Japan does not have a special legal regime governing digital business. There are a variety of laws and regulations relevant to digital business. Some of the laws are specific to online business, while others apply to all business activities.

These are the main applicable laws and regulations together with some recent relevant amendments:

The Ministry of Economy, Trade and Industry issued Interpretative Guidelines on Electronic Commerce and Information Property Trading in March 2002. The latest amendment was made in April 2022. The Guidelines were created with a view to enhancing predictability for concerned parties and facilitating trade by clarifying how the Civil Code and other relevant laws are applied to various legal issues relating to electronic commerce and information property trading.

The Bill on Improvement of Transparency and Fairness of Specific Digital Platforms was enacted in 2021. Under this Bill, major operators of digital platforms, such as cybermall operators, must:

The Diet is the sole legislative body in Japan. Japanese laws passed by the Diet often set out broad parameters and objectives and then authorise relevant government ministers to make further, more detailed regulations.

The relevant statute specifies which regulatory body is responsible for enacting regulations. For example, the Personal Information Protection Commission (PPC) enacts regulations under the APPI, and the Ministry of Economy, Trade and Industry enacts regulations under the Electronic Contract Act and the Act on Specified Commercial Transactions. The Ministry of Internal Affairs and Communications enacts regulations under the Act on Regulation of Transmission of Specified Electronic Mail.

The Digital Agency was established in September 2021 to facilitate the digital transformation of Japanese society.

Setting up an online business in Japan involves the same legal process as setting up a "bricks and mortar" business.

To access the Japanese market effectively, the website of the entity, regardless of form, must be in Japanese. This is not a legal requirement, but it is a practical reality. Very few online businesses will succeed if their goods and services are available only through a website in a foreign language. The Japanese language is used by nearly 100% of the population. The non-Japanese speaking foreign community represents a small percentage of the total population. Despite this, businesses and other entities are increasingly including a bilingual button that allows individuals to switch between Japanese, English and sometimes Chinese. The content of the non-Japanese webpage is frequently little more than a summary of what is included on the Japanese webpage.

An online business can expect to contract with the following parties:

Where goods are sold or services provided through a website or app, the following information must be indicated on the web page or app page:

Companies must endeavour to improve the structure of their website/app, maintain equipment, provide training for the relevant staff and address any other aspects of the digital environment to eliminate social barriers and/or accessibility (Article 5, Act for Eliminating Discrimination against Persons with Disabilities).

There is no specific law or guidance relating to access by children. However, an electronic contract entered into by a minor (below the age of 18) without parental consent is rescindable, unless the minor acts fraudulently to make the other party mistakenly believe that they are an adult, or have obtained parental consent (in which case the contract cannot be rescinded). Some companies take appropriate measures to prevent minors from entering into a transaction without parental consent, by requiring the contracting party to input their date of birth (or age) on the screen.

There are no specific legal requirements that apply to the development and distribution of apps. To be successful, the app must be in Japanese and be able to run on a mobile or smart phone. Japanese people are increasingly using mobile or smart phones as their primary method of accessing the internet. Many app developers provide versions of their apps optimised for mobile use.

However, the Japan Fair Trade Commission has reported that the following app developer agreements can violate the Act on Prohibition of Private Monopolisation and Maintenance of Fair Trade in Japan.

An agreement in Japan, including an electronic contract, is in principle formed only by offer and acceptance without requiring the preparation of documents or any other formalities, except as otherwise provided by laws and regulations. Exceptions to the general rule exist mainly in the area of consumer protection. For example, in B2C electronic transactions, if the company has not taken measures to reconfirm the consumer's offer, any contract made due to the consumer's error is rescindable in principle (Article 3, Electronic Contract Act).

Conversely, if the company has taken reconfirmation measures and there is gross negligence on the part of the consumer, the company can assert the valid formation of a contract. For example, the business entity needs to construct a webpage on which either:

There is no legal statutory "cooling off" period in mail order sales such as electronic transactions, apart from in designated sectors. However, unless the seller has indicated special provisions on withdrawal of the offer or cancellation in its advertisement, the person who made the offer (or the purchaser) can withdraw their offer for a sales contract or cancel the sales contract up to eight days after the date on which the purchaser delivered the goods or transferred the rights (Article 15-3(1), Act on Specified Commercial Transactions).

If the user is aware of the contents of the licence agreement before clicking on the button "I Agree (to the licence agreement)", where they click the button with intent to conclude a licence agreement, the licence agreement is formed. Where this happens, the click-wrap contract is enforceable.

Offer or acceptance by a consumer will not be found, and a licence agreement cannot be formed, where:

In such a case, the browse-wrap contract will not be enforceable.

There is some controversy concerning the validity of shrink-wrap contracts. If the user is aware of the contents of a licence agreement before breaking the seal of the media (such as a film wrap or seal), and they proceed to break the seal with intent to conclude a licence agreement, the licence agreement is formed. In such a case, the user cannot return the product on the grounds that they did not consent to the agreement. If information on the film wrap, the seal or the like is adequate and recognisable to the user and was broken, it is generally difficult for the user to assert that they are not bound by the contents of a licence agreement, although this depends on the facts in the actual case. However, if the user could have not been aware of the contents of the licence agreement, they can return the product even after they have broken the seal.

There are no major limitations in relation to electronic contracts and most contracts can be concluded electronically in Japan. However, to prevent future conflicts, there are some contracts that must be concluded in writing. The major contract types that cannot be formed electronically are:

Moreover, in some types of contracts, additional requirements are required when executing an electronic contract. For example, the Construction Business Act requires obtaining the agreement of the other party and meeting specific technical criteria to enter into an electronic contract for construction work (Article 19(3)).

Contracts are governed generally by the provisions of the Civil Code (as amended). Business to business (B2B) contracts are also governed by the provisions of the Commercial Code (Act No. 48 of 1899, as amended). In B2C electronic contracts, the Electronic Contract Act applies.

There is also no material difference whether the contract is for the supply of goods, services or digital products, other than generally applicable rules for certain regulated industries or for goods, services and digital products prohibited by Japanese public policy.

Japan has extremely strict gun, sword, and drug control laws. The latter include laws for prescription drugs that have been approved in one country, and are available on the internet, but have not been approved for use in Japan. Importing regulated or prohibited products purchased online could result in the arrest and prosecution of the buyer. The seller could also be subject to arrest and prosecution, assuming the authorities can obtain jurisdiction over the person selling the prohibited articles in Japan.

Japan has also amended the Criminal Code and enacted laws aimed at protecting children on the internet, such as the Act on Punishment of Activities relating to Child Prostitution and Child Pornography, and the Protection of Children (Act No. 52 of 26 May 1999). Of particular concern to the National Police Agency are internet dating sites that can be used to lure teenagers into prostitution and pornography.

A business operator handling personal information must strive to keep personal data accurate and up to date within the scope necessary for its use, and to delete the personal data without delay when such use has become unnecessary (Article 22, APPI).

The APPI also provides that, when a business operator handling personal information provides personal data to a third party, the following must take place:

Where a business operator who is required to preserve books and documents related to income tax or corporate income tax conducts electronic transactions, they must preserve the transaction information with respect to those electronic transactions for seven years (Article 7, Act on Special Provisions concerning Preservation Methods for Books and Documents Related to National Tax Prepared by Means of Computers; Article 59, Regulation for Enforcement of the Corporation Tax Act).

Where a business operator who sends electronic mail as a means of advertising for its own sales activities or for others receives requests or consents from receivers to send the electronic mail prior to their transmission, they must preserve the documents that evidence those requests/consents (Article 3(2), Act on Regulation of the Transmission of Specified Electronic Mail).

A number of internationally trusted site accreditation organisations operate in Japan. One domestic entity is JIPDEC, established as a non-profit organisation in 1967 under the auspices of the Ministry of Economy, Trade and Industry.

JIPDEC operates the "PrivacyMark" system. It assesses a business operator's framework and operations for the processing of personal information in a secure and appropriate manner, and if the business operator meets the standardised requirements for the secure processing of personal information, JIPDEC permits the operator to use the PrivacyMark.

The remedies for breach of an electronic contract are essentially the same as those for non-electronic contracts. They include monetary damages, injunctions and rescission. There is no difference between remedies for businesses and remedies for consumers.

Japanese law recognises e-signatures.

The Act on Electronic Signatures and Certification Business (Act No. 102 of 31 May 2000) (Electronic Signature Law) took effect from April 2001.

An e-signature as used in compliance with the Electronic Signature Law is a measure taken with respect to information that can be recorded in an electromagnetic record (a record in electronic, magnetic or any other form not perceivable by human senses and that is used for information processing by computers), and that meets both of the following requirements:

An e-signature which meets the above requirements and which can be performed by the principal through the appropriate management of codes and properties necessary to perform them is presumed to be authentic if it is performed by the principal in relation to information recorded in the electromagnetic record (Article 3, Electronic Signature Law). However, e-signatures are not a mandatory requirement for the formation of an electronic contract.

An e-signature must meet the requirements listed above. In addition, an e-signature that is presumed to be authentic is limited to one which can be performed only by the principal through appropriate management of codes and properties necessary to perform it (Article 3, Electronic Signature Law). Although there is no requisite format for e-signatures, public key cryptography is used extensively. E-signatures forming part of a Japanese government initiative are expected to prove popular, since they are stored on an individual number card to be issued to Japanese residents under the social security and tax number system introduced in 2016.

According to JIPDEC, 69.7% of companies in Japan had introduced a system for e-contracts as of January 2022. However, e-signatures which meet the requirements of Article 2(1) of the Electronic Signature Law are not used in all electronic contracts.

There are no limitations on the use of e-signatures in Japan.

The collection and use of personal data is regulated by the APPI. The APPI applies to any business operator handling personal information, including an operator using a personal information database for its business.

A digital platform provider, such as a cybermall operator, auction site operator or online search service to whom a consumer provides their personal data in exchange for using the platform's service(s), must not:

For further information on data protection laws in Japan, see Data Protection in Japan: Overview.

Personal information is regulated by the APPI and is defined as any information about a living individual which can identify the specific individual by name, date of birth or other description contained in the information (including information which allows easy reference to other information and enables the identification of the individual).

The APPI designates an "individual identification code" as personal information. "Individual identification code" means an identification code prescribed by cabinet order, including any character, letter, number, symbol, or other code that:

In addition, the APPI has designated certain personal information as "special care required personal information", which is personal information that identifies, among other things, a principal's:

Under a cabinet order, the handling of this type of personal data requires special care to ensure that the principle is not subject to unfair discrimination, prejudice, or any other disadvantage.

A business operator handling personal information:

When personal information is acquired, the acquiring business must notify every relevant person either individually or by public notice of the purpose for which it is used (Article 21(1), APPI). A business must expressly disclose the purpose in advance, when it acquires personal information from such a person directly by means of a written document or electronic method, except where acquisition is urgently required for the protection of the life, body or property of an individual (Article 21(2), APPI).

A business operator handling personal information must:

In addition, certain cases of leakage, loss or damage of the data must be reported to the Personal Information Protection Commission and be notified to the data subject (Article 26, APPI).

A business operator is prohibited from providing personal data to a third party without consent with the following exceptions:

A business operator retaining personal data:

There are no restrictions on the storage of personal information in the cloud provided that the storage arrangements meet the obligations of the APPI. The Ministry of Economy, Trade and Industry has published Guidelines on Information Security Management for Use of Cloud Services, which describe what cloud users and operators should do to ensure information security.

A business operator handling personal information must not provide a third party located in another country with personal data without first obtaining the data subject's consent. However, a business operator handling personal information may provide a third party in another country with personal data without such consent if that third party:

Is located in countries which are considered to have an adequate level of protection specified by a ruling of the PPC.

Has the adequate protection measures designated by a ruling of the PPC.

EEA countries and the UK are designated as the countries which have an adequate level of protection.

Where handling personal data in a foreign country, it is necessary to understand the systems and rules concerning the protection of personal data in the relevant foreign country and take security control measures (Article 23, APPI and General Guideline 10-7).

For example, where using cloud services provided by a third party in a foreign country:

The police can access or compel disclosure of personal data under a lawfully issued search warrant. Also, a business operator handling personal information must disclose personal data (among others):

There is no specific law restricting, or imposing conditions on, the use of cookies. While cookies themselves are basically not deemed to be personal information, any information, including cookies, which allows easy reference to other information and enables the identification of the specific individual falls under personal information. In this case, the prior consent of the data subject is required to provide cookies to third parties.

Even when acquiring Personally Referable Information such as cookies that by themselves do not identify an individual, the consent of the data subject is required if the information is acquired as personal data, such as by adding it to personal data after acquisition (Article 31(1), APPI).

In addition, under the amended Telecommunications Business Act, certain telecoms carriers must notify users of the content of information about them that is to be transmitted by cookies and the telecoms facilities to which such information is to be sent, or place such information where such users can access it (Article 27-12). However, this does not apply:

Under the Instalment Sales Act (Act No. 159 of 1 July 1961), credit cards' member stores and so on should take proper management of credit card numbers, which effectively means either not storing such data, or implementing the Payment Card Industry Data Security Standard (PCIDSS).

Encryption is neither required nor prohibited. It is, however, used by online businesses to assure consumers and customers that the information they provide is safe.

The Payment Services Act regulates payments made using prepaid-type electronic money. The Act stipulates various obligations such as notification, registration and the establishment of information security management. The Act also provides regulations for funds transfer service providers and crypto-assets exchange service providers. Any company providing these services must be registered with the Japanese Government.

There is a duty to report designated payments into or out of Japan to the Bank of Japan (Foreign Exchange and Foreign Trade Control Act (Act No. 228 of 1 December 1949, as amended)). There is also a duty to prevent money laundering by such means as confirming designated information when making a transaction, or reporting a suspicious transaction to a government agency (Act on Prevention of Transfer of Criminal Proceeds).

In addition to the major regulations mentioned above, there are various laws and regulations relating to financial services, such as the:

There are no specific rules that apply if the site is aimed at children.

An electronic contract by a minor (below the age of 18) without parental consent is valid in principle unless they or their parent cancel the contract by rescinding their manifestation of intention (Article 5(1) and (2), Civil Code). However, if a minor acts fraudulently to make the other party mistakenly believe that they are an adult, or have obtained parental consent, that minor cannot rescind the manifestation of intention (Article 21, Civil Code).

A business operator handling personal information must obtain the prior consent of the data subject to provide the personal data to a third party (Article 27, APPI) (see Question 16).

Where a child has no ability to understand the results arising from their consent to the handling of personal information, the consent of the child's attorney-in-fact must be obtained.

There are no laws protecting companies that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction.

In principle, it is permitted to link to any third-party website in Japan. However, where a link is configured so that a viewer could be confused between the contents of the linking website and the site to which it is linked, this can constitute infringement of a copyright holder's moral rights under the Copyright Act (Act No. 48 of 1970, as amended).

Linking and framing can also fall within the definition of unfair competition if the product identification of the operator of the linked page is configured so that users are misled into confusing the linking page with the linked page. The same applies where a well-known product identification is used as if it were the product identification of the operator of the linking page.

Finally, setting up a linked website can constitute infringement of a trade mark if it appears to the website's users that the linking site is the origin of another person's trade mark.

Caching in cache servers, and reproduction in conjunction with the exploitation of works on a computer, are both permitted (Articles 47-4, Copyright Act).

Spidering by an internet search engine is also permitted (Article 47-5, Copyright Act).

There is no limitation on the use of advertising keywords. However, if a company uses another company's trade mark, that company may be liable under tort law as a free rider, and liable under the Unfair Competition Prevention Act.

Displaying a website using a title tag or description tag including the trade mark of another company in the source code can constitute trade mark infringement or an act of unfair competition, while using a keywords tag including the trade mark of another company does not constitute trade mark infringement.

To register a co.jp domain name, a company must be established in Japan. Foreign companies can meet this requirement by, for example, having a registered branch office.

.Jp domain names are registered on a first-come, first-served basis, usually within a day or two of application. However, a registration made or used in bad faith can be contested at the agency authorised by the Japan Network Information Centre (JPNIC). The authorised agency is the Japan Intellectual Property Arbitration Centre (JIPAC).

Acquiring or holding the right to use a domain name that is identical or similar to another person's specific indication of goods (a name, trade name, trade mark, mark, or any other indication of goods or services relating to a person's business), or the use of any such domain name to acquire an illicit gain or cause injury to another person, is deemed to be unfair competition (Article 2(1), (xix), Unfair Competition Prevention Act (Act No. 47 of 19 May 1993)).

Using another company's trade mark for domain could infringe its right of trade mark.

For all Japanese companies, the government maintains a list of corporate names that have already been registered. If a proposed business name is not already in use, it will be available unless it violates the trademark of another business.

A Japanese company must use in its company name the words Kabushiki-Kaisha (stock company), Gomei-Kaisha (general partnership), Goushi-Kaisha (limited partnership) or Goudou-Kaisha (limited liability company).

Names contrary to public order, good morals or the laws of Japan are also prohibited. The same rules apply to domain name registration.

In principle, Japanese courts honour choice of jurisdiction clauses in contracts, including the selection of arbitration over litigation. Where there is no choice of jurisdiction clause, a court in Japan will have jurisdiction over an action against a person who has a domicile in Japan or against a juridical person or any other association or foundation whose principal office or business office is located in Japan (Article 3-2, Code of Civil Procedure). Even if the defendant has no domicile, principal office or business office in Japan, a court in Japan may have jurisdiction depending on the circumstances of the case (Article 3-3, Code of Civil Procedure).

Even where Japanese courts have jurisdiction over an action (excluding those that can only be filed in Japan), the court can dismiss without prejudice all or part of it if hearing the case in Japan would impair fairness between the parties or hinder efficiency of the hearing. The circumstances it would take into consideration when making such a decision include:

An action relating to a business involving consumer contracts (excluding labour contracts) which is brought by a consumer against a business operator can be filed with a court in Japan if the consumer is domiciled in Japan at the time the action is filed or the contract is entered into (Article 3-4(1), Code of Civil Procedure). There are no special rules for business customers.

Conflicts of law are governed by the Act on the General Rules of Application of Laws (Act No. 10 of 1898, as amended by Act No. 78 of 21 June 2006).

A choice of law provision made by the parties will be respected by the courts in Japan (Article 7, Act on the General Rules of Application of Laws).

In the absence of a choice of law by the parties, a legal act will generally be governed by the law of the place with which the act is most closely connected at the time of the act. The law provides a number of more specific rules intended to assist a judge in selecting the applicable law.

There are also special rules for consumer contracts in favour of selecting the law of the consumer's habitual residence. If the consumer has indicated their intention to the business operator that a specific mandatory provision in the law of that residence should be applied, the provision will also apply to the matters specified under it with regard to the formation and effect of the consumer contract. There are no special rules for business customers.

Finally, there is a public policy override in cases where foreign law governs. The classic example is punitive damages, which are void in Japan as contrary to public policy.

The options that online traders and customers can use for ADR are the standard Japanese procedures, such as arbitration, conciliation, and mediation of settlement.

In the case of arbitration, the party that wants to use such a procedure must ensure that there is an arbitration agreement between the parties. The arbitration agreement confirms that the parties will leave the resolution of civil disputes to an arbitrator or arbitrators and accept the arbitral award. If the parties conclude an arbitration agreement, they cannot file for a civil dispute. One party must respond to the other party's application for arbitration. Moreover, the arbitral award has the same effect as a final and binding judgment.

In cases involving conciliation and mediation of settlement, participation or renouncement of the procedure, the parties choose to consent to or reject a settlement offer. However, as a settlement agreement reached in this way has the effect of a general agreement under the civil code, there is no power of enforcement.

There are several ADR organisations in Japan such as the:

The largest B2C ADR organisation in Japan is the EC Network. Small and medium sized enterprises tend to use an arbitration organisation because they often lack the experience and know-how to deal effectively with consumer complaints. The members of the EC Network can take advantage of ADR or ODR administered by the EC Network. Complaints are handled exclusively by email and the service is free of charge to consumers. The EC Network handles around 50 to 60 complaints a month.

The Japanese Government set up a council in October 2020 to analyse and study ODR and promote both the implementation and use of ODR in Japan. This council is currently holding study sessions on a regular basis, but no conclusions have yet been reached.

There are no requirements to notify customers of the availability of these dispute resolution options other than the requirements contained in the APPI. Under the APPI, a business operator handling personal information must make the following information accessible to persons if the business operator is an enterprise covered by an accredited Personal Information Protection Organisation:

Where online traders and customers use conciliation or mediation of settlement as an ADR method, these are simply voluntary dispute resolution solutions and there is no power to enforce the outcome of the resolution process. However, where arbitration is used, the arbitral award is legally enforceable.

Advertising goods and services online or via social media is subject to the same basic rules that apply to all advertising. Essentially, false or misleading advertising is prohibited. The following are of particular relevance:

The Fair Trade Commission and Consumer Affairs Agency formulate guidelines for representation on B2C electronic transactions. In addition, APPI applies if through cookies or other information collection devices such behaviour history information can become personal information (see Question 18).

Japanese law has a number of regulated industries that require a licence, including banking, insurance and securities. Operators within these industries are not permitted to offer their goods and services online to potential customers in Japan without obtaining the same licences as required by a domestic party engaged in these businesses.

In practice, it is virtually impossible to obtain the necessary licences without a physical presence in Japan.

Regulated businesses must also have a bona fide resident representative in Japan, so that there is a person available to the regulators for questioning if necessary.

Prescription drugs (which can be imported by foreign nationals when not available in Japan, with appropriate permission) and weapons are also very strictly regulated. Other goods, such as illegal drugs (for example, marijuana, even for medical use), operate under a zero tolerance policy. Online gambling is another example of a business activity that is prohibited under Japanese public policy.

In addition, it is prohibited to advertise or publicise false or exaggerated information with respect to the effect or efficacy of drugs (Article 66, Pharmaceutical Affairs Act).

The Act on Regulation of the Transmission of Specified Electronic Mail and the Act on Specified Commercial Transactions regulate text messages and spam emails (see Question 31).

Online businesses can offer goods and services in any language. As indicated in Question 3, an online business will not be widely successful in Japan unless its goods and services are offered in Japanese.

Online sales are subject to taxation. Japan has a consumption tax of 10%. The consumption tax applies to domestic transactions for goods and services as well as to imports.

Services such as providing e-books, music, video, and so on are taxed at the address of the recipient and not the address of the office of the service provider.

A Japanese business receiving B2B electronic services from outside Japan is responsible for filing and paying the consumption tax, instead of the foreign service provider (the "reverse charge mechanism"). In this case, a foreign business providing B2B electronic services for a Japanese business must indicate beforehand that the service recipient will be liable to file and pay consumption tax when providing the services.

When a foreign business provides B2C electronic services, the foreign service provider must file and pay the consumption tax. A sole proprietor without an address or domicile in Japan, and a corporation without a head office or an office in Japan, must designate a tax agent to deal with submission of tax returns and notification documents, and tax payment.

A purchase tax credit can be claimed if the foreign business is registered with the National Tax Agency. With the launch of the invoice system, the registered foreign business operator system will be abolished on 1 October 2023. The invoice system is a system under which only transactions using a qualified invoice, which can only be issued by a pre-registered qualified invoicing business, can be eligible for the tax credit for purchases. A registered foreign business entity as of 1 September 2023 that fails to request cancellation of its registration will be deemed to be registered as a qualified invoicing business entity, and will be obliged to deliver a qualified invoice when requested by their counterparty.

The Act contains a safe harbour exemption for businesses with sales of less than JPY10 million in the relevant tax year.

A business without a head office or other office in Japan does not need to register but must designate a tax agent if it has to file tax returns and make consumption tax payments.

A person who infringes copyright, defames another, or provides obscene material or child pornography on the internet can be subject to criminal punishment (Articles 119 to 124, Copyright Act; Articles 175 and 234, Criminal Law; Article 7(2) and (6), Act on Regulation and Punishment of Acts Relating to Child Prostitution and Child Pornography, and the Protection of Children). In addition, a copyright owner can file an infringement claim against a person who is infringing their copyright on the internet, and a person who is defamed or whose privacy is infringed on the internet can file a claim for defamation/infringement of privacy (in all cases injunctive relief can be sought by the claimant).

The person or entity that placed the material on the website is liable for its content. In addition, if a website operator fails to delete illegal information, the website operator may be held liable in tort to the person whose rights are injured by that illegal information (Articles 709 and 719, Civil Code), provided the transmission of the illegal information infringes that person's rights and it is easy to prevent its transmission (that is, to delete it). However, the provider only bears this civil liability under certain specified circumstances (Article 3, Act on the Limitation of Liability for Damages of Specified Telecommunications Service Providers and the Right to Demand Disclosure of Identification Information of the Senders (Act No. 137 of 30 November 2001)).

A seller or service provider must provide certain information when it advertises terms and conditions through mail order sales (Article 11, Act on Specified Commercial Transactions) (see Question 31).

In addition, where personal information is obtained on a website, the purpose of use must be explicitly stated in principle (Article 21(2), APPI).

The seller is liable for content displayed on its website. Under the Civil Code, where a contract is concluded on the basis of a mistake, that mistake (and the contract arising under it) can be rescinded (Article 95(1), Civil Code). However, where the mistake is based on gross negligence, the mistake (and the contract arising under it) can only be rescinded in the following cases:

The general rule is that where a seller indicates an incorrect price, a contract is concluded at that price. In this instance, although the seller makes an offer based on mistake, the seller who indicated an incorrect price will generally be considered to be grossly negligent. However, where the purchaser was aware of the incorrectness of the price, or where most reasonable browsers of the website would have been aware of the incorrectness of the price, the seller may be able to rescind the contract (even though they were grossly negligent).

Where a seller provides misleading information and a buyer erroneously makes an offer as a result of that misleading information, the buyer will be able to rescind their offer on the grounds of mistake or fraud (Articles 95 and 96, Civil Code). In addition, where a seller provides incorrect or misleading information on a website in violation of a duty of care or through wilful misconduct or negligence towards a buyer, the buyer may be able to claim compensation by way of damages.

For details about liability where the content a website displays infringes copyright or other laws, see Question 38. For details about platformers (such as a cybermall operator and liability where a seller sells its products at a platform), see Question 42.

An ISP can shut down a website, remove content or disable linking if it has a reasonable basis to believe that the content violates a third party's rights without permission (Provider Liability Limitation Act). If an ISP does not delete the content and ignores a court order to do so, a claimant can seek a civil fine until the ISP complies with the court order.

In addition, in a request for disclosure of sender information, to prevent IP addresses and time stamps among others from being deleted before the disclosure order is issued, the amended law (which came in force on 1 October 2022), allows for an order to ISPs to prohibit deletion of IP addresses, time stamps and so on. (Article 16, Provider Liability Limitation Act).

In principle, auction sites bear no liability for any transactional problems between users if they are not directly involved in transactions but simply provide the brokering sales system. However, they can be held liable for failing to build a non-defective auction system, as there is an obligation to alert users to the potential for becoming victims of internet fraud. If the auction site is substantially involved in transactions between users beyond simple provision of the brokering system, it can be liable to the extent of such further involvement; for example, in cases where an auction site:

A cybermall (online shopping) operator is not liable for damages arising from any consumer transactions with individual cyber shops. However, the cybermall operator can be liable to the customer if the:

It is advisable for a website offering goods for sale online to have product liability insurance.

Digital business law is under continuous scrutiny, and reforms are being proposed regularly, mainly through ministerial guidelines.

Amendments to the Consumer Contract Act, the Specified Commercial Transactions Act, and the Telecommunications Business Act, among others, will clarify the content of electronic transactions and strengthen consumer protection.