
API Terms of Use (UK)

What is API Terms of Use (UK)?

An API Terms of Use in the United Kingdom is a legally binding written instrument. It defines the service scope, SLA, pricing, data-protection duties, and liability allocation between provider and customer.

API Terms of Use in the UK are governed primarily by English contract law, with the governing framework depending on whether the agreement is between two businesses (B2B) or between a business and a consumer (B2C). In B2B API agreements, the Unfair Contract Terms Act 1977 (UCTA 1977) applies to exclusion and limitation of liability clauses, requiring them to satisfy the reasonableness test set out in section 11 of UCTA 1977 and Schedule 2. In B2C agreements, the Consumer Rights Act 2015 imposes stronger protections: unfair terms in consumer contracts are not binding (section 62), and certain terms (such as the requirement to pay regardless of service availability) may be subject to challenge.

The Copyright, Designs and Patents Act 1988 (CDPA 1988) is central to the intellectual property provisions of API terms. The API software, documentation, data schemas, and output formats are typically protected as original literary works under section 1 of CDPA 1988. API terms should assert the provider's copyright ownership, grant a limited licence to developers, and prohibit acts that would infringe the copyright without authorisation, including reverse engineering (subject to permitted acts under section 50BA of CDPA 1988 for interoperability purposes).

The UK GDPR, which is the retained EU version of Regulation (EU) 2016/679 as amended by the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018, applies whenever the API processes personal data. The Information Commissioner's Office (ICO) is the supervisory authority responsible for enforcing UK data protection law. API providers who process personal data on behalf of API users (as data processors) must enter into a data processing agreement satisfying Article 28 UK GDPR. API terms should incorporate or reference this agreement.

The Computer Misuse Act 1990 makes it a criminal offence to access computer programs or data without authorisation (section 1), to access with intent to commit further offences (section 2), or to make unauthorised modifications to computer material (section 3). API terms should include clear authorisation provisions — defining what constitutes authorised access — to protect against claims of ambiguity by alleged unauthorised users, and to preserve the provider's right to invoke the Computer Misuse Act 1990 against abusive API users.

When do you need API Terms of Use (UK)?

UK API Terms of Use are needed by any organisation in England, Wales, or Scotland that makes an API available to third-party developers, partner companies, or the public, whether the API is offered commercially, as a freemium service, or as an open API.

Technology companies in the UK that offer Software as a Service (SaaS) platforms and expose API access to their customers — for example, fintech companies providing payment APIs regulated under the Financial Services and Markets Act 2000, or insurtech platforms providing data APIs — require API terms to define the scope of permitted use, rate limits, and liability allocation.

Open Banking providers regulated by the Financial Conduct Authority (FCA) under the Payment Services Regulations 2017 must provide API access to Third Party Providers (TPPs). The Open Banking Implementation Entity (OBIE) publishes technical standards for Open Banking APIs, but each provider still needs its own API terms of use to govern liability, data use, and acceptable use restrictions with specific API users.

Healthcare and NHS digital providers offering API access to clinical or patient data — governed by NHS Digital data access frameworks and the NHS Data Security and Protection Toolkit — need API terms that incorporate data protection obligations consistent with the NHS Caldicott Principles and the UK GDPR.

Start-ups and scale-ups building developer ecosystems around their platforms need API terms from the moment they open API access, even in beta. Without terms, an early-stage provider has no mechanism to restrict scraping, rate-limit abuse, or terminate access for harmful use. The Computer Misuse Act 1990 and the UK GDPR provide statutory protection, but contractual terms are faster and cheaper to enforce.

Government and public sector bodies in the UK that publish open data APIs — for example, through data.gov.uk or under an Open Government Licence — should supplement the standard open data licence with API terms addressing rate limits, attribution requirements, and liability exclusions.

What should API Terms of Use (UK) contain?

UK API Terms of Use must address the following key provisions to adequately protect the API provider and create enforceable obligations on API users under English law.

Licence grant defines what API users are permitted to do. The terms should grant a limited, non-exclusive, non-transferable, revocable licence to access and use the API for the specified purpose only. The scope of the licence should be narrow enough to prevent unauthorised uses — for example, sublicensing, embedding in competitor products, or using the API to train machine learning models without separate permission.

Acceptable use restrictions identify specific prohibited behaviours. These typically include: accessing the API in a way that breaches the Computer Misuse Act 1990; using the API to transmit spam, malicious code, or unlawful content; scraping or extracting data beyond permitted query limits; reverse engineering or decompiling the API contrary to the Copyright, Designs and Patents Act 1988; reselling API access; and any use that violates applicable law.

Rate limits and service availability terms set out the maximum number of API calls permitted in a given period, what happens if limits are exceeded (throttling, suspension, or additional charges), any service level commitments or disclaimers of uptime guarantees, and the process for planned maintenance. Providers should expressly disclaim liability for API unavailability caused by third-party infrastructure (such as cloud hosting providers).

Intellectual property provisions assert the provider's ownership of the API, documentation, and output, and clarify what rights (if any) the user acquires over application output. Where the API generates data, the terms should address data ownership. The provider should require attribution and prohibit removal of copyright notices.

Data protection obligations under the UK GDPR and Data Protection Act 2018 must be addressed where the API processes personal data. The terms should identify whether the provider acts as a data controller or data processor, reference a separate data processing agreement where required by Article 28 UK GDPR, address data security measures under Article 32 UK GDPR, and restrict transfers of personal data outside the UK to countries with an adequacy decision or with appropriate safeguards.

Liability limitations should exclude the provider's liability for indirect, consequential, or economic loss, and cap direct liability at a specified amount (typically the fees paid in the preceding 12 months or a fixed sum). Any such caps must satisfy the reasonableness test under the Unfair Contract Terms Act 1977 in B2B contracts, and must not exclude liability for death or personal injury caused by negligence.

Termination rights give the provider the ability to suspend or terminate API access immediately for breach of the acceptable use restrictions, and on notice for any reason. The terms should address what happens to the user's data and applications on termination. The forms-legal.com API Terms of Use (UK) template covers the mandatory elements under Companies Act 2006.

Based on Companies Act 2006 — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
