UK Website Terms of Use — UK Drafting Reference

Last verified

Drafting reference for UK website terms of use — clickwrap vs browsewrap, E-Commerce Regulations 2002, Online Safety Act 2023, UCTA 1977, CRA 2015 Part 2.

Website terms of use are the contract between the operator of an online service and the people who access it. They allocate intellectual-property rights in operator content and user-generated content, set the rules for acceptable use, exclude and limit operator liability to the extent legally permitted, and choose the governing law and jurisdiction for any dispute. Unlike a consumer purchase agreement they do not necessarily involve payment — most public-facing websites have terms of use that apply to free access — but they engage the same English-law mechanics of offer, acceptance, consideration (browsing of dynamic content suffices), and intention to create legal relations. Where the operator is a business and the user is a consumer, Part 2 of the Consumer Rights Act 2015 (CRA) controls the fairness of the terms. Where the operator is a UK-based information-society service, the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) layer on minimum information disclosures. For user-to-user platforms and search services from 2024-2026 onwards, the Online Safety Act 2023 imposes regulated duties enforced by Ofcom.

See Privacy Notice for the UK GDPR transparency document, Cookies Policy for the device-storage overlay, and Unfair Contract Terms for the underlying UCTA + CRA fairness regimes.

Applicable Law

Consumer Rights Act 2015 Part 2. Where the user is a consumer — an individual acting wholly or mainly outside trade, business, craft or profession (s.2(3) CRA) — Part 2 of the CRA controls the fairness of the terms. Section 62 imposes the fairness test: a term is unfair “if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer”. Unfair terms are not binding on the consumer (s.62(1)). Section 64 exempts the core-term assessment from the fairness review provided the core terms are transparent and prominent. Section 65 absolutely prohibits exclusion or restriction of liability for death or personal injury caused by negligence in consumer contracts. Section 68 requires written terms to be expressed in plain and intelligible language. Schedule 2 Part 1 lists 20 indicative grey-list terms.

UCTA 1977. Where the user is a business and the operator is contracting on its written standard terms, UCTA 1977 s.3 controls exclusions of liability for breach and substantial-performance variations through a reasonableness test (s.11 + Schedule 2). UCTA s.2(1) imposes an absolute prohibition on excluding negligence-caused death or personal injury; s.2(2) subjects other negligence-caused loss to the reasonableness test. UCTA also reaches misrepresentation exclusions (s.8 amending Misrepresentation Act 1967 s.3) and indemnities from consumers under s.4 (though s.4 was largely repealed for consumer transactions on 1 October 2015).

E-Commerce Regulations 2002. The Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) implement Directive 2000/31/EC and continue to apply post-Brexit. Three packages of obligations matter for terms of use:

  • Reg 6 (general information) — name, geographic address, contact details including email enabling rapid and direct communication, registration number where applicable, the supervisory authority where activity is regulated, professional-body details where the operator is a regulated professional, VAT number where applicable.
  • Reg 9 (information to be provided where contracts are concluded by electronic means) — the technical steps to conclude the contract, whether the contract will be filed and accessible, the technical means for identifying and correcting input errors prior to placing the order, languages offered, and any relevant codes of conduct.
  • Reg 11 (placing of the order) — acknowledgment of receipt without undue delay; means to identify and correct input errors. Reg 11(1)(b) does not apply between businesses contracting purely through email exchange.

Intermediary safe harbours — Regulations 17 (“mere conduit”), 18 (“caching”) and 19 (“hosting”) give limited liability protection to intermediary information-society service providers in respect of third-party content, subject to the conditions in the relevant regulation (notice-and-takedown for hosting). These reflect Articles 12-14 of the original E-Commerce Directive and remain in force in domestic law.

Online Safety Act 2023. The OSA 2023 received Royal Assent on 26 October 2023 and is being brought into force in phases through 2024-2026. It applies to two categories of regulated service: user-to-user services (UGC platforms) and search services. Regulated services have duties to assess and mitigate risks of illegal content (Part 3 Chapter 2 duties), with additional protections for children where the service is likely to be accessed by children (Chapter 3) and adult-user empowerment duties for the largest “Category 1” services (Chapter 5). Terms of use of regulated services must reflect the in-scope content-moderation rules, the reporting mechanisms, and the user-redress procedures specified by Ofcom. Civil penalties under s.143 OSA reach the higher of £18 million or 10% of global annual qualifying turnover, with senior-manager criminal liability for failure to comply with Ofcom information notices (s.110).

Contract Formation — Incorporation and Acceptance

A set of website terms is only a contract once it has been incorporated into the legal relationship by valid acceptance. English law has been working with this problem since the 19th century in the railway-ticket cases. The classic statement is Parker v South Eastern Railway Co (1877) — a passenger taking a ticket with terms on the back is bound only if reasonable notice of the terms was given before the contract was concluded. The modern restatement in British Crane Hire Corp Ltd v Ipswich Plant Hire Ltd [1975] 1 QB 303 confirms that incorporation can be by signature, by reasonable notice, or by a consistent course of dealing.

For website terms three patterns recur:

Clickwrap. The user is presented with the terms (or a clear link to them) and is required to take an affirmative step — typically ticking an unchecked box and clicking “I agree” — before proceeding. This is the most defensible incorporation method and the unambiguous English-law preference. Where the operator records the acceptance metadata (timestamp, IP address, version of the terms, server log) the evidential position is strong.

Sign-in-wrap / scroll-wrap. The user is informed adjacent to the action button that “by clicking [Sign Up / Place Order / Continue] you agree to our [Terms]” with a link to the terms. Whether this is enforceable depends on the prominence of the notice and the conspicuousness of the hyperlink. Generally enforceable where the notice is clearly above or beside the call-to-action button and the link is visually distinct.

Browsewrap. Terms are referenced in a footer link only, with no affirmative act of acceptance. Generally not enforceable in English law because the operator cannot show that reasonable notice was given before the contract was concluded. Spreadex Ltd v Cochrane [2012] EWHC 1290 (Comm) is the leading English authority on the point — Mr Justice Singh found that scrolling through 49 pages of online financial-trading terms behind a “By using the system, you signify your agreement” link did not provide reasonable notice and the terms were not incorporated. Operators relying on browsewrap face a substantial risk that the terms (and especially any onerous or unusual clauses — Interfoto Picture Library Ltd v Stiletto Visual Programmes Ltd [1989] 1 QB 433) will be unenforceable.

Updates to the terms. Bilta (UK) Ltd v Nazir [2015] UKSC 23 illustrates the doctrine that one-sided variation rights are vulnerable to unconscionability and fairness review. Practically, terms should be updated by notice to existing users with a reasonable opportunity to review and either continue use (constituting acceptance of the new terms) or terminate. CRA 2015 Schedule 2 Part 1 paragraph 11 grey-lists terms permitting the trader to alter the terms unilaterally without a valid reason specified in the contract.

No-oral-modification. Rock Advertising Ltd v MWB Business Exchange Centres Ltd [2018] UKSC 24 confirmed that a “no oral modification” clause is enforceable in English law and a purported oral variation does not vary the contract. A NOM clause in website terms therefore prevents informal email variations, subject to estoppel where a party has relied on the purported variation.

Eligibility and User Identity

Most terms exclude minors from the service or set a minimum age (commonly 13 or 16 for general-purpose services; 18 for age-restricted services). The DPA 2018 s.9 threshold of 13 for information-society-service consent to processing of personal data is the practical floor for general-purpose services aimed at the consumer market.

Eligibility clauses must also address compliance with applicable export-control and sanctions law — the Sanctions and Anti-Money Laundering Act 2018 framework is the relevant UK regime, with HM Treasury OFSI as the supervisor for financial sanctions. US Treasury OFAC sanctions reach UK businesses with US nexus.

Acceptable Use

A standard acceptable-use policy enumerates the conduct that is not permitted on the service — unlawful conduct, infringement of third-party rights (copyright, trade mark, defamation, privacy), abusive or harassing conduct, dissemination of malware, automated scraping, decompilation/reverse-engineering of operator software (subject to the CDPA 1988 s.50B mandatory exception for interoperability), interference with the technical operation of the service, and circumvention of access controls.

For regulated user-to-user and search services under the OSA 2023, the acceptable-use policy must align with the priority-illegal-content categories listed in Schedule 7 OSA (terrorism, child sexual exploitation and abuse, intimate-image abuse, harassment, controlling or coercive behaviour, hate, public-order, fraud, drug, firearms, immigration, modern-slavery, sexual exploitation of adults, animal welfare, and others) and the safety-duty operational mechanisms (content reporting, content removal, user appeal, transparency reporting).

User-Generated Content Licence

Where the service permits users to upload content (text, images, video, audio, code), the terms grant the operator a licence to use that content for the purposes of operating, promoting and improving the service. The typical formula is:

“You grant us a non-exclusive, royalty-free, perpetual, irrevocable, worldwide, transferable and sublicensable licence to use, reproduce, distribute, prepare derivative works of, display and perform your User Content in connection with the Service and our business.”

Two limits matter under English copyright law:

Moral rights — CDPA 1988 ss.77-89. Authors of literary, dramatic, musical or artistic works (and directors of films) have moral rights of paternity (s.77), integrity (s.80), and against false attribution (s.84). The right of paternity must be asserted (s.78) to become enforceable. All moral rights can be waived under s.87, but the waiver must be in writing and signed by the person giving the waiver. A bare licence does not waive moral rights; a robust UGC clause includes an express written waiver in the terms acceptance flow.

Database right. Where users contribute structured data, the sui generis database right under the Copyright and Rights in Databases Regulations 1997 (SI 1997/3032) attaches to the maker (substantial investment in obtaining, verifying or presenting the contents). The licence should reach database rights.

Intellectual Property and Operator Content

The operator typically reserves all IP in its own content (software, design, logos, text, images, video, audio, brand). A short reservation-of-rights statement is sufficient. Where the service permits user generation of derivative works (e.g., template-based creation), the scope of the user’s licence in the derivative work must be clear.

Trade marks. Reference to operator trade marks under a “Trade Marks” section, with the brand-protection contact address for permission and infringement reports. The CMA / Trade Marks Act 1994 prohibitions on use of registered marks without consent (s.10) operate independently of the terms.

Open-source licences. Where operator software is distributed under an open-source licence (Apache 2.0, MIT, GPL, etc.), the website terms should clarify that the open-source licence applies to that software in supersession of the terms, with the licence text accessible.

Reporting and Takedown

The Reg 19 hosting safe-harbour requires the operator to remove or disable access to unlawful content “expeditiously” upon obtaining actual knowledge of its unlawful nature. A clear contact channel for infringement notices and a documented internal procedure for evaluating them is required. The UK has no exact DMCA equivalent but the practical convention — “infringement notice” sent to a designated email (often dmca@ or copyright@ or legal@) containing identification of the work, identification of the allegedly infringing material, contact details of the complainant, a statement of belief of infringement, and a statement of accuracy under penalty of perjury — is widely adopted.

For OSA-regulated services, the content-reporting and complaints duties under ss.20, 21 and 33 OSA require dedicated reporting mechanisms, response timeframes, and right of appeal for users whose content is removed.

Disclaimers and Limitation of Liability

The boundaries of permissible limitation are set by CRA 2015 Part 2 (consumer) and UCTA 1977 (B2B):

  • Death or personal injury caused by negligence. Cannot be excluded or restricted. s.65 CRA / s.2(1) UCTA.
  • Fraud or fraudulent misrepresentation. Cannot be excluded as a matter of public policy — HIH Casualty and General Insurance v Chase Manhattan Bank [2003] UKHL 6.
  • Implied terms under CRA Part 1. In consumer contracts for goods, services or digital content, the implied terms (satisfactory quality, fit for purpose, as described, reasonable care and skill) cannot be excluded — s.31 (goods), s.47 (digital content), s.57 (services).
  • Misrepresentation. Exclusion or restriction subject to the reasonableness test under UCTA s.8 / Misrepresentation Act 1967 s.3 for B2B; for consumer contracts grey-listed under CRA Schedule 2 paragraph 3.
  • Other loss. Subject to the fairness test in consumer contracts (s.62 CRA) and the reasonableness test in B2B where dealing on written standard terms (UCTA s.3). Standard formula: aggregate liability cap (often equal to fees paid in the prior 12 months for paid services, or a small fixed amount for free services); exclusion of indirect, consequential, special, exemplary loss; exclusion of loss of profit, business, goodwill, opportunity, anticipated savings, data.

Indirect-loss exclusions. The English-law division between direct loss and indirect-or-consequential loss is governed by the two limbs of Hadley v Baxendale (1854) 9 Ex 341. Indirect loss for the purposes of an exclusion is loss falling within the second limb only. Star Polaris LLC v HHIC-Phil Inc [2016] EWHC 2941 (Comm) and 2 Travel Group plc v Cardiff City Transport Services Ltd [2012] CAT 19 reinforce this orthodoxy.

Indemnification

A user indemnity for breach of the terms or for misuse of the service is common but must be drafted with care. Sumukan Ltd v The Commonwealth Secretariat [2007] EWCA Civ 243 requires unambiguous language to give an indemnity its full literal effect. In consumer contracts, broad indemnities are grey-listed under CRA Schedule 2 paragraph 4 (“requiring any consumer who fails to fulfil his obligations to pay a disproportionately high sum in compensation”) and need careful proportionality drafting.

Termination and Survival

Operators typically reserve the right to suspend or terminate access at any time. A broadly-drafted unilateral termination right is grey-listed for consumers under CRA Schedule 2 paragraph 7 (“authorising the trader to dissolve the contract on a discretionary basis where the same facility is not granted to the consumer”) and paragraph 8 (terminating an indeterminate-duration contract without reasonable notice except where serious grounds exist). The practical drafting compromise is either (a) symmetric termination rights with reasonable notice for both parties, or (b) defined grounds (breach of acceptable-use policy, fraud, abusive conduct) plus a residual discretion exercised reasonably.

Standard survival clauses preserve IP, confidentiality, indemnities, limitation of liability, and governing-law provisions beyond termination.

Variation

Operators reserve a right to vary the terms. The grey-list constraint at CRA Schedule 2 paragraph 11 — variation without a “valid reason specified in the contract” — is the practical limit for consumer contracts. The grey-list paragraph 13 limit (“enabling the trader to alter unilaterally the characteristics of the product or service to be provided”) also applies. The defensible drafting position is: (a) right to vary on notice for legal/regulatory reasons, security reasons, or material changes to the service; (b) reasonable advance notice (commonly 14 or 30 days); (c) right of the consumer to terminate without penalty if the change is not accepted; (d) prominent display of the changes and the effective date.

Governing Law and Jurisdiction

Choice of law. English law (or, where relevant, the law of Scotland or Northern Ireland separately). The choice is given effect by the Rome I Regulation (retained EU law, Article 3) for contractual obligations, subject to Article 6 mandatory-protection rules for consumer contracts — a consumer habitually resident in another country whose protections cannot be derogated from by agreement keeps the benefit of those protections.

Jurisdiction. Post-Brexit, the UK is no longer party to the Brussels Recast Regulation 1215/2012 or the Lugano Convention 2007 (UK accession remains pending). The applicable framework is the Hague Convention on Choice of Court Agreements 2005 (in force for the UK as a standalone Contracting Party since 1 January 2021), supplemented by the common-law rules on jurisdiction. For exclusive choice of court agreements that are within the Hague 2005 scope, English courts will accept jurisdiction and other Contracting States will enforce English judgments.

For consumer contracts, mandatory consumer-protection rules in the consumer’s country of habitual residence may continue to apply notwithstanding the choice of law, and the consumer may have rights to sue in their home court.

Sample Structure

A complete set of website terms of use typically contains:

  1. Definitions.
  2. Acceptance of these terms. Clickwrap mechanism; identity of operator.
  3. About us. Reg 6 SI 2002/2013 disclosures.
  4. Eligibility. Age threshold; export-control / sanctions compliance.
  5. Account registration. Accuracy, security, single-use credentials.
  6. Acceptable use. Prohibited conduct.
  7. User-generated content. Licence to operator + warranty of right to grant + moral-rights waiver.
  8. Intellectual property. Operator reservation; trade marks; open-source.
  9. Privacy. Cross-reference to privacy notice and cookies policy.
  10. Reporting and takedown. Infringement-notice procedure; OSA reporting mechanisms.
  11. Disclaimers. AS-IS, no warranty of availability, fitness or accuracy (within CRA / UCTA limits).
  12. Limitation of liability. Aggregate cap; excluded heads of loss; mandatory exceptions.
  13. Indemnification. User indemnity for breach.
  14. Termination. Operator and user termination rights; consequences.
  15. Modifications. Variation procedure and notice.
  16. Miscellaneous. Entire agreement (fraud carve-out); severance; assignment; no third-party rights (CRTPA 1999 exclusion); no waiver; no agency.
  17. Governing law and jurisdiction. English law; Hague-compatible choice of court.
  18. Contact. Email and postal address.

Bibliography

Cross-references

Disclaimer: Handbook content is informational, not legal advice. Online-services regulation is rapidly evolving — the Online Safety Act phasing, secondary legislation under the Digital Markets, Competition and Consumers Act 2024, and ongoing Hague / Lugano accession questions all change the picture. Consult a solicitor admitted in England and Wales for binding decisions. Last verified 2026-05-11.