Digital business in the United Kingdom: overview
A Q&A guide to digital business in the United Kingdom.
The Q&A gives a high-level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.
This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.
English law governing the conduct of business online is set out in a number of different statutory instruments, some of which are specific to online trade, whereas others apply to all business activities. This area of law has also been subject to increasing harmonisation at EU level, although the extent to which EU laws will continue to affect the UK is uncertain following the UK's vote to leave the EU.
The following regulations are of particular significance:
The E-Commerce Regulations 2002 (E-Commerce Regulations) impose a range of obligations on the operators of commercial websites, in particular obligations to provide users with certain information about the operator and its services.
The Consumer Rights Act 2015 (CRA) has consolidated a range of previous UK consumer rights legislation and updated certain areas, including statutory implied terms in consumer contracts and the remedies for breach available to the consumer.
The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (Consumer Contract Regulations) place additional obligations on website operators who deal with consumers.
The Consumer Protection From Unfair Trading Regulations 2008 (CPRs) prohibit various unfair practices by traders, such as misleading actions or omissions, and include a "blacklist" of prohibited commercial practices.
The Provision of Services Regulations 2009 (POS Regulations) provide that in the provision of services, traders must not discriminate between EEA residents on the grounds of nationality or place of residence unless justified by objective criteria (for example, the provision of services across borders involves additional costs).
The Data Protection Act 1998 (DPA) contains provisions around the use of personal data, including personal data concerning website users.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PEC Regulations) govern direct marketing (both solicited and unsolicited) by means of electronic communication.
Major legislation must be passed by Parliament as an Act of Parliament.
Additionally, Acts of Parliament often empower certain government ministers to make further, more detailed regulations in specific areas (for example, the Department of Business, Innovation and Skills oversees subordinate legislation for online services and consumer protection).
The Committee of Advertising Practice (CAP) also publishes the "Codes" which govern broadcast and non-broadcast (including online) advertising in the UK. The CAP Codes are enforced by the Advertising Standards Agency (ASA). See Question 31.
Setting up a business online
New businesses should establish a vehicle through which the business will operate (for example, a limited liability company).
This largely depends upon the nature of the business, but the following agreements are usually required:
Website development. A website development agreement should clearly set out the company's functional and visual specification for the website, maintenance and support obligations, and the ownership of intellectual property rights (for example, in the design of the web pages and underlying software).
Website hosting agreements. Hosting agreements should in particular detail the scope of the services (for example, whether security, maintenance or support is provided), the specification of the server, and minimum availability requirements.
Content licences. Where the business does not own all content that will be displayed on the site it must ensure its licences with third parties are appropriate (for example, covering how the content is to be used, the territorial scope and the term of the licence).
Where the business enters into an agreement with an app developer, the terms must address what licences will be needed to develop and distribute the app, including for example, content and software licences (and address intellectual property rights in any newly created or modified content or software).
If the business wants to distribute the finished app through an app store, it will usually enter into a distribution agreement with the app store provider. The agreements of the largest providers (Apple, Google and Microsoft) are publicly available on their websites. Businesses frequently require users to enter into an End User Licence Agreement (EULA), which provides the terms and conditions applicable to the use of the app. The user must be provided with a copy of the EULA and must accept it before the user can download and use the app. If the business wishes to accept payments through the app, an agreement with a third party payment services provider can also be required.
Running a business online
For an online contract to be binding there must be an offer, acceptance, an intention to create legal relations, and certainty of terms. Offer and acceptance and incorporation of terms are of particular importance when contracting online.
Offer and acceptance. In order to give the trader control over the terms of the contract, a website's terms and conditions often:
State that by submitting an order the customer is making an offer.
Describe when the trader is deemed to have accepted that offer, for example, only once it has issued the customer with an order confirmation e-mail, or actually dispatched the goods.
Incorporation of terms. The terms of the contract must be sufficiently brought to the attention of the customer prior to the contract being completed. The English courts have not given definitive guidance as to how online terms and conditions must be incorporated, but the most effective way is to design the website so that the customer is unable to complete their order until they have scrolled down the full terms and conditions on-screen and clicked an "I accept" button (or similar). This is known as a click-wrap contract. In the context of software licence agreements (known as end user licence agreements) there are two other common forms of contract:
Browse-wrap contracts, where a user is simply notified that by continuing to use the software they will be bound by certain terms and conditions, but without the user having to take a positive action to accept them.
Shrink-wrap contracts, where a user purchases a physical software product and the terms are either included with the packaging or in a file that must be opened during installation.
Business-to-consumer context. In a business-to-consumer context, the Explanatory Notes to the Consumer Rights Act 2015 (CRA) reference the Law Commission and Scottish Law Commission's joint guidance note on unfair terms (see in particular Appendix C). The Explanatory Notes state that browse-wrap contracts are unlikely to be deemed contracts, and are therefore unlikely to be capable of placing contractual obligations on a consumer, as there is no valid acceptance (as there is with a click-wrap contract).
Shrink-wrap contracts are also unlikely to be enforceable against consumers on the basis that they are likely to be unfair. In particular, Schedule 2 to the CRA sets out a list of terms which may be considered unfair in consumer contracts. This includes: "a term which has the object or effect of irrevocably binding the consumer to terms with which the consumer has had no real opportunity of becoming acquainted before the conclusion of the contract." However, both types of contract may potentially be considered a "non-contractual notice", that is, a form of warning to the consumer that may (for example) serve to discharge a duty of care that the website operator may otherwise have faced, and can serve to grant a unilateral licence to use the applicable software. Even as non-contractual notices, both browse-wrap and shrink-wrap contracts must comply with Part 2 of the CRA (unfair terms).
Business-to-business context. In a business-to-business context, it is unlikely that a browse-wrap contract would be legally binding, as there is no opportunity for the user to accept the terms.
The position on shrink-wrap contracts is unclear and has been the subject of academic debate. While the terms may state that by downloading the software the user agrees to be bound by the terms of the licence, the user is still not made aware of those terms at the time of concluding the contract. The Scottish Court of Session held that a shrink-wrap licence was enforceable in a case where a software package stated that opening the package indicated acceptance of the terms and conditions, and that the purchaser was entitled to return the packaged software up until the moment that the purchaser opened the package (Beta Computers (Europe) Ltd v. Adobe Systems (Europe) Ltd, 14 December 1995). However, in the absence of English case law on this matter, the legal foundation for this well-established business practice remains unclear under English law.
Regulatory requirements. Where orders are placed online, the E-Commerce Regulations require the trader to provide certain specific information, including (Regulation 9):
The different technical steps to follow to conclude the contract.
The languages offered for the conclusion of the contract.
The customer must be given the opportunity to review and correct input errors before completing the purchase. The trader must acknowledge receipt of the order by electronic means without undue delay, for example, by sending an order confirmation e-mail (Regulation 11). Businesses, but not consumers, can agree to contract out of these provisions.
Consumer contracts. Under the Consumer Contract Regulations, traders must provide consumers with additional specific information prior to entering into any contract, for example, the main characteristics and total costs of the relevant products/services, the arrangements for payment and delivery, and the existence of any right to cancel (Regulation 13 and Schedule 2). Where orders are placed online, the trader must clearly label the order button to indicate that placing the order entails an obligation to pay the trader by using words such as "order with obligation to pay" (Regulation 14). The trader must give the consumer confirmation of the contract, including the pre-contract information, in a "durable medium" within a reasonable period, and no later than delivery of the goods or commencement of the services (Regulation 16).
Businesses must comply with the E-Commerce Regulations, including the information requirements (see Questions 6 and 37). Other statutory provisions such as the Sale of Goods Act 1979, the Supply of Goods and Services Act 1982 and the Unfair Contract Terms Act 1977 (UCTA), will apply to contracts formed online as they would do to a contract formed by other means.
A business selling to consumers online must comply both with the regulations applicable to business-to-business contracts (which generally cannot be contracted out when dealing with consumers) and additional consumer-specific regulation, in particular the Consumer Rights Act 2015 (CRA) and the Consumer Contract Regulations.
The CRA applies to contracts formed after 1 October 2015, and consolidates and updates a number of other pieces of consumer rights legislation. For example, it:
Sets out the key terms that will be implied into a consumer contract (such as satisfactory quality and fitness for purpose).
Establishes a set of tiered remedies for the consumer in the event the consumer's statutory rights are breached, including (in relation to goods) a right to reject the goods, to have them repaired or replaced or to receive a price reduction. There is also a specific compensation mechanism if digital content has caused damage to a device or other digital content owned by a consumer (for example, through a virus).
Grants statutory protection for consumers if a trader tries to impose unfair terms on them, and includes a non-exhaustive list of black-listed terms that will usually be considered unfair.
The Consumer Contract Regulations amongst other things:
State that, subject to some limited exceptions, a consumer has a right to cancel a contract made online within a period of 14 days, commencing when the consumer receives the goods or, in respect of services, the conclusion of the contract. Where a cancellation right exists, the trader must provide the consumer with a cancellation form containing specific information, and provide a refund in accordance with the requirements of the Consumer Contract Regulations.
Require a trader to obtain the consumer's express consent before imposing any charges in addition to the remuneration agreed for the trader's main obligations (pre-ticked boxes cannot be used to obtain this consent).
Introduced a new regime specific to digital content. Traders are obliged to provide additional pre-contract information concerning the functionality of the digital content (for example, region restrictions, and DRM and other technical protection measures) and any relevant information about its compatibility with other hardware or software. If the content is downloaded, the trader must either obtain the express consent from the consumer to waive the cancellation right, or not enable the consumer to download the content until the end of the 14 day cancellation period. If the content is provided on a CD or other tangible media, the cancellation period usually ends 14 days after the day on which the media came into the possession of the consumer (or until the consumer breaks any seal).
Most contracts governed by English law can be concluded electronically.
However, there are some cases in which documents will need to be signed by hand. For example, the Land Registry currently only accepts deeds creating or transferring an interest in land if they are executed with a handwritten signature (although a facility has been introduced whereby mortgage deeds can be signed online if an applicant is taking out an e-mortgage).
Further, some products by their nature require additional safeguards when being bought and sold by means of an electronic contract formed at a distance (see Question 31).
Where a contract is to be concluded by electronic means, the E-Commerce Regulations require the trader to notify the customer whether the concluded contract will be filed by the trader and whether it will be accessible (Regulation 9(1)). Business customers, but not individual consumers, can contract out of this requirement.
Additionally, the Data Protection Act imposes a general duty to retain personal data only for so long as is necessary, having regard to the purpose for which the data is collected or held (for example, for the purpose of fulfilling an order, or responding to a potential complaint or dispute).
There are no official government trusted site accreditations for websites, although some accreditations may be of interest to website providers, for example:
ISO 27001 is the international standard for information security management (which can be obtained through the British Standards Institution).
tScheme Limited operates an industry-led, self-regulatory system set up to approve electronic trust services, including qualified certificate services (see Question 12).
For the most part, the remedies available for breach of an electronic contract are the same as those available for breach of any other type of contract. However, where a specific regulatory requirement is breached, additional remedies might be available, for example:
A breach of the obligation in the E-Commerce Regulations to give the customer an opportunity to correct input errors could give the customer a right to rescind the contract.
A breach of the obligation to provide the cancellation right in the Consumer Contract Regulations will extend the period in which the consumer can exercise that right.
Traders who supply digital content online should in particular note the additional requirements and remedies that are available under the Consumer Rights Act 2015 and the Consumer Contract Regulations (see Question 7).
E-signatures are recognised under English law.
The legal framework for electronic signatures in the UK is based on the Electronic Services Regulation 2014 (ESR), which came into effect on 1 July 2016 and was implemented in the UK by the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016. The ESR is an attempt to increase the use of electronic identification and authentication facilities and expand the legal framework governing electronic identification/documentation.
Definition of e-signatures
The ESR defines an electronic signature as data in an electronic form which is attached to or logically associated with other data in an electronic form and which is used by the signatory to sign.
The ESR also provides a definition of qualified electronic signatures. These are electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device. Under the ESR, these signatures satisfy the legal requirements of a signature in the same manner as a handwritten signature, and are admissible as evidence in legal proceedings.
tScheme Limited operates a voluntary accreditation scheme of certification services, and maintains a list of providers it has certified.
Format of e-signatures
English law takes a broad view of what constitutes a valid electronic signature. According to the Law Commission, it is simply necessary that the signatory's activity indicates an intention to authenticate. The Law Commission guidance gives the following non-exhaustive examples:
Digital signature through use of an encryption system involving a certification authority (a type of advanced electronic signature).
A scanned manuscript signature or a digitised version of a manuscript signature.
The typing of a name.
Clicking on an appropriately labelled button on a website (for example, "I accept").
E-signature is of limited use when the document in question is a deed. In some cases a handwritten signature is required (see Question 8) and in general the practicalities of having the signature witnessed make electronic execution of a deed unlikely to be possible.
More generally, it can be harder to prove the validity of electronic signatures in comparison with handwritten signatures (where it is possible to use the evidence of a forensic handwriting expert). This risk can be mitigated to an extent through the use of a "qualified electronic signature" (see Question 12).
Implications of running a business online
Cyber security/privacy protection/data protection
The collection and use of personal data is regulated by the Data Protection Act (DPA) which implements the EU Data Protection Directive (95/46 EC). The DPA applies to data controllers, defined as "persons who determine the purposes for which and the manner in which personal data are processed".
For further information on data protection laws in the UK, see Data Protection in UK (England and Wales): overview.
The Data Protection Act (DPA) regulates personal data (as defined in section 1 of the DPA). It does not regulate information relating to corporate bodies.
Personal data is defined as data which relates to a living individual who can be identified from that data, or from that data together with other information in the possession of, or likely to come into the possession of, the data controller (section 1, DPA).
In the context of digital businesses, any information processed or intended to be processed in digital or electronic form, as well as information held in non-automated records that are structured in a way which allows ready access to information about individuals, is likely to satisfy the definition of "data" for DPA purposes.
The Data Protection Act (DPA) imposes a series of restrictions on the collection and use of personal data. The DPA generally permits the collection and use of personal data without specific consent to the extent necessary for the performance of a contract with data subjects or for taking steps at the request of the data subject with a view to entering into a contract. Otherwise, in the context of consumer contracts, personal data can generally be collected and used only with consent or where the collection and use of the data is necessary for a legitimate interest of the trader or another person and is not unwarranted by reason of the rights, freedoms and legitimate interests of data subjects.
In most cases, personal data should not be collected by or on behalf of a data controller unless certain privacy information is supplied (Schedule 1, Part II, DPA). For digital business, this requirement is usually addressed by the publication of a privacy notice confirming the identity of the data controller and providing information regarding the intended use of the customer's data.
The DPA also imposes obligations on data controllers for the quality of the data they collect and use. Data controllers are required to:
Take steps to ensure that personal data is:
kept up to date.
Retain data only for as long as is necessary for the purposes for which it has been obtained.
The DPA does not expressly restrict cloud storage of personal data, but its provisions should be taken into account when cloud solutions are used by data controllers to store information that includes personal data. When using cloud solutions, data controllers retain legal responsibility for the security and integrity of data stored by or on their behalf on the cloud. They must ensure that any commercial agreement with third party cloud providers includes prescribed data protection provisions and they are expected to monitor the cloud provider's compliance with these terms.
The DPA also restricts the use of cloud solutions that involve the storage of personal data on servers located outside the EEA, by prohibiting the transfer of such data to non-EEA countries unless there is adequate protection for personal privacy. A range of mechanisms can be relied on to deliver adequate protection, including the use of EU Commission approved standard contractual clauses, the use of approved Binding Corporate Rules and the use of the EU-US Privacy Shield. The European Commission has also made adequacy findings in relation to some non-EEA countries.
The PEC Regulations impose obligations on internet service providers to take appropriate technical and organisational measures to safeguard the security of the services they supply. As a minimum, this means that internet providers must:
Ensure that personal data can be accessed only by authorised personnel for legally authorised purposes.
Protect the personal data they store or transmit against accidental or unlawful destruction, accidental loss or alteration and unauthorised or unlawful storage, processing, access or disclosure.
Ensure the implementation of a security policy for the processing of personal data.
Online businesses are required to comply with their own obligations under the Data Protection Act to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
To the extent that traders accept card payments (credit or debit) from customers, they will be required to ensure that their systems comply with the Payment Card Industry Data Security Standards (PCI-DSS) which stipulate how traders deal with customer information. One of the central requirements is that sensitive card authentication data must never be stored by the trader after authorisation of a payment transaction even if it is encrypted.
The Data Protection Act (DPA) and the PEC Regulations do not mandate the use of encryption. However, website providers must ensure that the security measures they take are proportionate to the sensitivity of the data concerned. In many cases data encryption will be considered an appropriate and necessary technical measure for the protection of personal data stored on mobile digital media, sensitive or confidential e-mail communications, and data held in the cloud.
The use of encryption by online businesses is not prohibited in any circumstances, although law enforcement authorities have powers under the Regulation of Investigatory Powers Act 2000 to compel the disclosure of encryption keys by giving notice.
A significant number of public authorities and regulators have powers to access or compel disclosure of information that is relevant to the exercise of their regulatory functions, for example:
The Information Commissioner has powers under section 43 of the Data Protection Act (DPA) to require a data controller to provide specified information for the purpose of an investigation (although this does not extend to legally privileged information, or information that can expose the subject to risk of prosecution for an offence, other than an offence under the DPA).
The Department of Work and Pensions has powers to compel specified organisations, including banks, insurers and certain utilities providers, to supply information for the purpose of preventing or detecting fraud.
Under the Regulation of Investigatory Powers Act 2000, specified public authorities, including the Security Service, police forces and HMRC, are able to obtain communications data held by communications service providers for the purposes of the prevention and detection of crime and national security.
Traders are generally free to accept electronic payments, although these are subject to certain security requirements (see Question 18).
The provision of payment services is subject to a complex set of regulatory requirements, and involves a number of regulators (including the Payment Services Regulator (PSR), the Competition and Markets Authority (CMA), and the Financial Conduct Authority (FCA)).
Contracts with individuals are generally only enforceable in the UK if the individual has reached the age of majority, which is 18 (section 1, Family Law Reform Act 1969). Contracts with very young children are generally void. However, there are some circumstances in which contracts with older minors may be enforceable including contracts for:
"Necessaries" (for example, food and clothes).
Education, apprenticeship and service (including employment).
In addition, section 5 of the CAP Code (see Question 31) provides a series of restrictions on advertising to minors (including online). For example, advertisements must not directly urge children to buy a product or service or encourage them to ask their parents, guardians or other persons to buy or enquire about a product or service for them (section 5.1.9, CAP Code).
Hyperlinking to, and framing material on, a third party's website is permitted, provided the linked material is:
Still publicly available.
Not behind a pay wall of some form.
If the linked material has been removed or the link circumvents any subscription, pay wall or other barriers imposed by the original content owner, providing the link can be a breach of Directive 2001/29/EC on copyright and related rights in the information society (Copyright Directive).
Other practices are not permitted if they are a breach of a third party's exclusive rights under copyright or trade mark law. Whether an infringement occurs depends on the material used and the use made of it.
In addition, if information is extracted from a third party's website, it is also necessary to ensure that the use is not in breach of the terms and conditions of that website.
There are no specific regulations in place regarding the licensing of domain names between a domain name registrant and third parties. The rules of contract law apply.
However, under the Trade Marks Act 1994 the licence must be in writing and signed by the licensor (the trade mark owner) if the following conditions are met:
The domain name includes a trade mark owned by the registrant.
The licensing of the domain name includes the right to use a trade mark.
Anyone can register a ".uk" domain, whether based in the UK or not.
Domain names themselves do not confer any additional rights, but are merely a piece of property owned by the domain name registrant.
A registered trade mark must be registered in the UK Intellectual Property Office in order for it to become a trade mark. It is possible to register domain names as trade marks, provided they meet the requirements for registration (and consequently the registered trade mark can also be subject to invalidation or revocation).
The use of a domain name might give rise to an unregistered trade mark for the owner/user of the domain name if, over time, it acquires the attributes of a trade mark (for example, it serves to distinguish the goods of one undertaking from those of another undertaking). If the use of the domain name gives rise to an unregistered trade mark and a third party misrepresents a connection or affiliation with that domain name, that third party could be committing an act of passing off.
For the majority of company types, the trader searches the register at Companies House to ensure the proposed name of the company is not the same as, or similar to, a name that is already in use. The company name must also include the appropriate ending (for example, "Limited" or "LLP"). Company names (and changes to them) must be recorded at Companies House as part of the company registration process.
Business names that imply a connection with government or a public authority or contain certain "sensitive" words or expressions are restricted and must be approved by the Secretary of State. Examples of restricted words include "Queen", and "Britain".
Jurisdiction and governing law
The same rules apply to internet transactions as to other disputes. The two principal sets of general rules determining jurisdiction in England and Wales are:
The European regime (principally the Recast Brussels Regulation, 2001 Brussels Regulation, Brussels Convention, 2007 and 1988 Lugano Conventions).
English common law.
Where the defendant to the dispute is based in a member state, the starting point under the European regime is that the defendant can, subject to various exceptions, be sued in the member state of the defendant's domicile. In matters relating to contract, a party domiciled in a member state can sue in another member state where the place of performance of the obligation in question took place, for example, where the goods are or should have been delivered, or where services were or should have been provided.
Where the European regime does not apply (for example, the defendant is based outside of the EU, Iceland, Norway or Switzerland), the English common law principles will apply. These principles are based on rules relating to the correct service of process within or outside the jurisdiction, or on the submission by the defendant to UK jurisdiction. Even if a defendant is effectively served, a court's jurisdiction can be challenged on the basis there is a more appropriate forum.
If implemented correctly, businesses can generally contract out of these provisions and agree the jurisdiction between themselves. However, as a general rule, under the European regime, European consumers can only be sued in their state of domicile but can elect whether to sue businesses in the state of either the consumer or the business.
There are exceptions to each of these rules, so each case should be considered on its facts. For example, different rules apply in relation to non-contractual disputes such as defamation or copyright infringement (where in general under the Recast Brussels Regulation and 2001 Brussels Regulation jurisdiction is ascertained on the basis of the state in which the harmful act occurred).
If court proceedings are commenced in a court within the EU in relation to a contract, the following regulations are used to determine governing law:
For contracts entered into after 17 December 2009, the Rome I Regulation is used.
For contracts entered into before this date, the Rome Convention is used.
A core principle of Rome I and the Rome Convention is that the parties to an agreement are free to choose the law that governs that agreement.
Despite the choice of law, certain specific mandatory rules of law of a country may continue to apply, in particular in relation to consumer contracts (see, for example, section 27(2) of the Unfair Contract Terms Act).
If the parties did not choose a governing law, Rome I generally provides that the law of the party selling the goods or performing the services should apply, while the Rome Convention applies the law with which the contract has the closest connection. Where the contract is with a consumer it is the law of the consumer's place of habitual residence that generally applies (subject to exceptions which differ under the two sets of rules).
Non-contractual disputes are principally governed by the Rome II Regulation (which has applied since 11 January 2009). As a general rule, Rome II provides that the law governing the dispute is that of the state in which the relevant damage occurred (although again this is subject to a number of exceptions).
The EU's legal framework for consumer ADR and ODR is established by the following:
Directive 2013/11/EU on alternative dispute resolution for consumer disputes.
Regulation (EU) 524/2013 on online dispute resolution for consumer disputes (Online Dispute Resolution Regulation).
Commission implementing Regulation (EU) 2015/1051.
The UK implemented these through the Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations (SI 2015 No. 542) and the Alternative Dispute Resolution for Consumer Disputes (Amendment) Regulations 2015 (SI 2015 No. 1392) (collectively, the ADR Regulations).
The ADR Regulations apply to all businesses in the UK which sell goods, services or digital content to consumers, other than businesses classed as "health professionals" under the EU Directive 2011/24/EU.
Therefore, all traders selling to consumers (online or offline) must have access to a certified provider of ADR services in their sector (although ADR is not mandatory for traders unless sector-specific requirements already exist).
A list of certified ADR providers, by sector, can be found at www.tradingstandards.uk/ADRbodies.
ADR notification requirements:
If a trader is obliged to use ADR, whether under an enactment, rules of a trade association, or terms of a contract, the trader must provide the name and website address of the relevant ADR entity (or EU listed body):
On its website (if the trader has one).
In the general terms and conditions of sales or service contracts between the trader and a customer (where such general terms and conditions exist).
If a trader has exhausted its internal complaint procedures following a consumer complaint (regardless of whether the trader is obliged to use ADR), they must inform the consumer on a durable medium:
That the trader cannot settle the complaint with the consumer.
Of the name and website address of an ADR entity (or EU listed body) which is competent to deal with the complaint, if the consumer wishes to use alternative dispute resolution.
Whether the trader is obliged or prepared to submit to an ADR procedure, operated by that ADR entity (or EU listed body).
ODR notification requirements:
On 15 February 2016, the European Commission made an online dispute resolution platform available (https://webgate.ec.europa.eu/odr). This enables consumers with a complaint about a product or service bought online to submit an online complaint form to a trader who is based either within the same jurisdiction or in another country within the EU. In cross border disputes, the consumer can receive information and assistance from advisors based within their own jurisdiction to facilitate communication between the parties involved. As of 15 February 2016 all online traders (including online marketplaces) who provide goods or services to consumers, must provide consumers with the following information:
A link on their website to the ODR platform (regardless of whether they currently market their products or services to consumers in other member states).
An e-mail address on their website so that consumers have a first point of contact.
Traders that are required by legislation, through membership or by contract to use an approved ADR provider must:
Inform consumers of the existence of the ODR platform and the possibility of using the ODR platform for resolving disputes.
Provide the required ADR information (see above).
Provide a link to the ODR platform in:
e-mails which offer goods or services to consumers, and
the general terms and conditions applicable to online sales and service contracts (if any).
Upon receipt of a complaint, the ODR platform will notify the relevant trader and include details of approved ADR providers that are competent to deal with the complaint. The trader has ten days to state whether it is obliged to use a specific ADR provider or, if not obliged, that it is willing to use one of the providers detailed in the notification of the ODR platform. If a trader is not obliged to use a specific ADR provider and refuses to use one, the complaint cannot progress further via this route.
The remedies available to the consumer depend on the ADR provider used. It should be made clear to the users whether the ruling of an ADR provider is binding before commencing the process.
Advertising and marketing in all non-broadcast media (including, since March 2011, marketing claims on a company's own website, or in other non-paid-for space online under its control) is governed by the UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code). The CAP Code is written and maintained by the Committee of Advertising Practice (CAP) and reflects the statutory requirements for advertising and marketing, together with additional provisions designed to ensure that advertising is legal, decent, honest and truthful. The CAP Code is administered by the Advertising Standards Authority (ASA), which serves as a "one stop shop" for breaches of the code and the underlying legislation (although the ASA has the ability to refer serious or persistent breaches of the codes to Trading Standards as a "legal backstop").
The CAP Code includes general rules that all advertising and sales promotions must comply with, as well as certain industry-specific rules (see Question 31). The CAP Executive publishes frequent advice notes on areas of interest to online advertisers, such as online behavioural advertising (www.cap.org.uk/~/media/Files/CAP/Help%20notes%20new/Online%20Behavioural%20Advertising.ashx) and viral advertising (www.cap.org.uk/~/media/Files/CAP/Advertising%20Guidance/Advertising%20Guidance%20-%20Virals%20non-broadcast.ashx). In the context of social media, advertisers must take particular care to ensure that, when they engage celebrities to post about their products/services, it is clear to the consumer that the post is sponsored. There have been several high profile ASA adjudications in this area in recent years.
Outside of the field of consumer advertising, the Business Protection from Misleading Marketing Regulations 2008 govern business-to-business advertising, and also the conditions for lawful comparative advertising.
There are a number of types of products/services which are either prohibited from being advertised or sold online or are subject to additional restrictions, for example:
There are specific provisions regarding the online advertisement of tobacco products in the Tobacco Advertising and Promotion Act 2002.
Online gambling services require specific remote operating licences from the Gambling Commission.
From 1 July 2015 anybody in the UK selling medicines online to the general public must be registered with the Medicines and Healthcare products Regulatory Agency (MHRA).
The advertisement of these, and a number of other products (for example, financial services, alcohol and foods), is subject to additional specific requirements under the UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code).
The PEC Regulations impose a number of obligations on businesses that engage in direct marketing by e-mail or text message.
The PEC Regulations require senders of direct marketing e-mails or text messages to provide recipients with a valid address that can be used to opt out of further marketing communications. The PEC Regulations also prohibit the sending of communications that disguise or conceal the identity of the sender.
Crucially, the PEC Regulations prohibit the sending of unsolicited marketing e-mails and texts to individual subscribers for direct marketing purposes unless the recipient has notified the sender that he/she consents for the time being to such communications being sent by, or at the instigation of the sender. There is one exception to the requirement for prior consent. This is known as the "soft opt-in". It permits a business to send marketing e-mails and texts to individual subscribers without consent where:
Contact details have been obtained in the course of a sale or negotiations for sale.
Direct marketing communications are in respect of that business's similar products and services.
The recipient has been given an opportunity to opt out at the time his details were collected and is given the same opportunity at the time of each subsequent communication.
The Data Protection Act (DPA) also regulates the sending of SMS and e-mail spam where this involves the processing of personal data. Irrespective of whether spam is directed at individual or corporate subscribers, section 11 of the DPA confers an absolute right to object to the use of one's personal data for marketing purposes.
There are no specific language requirements for websites targeting the UK. However, section 68 of the Consumer Rights Act 2015 requires that all terms in consumer contracts or written consumer notices must be transparent, that is, they must be expressed in plain and intelligible language and legible. This requirement can be difficult to fulfil if information relevant to the contract is not presented to a UK-based consumer in English.
Worldwide income from sales concluded online is within the scope of UK taxation for UK resident traders, whether UK corporation tax up to 20% (reduced to 19% from April 2017 and 17% from April 2020) for companies or income tax at a rate of up to 45%.
A non-UK resident can be chargeable to UK taxation on profits arising from a trade carried on in (as distinct from "with") the UK, subject to double tax treaty relief. This includes non-resident companies trading through a permanent establishment (for example, UK branch office or local employee presence). Whether a non-resident is exercising a trade in the UK is a question of fact. One key factor is the place where the online contract is made (typically the same as the buyer's location). However even where contracts are made abroad, a trade is exercised in the UK if there is otherwise substantial profit-making activity performed in the UK.
As of 1 April 2015, the UK introduced a diverted profits tax at a rate of 25% chargeable on multinational enterprises who enter into arrangements to divert profits from the UK by artificially avoiding a UK permanent establishment and/or which lack economic substance and result in a tax mismatch outcome. The rules are complex but there are exceptions, including where:
A group is a qualifying small or medium-sized enterprise.
UK sales do not exceed GB£10 million in a 12-month accounting period.
Online sales will also have VAT implications (see Question 35).
Further future tax changes (including a further corporation tax rate reduction) may be introduced, depending on the UK government's position in response to the implications of the:
UK's referendum vote to leave the EU.
OECD's BEPS (base erosion and profit shifting) project, which is leading to changes in various international tax rules and having a fundamental effect on international business structures. For example, the UK is broadening the scope of UK withholding taxes (20%) due at source on royalty payments to non-residents, including for trademarks that were not previously covered by UK law.
Online companies with a UK establishment (for example, head office or staffed branch) have to register and account for UK VAT on UK sales where turnover exceeds the VAT registration threshold (currently GB£83,000). Overseas online traders must register for UK VAT if they make any taxable supplies in the UK even without a UK establishment, depending on the nature of the product they sell.
Cross border trade in services and/or the sale and movement of goods within the EU between businesses broadly fall within a VAT reverse charge reporting procedure, requiring the business customer to self-account for the VAT due, which avoids a need for the supplier to register for VAT in the business customer's country.
Different rules apply for cross-border business-to-customer supplies (B2C) within the EU, for example:
All suppliers of B2C digital services are liable to register and account for VAT on their B2C sales in each EU country where their customers belong, at the VAT rate applicable in their customer's country. Businesses face compliance burdens in establishing their customer location. To help reduce a supplier's administrative burden, an optional mini One Stop Shop system has been introduced. This system allows a supplier to register electronically in one EU country and submit single quarterly VAT returns and payments due in other EU countries, in which the supplier does not have an establishment.
EU businesses are subject to distance selling rules for cross border B2C sales of goods, requiring suppliers to register for VAT in their EU consumer's country where the value of B2C sales exceeds that country's distance selling threshold (GB£70,000 for most distance sales into the UK).
Goods brought into the UK from outside the EU are not distance sales or acquisitions but imports that are potentially chargeable to import VAT. Goods removed from the UK are potentially VAT-free exports if removed to a non-EU jurisdiction within applicable time limits and supported by necessary evidence of removal.
UK-based online companies generally must register with HM Revenue & Customs for corporation tax purposes within three months of starting the UK business activity. If they employ staff (including directors), they must register as an employer for PAYE purposes within the two months before the employee's first payday and pay employers' National Insurance contributions. Different payroll obligations may apply in respect of overseas-based employers.
If the UK leaves the EU, this may significantly impact VAT rules and applicable rates. In particular, it may bring the UK outside the scope of an ambitious EU Action Plan on VAT, which proposes to modernise the current EU VAT system, remove VAT obstacles for cross-border e-commerce and the digital economy and create a single EU VAT area within the EU single market with VAT simplifications and a modernised VAT rates policy. This may lead to fundamental changes to the current regime (see above), including for cross-border trade in goods (see http://ec.europa.eu/taxation_customs/taxation/vat/action_plan/index_en.htm). The impact of these new measures on UK digital businesses post-Brexit will need to be carefully monitored.
Protecting an online business
Liability for content online
Some key potential areas of liability for online traders are:
If a trader fails to comply with certain regulatory requirements (in particular regarding consumer protection), a public enforcement authority can obtain an injunction against the trader requiring it to comply with the applicable provisions (breach of which can be penalised by imprisonment or fines).
If the trader uses third party content online without obtaining the relevant rights, it can be exposed to claims of trade mark or copyright infringement. It is often assumed that content that is made available online (particularly on social media) can be freely used, but this is not the case and use without the correct permission is copyright infringement.
Under the common law and the Defamation Acts of 1952 and 1996, where content published on a website is defamatory, the victim can obtain damages and/or an injunction requiring removal of the offending content from the website.
There are several statutory offences that can potentially be committed through the publication of online content. For example, the publication of obscene material can be an offence under the Obscene Publications Act 1959, or the publication of racially inflammatory material an offence under the Public Order Act 1986. Criminal liability can also be incurred under the Data Protection Act where, for example, a website operator has misused an individual's personal data by publishing it online without their consent.
The Electronic Commerce (EC Directive) Regulations (SI 2002/2013) (E-Commerce Regulations) set out the minimum information that a website operator must provide (see regulation 6(1)), including the:
Company registration number (or equivalent means of identification).
VAT number (if applicable).
For UK traders, the Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015 (SI 2015/17) require that traders display on their website information, including the:
Registered name and number.
Address of their registered office.
Part of the UK in which they are registered.
There are additional requirements if the website is used to conclude contracts, in particular with consumers (for example, under Regulation 13 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013).
If the trader provides services (as opposed to solely goods), the Provision of Services Regulations 2009 (POS Regulations) contain further information requirements, including an obligation to provide contact details for sending complaints or requests for information (Part 2, POS Regulations).
Information must also be supplied by the website operator (in certain circumstances) regarding any applicable ADR service (see Question 29).
A trader is liable for unlawful content displayed on its website unless it is able to rely on a defence (see, for example, regulation 17 of the Consumer Protection From Unfair Trading Regulations).
It is good practice for a trader to include disclaimers as regards the accuracy and availability of content on its website to limit the expectations of users and therefore limit potential liability if the trader has displayed content by mistake. However, this may not be sufficient if the trader is unable to establish it has taken due care. Pricing errors are a common cause of concern. It is important that the trader's terms of sale anticipate this possibility and provide that a contract is not concluded until the trader has had the opportunity to review and confirm the order (see Question 6).
Where a website includes a facility for content to be uploaded by a third party, the hosting defence under Regulation 19 of the Electronic Commerce (EC Directive) Regulations (SI 2002/2013) (E-Commerce Regulations) provides that an information society service provider such as a website operator cannot be liable for content provided by a third party (that was not acting under the website operator's authority) if it:
Does not have actual knowledge of unlawful activity or information.
Upon obtaining such knowledge or awareness, acts quickly to remove or to disable access to the information.
In order to benefit from this defence it is common for providers to operate a system which allows users to notify the provider of infringing content on their website, so that the provider has the opportunity to disable access to that content (a "notice and takedown" system).
Advertisers will also be potentially liable for the content of their advertising that is carried out on third party websites.
To benefit from the defences under the Electronic Commerce (EC Directive) Regulations (SI 2002/2013) (E-Commerce Regulations), ISPs will reserve rights in their applicable agreements or terms of service to take down infringing materials such as websites, content or links (including without permission). These defences protect ISPs where they act as mere conduits or hosts of information, or merely cache information (Regulations 17 to 19, E-Commerce Regulations). However, in order to benefit from the hosting and caching defences, the ISP will need to "act expeditiously" to remove or to disable access to infringing content once it has actual knowledge of it (for example, as a result of a notice and takedown system).
Frequently ISPs do not disable content unless they are obliged to do so by a court order. Content owners can obtain injunctions under section 97A of the Copyright, Designs and Patents Act 1988, requiring ISPs whose services are being used by a third party to infringe copyright to block the applicable website, provided that the ISP has actual knowledge of the infringement (Twentieth Century Fox Film Corp v British Telecommunications plc  EWHC 1981 (Ch)). The courts have also been prepared to exercise their inherent jurisdiction to grant similar website-blocking injunctions to protect other rights such as trade marks (Cartier International AG v British Sky Broadcasting Ltd  EWHC 3354 (Ch)) to comply with Directive 2004/48/EC on the enforcement of intellectual property rights (Intellectual Property Directive).
Liability for products / services supplied online
In most cases, the position on liability for products or services supplied online is the same as for offline sales. However, online traders need to satisfy the specific requirements set out in this guide, to avoid adverse consequences. For example, under the Consumer Contract Regulations, where a consumer has not been informed of their right to cancel the contract, the cancellation period will be extended.
From an intellectual property perspective, the Trade Marks Act 1994 and the Copyright, Designs and Patents Act 1988 (CDPA) apply equally to acts done online as they do to acts done in the physical world, for example, the sale of a pirated work online will be an infringement of section 16 of the CDPA and offering for sale goods or services which infringe a trade mark (or which the supplier has reason to believe infringes a trade mark) (see Questions 23 and 39).
Also, see Question 7 about the provisions in the Consumer Contract Regulations for the supply of digital content and Question 11 regarding remedies available for a breach of an electronic contract.
For the most part, online businesses require the same sort of insurance as other businesses in the specific industry sector within which they operate. However, certain insurers offer products aimed at businesses with a significant online presence. For example, retailers can purchase online retailer policies which cover cyber liability as well as standard product and stock liability cover.
In May 2015, the EU Commission published a Digital Single Market strategy communication setting out its proposals for greater harmonisation of digital business within the EU, including proposals intended to make it easier for consumers to purchase goods and services from other member states. Since then, the Commission has published various draft legislative proposals to implement this strategy. These include:
A draft regulation to enhance the portability of online audio-visual services by requiring providers to enable consumers to access services while temporarily visiting other member states.
Draft regulations to prohibit traders from discriminating on the basis of nationality, country of residence or establishment between potential online customers of goods and services. Further legislative proposals in this area are expected in the coming months.
Following the UK referendum on leaving the EU, there remains a large degree of uncertainty over the extent to which EU laws will continue to have effect in the UK following Brexit, and the nature of any laws that will be enacted by the UK Parliament to take their place.
Description. The official online resource for UK legislation enacted since 1267.
Advertising Standards Authority (ASA)
Description. The official website of the Advertising Standards Authority (ASA), including rulings given by the ASA in cases concerning online advertising.
Committee of Advertising Practice (CAP)
Description. The official website of the Committee of Advertising Practice (CAP), containing the full text of the CAP and BCAP Codes and help notes on how to comply.
Information Commissioner's Office (ICO)
Description. Office responsible for the enforcement of the Data Protection Act 1998.
Craig Giles, Associate
Bird & Bird LLP
Professional qualifications. Solicitor, England and Wales
Areas of practice. Commercial law, consumer law, media and sport.
Will Deller, Associate
Bird & Bird LLP
Professional qualifications. Solicitor, England and Wales
Areas of practice. Commercial agreements, sponsorship, media rights, IP licensing, consumer contracts.
The authors would like to thank Heledd Lloyd-Jones (Data Protection), Caroline Brown (Tax), Rebecca O'Kelly-Gillard (IP) and Matthew Foote (Dispute Resolution) for their contribution to this chapter.