Internet Across Borders: What Law Governs?

©2025. Published in GPSolo: Volume 42, Number 4, by the American Bar Association Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

Via the Internet, companies can publish information, offer contracts, deliver virtual items, and send payments to any country in the world. Companies can also collect personal information from consumers anywhere on the planet. For attorneys, this raises the question of what law governs transactions and activities involving businesses or legal entities in more than one jurisdiction. In this article, I will summarize a few principles, flag commonly relevant issues, and suggest practical approaches for attorneys advising Internet businesses.

Applicability of Internet Laws Across Borders

National laws typically apply to persons, companies, activities, things, and places within a nation’s territory. Persons and companies in a particular jurisdiction have rights and obligations under that jurisdiction’s law with respect to activities and transactions taking place within that jurisdiction. When a person or company takes actions that affect persons in other jurisdictions, the laws of such other jurisdictions often apply, too, but they may be less likely to be enforced across borders.

Public international law—the law of nations—governs rights and obligations between countries. Public international law is created through contracts between countries (also known as “treaties”) and customary international law. Countries create customary international law through consistent practice in recognition of a legal obligation to follow the practice.

Countries tend to acknowledge that their jurisdiction to execute and adjudicate is generally limited to their own territory. That means a country must not send police, marshals, or bailiffs to enforce its laws in another country without that country’s consent (e.g., via judicial assistance programs). But countries have not accepted any meaningful geographical limitations on their own jurisdiction to prescribe laws. For example, antitrust laws, consumer protection laws, and privacy laws often apply also to persons and companies acting in other countries. Courts, scholars, and commentators note that, as a matter of comity and respect for other countries’ sovereignty, countries should enact laws that apply extraterritorially only concerning conduct outside their territory that has or is intended to have a substantial effect within their territory. But the “substantial effect” concept does not draw a clear line or invoke any material limitation in practice.

Unlike international law, U.S. federal law does limit the jurisdiction of U.S. states to legislate. Similarly, EU law limits the legislative jurisdiction of EU member states. Companies should take note of such limitations because they can challenge the validity of laws that were enacted without proper legislative jurisdiction.

In principle, U.S. states are free to legislate on any topic. In contrast, the U.S. Congress can only legislate based on enumerated powers set forth in the U.S. Constitution. The Internet, as such, is not subject to any of the enumerated powers. In practice, however, the U.S. Constitution (through the Supremacy Clause and the Commerce Clause) constrains states’ ability to regulate out-of-state and foreign corporations and persons in ways that harm interstate commerce or conflict with federal law. For example, the Airline Deregulation Act preempts the application of the California Online Privacy Protection Act (CalOPPA) to require commercial airlines to post privacy policies on the Internet.

Also, when a state law effectively imposes a restriction or tax only on out-of-state Internet providers, it violates the dormant Commerce Clause. Where a state law provides for different treatment of in-state and out-of-state economic actors, it will be upheld only if it serves a legitimate local purpose and the state cannot achieve the purpose through available nondiscriminatory means. Even if a state law does not discriminate against out-of-state businesses and attempts to advance a legitimate local public interest, it may be struck down when a court finds that the burden on interstate commerce outweighs the local benefits. This can help protect Internet businesses from local laws in other U.S. states. In 2003, the Second Circuit Court of Appeals stated that it is “likely that the Internet will soon be seen as falling within the class of subjects that are protected from State regulation because they ‘imperatively demand . . . a single uniform rule’” (American Booksellers Found. v. Dean, 342 F.3d 96, 104 (2d Cir. 2003)). Attorneys should keep this in mind for situations in which a client is charged with violating laws in other U.S. states. However, in the context of routine advice on compliance requirements, companies typically assume the validity of applicable laws and try to comply with them.

Besides being limited by public international law and higher-ranking national or regional law, cybersecurity laws, by themselves, may restrict their territorial scope. Some statutes explicitly specify whether they apply only to data, computers, or persons in a particular jurisdiction or anyone,anywhere. For example, the California wiretap statute, California Penal Code Section 631(a), applies to communications “while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state”; this statute applies to persons acting outside of California, but only concerning communications within California. California Penal Code Section 637.7(a), which limits the use of radio-frequency identification devices (i.e., tracking devices), applies only to a “person or entity in this state.” California Corporations Code Section 25400 makes it “unlawful for any person, directly or indirectly, in this state” to commit securities fraud (as defined by the statute). These laws apply only to companies or persons in California. On the other hand, CalOPPA applies to companies wherever they are located because it specifies a residency limitation only with respect to data subjects. CalOPPA provides that “any operator of a commercial website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site. . . .”

The California Consumer Privacy Act of 2018 (CCPA) protects only California residents but also requires businesses in other states and countries to comply, subject to a convoluted and narrow exception that applies only “if every aspect of th[e] commercial conduct takes place wholly outside of California.” The statute defines that to mean where “the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.” Therefore, a company in another U.S. state or in another country is fully subject to the CCPA if its website is available in California and thus inevitably collects IP address information from Californians, which is defined to constitute personal information under the CCPA.

Enforceability of Laws Across Borders

Even though international law does not place meaningful limitations on a state’s power to prescribe, it does place relatively clear limitations on a country’s or state’s power to adjudicate and enforce. A state must not send its police, judges, or other government officials to other countries to enforce its law there. Countries may choose to recognize and enforce judgments issued by foreign courts in the interest of reciprocity and comity. For example, California recognizes and enforces foreign money awards (but not injunctions) under the California Uniform Foreign-Country Money Judgments Recognition Act. Therefore, companies must consider their potential vulnerability to actions by any foreign government against assets and business interests that the company has in foreign countries or because their home jurisdiction recognizes court decisions of particular foreign countries. At the same time, companies may feel relatively safe regarding laws and enforcement actions originating in jurisdictions to which they do not have strong ties.

Within the United States, the federal constitution provides that each state must give full faith and credit to every other state’s public acts, records, and judicial proceedings. A state must extend full faith and credit to a judgment rendered by another state’s court or agency, even if the action or proceeding resulting in the judgment could not have been brought under the law or policy of the state applying the decision. Many California privacy laws apply to companies in other states and countries, but a company subject to a California privacy law is not automatically subject to the jurisdiction of California courts, only if it purposefully avails itself of California jurisdiction by targeting consumers in California. A passive website or nationwide advertisement is not enough.

Therefore, companies typically prioritize analysis and compliance efforts regarding laws in other jurisdictions that they specifically target (with localized Internet sites, advertisements, or offers) or where they have a physical presence, assets, or significant customer bases that make enforcement of foreign laws more likely.

Contractually Choosing Applicable Law Across Borders

In contracts, companies can expressly choose applicable law and dispute resolution mechanisms. On the Internet, most transactions are formed via standard terms that one party proposes and the other party accepts—either expressly by clicking “agree” or impliedly by proceeding with registering an account or simply using a website after being presented with website terms of use. Courts in most jurisdictions around the world accept express choice of law clauses, and some apply the chosen law already in the context of disputes concerning contract formation. Exceptions apply with respect to mandatory laws that companies cannot derogate from contractually, such as consumer protection laws, privacy laws, competition laws, and criminal laws. But even if a contractual choice of law may not cover all potential aspects of doing business over the Internet, it is generally in the best interest of a business to prescribe an express choice of law for all dispositive terms pertaining to a transaction.

Most companies choose their home jurisdiction’s laws because of familiarity and a clear nexus that will make it more difficult for other parties to challenge the validity of the choice of law clause based on local law. But attorneys should also analyze whether another jurisdiction’s laws may be more favorable for their client. For example, from a buyer’s perspective, German law is generally preferable for procurement terms over California law because Germany’s strict rules on unfair contract terms invalidate most limitations of liability, warranty disclaimers, and other seller-friendly clauses that are commonly used in contracts governed by California law. On the other hand, a company that sells goods over the Internet should prefer California law and most other jurisdictions’ laws over German law for the same reason.

Incoterms and Place of Performance

In addition to contractually choosing the home jurisdiction’s law, an Internet seller that is unsure of the foreign legal, tax, and customs regimes that apply to its products can contractually shift most foreign compliance and tax burdens to a foreign business customer by contractually proposing delivery, transfer of risk of loss, and transfer of title at the seller’s place of business—and select the International Chamber of Commerce’s Incoterm (standardized trade term) “Ex Works.”

Companies must ensure compliance with export control laws before they sell any products or transfer technical know-how to foreign buyers, even if the buyers come to their jurisdictions. Sales to embargoed countries or “denied parties” and transfers without the required prior approvals or notifications can result in serious sanctions, particularly in the United States.

Laws and Considerations That Apply Regardless of Contractual Choice of Law Clauses

Intellectual Property

To exploit their intangible valuables, tech businesses need to own, perfect, and protect their intellectual property rights. Like property rights in real estate and chattels, intellectual property rights are territorial and subject to different legal regimes in every country. When entrepreneurs pick names for their company and products for promotion over the Internet, they should think ahead about whether trademark registrations and domain names are available in other countries, how the chosen names sound in other languages, and what connotations a term may have abroad.

While copyrights are as territorial as other intellectual property rights, they are largely harmonized by international treaties. Authors tend to acquire copyrights simultaneously in their home country and around the world simply by writing their works down, be it text or software code. Patents, however, require local filings, prosecution, and greater budgets; thus, companies must be more selective and strategic about where to obtain patents.

Regulatory Restrictions

Once a company goes “live” with a web or mobile site, it immediately becomes subject to various foreign laws. Under public international law, every country can and does enact laws that apply worldwide, including trade laws, competition regulations, data privacy laws, content restrictions, and consumer protection laws. While countries generally have neither the interest nor the resources to enforce these laws outside their borders, a few types of laws tend to cause companies trouble if not addressed early on.

A company that sells to consumers in other countries should clarify to visitors of its web or mobile site that it is intended only for residents of jurisdictions for which the company has conducted at least some basic legal due diligence. Firms should try to keep out consumers from other jurisdictions by limiting credit card acceptance, delivery locations for physical products, or geo-targeting. For specifically targeted jurisdictions, consumer site operators should familiarize themselves with and comply with tax obligations, translation requirements, and restrictions on contract terms.

Data privacy laws in Europe and other countries require affirmative opt-in choices for marketing emails and cookie placement, specific disclosures in privacy notices, data subject access rights, and adequate safeguards for international data transfers. An operator of a passive dot-com site can relatively safely rely on a disclosure that it complies only with the laws of its home jurisdiction. But an interactive site that places cookies on foreign computers, ships abroad, and targets consumers in other countries with translated websites should consider additional compliance steps to satisfy data privacy laws in the targeted jurisdictions.

A company that delivers products to specific foreign countries needs to familiarize itself with local compliance requirements relating to its products. Those include restrictions on material composition (e.g., the restrictions in Europe’s Restriction of Hazardous Substances (RoHS) or the Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH)), as well as product safety, warnings, labeling, recycling, registration requirements for medical devices, import bans or license requirements for encryption products, and technical standards.

Dealer Protection Laws

Companies that want to sell via distributors, resellers, or independent sales agents must consider tax and legal consequences when selecting the best distribution model. Options include buy-sell models (involving sales to wholesale distributors, resellers, and franchisees) and referral agent models (where intermediaries receive a commission for referring buyers). Each distribution model has pros and cons in terms of risks, opportunities, and the degree of control preserved by the company. The trade-offs vary from jurisdiction to jurisdiction, subject to the following general principles:

• By appointing dependent agents in other jurisdictions, companies can establish a taxable presence with resulting tax reporting and remittance burdens, known as a “PE problem,” even if the company sells only via an Internet site without establishing a foreign presence.
• If a company engages an individual person as a commission agent or other intermediary, employment laws and rules on misclassification must be considered.
• By selling products to intermediaries abroad, companies can exhaust their intellectual property rights with respect to the sold items, which can prompt undesired re-importation and price disruptions.
• Under mandatory dealer protection laws in many countries, particularly in Latin America, Europe, and the Middle East, intermediaries are entitled to severance and other protections against termination. In some cases, companies can mitigate risks with contractual disclaimers, alternative dispute resolution clauses, or picking a less protected distribution model.
• Franchise laws are often much less developed outside the United States, but some countries have also enacted disclosure requirements and termination protections. Companies need to clarify to what extent a foreign reseller may use the manufacturer’s marks, company name, and domain URL in the reseller business, as well as keep control over foreign trademark and product registrations.
• Under foreign competition laws, particularly in Europe, companies face prohibitions regarding resale price maintenance, territory and customer allocation, and other restraints of trade. As a rule of thumb, companies are allowed to exercise more control in the context of commission agency than buy-sell arrangements.

Considerations for Cross-Border Businesses

Internet businesses should assume that laws around the world govern their websites and transactions. They can derogate from some foreign laws by specifying the express choice of law clauses in theironline sales terms and website terms of use. However, mandatory laws, such as intellectual property and consumer protection laws, can apply despite choice-of-law clauses, and Internet businesses should analyze foreign laws particularly for jurisdictions where an Internet business establishes a physical presence, hires employees or distributors, maintains assets, or targets consumers because enforcement is more likely there.

When analyzing the applicability of a foreign law, attorneys should first review the specific rules of the statute in question, which may expressly state that it applies only to persons or companies acting on local territory or that it shall also apply to persons elsewhere if local consumers, markets, or other interests are affected by websites hosted abroad. If the statute in question is unclear, attorneys advising clients on compliance requirements may reasonably assume preliminarily that the local law also applies to out-ofstate conduct that produces effects locally.

Where compliance with foreign laws is prohibitively difficult or in dispute, attorneys should also analyze if a law regulating foreign Internet businesses may be invalid due to higher-ranking law. For example, U.S. state laws that discriminate against Internet companies in other states or countries may be preempted by federal law or invalid under the dormant Commerce Clause of the U.S. Constitution. Similarly, EU law can invalidate national laws that impede free trade across borders within the EU.