which have been deemed to be unfair in all circumstances.

Recommendations of the DGCCRF as well as non-binding recommendations of the Advertising Regulatory Authority (ARPP) must also be observed to ensure compliance with French regulations and avoid liability for unfair commercial practices.

Provided that online sales promotions are not deemed to be an unfair commercial practice, there are no specific restrictions on launching a promotion online to the extent the communication on these promotions fulfils new rules set up by Ordinance 2021/1734 (see article Art. L. 112-1-1.-I. of the Consumer Code, requiring businesses to communicate the previous price charged within the last 30 days in case of announced promotions).

Price comparisons are permitted under the Consumer Code. However, the laws on comparative advertising must also be respected. According to Article L.122-1 of the Consumer Code, a comparative advertisement is only lawful if:

There are prohibitions relating to the advertising of certain kinds of products, for example, cigarettes or alcohol. There are also strict regulatory rules for advertising products such as medication, e-cigarettes or financial services. While the prohibitions are set out in the legislation, enforcement of the advertising rules is the DGCCRF's responsibility.

To sell products or services which are covered by regulatory rules and authorisations (including for example, medication, financial services and casino and paid for lottery games and gambling), accreditation from the relevant French governmental agency (or a professional chamber) must be obtained.

Under French law, direct marketing is defined as the sending of messages intended to promote, directly or indirectly, goods, services or the image of a person that sells goods or provides services (Article L34-5, Postal and Electronic Communications Code).

Under Article L34-5, direct marketing by email is prohibited, unless the recipient of the email has given its free, informed and specific consent to receive such emails.

However, this article also provides some specific exceptions to the principle of requiring prior consent. One of these exceptions applies when a company can send emails, including direct marketing content, without prior consent of the recipients, if these recipients are already some of its customers, if the email's content relates to products and services similar to those already offered by the company and if the recipients have been informed of such sending.

In any case, the recipient of marketing communication must be given means to object to direct marketing emails.

Any information directed to French consumers must be translated into French, under the French Language Act.

Value added tax (VAT) and other usual sales taxes apply to sales concluded online.

The Foreign Company Tax Service (Service des impôts des entreprises étrangères) (SIEE) is the tax ministerial service responsible for registering foreign companies. Companies must register before concluding sales online.

French companies are usually registered for VAT and tax administration services at the time of incorporation.

Under French Law, online content is strictly regulated and controlled. There are specific provisions that contain restrictions on what content can be published on a website:

In addition, under French law, further restrictions may apply to specific sectors and/or for specific persons (for example, for children, certain content (such as pornographic content) is prohibited).

In the case of illegal, harmful, defamatory, or counterfeiting content there are two different liability regimes, depending on whether content is published by a publisher or hosted by a host:

The mandatory legal information that must be included on the website is the following:

(Article 6, Law on confidence on digital economy (Loi pour la Confiance dans l’Economie Numérique) (LCEN).)

The following additional information is required for consumer-facing websites:

(Article 19, LCEN.)

In a B2B context, the T&Cs or terms of use of a website are sufficient to limit any liability in the case of mistake of the retailer on the site.

In a B2C context, liability clauses are generally considered as unfair and the website operator remains liable for any mistake on the website. The only exemption from liability for mistake is in the case of a gross mistake which can be recognised by anyone (for example, a common product with an average value of EUR10,000 priced on the website at EUR100).

An ISP has no obligation to:

However, an ISP must implement an easily accessible system which enables website users to alert the ISP to instances of offences and crimes being committed on a website. Offences of particular concern include crimes against humanity, incitement to racial hatred, child pornography and offences against freedom of the press. An ISP must promptly inform the competent public authorities of any of these illegal activities performed by the users of their services of which they are alerted.

An ISP can neither block or shut down a website nor remove content without a court or administrative order to do so (for example, the French Regulatory Authority for Audio-visual and Digital Communication (Autorité de régulation de la communication audiovisuelle et numérique) (Arcom) can order the blocking of illegal streaming websites under Law No. 2021-1382 of 25 October 2021). The injunction to shut down the website can only be issued if the editor or the hosting provider is not identifiable or competent.

Once the court has issued this order, it is immediately enforceable. After it is issued, it is the ISP's responsibility to shut down the website containing contentious information.

All services supplied online must generally be in accordance with the applicable legislation and may incur liability if any supplied service is unlawful. However, under the French online liability regime, the nature of the publisher or host of the website responsible for the unlawful content or service is a key element in assessing the liability of the relevant actors.

For example, the sale of counterfeiting goods is prohibited. If a counterfeit product is sold on an auction site, it is necessary to determine whether the website can be qualified as a publisher or a host (see Question 38). In accordance with European case law (CJEU, 12 July 2011, C-324/09), if the operator has not played an active role, it will be qualified as a host and will benefit from the mitigated liability attaching to hosts. Conversely, if the operator provides assistance to the seller which entails, in particular, optimising the presentation of the offers in question or promoting them, they play an active role and is considered to be a publisher. In addition, a host can be found liable if it does not prevent access to, or remove a website in breach, after a proper administrative injunction as provided under Article L. 521-3-1 of the Consumer Code.

Using spiders, bots and crawlers is in principle lawful if precautions are taken to ensure that they do not affect the rights of third parties. For example, comparison websites must make sure that they do not breach the terms of use and conditions from the crawled websites (ECJ, 15 January 2015, C-30/14, Ryan Air Ltd/PR Aviation). In addition, if a significant amount of data is extracted and reused, crawled websites may have a valid action based on the sui generis protection of database rights. When the data processed is personal, data protection rules and regulations must be respected.

Online businesses can obtain the same insurance policies as other businesses (in particular, insurance for professional civil liability).

However, most insurers for professional civil liability also offer specific e-commerce insurance. An insurance broker can be consulted before launching an online website to assess the most appropriate insurance, depending on the activities at stake.

The Platform to Business Regulation which entered into force in July 2019 (supplemented by the European Commission guidelines of 7 December 2020) was implemented in France by Act No. 2020-1508.

This Regulation sets out rules to ensure greater fairness and transparency in contractual relationships between platforms and businesses using such platforms, and provides (among others) specific provisions to be included in their T&Cs. In particular, it contains provisions regarding modification and termination of the agreement and also new transparency obligations with regard to offers ranking and differentiated treatment.

The Digital Content and Digital Services Directive was implemented in France by Ordinance No. 2021-1247 on the legal guarantee of conformity for goods, digital content and digital services, which creates obligations for professionals who market digital goods and services.

This Ordinance provides new rules on digital services and content and in particular broadens the notion of consideration by including the provision of personal data by consumers when signing in as counterparty and including a conformity requirement of the digital service or content.

Professionals must provide their customers with additional information before contracting, including warranties, technical specification, interoperability, and updating.

This new regulation also contains specific rules on the unilateral modification of the digital service or content by the seller.

The revised Audiovisual Media Services Directive was transposed into French law by Order No. 2020-1642.

The DSA entered into force on 16 November 2022 and will be effective on 17 February 2024 for most businesses. The new regulation creates new obligations for intermediary services (caching services, hosting services and online platforms) to transform the internet into a safer space for users in Europe.

For example, intermediary services must now provide transparent information on content moderation and their procedure for handling complaints, enhanced protective measures for minor users, and publish mandatory annual reports on illegal content. The regulation will apply earlier with additional obligations for Very Large Online Platforms and Search Engines (those with an average monthly base of 45 million or more EU users).

In addition, France has already implemented some of the obligations regarding large platforms with the Law No. 2021-1109 reinforcing respect for the principles of the Republic. In particular,:

The DMA was enacted on 14 September 2022 and will be effective on 2nd May 2023. The DMA will submit large online platforms, which qualify as market "gatekeepers", to specific obligations on content moderation, transparency and accountability. In particular, gatekeepers: