English law governing the conduct of business online is set out in various statutory instruments. This area of law has been subject to increasing harmonisation at EU level, although following the UK withdrawal from the EU there may be greater disparities between the two sets of laws in the future.

The following regulations are of particular significance:

Major UK legislation must be passed as an Act of Parliament. Additionally, Acts of Parliament often empower certain government ministers to make further, more detailed regulations in specific areas (for example, the Department for Business, Energy and Industrial Strategy oversees subordinate legislation for online services and consumer protection).

There are several national bodies that issue codes of conduct and guidance which do not have the force of law but can either influence interpretation of the law or bind companies that have agreed to comply with self-regulatory systems. Examples are the:

New businesses should establish a vehicle through which the business will operate (for example, a limited liability company). The business should be registered at Companies House, with HMRC and with the ICO (unless an exemption applies). Before choosing a company name or trading name, the owners should check that there are no existing companies trading with the same or a similar name which may cause confusion or potential issues with intellectual property (IP) infringement (see Question 28).

The business will need to establish an online trading presence and acquire a domain name. Unless the business already has staff with the necessary expertise, it will need to engage a third party to design and develop the website and an internet service provider to host the website.

The company's website must provide certain information to users (see Question 39). This is frequently provided in an "About Us" or "Terms of Use" section and in a privacy policy and cookies policy. Consent will be required for any cookies other than those which are non-essential, and should be collected on the website landing page by way of a cookie banner (see Question 18). If the business intends to trade through the website, it will require separate terms of sale/service.

In addition to the general legislation affecting online trade, the business owners should also check whether there are any rules and regulations specific to the type of business they intend to run.

Depending on the nature of the business, the following agreements are usually required:

People with the protected characteristics set out in section 4 of the Equality Act 2010 should not be discriminated against when using a service (Equality Act 2010). Providers of information society services must make "reasonable adjustments" to ensure that their services are accessible to disabled people, and are designed to meet the needs of people with protected characteristics (including disabled people) so that they can, as far as possible, receive the same standard of service.

The governing statutory body (that is, the Equality and Human Rights Commission) has published a code of practice to help organisations understand how to discharge these obligations (see Equality and Human Rights Commission: Services, Public functions and Associations: Statutory Code of Practice). Additionally, the World Wide Web Consortium (W3C) has published website accessibility guidelines, which provide an indication of the standard the courts would reasonably expect (see W3C Web Accessibility Initiative: WCAG 2 Overview). Public sector organisations are expected to meet the WCAG 2.1 AA accessibility standard (unless they are exempt) (Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018).

The ICO's Age Appropriate Design Code applies to providers of information society services likely to be accessed by children in the UK. The Code sets enhanced privacy standards for the processing of children's data, including requirements to:

There is also a prohibition on data sharing unless there is a compelling reason to share.

The Code came into force on 2 September 2020 with a 12-month transition period. While the Code itself is not binding, the ICO has made it clear that organisations that fail to comply with the Code will find it difficult to demonstrate that their processing is fair, which will give rise to a breach of UK GDPR and will be enforced in line with the ICO's Regulatory Action Policy (see also Question 22).

When embarking on a new project which uses personal data, organisations must evaluate whether the processing of personal data for the website or the app is likely to result in high risk to the affected individuals. If so, a Data Protection Impact Assessment (Article 35, UK GDPR) must be carried out. This process may involve prior consultation with the ICO. The ICO has produced guidance on conducting DPIAs including triggers for consultation.

Other guidance likely to be of particular relevance to those building websites and apps are:

Where a business enters into an agreement with an app developer, the terms must address which licences will be needed to develop and distribute the app, including for example, content and software licences (and address IP rights and ownership in any newly created or modified content or software). The agreement should also specify the required functionality of the app, development milestones and testing phases, and any ongoing support obligations of the developer.

If the business intends to distribute the finished app through an app store, it will usually enter into a distribution agreement with the app store provider. The agreements of the largest providers (Apple, Google and Microsoft) are publicly available on their websites.

Businesses frequently require users to enter into an End User Licence Agreement (EULA), which provides the terms and conditions (T&Cs) applicable to the use of the app. These may include data protection terms as well as certain mandatory terms stipulated by the relevant app store provider. The user must be provided with a copy of the EULA and must accept it before the user can download and use the app. The user must also be presented with relevant privacy information (see Question 16) and be given a mechanism through which the user can consent (or withhold consent) to non-essential cookies and similar technologies (see Question 18).

If the business wishes to accept payments through the app, an agreement with a third-party payment services provider may also be required.

For an online contract to be binding there must be an offer, acceptance, an intention to create legal relations, and certainty of terms.

To give the trader control over the terms of the contract, a website's T&Cs often:

The terms of the contract must be brought to the attention of the customer before the contract is completed. The English courts have not given definitive guidance as to how online T&Cs must be incorporated, but the most effective way is to design the website so that the customer is unable to complete their order until they have scrolled down the full T&Cs on-screen and clicked an "I accept" button (or similar). This is known as a click-wrap contract. In the context of software licence agreements (known as end user licence agreements) there are two other common forms of contract:

In a B2C context, the Explanatory Notes to the CRA reference the Law Commission and Scottish Law Commission's joint guidance note on unfair terms (see, in particular, Appendix C). The Explanatory Notes state that browse-wrap contracts are unlikely to be deemed contracts, and therefore capable of placing contractual obligations on a consumer, as there is no valid acceptance (as there is with a click-wrap contract).

Shrink-wrap contracts are also unlikely to be enforceable against consumers on the basis that they are likely to be unfair. Schedule 2 to the CRA sets out a list of terms which may be considered unfair in consumer contracts. These include a term which has the object or effect of irrevocably binding the consumer to terms with which the consumer has had no real opportunity of becoming acquainted before the conclusion of the contract.

However, both types of contract may potentially be considered a "non-contractual notice", so a form of warning to the consumer that may (for example) serve to discharge a duty of care that the website operator may otherwise have faced, and can serve to grant a unilateral licence to use the applicable software. Even as non-contractual notices, both browse-wrap and shrink-wrap contracts must comply with Part 2 of the CRA (unfair terms).

In a B2B context, it is unlikely that a browse-wrap contract would be legally binding, as there is no opportunity for the user to accept the terms.

The position on shrink-wrap contracts is unclear. While the terms may state that by downloading the software the user agrees to be bound by the terms of the licence, the user is still not made aware of those terms at the time of concluding the contract.

The Scottish Court of Session held that a shrink-wrap licence was enforceable in a case where a software package stated that opening the package indicated acceptance of the terms and conditions, and that the purchaser was entitled to return the packaged software up until the moment that the purchaser opened the package (Beta Computers (Europe) Ltd v Adobe Systems (Europe) Ltd, 14 December 1995). However, in the absence of English case law on this matter, the legal foundation for this well-established business practice remains unclear under English law.

Where orders are placed online, the E-Commerce Regulations require the trader to provide certain specific information, including:

The trader should also provide T&Cs in a way that allows the customer to store and reproduce them (Regulation 9).

The customer must be given the opportunity to review and correct input errors before completing the purchase. The trader must acknowledge receipt of the order by electronic means without undue delay, for example, by sending an order confirmation e-mail (Regulation 11). Businesses, but not consumers, can agree to contract out of these provisions.

Traders must provide consumers with additional specific information before entering into any contract, for example, the main characteristics and total costs of the relevant products/services, the arrangements for payment and delivery, and the existence of any right to cancel (Regulation 13 and Schedule 2, Consumer Contract Regulations).

Where orders are placed online, the trader must:

Under the Consumer Rights (Payment Surcharges) Regulations 2012 (SI 2012/3110) (as amended), a trader cannot impose any surcharges on consumers when making an online payment using credit or debit cards and similar online payment services (for example, PayPal).

In September 2019, the Law Commission published a report confirming that electronic signatures may be used to execute documents, including deeds (see Question 13).

It is crucial that the execution formalities are still satisfied, such as the requirement for a witness, if applicable. Some products by their nature require additional safeguards when being bought and sold by means of an electronic contract formed at a distance (see Question 32).

In general, contracts do not need to be available in a certain language (such as English) to be enforceable. However, contracts with consumers are subject to a transparency requirement, which requires that the terms are legible and are written in plain and intelligible language (section 68, CRA). Terms made available in another language are unlikely to satisfy the transparency requirement for UK-based consumers.

Businesses must comply with the E-Commerce Regulations, including the information requirements (see Question 7 and Question 39). Other statutory provisions apply to contracts formed online as they would do to a contract formed by other means including the:

The P2B Regulations impose obligations on providers of online platforms and search engines used by businesses to reach consumers, including:

There are also legal requirements where the contract involves the transfer of personal data between parties:

A business selling to consumers online must comply with the regulations applicable to B2B contracts (which generally cannot be contracted out of when dealing with consumers) and with additional consumer-specific regulation, in particular the CRA and the Consumer Contract Regulations.

The CRA applies to contracts formed on or after 1 October 2015, and consolidates and updates a number of other pieces of consumer rights legislation. It incorporates implied terms into consumer contracts (such as fitness for purpose and satisfactory quality), establishes a set of tiered remedies for consumers where their consumer rights are breached and grants statutory protection for consumers against unfair terms.

The Consumer Contract Regulations address what pre-contract information must be provided to consumers, including if contracting online, and the rights of consumers to a cooling off period within which they may cancel their contract and receive a refund with or without cause.

For more details on both pieces of legislation, see Practice Note, Consumer law: introduction to key legislation, and for information on the CRA generally, see Toolkit, Consumer Rights Act 2015.

EU legislation affecting online businesses that target customers in the EU include the:

These measures ceased to apply in the UK at the end of the Brexit transition period, but are still relevant to UK businesses targeting customers in the EU.

If the trader intends to trade with customers from other countries, they must establish which country's governing law will apply to the contract. When targeting consumers from another country, the trader should be aware that those consumers may be entitled to the benefit of certain mandatory laws from their own territory.

The trader must notify the customer whether the concluded contract will be filed by the trader and whether it will be accessible (Regulation 9(1), E-Commerce Regulations). Business customers, but not individual consumers, can contract out of this requirement.

Additionally, the UK GDPR imposes a general duty to retain personal data only for so long as is necessary, having regard to the purpose for which the data is collected or held (for example, for the purpose of fulfilling an order, or responding to a potential complaint or dispute).

There are no official government trusted site accreditations for websites, although some accreditations may be of interest to website providers, such as:

Remedies available for breach of an electronic contract are largely the same as those available for breach of any other type of contract.

Where a specific regulatory requirement is breached, additional remedies may be available. For example:

If the breach relates to the PEC Regulations, the ICO can issue a monetary penalty of up to GBP500,000.

E-signatures are recognised under English law.

The legal framework is based on the Electronic Identification Regulation ((EU) 910/2014) (eIDAS), which came into effect on 1 July 2016 and was implemented by the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016. eIDAS is an attempt to increase the use of electronic identification and authentication facilities and expand the legal framework governing electronic identification/documentation.

The UK regulations have been amended following the end of the Brexit transition period by the Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019 (SI 2019/89), largely to remove redundant provisions relating to intra-EU reciprocal arrangements.

The eIDAS defines an electronic signature as data in an electronic form that is attached to or logically associated with other data in an electronic form and used by the signatory to sign.

The eIDAS also provides a definition of "qualified electronic signatures". These are electronic signatures based on a qualified certificate and created by a secure-signature-creation device. Under the eIDAS, these signatures satisfy the legal requirements of a signature in the same manner as a handwritten signature, and are admissible as evidence in legal proceedings.

tScheme Limited operates a voluntary accreditation scheme of certification services, and maintains a list of providers it has certified.

English law takes a broad view of what constitutes a valid electronic signature. According to the Law Commission, it is simply necessary that the signatory's activity indicates an intention to authenticate. Law Commission guidance on the topic gives the following non-exhaustive examples:

For detailed guidance from the Law Commission, see The Law Society: Execution of a document using an electronic signature. The guidance is supplemented by an interim report by the expert Industry Working Group on Electronic Execution of Documents, which:

(Electronic Execution of Documents (publishing.service.gov.uk).

These reports provide guidance only and do not have legal effect.

The practicalities of having the signature witnessed can make electronic execution of a deed impractical. In September 2019, the Law Commission published their "Electronic execution of documents" report to address uncertainty about the formalities around the electronic execution of documents, particularly deeds.

The report confirmed that electronic signatures are capable of executing documents, including deeds, provided that the signatory intends to authenticate the document and the execution formalities are satisfied. The report took the view that the witnessing of a deed requires the physical presence of the witness (so this cannot be done remotely or by video link).

More generally, it can be harder to prove the validity of electronic signatures in comparison with handwritten signatures (where it is possible to use the evidence of a forensic handwriting expert). This risk can be mitigated to an extent through the use of a "qualified electronic signature" (see Question 12).

The collection and use of personal data is regulated by the UK GDPR and the DPA which apply to both:

The UK GDPR and DPA should be read in conjunction with one another. The UK Government has demonstrated its intention to reform the UK's data protection framework. One vehicle to achieve this was the Data Protection and Digital Information (No 2) Bill introduced in March 2023. At the time of writing, the future of the bill and the direction that reform may take are currently uncertain.

The UK GDPR also regulates international transfers of personal data. More detail on this is included in Question 16.

The UK GDPR regulates personal data, defined in Article 4(1) of the UK GDPR. It does not regulate information relating to corporate bodies.

Personal data is defined as any information relating to an identified or identifiable natural person. An "identifiable" natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. "Identifiers" include online identifiers (Article 4(1), UK GDPR) provided by devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags (Recital 30).

The definition requires the data to relate to a "natural" person. Information about a "legal" person with a separate legal identity from its owners (such as a limited company) does not amount to personal data, although information relating to natural persons within the business (for example, employees and directors) may be personal data. Additionally, information relating to businesses operating without a separate identity from their owners (such as sole trader businesses) may be personal data (if the other elements of the definition are satisfied).

For more see Practice Note: Overview of UK GDPR: Definitions: Personal Data.

The UK GDPR:

See Practice Note, Overview of UK GDPR: First data protection principle: lawfulness, fairness and transparency.

In most cases, personal data should not be collected by or on behalf of a data controller unless prescribed privacy information is provided to the data subject (Articles 12 to 14, UK GDPR). This information includes, among other things:

For digital business, this requirement is usually addressed by the publication of a privacy notice. See Practice Note, Overview of UK GDPR: Fair processing: information notices.

The UK GDPR also imposes obligations on data controllers in relation to the quality of the personal data they collect and use, and the period for which they hold the personal data (Article 5(1), UK GDPR) (see Practice Note, Overview of UK GDPR: Second data protection principle: purpose limitation). Additionally, the UK GDPR "accountability" principle requires data controllers to be able to actively demonstrate compliance with the data protection principles (Article 5(2), UK GDPR) (see Practice Note, Overview of UK GDPR: Accountability).

The UK GDPR does not expressly restrict cloud storage of personal data, but its provisions should be taken into account when cloud solutions are used by data controllers to store information that includes personal data. Data controllers retain legal responsibility for the security and integrity of data stored by or on their behalf on the cloud. They must ensure that any commercial agreement with third party cloud providers includes prescribed data protection provisions (Article 28, UK GDPR), and they are expected to monitor the cloud provider's compliance with these terms. See Practice Note, Overview of UK GDPR: Processors.

The UK GDPR restricts storage or transfer of personal data outside the EEA (through the use of cloud solutions or otherwise). Transfers of personal data from the UK are prohibited unless there is adequate protection for personal privacy (Articles 44 to 50, UK GDPR). See Practice Note, Overview of UK GDPR: Transfers under UK adequacy regulations.

For transfers to countries or organisations which do not benefit from an adequacy finding, a range of mechanisms can be relied on to deliver adequate protection, including the use of the ICO's International Data Transfer Agreement or the use of approved Binding Corporate Rules.

See Practice Note, Overview of UK GDPR: UK Binding corporate rules.

Where personal data is transferred internationally on the basis of contractual protections or binding corporate rules, a transfer risk assessment must be completed. The ICO has produced guidance and a template to assist organisations with completing these. The ICO's approach to risk assessment deviates from the EU approach.

The UK GDPR also:

Since the end of the transition period, in the absence of a relevant adequacy decision from the European Commission, the UK is a "third country" for the purposes of transfers of personal data from the EEA. This means that a transfer mechanism or derogation (see above) must apply to transfers of personal data from the EEA to a UK-based recipient.

At the time of writing, the UK does have a relevant adequacy decision. As such this requirement does not apply until and unless this is revoked.

Data controllers must recognise the rights of data subjects, which can impact on the ability of businesses, in certain circumstances, to retain and use personal data in the face of requests by data subjects to do otherwise. Digital businesses must ensure that systems used to store personal data are capable of accommodating the exercise of these new rights. See Practice Note, Overview of UK GDPR: Rights of the data subject.

A significant number of public authorities and regulators have powers to access or compel disclosure of information that is relevant to the exercise of their regulatory functions, such as:

The use of cookies and similar technologies (referred to collectively as "cookies") is currently regulated by the PEC Regulations. Website operators cannot store information or gain access to information stored in the terminal equipment of a user unless the user is provided with clear and comprehensive information about the purpose of such storage or access and has consented to it (Regulation 6). However, Regulation 6 does not apply to cookies that are strictly necessary to provide an online service requested by the user.

Where user consent is required, it must satisfy the validity criteria established under the UK GDPR, so it must be a freely given, specific, informed and unambiguous indication of the data subject's agreement (by statement or a clear affirmative action) (Article 4(11), UK GDPR).

Additional requirements apply to the consent under Article 7 UK of the GDPR. For information on these and more, see Practice Note, Cookies: UK issues and the impact of UK GDPR and DPA 2018.

Where use of cookies involves processing of personal data, the provisions of the UK GDPR also apply.

The PEC Regulations impose obligations on internet service providers to take appropriate technical and organisational measures to safeguard the security of the services they supply. As a minimum, this means that internet providers must:

The collection of any such information is conditional on the deployment of technical and organisational measures as set out in Article 32 of the UK GDPR. See Practice Note, Overview of UK GDPR: Data security and personal data breaches. These measures might include:

Online businesses must comply with their own obligations under the UK GDPR to take appropriate measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage, and will be similarly required to comply with their obligations under the UK GDPR (Article 32, GDPR).

To the extent that traders accept card payments from customers, they must ensure that their systems comply with the Payment Card Industry Data Security Standards (PCI-DSS), which stipulate how traders deal with customer information. Sensitive card authentication data must never be stored by the trader after authorisation of a payment transaction even if it is encrypted.

Neither the UK GDPR nor the PEC Regulations mandate the use of encryption. However, the UK GDPR obliges controllers and processors to implement appropriate measures to ensure a level of security appropriate to the risk (see Question 19). The types of measures envisaged by the UK GDPR which may be appropriate include pseudonymisation and encryption of personal data (Article 32(1)(a), UK GDPR). In many cases data encryption will be considered an appropriate and necessary measure for the protection of personal data stored on mobile digital media, sensitive or confidential e-mail communications, and data held in the cloud.

Although the use of encryption by online businesses is not prohibited, under section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA), law enforcement authorities have some powers to require decryption of a particular document or (in limited circumstances) to compel the disclosure of an encryption key by giving notice.

In addition, the Investigatory Powers Act 2016 (IPA) extends the previous power under RIPA to mandate a permanent interception capability. The IPA confers powers on:

See Practice Note, Investigatory Powers Act 2016: overview.

The provision of payment services is subject to a complex set of regulatory requirements and involves a number of regulators.

The Payment Services Directive ((EU) 2015/2366) (PSD2), implemented in the UK by the Payment Services Regulations 2017 (PSRs), governs the provision of payment services in the UK by regulated payment service providers. The PSRs contains strict requirements on the conduct of business by print service providers, security and protection of customer data and strong customer authentication. See Practice Note, Understanding the Payment Services Regulations 2017.

Traders are generally free to accept electronic payments, subject to certain security requirements (see Question 19).

Some traders also use recurrent electronic payments in the form of direct debit transactions using an instruction to the consumer's bank or electronic money institution. These payments are subject to the banking industry consumer protection rules including the Direct Debit Guarantee vetting process.

Subscription pricing models are also becoming increasingly prevalent for electronic payments. Subscription T&Cs are governed by contract and consumer protection laws (such as the Unfair Contract Terms Act 1977) and the payments model has been subject to increasing scrutiny by the Competition and Markets Authority.

Contracts with individuals are generally only enforceable if the individual has reached the age of 18 (section 1, Family Law Reform Act 1969). Contracts with very young children are generally void. However, there are some circumstances in which contracts with older minors may be enforceable, including contracts for:

Section 5 of the CAP Code (see Question 32) provides a series of restrictions on advertising to minors (including online).

The UK GDPR imposes specific obligations on website providers offering online services to children. See Practice Note, Overview of UK GDPR: Children and consent.

Website providers must supply extensive information to data subjects about the data processing operations conducted (Article 13, UK GDPR) (see Question 16).

This information must be communicated in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child (Article 12(1), UK GDPR).

Where online services are offered or supplied to a child and there is requirement under the UK GDPR to obtain consent to process the child's personal data, then parental consent or authorisation is required (Article 8, UK GDPR). The UK GDPR makes clear that children under the age of 13 can never themselves give consent to the processing of their personal data in relation to online services. Therefore, if an organisation seeks consent to process the personal data of a child under 13 in connection with the provision of an online service, parental consent or parental authorisation of consent is required. Website providers are expected to make "reasonable efforts" to verify that parental consent is given or that consent is authorised by a parent, in light of available technology.

The UK GDPR confers a right on all data subjects to obtain the erasure of their personal data where at least one of the grounds set out at Article 17(1) of the UK GDPR applies. One of the grounds on which this right can be exercised is that the personal data were collected in relation to the offer of online services to a child in circumstances where consent was given by or on behalf of the child. See Practice Note, Overview of UK GDPR: The right to erasure and the right to be forgotten.

The ICO has published its Age Appropriate Design Code (under section 123 of the DPA), which came into force on 2 September 2021 and applies to all providers of information society services likely to be accessed by children. The Code contains 15 standards that aim to provide children with "high privacy by default" and to automatically provide children with a built-in baseline of data protection whenever they access services online or through connected devices. For details of these standards, see ICO: Age appropriate design: a code of practice for online services.

The Commercial Agents (Council Directive) Regulations 1993 (SI 1993/3053), implementing Directive 86/653/EEC (Commercial Agents Regulations) govern the relationship between an agent and principal when an agent sells or purchases goods on behalf of its principal. The Commercial Agents Regulations contain some important protections protecting the agent's rights to commission. They do not extend to services or to other types of relationship that fall outside an agency (such as distributors).

In the UK, the courts have traditionally taken the view that the supply of software on a tangible medium (such as a CD) falls within the definition of "goods", whereas the electronic supply of software falls outside that definition. However, following a reference from the Supreme Court in The Software Incubator Ltd v Computer Associates UK Ltd [2016] EWHC 1587 (QB), the CJEU recently held that "goods" does cover the electronic supply of computer software, and if the software is provided in return for a fee in consideration of a perpetual user licence, this will classify as a "sale of goods" for the purposes of the Directive.

As a general rule, the UK regulations will apply if the agent is performing agency services in the UK. However, the position on international agency relationships is not always simple. For example, there is scope for the parties to contract out of this if they elect the law of an EEA member state. Therefore, specific advice should be taken.

Hyperlinking to, and framing material on, a third party's website is permitted, provided the linked material is both:

If the linked material has been removed or the link circumvents any subscription, pay wall or other barriers imposed by the original content owner, providing the link can be a breach of the Copyright Directive (2001/29/EC).

European case law also suggests that where the organisation/website linking to the material is operating for profit there may be a requirement for them to investigate whether the linked material is online with the rights owner's consent (GS Media BV v Sanoma Media Netherlands BV, Case C-160/15).

A recent decision of the English High Court states that where a party makes hyperlinks available to the public and that party is not a conventional search engine or website, that party may be making the works that appear at the source of the hyperlink available to a new public without the consent of the rights holder. To assess if that is the case, regard would have to be had both to the original public and to the intended public to which the hyperlink is made available (Warner Music and Another v TuneIn Inc [2019] EWHC 2923 (Ch)).

Other practices are not permitted if they are a breach of a third party's exclusive rights under copyright or trade mark law. Whether an infringement occurs depends on the material used and the use made of it.

In addition, if information is extracted from a third party's website, it is also necessary to ensure that the use is not in breach of the T&Cs of that website.

Use of metatags or keywords that are trade marks owned by a third party may infringe those trade marks. Whether or not an infringement occurs depends on the circumstances of the use. Each of the requirements necessary for trade mark infringement must be present (section 10, Trade Marks Act 1994) (L'Oréal SA v eBay International AG, Case C‑324/09).

There are no specific regulations in place regarding the licensing of domain names. The rules of contract law apply.

However, the licence must be in writing and signed by the licensor (the trade mark owner) if both:

(Trade Marks Act 1994.)

Anyone can register a ".uk" domain, whether based in the UK or not. These can be registered at Nominet, the official registry or any of a number of commercial registries.

As a result of the UK leaving the European Union (EU), any UK-based entity that has registered an .eu domain name will no longer be entitled to hold or operate from that domain. Only EU-qualifying people or entities are entitled to register .eu domains.

Domain names themselves do not confer any additional rights, but are merely property purchased by the domain name registrant from the registrar for a defined, renewable, period of time.

It is possible to register domain names as trade marks at the UK Intellectual Property Office, provided they meet the requirements for trade mark registration (and consequently the registered trade mark can also be subject to invalidation or revocation).

The use of a domain name might give rise to unregistered trade mark rights if, over time, the domain name acquires the attributes of a trade mark (for example, it serves to distinguish the goods of one undertaking from those of another undertaking). In such circumstances, if a third party misrepresents a connection or affiliation with the domain name, that third party could be committing an act of passing off. For more information, see Practice Note: overview of passing off.

For the majority of company types, the trader searches the register at Companies House to ensure the proposed name of the company is not the same as, or similar to, a name that is already in use. The company name must also include the appropriate ending (for example, "Limited" or "LLP"). Company names (and changes to them) must be recorded at Companies House as part of the company registration process.

Business names that imply a connection with government or a public authority, or contain certain "sensitive" words or expressions, are restricted and must be approved by the Secretary of State. Examples of restricted words include "Queen" and "Britain".

The existence of a registered trade mark that is identical or similar to the contemplated business name should also be considered.

The same jurisdiction rules apply to internet transactions/disputes as for other disputes, although the position has changed following Brexit. A distinction can now be drawn between legal proceedings that:

For a detailed analysis of the differences between the jurisdictional regimes, see Practice Note, Jurisdiction: an overview: Institution of proceedings.

Different rules apply depending on whether proceedings are within a B2B or B2C context.

Under the EU regime, defendants should generally be sued in their country of domicile. Although there are some exceptions, this will apply to civil and commercial matters where the defendant is a business domiciled in the UK for proceedings that have commenced before 11.00 pm on 31 December 2020.

Articles 17 to 19 of the Recast Brussels Regulations provide further jurisdictional protection for consumers domiciled in an EU member state. Such consumers can only be sued in their member state of domicile by the counterparty, but they have the choice to sue the counterparty either in their own or in the counterparty's domicile. Any jurisdiction clause that departs from this is rendered unenforceable unless entered into after the dispute arose (Article 25(4)).

Three types of consumer contract are covered by these provisions:

(Article 17(1).)

For proceedings commenced from 1 January 2021, the Civil Jurisdiction and Judgments Act 1982 (CJJA 1982) has been amended to provide similar protection for UK consumers as is provided in Articles 17 to 19 of the Recast Brussels Regulations. The main difference is that "member state" is substituted for "part of the United Kingdom", meaning a consumer can bring proceedings against a counterparty in the courts of the place where the consumer or the counterparty is domiciled in the UK.

Any jurisdiction clause entered into before the dispute arising will have no legal force if it purports to require the consumer to bring proceedings in a part of the UK where the consumer is not domiciled.

As the UK is no longer a party to the Lugano Convention 2007, parties will have to follow the domestic UK law regime, and will also have to consider different national regimes in cross-border disputes with parties residing within countries who are members of the Lugano Convention.

If court proceedings are commenced in a UK court, in relation to a contract, the following regulations determine governing law:

A core principle of Rome I and the Rome Convention is that the parties to an agreement are free to choose the law that governs that agreement. However, where the laws of a different country would have applied but for the choice of law, certain specific mandatory rules of law of that country may continue to apply.

If the parties did not choose a governing law (for example, under a sale of goods or services contract), Rome I generally provides that the law of the party selling the goods or performing the services applies, while the Rome Convention applies the law with which the contract has the closest connection. Where the contract is with a consumer, the law of the consumer's place of habitual residence generally applies (subject to exceptions which differ under the two sets of rules).

Non-contractual disputes are principally governed by the Rome II Regulation ((EC) No 864/2007), which is applied from 11 January 2009. As a general rule, Rome II provides that the law governing the dispute is that of the state in which the relevant damage occurred (subject to a number of exceptions).

Under both the Rome I and Rome II Regulations, consumers are provided further protection in that certain statutes, such as UCTA 1977, cannot be derogated from and will override the parties' choice of applicable law to the extent that the law has been chosen to avoid the statute.

As part of its Brexit arrangements, the UK incorporated Rome I and II into domestic law. The Rome I and Rome II Regulations, and EU-derived domestic legislation dealing with the law applicable to contractual and non-contractual obligations, are "retained EU law" within the meaning of the Withdrawal Act. Therefore, from that 1 January 2021, the UK applies the retained versions of Rome I and Rome II when determining the governing law of contractual and non-contractual obligations.

The rules under Rome I and Rome II have been amended to ensure that they operate effectively in domestic law at the end of the transition period (under the Law Applicable to Contractual Obligations and Non-Contractual Obligations (Amendment etc.) (UK Exit) Regulations 2019).

Following Brexit, the UK's legal framework for consumer ADR and ODR is now based on domestic legislation only. This means that:

If a trader is obliged to use ADR, whether under an enactment, rules of a trade association, or terms of a contract, the trader must provide the name and website address of the relevant ADR entity:

If a trader has exhausted its internal complaint procedures following a consumer complaint (regardless of whether the trader is obliged to use ADR), they must inform the consumer on a durable medium:

In line with the Online Dispute Resolution Regulation ((EU) 524/2013), on 15 February 2016, the European Commission made an ODR platform available (https://webgate.ec.europa.eu/odr). This enables consumers with a complaint about a product or service bought online to submit an online complaint form to a trader who is based either within the same jurisdiction or in another country within the EU.

The Online Dispute Resolution Regulation was revoked by the Consumer Protection (Enforcement) (Amendment etc.) (EU Exit) Regulations 2018. From 1 January 2021, businesses and consumers in the UK are no longer able to use the ODR platform. UK consumers can still access ADR entities in EU countries, but not through the ODR. In addition, online traders selling in the UK are no longer obliged to provide consumers with information about the EU's ODR platform on their websites.

The remedies available depend on the ADR provider used. It should be made clear to the users whether the ruling of an ADR provider is binding, before commencing the process.

The key legislation is the CPRs, which prohibit various unfair practices by traders, such as misleading actions or omissions, and aggressive sales practices. See Practice Note, Consumer Protection from Unfair Trading Regulations 2008.

Advertising and marketing in all non-broadcast media (including marketing claims on a company's own website, or in other non-paid-for space online under its control) is primarily governed by the CAP Code. See Practice Note, Advertising law and regulation: content rules and enforcement: Self-regulation and co-regulation by the advertising industry. The CAP Code includes general rules that all advertising and sales promotions must comply with, as well as certain industry-specific rules (see Question 32).

Additional regulation (both in terms of legislation and industry self-regulation) may apply to advertising in certain sectors. For example, the advertising of financial services, pharmaceuticals and medical devices are all subject to additional regulations and requirements.

Outside of the field of consumer advertising, the Business Protection from Misleading Marketing Regulations 2008 govern B2B advertising, and also the conditions for lawful comparative advertising. See Practice Note, Advertising law and regulation: content rules and enforcement: Business Protection from Misleading Marketing Regulations 2008 (SI 2008/1276).

The UK GDPR requires that all processing has a lawful basis (Article 6, GDPR).

The Working Party 29 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251), which remain relevant following the end of the transition period, indicate that it may be possible to rely on legitimate interests for profiling (in behavioural advertising), but that the ability to rely on this basis will diminish as the processing to build profiles becomes more invasive (for example, tracking individuals over multiple websites or platforms).

Where the lawful basis of legitimate interests is not available the controller is likely to have to collect the consent of the individual being profiled. The ICO has identified behavioural advertising as a priority area for regulation and is currently looking into the behavioural advertising practices of certain industries such as the gambling sector.

Any marketing conducted over direct messaging on social media is likely to be direct marketing and subject to the conditions set out in the PEC Regulations (that is, the organisation instigating the transmission of the marketing should have the consent of the individual to whom they send direct marketing unless there is an exemption). See Question 33.

Various types of products/services are either prohibited from being advertised or sold online or subject to additional requirements under the CAP Code, such as:

The PEC Regulations impose obligations on businesses that engage in direct marketing by e-mail or text message. They require senders of direct marketing e-mails or text messages to provide recipients with a valid address that can be used to opt out of further marketing communications. They also prohibit the sending of communications that disguise or conceal the identity of the sender.

Crucially, the PEC Regulations prohibit the sending of unsolicited marketing e-mails and texts to individual subscribers for direct marketing purposes, unless the recipient has consented to such communications (regardless of whether these are being sent by or merely at the instigation of the relevant business). An exception to this is the "soft opt-in", which permits a business to send marketing e-mails and texts to individual subscribers without consent where:

There are no specific language requirements for websites targeting the UK. However, section 68 of the Consumer Rights Act 2015 requires that all terms in consumer contracts or written consumer notices must be transparent. That is, they must be expressed in plain and intelligible language, and legible. This requirement is likely to prove difficult to fulfil if information relevant to the contract is not presented to a UK-based consumer in English.

Similarly, it would be difficult to demonstrate that the transparency obligations in the UK GDPR have been discharged where a privacy or cookie notice was not provided in English.

UK resident traders are subject to UK tax on worldwide income from sales concluded online. Different tax rates apply depending on the form of business structure. UK companies and UK branches of non-resident companies are subject to UK corporation tax at 25% for profits over GBP250,000 or 19% for profits under GBP50,000. Sole traders and individual partners are subject to income tax at rates ranging from 20% to 45% (plus National Insurance contributions).

A non-UK resident can be chargeable to UK taxation on profits arising from a trade carried on in (as distinct from "with") the UK, subject to double tax treaty relief. This includes non-resident companies trading through a permanent establishment (PE) (for example, a UK branch office or local employee presence). Whether a non-resident is exercising a trade in the UK is a question of fact.

The UK introduced a temporary Digital Services Tax (DST) in April 2020. DST is a turnover tax generally chargeable at 2% on a large group's revenues, attributable to UK users and in excess of certain annual thresholds, in connection with providing certain digital services activities. DST is being phased out as part of the UK's transition to and implementation of the OECD's complex two-pillar plan to reform international corporate tax systems. This includes a requirement for certain large UK and multinational groups to pay a "top- up" tax, where relevant UK and foreign operations have an effective tax rate of less than 15%.

Following consultation, the UK Government has confirmed that it will implement the OECD's Pillar Two framework for a global minimum corporate tax rate, for accounting periods beginning on or after 31 December 2023. Provision to this effect is included in the Finance (No.2) Bill 2022-23 which was introduced following the Spring Budget 2023.

For more detail, see Legal Update, 2022 Autumn Statement (Medium-term Fiscal Plan): key business tax announcements, Global minimum corporate tax rate; Practice Note, OECD pillar one proposal for taxing right over largest and most profitable multinationals and Practice Note, OECD Inclusive Framework proposal for global minimum corporate tax rate.

A proposed online sales tax (OST) under discussion in 2022 will not now be introduced due to its complexity and the risk of creating unfair outcomes between different business models in UK retail.

Diverted Profits Tax (DPT) at a rate of 31% (as of 1 April 2023), is chargeable on multinational enterprises that enter into arrangements to divert profits from the UK by artificially avoiding a UK PE and/or which lack economic substance and result in a tax mismatch outcome. The DPT rules are complex but there are exceptions, including where:

Digital platforms remain a key focus for the UK Government in seeking their co-operation to help promote tax compliance and to combat e-commerce tax fraud. Draft regulations were published in October 2022 to implement the OECD's Model Reporting Rules for Digital Platforms in the UK with effect from 1 January 2024, requiring UK operators of digital platforms which facilitate the provision of relevant services, sales of goods or the rental of property or transport to:

In November 2022, the UK signed a multilateral competent authority agreement with 21 other jurisdictions for the automatic cross-border exchange of information on income earned through digital platforms. First reports will be due from UK operators by 31 January 2025. HMRC will exchange the information collected with other tax authorities and use it to detect and tackle any non-compliance by sellers. However, uncertainties remain as to how these rules will be applied in practice as final regulations and written guidance from HMRC are still pending.

For further detail including on how to track this measure, see Practice Note, Common reporting obligations of platform operators.

Online sales have UK VAT implications (see Question 36).

Online companies with a UK establishment (for example, head office or staffed branch) must generally register and account for UK VAT on UK sales, where turnover exceeds the UK VAT registration threshold (GBP85,000 until 1 April 2026).

Overseas traders without a UK establishment must register for UK VAT if they make any taxable supplies in the UK and no VAT registration threshold applies. The UK's standard rate of VAT is 20%.

The place of supply determines where a supply of goods/services should be taxed, and in which country the registration and compliance requirements will arise.

Under general rules for services, B2B services are treated as supplied where the recipient belongs. Therefore, when services are supplied by non-UK businesses to UK VAT registered businesses, they usually fall within the UK's VAT reverse charge reporting procedure, requiring the business recipient to self-account for the UK VAT due. This avoids a need for the overseas supplier to register for UK VAT.

B2C services are treated as supplied where the supplier belongs under general rules, but several important exceptions apply:

For more detail, see Practice Note, Value added tax: Place of supply.

Significant UK VAT changes for online sales of goods were introduced as of 1 January 2021, with Great Britain no longer part of the EU Customs and VAT territory. Whilst UK VAT rules relating to services apply to the whole of the UK including Northern Ireland (NI) remains subject to EU VAT rules for trade in goods under the Northern Ireland Protocol (Protocol) agreed with the EU as part of Brexit. The Protocol adds a significant level of complexity to the application of VAT to goods moving to and from NI. As of 1 July 2021, major EU VAT changes also took effect for e-commerce sales of B2C goods and cross-border supplies of services which affect UK suppliers selling to EU consumers and UK online marketplaces facilitating those sales.

As a result of these changes, VAT is now due (at the rate applicable in the customer's country) on all commercial (non-excise) goods imported into the UK or Europe irrespective of their value, and a new "deemed supplier" regime applies requiring marketplace operators to account for the VAT due on certain sales of goods facilitated by the marketplace in place of underlying sellers.

In February 2023, the UK Government and the European Commission announced that agreement had been reached in principle on amendments to the NI Protocol but the proposed VAT changes are relatively minor. Meanwhile however, extensive new EU VAT initiatives have been proposed such as the "VAT in the Digital Age" package adopted in December 2022 and May 2023 proposals to expand the range of supplies covered by the EU's 2021 VAT e-commerce package, that could materially impact e-commerce sales in Europe by UK businesses.

For further details of these developments see Practice Note, Value added tax: UK VAT law and Practice note: overview, Post-transition period UK VAT changes: overview, as well as Practice note: Overview, Post-transition period UK VAT changes: overview: Northern Ireland, Legal update, The Windsor Framework: VAT and customs aspects: VAT and Legal update, The Windsor Framework: VAT and customs aspects: VAT and Legal update, VAT in the Digital Age: European Commission adopts package of proposals.

In addition to the above changes under certain conditions, operators of online marketplaces in the UK may be jointly and severally liable for the unpaid UK VAT of sellers using their platforms (similar provisions may also apply in the EU), and platform operators must take certain steps in relation to the verification and publication of valid UK VAT registration numbers of those selling goods on their platforms.

HM Revenue & Customs (HMRC) also has powers to compulsorily register an overseas online business and/or to require the appointment of a VAT representative and security.

Content posted on a website targeted at the UK must be lawful in the UK. Some key potential areas of liability for online traders are:

Both the poster of the content and the website operator may be liable.

Whether a poster is liable depends largely on whether the website is targeted at the UK and, if so, whether the poster's activity is unlawful in the UK. If both of these factors are satisfied, the poster is liable for their content.

A website operator may also be liable (see Question 40).

The minimum information that a website operator must provide includes:

(Regulation 6(1), E-Commerce Regulations.)

UK traders must display on their website information including:

(Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015 (SI 2015/17).)

There are additional requirements if the website is used to conclude contracts, in particular with consumers (for example, under Regulation 13 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013).

If the trader provides services, the Provision of Services Regulations 2009 (POS Regulations) contain further information requirements, including an obligation to provide contact details for sending complaints or requests for information (Part 2, POS Regulations).

A privacy notice and cookie disclosure should also be provided (see Question 3 and Question 18).

Additional information must also be supplied by the website operator (in certain circumstances) regarding any applicable ADR service (see Question 30).

The draft Online Safety Bill (see Question 37) is also likely to increase the amount of information that in-scope platforms must provide about how they view and treat different types of content.

A trader is liable for unlawful content displayed on its website unless it is able to rely on a defence (see, for example, Regulation 17 of the CPRs). Unlawful content can include misleading actions or omissions of the trader, such as making misleading claims about the product, if it causes the consumer to make a transactional decision that they otherwise would not have made (Regulations 5 and 6, CPRs).

A similar prohibition against misleading business customers is contained in Regulation 3 of the Business Protection from Misleading Marketing Regulations 2008.

It is good practice for a trader to include disclaimers regarding the accuracy and availability of content on its website, to limit the expectations of users and therefore limit potential liability if the trader has displayed content by mistake. However, this may not be sufficient if the trader is unable to establish it has taken due care. Pricing errors are a common cause of concern. It is important that the trader's terms of sale anticipate this possibility and provide that a contract is not concluded until the trader has had the opportunity to review and confirm the order (see Question 7).

An information society service provider such as a website operator cannot be liable for content uploaded by a third party (that was not acting under the website operator's authority), if it:

(Regulation 19, E-Commerce Regulations.)

To benefit from this defence it is common for providers to operate a system which allows users to notify the provider of infringing content on their website, so that the provider has the opportunity to disable access to that content (a "notice and takedown" system).

Advertisers are also potentially liable for the content of their advertising that is carried out on third party websites.

The UK GDPR imposes an obligation of accuracy on the controller of any personal data (Article 5(1)(d), UK GDPR). The data controller is responsible for inaccuracies relating to personal data and the data subject has a right to rectification of any inaccurate data (Article 16, UK GDPR).

The E-Commerce Regulations set out certain defences that ISPs can rely on to take down infringing materials such as websites, content or links (including without permission), provided that the ISPs reserve their rights in relation to these defences in the terms of their applicable agreements or terms of service.

For details of the key provisions of the E-Commerce Regulations and when they apply, see Practice Note, Caching: Liability for caching: Electronic Commerce Regulations.

Frequently ISPs do not disable content unless they are obliged to do so by a court order. Content owners can obtain injunctions under section 97A of the Copyright, Designs and Patents Act 1988, requiring ISPs whose services are being used by a third party to infringe copyright to block the applicable website, provided that the ISP has actual knowledge of the infringement (Twentieth Century Fox Film Corp v British Telecommunications plc [2011] EWHC 1981 (Ch)). The courts have also granted similar website-blocking injunctions to protect other rights such as trade marks (Cartier International AG v British Sky Broadcasting Ltd [2014] EWHC 3354 (Ch)) to comply with the Intellectual Property Directive (2004/48/EC).

The UK GDPR and DPA provide the Information Commissioner with certain powers of enforcement (Article 58, UK GDPR), including the power to require a controller or a processor ceases certain processing activities or ceases processing certain personal data (Article 58(2)(f), UK GDPR).

In most cases, the position on liability for products or services supplied online is the same as for offline sales. However, online traders need to satisfy the specific requirements set out in this guide, to avoid adverse consequences. For example, where a consumer has not been informed of their right to cancel the contract, the cancellation period is extended (Consumer Contract Regulations).

From an IP perspective, the Trade Mark Act 1994 and the Copyright, Designs and Patents Act 1988 (CDPA) also apply to acts done online. For example, the sale of a pirated work online is an infringement of section 16 of the CDPA and offering for sale goods or services that infringe a trade mark (or which the supplier has reason to believe infringe a trade mark) (see Question 24 and Question 41).

See also Question 8 about the provisions in the Consumer Contract Regulations for the supply of digital content and Question 11 regarding remedies available for a breach of an electronic contract.

Online businesses largely require the same insurance as other businesses in the specific industry sector within which they operate. However, certain insurers offer products aimed at businesses with a significant online presence. For example, retailers can purchase online retailer policies which cover cyber liability as well as standard product and stock liability cover.

Following Brexit, EU laws no longer have effect in the UK. Several changes have been made to retained EU law, including some provisions that have been revoked entirely. The EU and UK regimes are likely to continue to diverge as their respective legislation and case law evolves separately.

Through its Digital Marketing Strategy, the EU has implemented significant legislation to promote online trade between member states. The UK Government has stated that it will not implement certain of these measures (such as the Copyright Directive ((EU) 2019/790)) and has repealed other items of legislation that rely on the maintenance of reciprocal measures between the UK and EU member states.

Irrespective of whether it chooses to align itself with certain EU developments, the UK Government seems set to continue to review the legislative framework relating to digital business, and further reform is expected in this area in the coming years. For example: