Digital Business in Hong Kong: Overview | Practical Law

A Q&A guide to digital business in Hong Kong.

Practical Law Country Q&A 6-622-8758 (Approx. 22 pages)

by Wilfred Ng, Michelle Chan and Olivia Cheng, Bird & Bird
Law stated as at 01 May 2023
Hong Kong - PRC
The Q&A gives a high-level overview of matters relating to: regulations and regulatory, legislative and industry bodies for doing business online; setting up an online business; running a business online, including electronic contracts and e-signatures; implications of running a business online, including data protection, privacy protection and cybersecurity; rules relating to linking, framing, caching, spidering and metatags; jurisdiction and governing law; domain names; advertising and marketing; tax; protecting an online business and users; insurance; and proposals for reform.

Regulatory Overview

1. What regulations apply for doing business online (for business-to-business and business-to-consumer)?
There are no specific laws governing the online conduct of business activities. However, there are several laws that regulate general commercial practices and are therefore relevant to online business activities. These laws include the:
  • Trade Descriptions Ordinance (Cap. 362) (TDO), that prohibits unfair practices conducted by businesses, including misleading actions or omissions, aggressive commercial practices and bait advertising.
  • Unconscionable Contracts Ordinance (Cap. 458) (UCO), that provides consumer protection in contracts for supply of services or sale of goods that are unconscionable. Such contracts can be set aside, altered or partially enforced by the court.
  • Consumer Goods Safety Ordinance (Cap. 456) (CGSO), that provides that consumer goods must comply with approved and general safety standards or specifications.
  • Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), that regulates the use and processing of personal data, including online processing or collection of personal data and direct marketing activities.
  • Unsolicited Electronic Messages Ordinance (Cap. 593) (UEMO), that regulates the sending of unsolicited electronic messages for promotional or marketing purposes, including by voice, text, image or video message, fax or email.
  • Electronic Transaction Ordinance (Cap. 553) (ETO), that recognises electronic records as having legal effect and regulates the use of electronic and digital signatures.
  • Payment Systems and Stored Value Facilities Ordinance (Cap. 584) (PSSVFO), that regulates stored value facilities and retail payment systems and is applicable to digital and electronic payment services.
  • Misrepresentation Ordinance (Cap. 284) (MO), that provides for statutory remedies relating to fraudulent, negligent, and innocent misrepresentation.
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?
Ordinances are generally passed by the legislature of Hong Kong (Legislative Council).
Some ordinances also authorise specific government departments to publish subsidiary regulations to give effect to the provisions of the main ordinances. For example, the Secretary for Commerce and Economic Development can amend the scope of exempted persons or products under the TDO and can make regulations for safety standards for consumer goods under the CGSO.
For financial services institutions seeking to carry out regulated activities through the use of financial technology, the Securities and Futures Commission (SFC), the Hong Kong Monetary Authority (HKMA) and the Insurance Authority have each launched their respective regulatory "sandbox" initiative. This means that qualified firms can launch pilot schemes to a limited number of participating customers under close supervision by regulators in a confined regulatory environment before rolling out to a wider public. Where the initiative concerns a cross-sector Fintech product, the qualified firm need only apply to the regulatory sandbox it considers most relevant. This will enable it to gain concurrent access to multiple regulators through a single point of entry.

Setting up a Business Online

3. What steps must a company take to set up an existing/new business online?

Local Presence

Businesses should first consider whether to set up a local presence, for example a Hong Kong subsidiary company or registered non-Hong Kong company. However, there is no legal requirement that a company must first set up a presence in Hong Kong for its online business before the services and products to which the online business relates can be provided to people or businesses.
If the business wants a presence in Hong Kong and sets up a Hong Kong entity, it usually takes the form of a limited liability company that can be established by either:
  • Setting up a new company (which takes six to eight working days).
  • Acquiring a shelf company for immediate use (which takes three to four working days).
It is fairly straightforward to establish a subsidiary company in Hong Kong. The key legal requirements are:
  • There is no minimum capital subscription.
  • A company can be established with HKD1 issued share capital.
  • There is no residency requirement for the directors of a subsidiary.
  • It must have a company secretary and at least one director who is a natural person (that is, an individual).
  • If the company will only have one director:
    • the sole director must not also be the company secretary; and
    • the company secretary must not be a body corporate if the sole director of the body corporate and the company is the same person.
  • If the company secretary is a natural person, they must ordinarily reside in Hong Kong. If the company secretary is a body corporate, the address of its registered or principal office must be in Hong Kong.
  • Shareholders' meetings must take place annually (though written resolutions can be signed instead of holding physical meetings).
  • Company accounts must be prepared and audited annually. They are submitted to the tax authorities and are not filed in any public register.
  • For company name requirements see Question 26.

Specific Operating Permits

The company must determine if the proposed online business needs specific operating permits or approvals, for example a:
  • Telecom licence.
  • Payment related licence, for example, a stored-value facility licence or a money service operator licence.

Developing a New Website or Using an Existing Website

A new business can engage a website developer and internet service provider to develop and host the website (see Question 4). However, an existing business can consider localising its existing website to ensure compliance with Hong Kong law if the website is hosted in Hong Kong. The website must include:
  • A set of terms of use for the website itself.
  • A privacy policy section.
  • The relevant terms of sales or supply of service.
4. What types of parties can an online business expect to contract with?
An online business usually contracts with the following third parties:
  • Domain name registrar: a domain name registration agreement sets out the terms to use a domain name granted by the domain name registrant (see Questions 24 to 26).
  • Website developer: a website development agreement should address the:
    • online business' requirements for the performance, functionality, security and visual design of the website;
    • maintenance obligations; and
    • ownership of intellectual property rights (IPRs), for example, in the design of the web pages and underlying software.
  • Internet service provider: a website hosting agreement should address the:
    • uploading, storage, security, maintenance and support of the website;
    • specification of the server; and
    • service levels or minimum availability requirements of the hosting services.
  • Content providers: if the business is not the owner of the content on its website, it should always obtain the appropriate licences from third parties. The business should also incorporate these licence obligations in the website's terms of use with end users. Generally, content licences should cover the:
    • scope and term of use for the content;
    • right to alter the content; and
    • updates of the content.
  • End users: the website should always include terms and conditions under which the end users can use and access the content of the website, and these should also include a privacy policy and (where applicable) terms of sale and service.
5. Is there any law or guidance that might affect the design of the website or app (for example, relating to access by disabled people or children)?

Website Accessibility

The Disability Discrimination Ordinance (Cap 487) has created a legal duty for organisations to ensure their services are available to everyone regardless of disability. This principle is applicable to information and services provided through websites.

Children's Access to Websites

The Privacy Commissioner (the enforcement body of the PDPO) has published a leaflet on "Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children" which sets out best practices for data users who interact with children (that is, a person under the age of 18) via the internet, including:
  • Avoiding (instead of just limiting) the collection of personal data.
  • Ensuring that children know, before taking part in any forum discussion:
    • who else may join the forums and have access to all the discussions;
    • whether the forums are monitored/moderated by the data users; and
    • whether discussions can take place among a specific group of users.
  • Offering deletion and editing of posts so that children have a chance to change their minds or alter the content after posting.
  • Offering a readily accessible and user-friendly means for account holders to remove the account and all associated data collected by the data users if an online platform requires children to create accounts before using its services.
  • Encouraging children to involve their parents or teachers when collecting personal data from them.
  • Ensuring that children are well informed of their rights and offering them an easy and online way to completely remove personal data they have supplied to the data users or disclosed on such platforms.
For specific rules or guidance applicable to websites aimed at (or that might be accessed by) children, see Question 22.
6. What are the procedures for developing and distributing an app?
Businesses generally enter into app development agreements with software companies (app developers). Agreements should include the necessary software and content licences required to develop or distribute the app. They should also include details on the ownership of IPRs in any newly created or modified content or software.
Generally, businesses distribute apps through app store providers (for example, Apple, Google and Microsoft, which are the largest app store providers and whose agreements are publicly available on their websites). Businesses enter into end user licence agreements that provide the terms and conditions that end users must accept to download and use apps. Businesses also enter into agreements with providers of third-party payment services for distribution of apps and services provided by businesses to end users and customers.

Running a Business Online

Electronic Contracts

7. Is it possible to form a contract electronically? Are there any limitations?
Hong Kong law recognises most contracts that are formed electronically.
However, there are exceptions for certain types of contracts listed under Schedule 1 to the ETO. For example, deeds or documents relating to land charges under the Conveyancing and Property Ordinance (Cap. 219) must be executed with a handwritten signature and must not be stored in electronic form.
To form a valid electronic contract, the following elements are required:
  • Offer.
  • Acceptance.
  • Consideration.
  • Intention to create legal relations.
When contracting online, businesses should particularly consider offer and acceptance and the incorporation of terms.

Offer and Acceptance

For a business to have control over the terms of the contract, a website's terms and conditions usually state that:
  • By completing an online form or order the customer is making an offer.
  • When the business receives the order it will communicate its acceptance of the customer's offer (for example, by sending an email confirmation, displaying an acknowledgement on its website or by delivering the goods ordered).

Incorporation of Terms

The terms of the contract must be sufficiently brought to the attention of the customer before the contract is made. If not, the standard terms of the business will not be successfully incorporated into the contract. In practice, the most effective way is to design the website so that the customer must scroll down to the bottom of the entire set of terms and conditions on-screen and click an "I accept" button (or similar) before they can complete the order.

Consideration and Intention to Create Legal Relations

Generally, consideration is evident for most online contracts. It arises either when goods or services are supplied in exchange for a customer's payment, or when a customer accepts the terms of use in exchange for access to the website or software (if access is free).
In addition, the intention to create legal relations is normally presumed for most online contracts due to the commercial nature of these transactions.

Click-Wrap, Browse-Wrap and Shrink-Wrap Contracts

To the extent that any click-wrap, browse-wrap, and shrink-wrap contracts have the four elements outlined above, these contracts are legally enforceable.

Excluded Contracts

The ETO does not apply to certain contracts, for example, assignments of interests in land. These contracts cannot be validly formed electronically and must be prepared and executed in the traditional paper-based manner.
8. What laws govern contracting on the internet?

Business-to-Business (B2B) Contracts

There are no specific statutory provisions regulating online contracting activities. Businesses should therefore generally comply with general contract law and all relevant statutory requirements that could apply to online contracting. The ordinances that are applicable include the:
  • ETO.
  • MO.
  • Sale of Goods Ordinance (Cap. 26) (SGO).
  • Supply of Services Implied Terms Ordinance (Cap. 457).
  • Control of Exemption Clauses Ordinance (Cap. 71) (CECO).

Consumer Contracts

Businesses supplying goods or services online must comply with the law applicable to B2B contracts (some of which cannot be excluded when dealing with consumers, for example certain implied warranties set out in the SGO). They must also comply with additional consumer-specific statutory control, in particular under the UCO and certain provisions in the CECO. If the court regards a contract or any part of the contract as unconscionable at the time the contract was made, the court can:
  • Refuse to enforce the contract.
  • Enforce the remainder of the contract without the unconscionable part.
  • Alter any unconscionable part.
(Section 5, UCO.)
When determining whether a contract or a part of it is unconscionable the court considers, among other things, the relative bargaining positions of the consumer and the business at the time when the contract was made and whether the terms and conditions were sufficiently drawn to the consumer's attention (section 6, UCO).
9. Are there any data retention requirements in relation to personal data collected and processed through electronic contracting?
A data user should not keep any personal data longer than is necessary for the fulfilment of the purpose for which the data is used (Data Protection Principle 2, Schedule 1, PDPO). There is no specific retention period prescribed in the PDPO itself.
10. Are there any trusted site accreditations available to confirm that the website has complied with minimum cybersecurity standards?
There are no official government accreditations for websites. However, some accreditations may be of interest to website providers, for example:
  • e-Cert, which is a digital certificate issued by the Hong Kong Post Office and other certification authorities recognised by the Government Chief Information Officer under the ETO. This is for secure online identification and supporting the validity of digital signatures (see Question 12).
  • ISO/IEC 27001, which is the international standard for information security management that is adopted by a number of IT service providers in Hong Kong.
11. What remedies are available for breach of an electronic contract?
Remedies available for breach of an electronic contract are the same as the remedies available for breach of any other type of valid contract, for example a claim for damages or seeking a court order for specific performance.

E-Signatures

12. Does the law recognise e-signatures or digital signatures?

Applicable Legislation and Use

E-signatures are recognised and the use of electronic signatures is governed by the ETO.

Definition of E-Signatures/Digital Signatures

An electronic signature consists of any letters, characters, numbers or other symbols in digital form attached to, or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record (section 2, ETO).
The ETO also recognises digital signatures as a form of electronic signature. In relation to an electronic record, a digital signature is an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function, such that a person having the initial untransformed electronic record and the signer's public key can determine both:
  • Whether the transformation was generated using the private key that corresponds to the signer's public key.
  • Whether the initial electronic record has been altered since the transformation was generated.
(Section 2, ETO.)

Application of Electronic Signatures and Digital Signatures

For transactions where all parties are non-governmental entities, signatories can agree to use electronic signatures or digital signatures.
For transactions that involve government entities, signatories must use digital signatures (supported by a recognised certificate issued by a certification authority).

Format of E-Signatures/Digital Signatures

An electronic signature is valid where:
  • The signatory attaches or associates the electronic signature with an electronic record for the purpose of identification and indicating the authentication or approval of the information in the electronic record.
  • Any method used by the signatory is reliable, and is appropriate, for the purpose for which the information contained in the document is communicated.
  • The person to whom the signature is given consents to the use of such method.
(Section 6, ETO.)
13. Are there any limitations on the use of e-signatures or digital signatures?
Electronic signatures are recognised for the purpose of most contracts. However, there are certain exceptions that require handwritten signatures including:
  • Testamentary documents.
  • Certain trust documents.
  • Documents concerning land and property transactions.
  • Powers of attorney.
(Schedule 1, ETO.)

Implications of Running a Business Online

Data Protection

14. Are there any laws regulating the collection or use of personal data? To whom do the data protection laws apply?
The collection or use of personal data is regulated by the PDPO. The PDPO applies to data users in the public and private sectors. A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data (section 2, PDPO).
15. How does the law define personal data or personal information?
The PDPO regulates "personal data", which means any data relating directly or indirectly to a living individual. It must be possible to directly or indirectly ascertain the individual's identity from the data. The data must also be in a form that makes access to or processing of the data practicable (section 2, PDPO).
For activities conducted by online businesses, "personal data" (for PDPO purposes) is likely to be either:
  • Information held or intended to be held in a computerised system.
  • Information held in non-automated records that are structured to enable access to information relating to living individuals.
16. Are there any limitations on collecting, storing or using personal data?
The PDPO prohibits the collection and use of personal data unless proper notification is given to the individual (Data Protection Principle 1, Schedule 1, PDPO). Notification must include:
  • The purpose of processing.
  • The classes of persons to whom data is transferred.
  • Whether it is obligatory or voluntary for the person to supply the data.
Personal data must be collected by lawful and fair means, for a purpose directly related to a function or activity of the data user, and the data collected should be necessary and not excessive (Data Protection Principle 1, Schedule 1, PDPO).
There are no specific limitations on the storage of personal data in the cloud under the PDPO. However, if businesses engage data processors to undertake data processing (which could cover cloud storage), they must ensure that the data processors comply with certain obligations (for example, not to keep personal data longer than necessary and to prevent unauthorised access or loss (Data Protection Principle 2, Schedule 1, PDPO)).
Online businesses that operate in a sector or industry subject to additional regulatory control on outsourcing (for example, insurance and banking), and that engage cloud service providers for storage purposes, trigger additional regulatory requirements. These include the requirement that the cloud storage arrangement is vetted by the relevant regulator, or that the regulator is notified of any material outsourcing arrangements. The regulator can be, for example, the Hong Kong Monetary Authority if the online business is conducted by an authorised institution.
17. Can government bodies access or compel disclosure of personal data in certain circumstances?
Several public authorities and regulators have powers to access or compel disclosure of information (including personal data), for example the:
  • Privacy Commissioner can:
    • be provided with any information or document from persons that they think fit for the purposes of any investigation (section 43, PDPO); and
    • exercise its enforcement powers in relation to revealing personal information (doxxing) or related offences, including requiring a person to provide relevant materials and answer relevant questions to assist an investigation (section 66D, PDPO) and applying for a court warrant to access electronic devices if there is reasonable suspicion that an offence has been, is being or is about to be committed and relevant material or evidence is contained in the device (section 66G, PDPO).
  • Inland Revenue Department can request information on any employee from an employer, for example, place of residence or full amount of remuneration (section 52(2), Inland Revenue Ordinance (Cap. 112) (IRO)).
  • Customs and Excise Department, Hong Kong Police Force and the Independent Commission Against Corruption can apply for a prescribed authorisation from a panel of judges to intercept any communications in a telecommunications system for the purposes of preventing crime or protecting public security (Interception of Communications and Surveillance Ordinance (Cap. 589)).
  • Under the Law of the People's Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region, the Hong Kong Police Force or the Secretary for Justice have powers, among others, to apply for a court order to require a person or corporation that has the required information to answer questions or to furnish or produce relevant information or material to assist an investigation related to certain national security offences.

Privacy Protection

18. Are there any laws regulating the use of cookies, other tracking technologies like digital fingerprinting, or online behavioural advertising?
There are no specific regulations on the use of cookies. However, the use of cookies by website operators to collect, store or use personal data must comply with the relevant PDPO obligations (see Question 16 and Question 18). In particular, website operators must:
  • Provide the prescribed notification to end users and individuals when cookies are collected, including what kind of personal data is stored in the cookies and the purpose of its use.
  • State clearly whether the acceptance of the use of cookies by end users and individuals is mandatory to access the website.

Cybersecurity

19. What measures must contracting companies or internet providers take to guarantee internet transactions' security?
In the context of safeguarding the security of the personal data collected and used by the contracting companies and internet providers, data users must take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use (Data Protection Principle 4, Schedule 1, PDPO). Businesses must ensure that measures providing an appropriate level of security are applied to internet transactions that involve the transmission of personal data.
If traders accept card payments from customers, it is likely that they must ensure that their systems comply with generally accepted industry standards on data security. This is because a number of payment card scheme operators are subject to the Code of Practice for Payment Card Scheme Operators, a self-regulated compliance code monitored by the HKMA, that requires the operations of payment card scheme operators to comply with industry accepted security standards.
20. Is the use of encryption required or prohibited in any circumstances?
Encryption is a common (but not mandatory) security measure used to protect personal data to comply with Data Protection Principle 4 of the PDPO. In a number of guidance notes, including the guidance note on cloud computing, the Privacy Commissioner (the enforcement body of the PDPO) recommends the use of encryption for electronic data for security purposes. The Privacy Commissioner indicates that security measures must be proportionate to the degree of sensitivity and likely harm caused by the loss or unauthorised access of personal data.
The use of encryption is not unlawful. However, the Import and Export Ordinance (Cap. 60) and the Import and Export (Strategic Commodities) Regulations (Cap. 60G) regulate the import and export of certain types of encryption software.
21. Are electronic payments regulated?
Regulations govern the provision of payment services operated by:
  • Banks.
  • Deposit-taking companies.
  • Payment card scheme operators.
  • Retail payment systems operators, including the issuance of stored-value facilities that can be used as a means of making payments for goods or services.
These include the framework provided under:
  • Banking Ordinance (BO).
  • Code of Banking Practice issued jointly by the Hong Kong Association of Banks and the Hong Kong Association of Restricted Licence Banks and Deposit-Taking Companies, and endorsed by the HKMA (a non-statutory voluntary code).
  • Code of Practice for Payment Card Scheme Operators (see Question 18).
  • PSSVFO.
Designated retail payment systems (RPS) must comply with system operation obligations, including ensuring the safety and efficiency of these operations and maintaining books and records of the relevant transactions (PSSVFO). While a range of payment systems may be potentially caught under the definition of RPS (including payment card, electronic funds transfer, transaction acquiring and payment gateway), the HKMA can designate a system an RPS only if the authority is of the opinion that:
  • The system's proper functioning is material to the monetary or financial stability of Hong Kong, or to the functioning of Hong Kong as an international financial centre (or is likely to become so).
  • The system should be so designated having regard to matters of significant public interest.
RPS include Visa, Mastercard, UnionPay International, American Express, Joint Electronic Teller Services Limited, and EPS Company (Hong Kong) Limited.
As records of electronic payments are produced and stored in electronic form, the electronic records are subject to the ETO.
In addition, if personal data is used for verification purposes or involved in the course of electronic payment, the website or the electronic payment operator must comply with the relevant security requirements under the PDPO.
The HKMA's Faster Payment System enables round-the-clock interbank fund transfers, and connects banks and stored-value-facility operators on the same platform, allowing members of the public to transfer and receive funds by registering their mobile phone number or email address as an account proxy. The Common QR Code Standard for Retail Payments enables payment QR codes from different payment service providers to be converted into a single, combined payment QR code.
22. Do any specific rules or guidance apply to websites aimed at (or that might be accessed by) children?
There are no specific or express rules regulating websites that are aimed at children. However, certain sector-specific legislation contains express provisions relating to persons under 18 years old. For example, it is an offence to offer an indecent article to a minor, or to target a minor in any advertisements or promotional material relating to horse race or football betting or lotteries (Control of Obscene and Indecent Articles Ordinance (Cap. 390) (COIAO), Betting Duty Ordinance (Cap. 108)).
Additionally, there are certain limitations on the enforceability of contracts entered into with minors. General contract law will be relevant in determining if the contract is enforceable (see Questions 6 to 8). A contract (for example, the website terms and conditions) entered into online with a minor will be enforceable only if the contract relates to "necessaries".
In relation to the personal data of a minor, and where consent is required in connection with the personal data (for example, the personal data will be used for a new purpose), and the minor is incapable of understanding the new purpose, the consent can only be given on the minor's behalf by a person with parental responsibility for that minor and if that person considers that it is in the minor's interest to permit such new use (section 2, PDPO and Data Protection Principle 3, Schedule 1, PDPO).
23. Are there any laws protecting companies within your jurisdiction that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction?
There are currently no laws that specifically protect companies in Hong Kong that resell or market online digital content, services or software licences provided by overseas suppliers.
The usual IPR issues must also be considered by companies reselling or marketing such content, services or licences, in particular, whether there is a legal right or permission to reproduce or communicate the content online.
Under the latest legislative changes pursuant to the Copyright (Amendment) Ordinance 2022, online service providers may be able to benefit from a statutory "safe harbour" defence for copyright infringements (see Question 41).

Linking, Framing, Caching, Spidering, and Metatags

24. Are there any limitations on linking to a third-party website and other practices such as framing, caching and spidering?
Linking, framing, caching, spidering and the use of metatags are subject to limitations under the general protection of IPRs.
If the link circumvents any subscription, pay or other barriers imposed by the original content owner, providing the link may not be permissible if the linking constitutes a breach of a third party's exclusive rights under applicable IPRs law. Whether an infringement occurs depends on the material used and the use made of it.
In addition, if information is extracted from a third party's website, it is also necessary to ensure that the use is not in breach of the terms and conditions of that website.
25. Are there any limitations on the use of metatags or advertising keywords?
The use of metatags or advertising keywords can potentially amount to trade mark infringement if it constitutes use in the course of trade or business in relation to either:
  • Goods or services that are identical to those that are registered.
  • Goods or services that are similar to those that are registered and likely to cause public confusion.

Domain Names

26. What limitations are there in relation to licensing of domain names?
There are no specific regulations on the licensing of domain names. Therefore, general contract law principles regulate the relationship between the registrant of the domain name and the business licensing the domain name.
If a domain name also includes a trade mark owned by the registrant, the licensing of the domain name (under the domain name registration agreement) must include the right to use the trade mark. The licence must be in writing and signed by the licensor (trade mark owner) (section 33(3), Trade Marks Ordinance (Cap. 559)).
Any person can register a ".hk" domain; there is no residence requirement. However, only commercial entities registered in Hong Kong can register a ".com.hk" domain.
27. Can use of a domain name confer rights in a word or phrase contained in it?
Domain names themselves do not confer any additional legal rights. However, certain common law rights can be developed through usage. A domain name can also be capable of being protected as a registered trade mark.
A trade mark must be registered in the Trade Marks Registry of the Hong Kong Intellectual Property Department to be an enforceable trade mark. It is possible to register domain names as trade marks if they meet the requirements for registration (and consequently the registered trade mark can also be subject to invalidation or revocation).
The use of a domain name may give rise to unregistered trade mark rights for the owner and user of the domain name if, over time:
  • It acquires the attributes of a trade mark (that is, it distinguishes the goods or services of one undertaking from those of another undertaking).
  • A business can establish a reputation in the domain name.
If so, and a third party misrepresents a connection or affiliation with that domain name and as a result causes or is likely to cause damage to the business, that third party may be liable for committing an act of passing off.
28. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?
Any company name identical to that of an existing company, or appearing on the Companies Registry's index of company names, must not be used to incorporate a Hong Kong limited liability company. A company name can be in English, Chinese, or both. Businesses should search the register at the Companies Registry to ensure the proposed name of the company is not the same as, or similar to, a name that is already in use. The company name must also include the appropriate ending (for example, "Limited" or the equivalent Chinese characters). Company names (and changes to them) must be recorded at the Companies Registry as part of the company registration process.
The Companies Registry must approve company names that imply a connection with the Hong Kong Government or the Central People's Government or a body of either government, or contain certain words and expressions prescribed by the Financial Secretary (for example, chamber of commerce, savings, trust, or trustee).

Jurisdiction and Governing Law

29. What rules do the courts apply to determine the jurisdiction and governing law for internet transactions (or disputes)?
There are no differences between the rules that apply to internet transactions and those for other disputes.

Jurisdiction

The set of rules used to determine the jurisdiction is based on common law principles.
Generally, methods of establishing jurisdiction are either:
  • The defendant submitting to the jurisdiction of the Hong Kong court.
  • Correct service of process within or outside the jurisdiction (for example, a writ or originating summons).
Even if a defendant is effectively served, the defendant can seek to challenge the court's jurisdiction by demonstrating that there is a more appropriate forum.
Businesses can generally agree the jurisdiction between themselves with a jurisdiction clause in the contract. However, specific rules (or exceptions to the above general principles) may apply in non-contractual disputes, for example defamation or in cases concerning foreign IPRs.

Governing Law

General legal principles provide that the parties to an agreement are free to choose the law that governs that agreement, which is then the proper law of the contract.
Irrespective of the choice of law, certain specific mandatory legal rules may continue to apply, in particular statutory restrictions that apply to the parties' choice of law in a consumer contract (see, for example, section 17(2) of the CECO and section 7(2) of the UCO).
If the parties do not choose a governing law, the law with which the contract has the closest connection applies (factors to be considered can include the location of the subject matter or place of intended performance of the contract).
For non-contractual disputes relating to actions for torts, the subject matter must be actionable under both Hong Kong law and the law of the place where the act was committed. However, this is subject to a number of exceptions; for example, a particular issue of the subject matter may be governed by the law of the place that has the most significant relationship with the occurrence and the parties.
30. Are there any alternative dispute resolution/online dispute resolution (ADR/ODR) options available to online traders and their customers?

ADR/ODR Options

There are no specific dispute resolution services available to online traders and customers. However, there are some dispute resolution options available for certain aspects of electronic transactions and online business, for example:
  • The Hong Kong International Arbitration Centre (HKIAC) formulated the HKIAC Electronic Transaction Arbitration Rules for disputes arising from electronic transactions.
  • HKIAC offers online dispute resolution services for domain names, and administers dispute resolution proceedings for registrar transfers of domain names, internet keywords and wireless keywords.

Advertising/Marketing

31. What rules apply to advertising goods/services online or through social media and mobile apps?
There is no single comprehensive legislation or regulation governing advertising activities. Both online and offline advertising activities are generally regulated through the TDO (to the extent that any advertisement constitutes a trade description of any goods or services) and several specific laws that govern advertising of regulated products and services.
For example, the TDO prohibits online advertisements that contain any of the following:
  • A false or misleading trade description of the goods or services (for example, quantity, composition, availability, price or place of origin).
  • A misleading omission (for example, where material information, including the main characteristics of the product, price, identity of the trader, payment or delivery arrangements or the existence of any withdrawal or cancellation right, is hidden or omitted).
  • Bait advertising (for example, advertising at a specified price and failing to supply at this price for a reasonable period and in reasonable quantities).
In addition, the advertising of certain regulated products or services is subject to specific regulations, for example the:
  • Public Health and Municipal Services Ordinance (Cap. 132), under which advertisements must not falsely describe or mislead consumers about any food or drug, or its nature or quality.
  • Food and Drugs (Composition and Labelling) Regulations (Cap. 132W), that require that any nutritional claims about pre-packaged food in an advertisement must comply with the prescribed requirements on nutrient content, comparison and function.
  • Undesirable Medical Advertisements Ordinance (Cap. 231), that prohibits advertisements relating to certain diseases and abortion.
  • Securities and Futures Ordinance (Cap. 571) (SFO) and codes of conduct or guidelines issued by the SFC, that apply to advertisements of financial services and products. For example, if an advertisement contains an invitation to enter into certain subscription or investment agreements or a collective investment scheme, it must be authorised by the SFC. A licensed or registered person must ensure that no false, disparaging or misleading information is contained in any of these advertisements (see Question 32).
On a self-regulated basis, the Association of Accredited Advertising Agencies of Hong Kong enforces a non-statutory code of practice against advertising agencies who are members of the association. Generally, the code of practice requires any advertisement to be legal, decent, honest and truthful.
32. Are any types of services or products specifically regulated when advertised or sold online (for example, financial services or medications)?
Generally, there is no distinction between the treatment for online or offline activities for the selling and advertising of products or services, as they are subject to the same regulatory approach (see Question 31).
Any business conducting online regulated financial services and issuing related advertisements must comply with the relevant regulatory requirements under the SFO or guidance issued by the SFC. For example, specific risk management and security controls are imposed on internet trading activities, and the provision of financial information may also trigger licensing or registration requirements.
33. Are there any rules or limitations relating to text messages or spam e-mails?
The UEMO is the main legislation that regulates text messages or spam emails. The UEMO sets out a number of statutory requirements that must be complied with if commercial electronic messages are sent out; for example, the information must be accurate and the recipient of the message must be able to unsubscribe.
The UEMO also prohibits, among other things, the sending of unsolicited marketing and promotional emails or text messages to subscribers on the do-not-call registers kept by the Communications Authority, unless the recipients gave their consent to receive the messages. However, several exemptions are available under the UEMO. In particular, businesses can, without consent from the recipients, send messages such as invoices or receipts to confirm or facilitate a transaction, or deliver goods or services for a transaction, that the recipients previously agreed to enter into.
The PDPO also regulates the sending of text messages or spam emails if the messages involve the use of personal data in direct marketing. Among other PDPO provisions on direct marketing activities, section 35G of the PDPO confers an absolute right to an individual to object to the use of their personal data for direct marketing purposes. The business or trader must stop using the personal data when they receive notification. The Privacy Commissioner, in the guidance note New Guideline on Direct Marketing issued in January 2013, states that the PDPO direct marketing provisions do not apply to the use of personal data for direct marketing activities targeted at a corporation (that is, if the personal data is collected from individuals in their official capacity and the product or service is clearly meant for exclusive corporate use).
In addition, organisations that collect personal data must inform affected individuals on the intended use of that data (Schedule 1, Data Protection Principles, Principle 1, PDPO). The PDPO also prohibits the use of collected personal data for purposes that are incompatible with the purposes for which the data was originally collected.
34. Does your jurisdiction impose any language requirements on websites that target your jurisdiction or whose target market includes your jurisdiction?
There are no specific language requirements for websites targeting Hong Kong. However, when the court decides whether a contract or any of its provisions are enforceable it will consider whether the consumer was able to understand the contract or relevant provisions (section 6, UCO). Businesses can avoid that risk by presenting the contract either in Chinese or English.

Tax

35. Are sales concluded online subject to tax?
Hong Kong adopts a territorial source principle of taxation. Profits tax is only charged on profits that arise in or are derived from Hong Kong. Therefore, whether sales concluded online are subject to taxation will depend on whether profits derived from the sales can be regarded as arising in or deriving from Hong Kong.
Profits tax is chargeable for each year of assessment for corporations (16.5%) and unincorporated businesses (15%), if:
  • The person concerned carries on a trade, profession or business in Hong Kong. This is a question of fact and degree that can only be determined on a case-by-case basis. Various factors including the nature of the contracts concluded in a jurisdiction, the place where the goods are stored and delivered (or in the case of services, the place where the services are provided) are taken into account when determining this.
  • The profits to be taxed come from a trade, profession or business conducted in Hong Kong. When determining whether a non-resident is carrying on a business or trade in Hong Kong, the concept of permanent establishment is assessed. Permanent establishment implies the presence of physical premises and personnel. If a business owns or leases the server on which its website is hosted, the business has a physical presence at the server's location. The business may or may not require any of its staff to be present at that location to operate the equipment.
  • The nature of the functions carried out by the business in the location is also relevant. For example, an internet service provider providing web hosting services in Hong Kong conducts a core function of its business in Hong Kong, and is therefore subject to profits tax. Conversely, a retailer selling books over the internet is not subject to profits tax if the business only operates a server in Hong Kong and the core business of selling books is carried outside Hong Kong.
  • The profits arise in or are derived from Hong Kong. This is a matter of fact and is determined by establishing the taxpayer's operations that produced the relevant profits and where those operations took place. The distinction between Hong Kong profits and offshore profits is made by reference to gross profits arising from individual transactions. Generally, the profits earned in Hong Kong by a taxpayer with a principal place of business in Hong Kong are chargeable to profits tax.
(Section 14, IRO.)
36. Where and when must online companies register for value added tax (VAT) (or equivalent) and other taxes? Which country's VAT (or equivalent) rate applies?
There is no value added tax (VAT) on goods and services.

Protecting an Online Business and Users

Liability for Content Online

37. What restrictions are there on what content can be published on a website (for example, laws regarding copyright infringement, defamatory content, or harmful content)?
Website content is governed by a mix of statute and common law. Some key potential areas of liability for online traders are:
  • If a trader fails to comply with certain regulatory requirements imposed by the public enforcement authority, for example, to cease any unfair trading act or false description of the goods or services on its website under the TDO, the authority can obtain an injunction to order the online trader not to continue, repeat or engage in the contravening conduct.
  • If the trader uses third party content online (including content on social media) without obtaining the relevant rights, it can be exposed to trade mark or copyright infringement claims. It is often assumed that content that is made available online (particularly on social media) can be freely used, but this is not the case and use without the correct permission potentially infringes IPRs.
  • Where content published on a website is defamatory, the victim may be able to obtain damages or an injunction (or both) requiring removal of the offending content from the website under common law principles.
  • There are several statutory offences that can potentially be committed through the publication of online content. For example:
    • the publication of obscene material can be an offence under the COIAO;
    • criminal liability may be incurred under the PDPO where a website operator publishes an individual's personal data online, without the consent of the data user (that is, the person from whom the individual's personal data was obtained by the website operator), with the intent to obtain gain or cause loss of money or other property, or cause any specified harm to the individual.
38. Who is liable for website content that breaches these restrictions (including, for example, illegal material or user-generated material that infringes copyright or other laws, such as the law of defamation)?
Both content providers and website operators may be liable depending on the nature of the wrongdoing. If for example the website is targeted at Hong Kong and the content provider's activity is illegal under Hong Kong law, the provider is generally liable for such content. However, the website operators can also be held liable (see Question 40).
39. What legal information must a website operator provide?
A company must state its registered name in legible characters and its liability status on its website (Section 4(c), Companies (Disclosure of Company Name and Liability Status) Regulation (Cap. 622B)).
If the website can collect personal data, a personal information collection statement must be included to satisfy the notification requirement (PDPO) (see Question 16).
Hong Kong law does not expressly prescribe the manner in which the terms and conditions of a website or the privacy notice must be presented on a website. In practice, the website terms and conditions, the privacy policy and other key information should be prominently displayed, particularly on consumer-facing websites, so that they do not fall foul of the UCO, or fail to meet the notification requirement under the PDPO.
40. Who is liable for the content a website displays (including mistakes)?
A website operator is liable for unlawful content displayed on its website unless it can rely on a defence. For example, it is a defence to a TDO offence if the contravening person can prove that both:
  • The commission of the offence was due to a mistake or reliance on information supplied to them or the act or default of another.
  • The person took all reasonable precautions and exercised all due diligence to avoid the commission of the offence.
(Section 26, TDO.)
For online businesses involving the publication of third-party content, both the author of the content and the website operator can be liable, depending on the wrongdoing alleged.
Accordingly, it is good practice for a trader to include disclaimers on the accuracy and availability of content on its website to limit the expectations of users and limit potential liability if the trader displayed content by mistake. However, this may not be sufficient if the trader is unable to establish it took due care.
Some traders include a term on their websites to provide for their right to cancel a contract based on mistaken information presented on the website. However, there is a risk that the term may be held unenforceable against a consumer under the UCO (see Question 7, Consumer Contracts).
41. Can an internet service provider (ISP) shut down (or be compelled to shut down) a website, remove content, or disable linking due to the website's content, without permission?
Most ISPs reserve their contractual rights to suspend their services to take down infringing websites, content or links.
Unlike the statutory defences for website operators (see Question 40), there is no statutory protection for ISPs for trade mark infringements. In the light of the Copyright (Amendment) Ordinance 2022 (commencement date to be confirmed), ISPs may potentially rely on a statutory defence for copyright infringements, provided that certain prescribed actions are taken, such as taking reasonable steps to limit or stop the infringement as soon as it is notified.
There is no express statutory provision giving courts the right to grant an injunction against an ISP, where that ISP has actual knowledge of another person using their service to infringe copyright. The mere provision of physical facilities for enabling the making available of copies of works to the public does not of itself constitute an act of communicating infringing content to the public. In the absence of any statutory provision or established case law, an injunction may not be easy to obtain.
The Privacy Commissioner has powers to serve a notice to an ISP demanding that they cease revealing personal data if it has reasonable grounds to believe that the:
  • Data was disclosed without consent.
  • Discloser intended to cause harm to the data subject or its family.
  • Data subject is located in Hong Kong.
  • Cessation can be undertaken by a person located in Hong Kong.

Liability for Products/Services Supplied Online

42. Are there any specific liability rules applying to products or services supplied online?
The law applicable to the sale and supply of products and services offline also applies when they are sold or provided online. Therefore, an online auction site could be liable for auctioning counterfeit goods on the same basis as if the same counterfeit goods are auctioned offline.
Websites that provide services by aggregating online content or information from other websites using tools including web crawlers, scrapers, spiders, or other automated tools should also be aware that these operations can attract civil and criminal liability, including:
  • Breaching the terms of use of the websites from which the content is obtained.
  • Infringing the copyright of those websites.
  • Committing a criminal offence if they knowingly cause a computer to perform any function to obtain unauthorised access to any program or data held in a computer (section 27A, Telecommunications Ordinance (Cap. 106)).

Insurance

43. What types of insurance does an online business usually need?
Online businesses require the same sort of insurance as other businesses in the relevant industry sector within which they operate. In addition, online businesses should consider specific insurance policies covering the risks related to data privacy and network security from a data leakage or security breach.

Reform

44. Are there any proposals to reform digital business law in your jurisdiction?
The Hong Kong Government announced (in its Policy Address in both 2021 and 2022) that it is planning to introduce a cybersecurity law, focusing on operators of public utilities and other critical information infrastructure and their obligations to protect such infrastructure against cyber-attacks.
A public consultation exercise on this legislative proposal was expected to be undertaken in 2023. Against this backdrop, the Hong Kong Law Reform Commission released a consultation paper in July 2022 proposing new cybercrime offences, which aim to rein in cybercrime with tougher penalties (up to the maximum of life imprisonment).
The proposed offences focus on crimes that can be committed only through the use of information and communications technology devices, where the devices are both the tool for committing the crime and the target of the crime.
In conjunction with the government's attempt to introduce a cybersecurity law, consolidated legislative efforts are expected to focus on formulating a general framework for protection of cybersecurity in Hong Kong.
The regulation of the transfer of personal data outside of Hong Kong under section 33 of the PDPO is not yet in effect and there is no concrete time frame for the government to put it forward for legislative approval. Pending section 33 becoming effective, businesses should follow the Guidance on Personal Data Protection in Cross-border Data Transfer and the Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (including the Recommended Model Clauses annexed to the Guidance) issued by the Privacy Commissioner. This serves as a practical guide for data users to prepare for the implementation of section 33.

Contributor Profiles

Wilfred Ng

Bird & Bird

T +852 2248 6116
T +852 2248 6000
W www.twobirds.com
Professional Qualifications. England and Wales, Solicitor; Hong Kong, Solicitor
Areas of Practice. Technology; media and telecommunications; intellectual property; commercial; data protection; corporate law.

Michelle Chan

Bird & Bird

T +44 20 7415 6000
T +852 2248 6000
W www.twobirds.com
Professional Qualifications. England and Wales, Solicitor; Hong Kong, Solicitor
Areas of Practice. Technology; media and telecommunications; intellectual property; commercial; data protection; corporate law.

Olivia Cheng

Bird & Bird

T +44 20 7415 6000
T +852 2248 6000
W www.twobirds.com
Professional Qualifications. Hong Kong, Solicitor
Areas of Practice. Technology; media and telecommunications; intellectual property; commercial; data protection; corporate law.