E-commerce has now fully emerged as the go-to shopping vehicle for consumers. The regulatory landscape designed to protect purchasers and sellers has followed this development closely, with new mandatory obligations making it increasingly challenging for online businesses to ensure compliance.
If you wish to find out more about upcoming regulation, it may be worth visiting our digital regulation hub.
This checklist is designed to bring to your attention some of the key considerations when operating an e-commerce site targeting UK consumers.
Key company information
Your online business is legally required to disclose details, such as its registered name, office address, company number, country of registration and VAT number. It is also good industry practice to include details of any applicable regulatory authority that applies to your business (such as the Financial Conduct Authority). There may be further information required, depending on the nature and structure of your business. The information can be included as text or hyperlinks in the footer of the landing page, so that it is visible to visitors wherever they are on the website.
Data protection
If you are operating an e-commerce site, you will be collecting and processing personal data of individual customers and will need to prepare and publish a privacy notice. The notice should set out what data is processed, why, the legal basis for the processing, who has access to the data and how long it will be held for, alongside the rights of the data subject – such as the right to withdraw previously given consent and lodge a complaint with the ICO.
If your website is also likely to be accessed by children, you will need to consider the ICO's Children's Code, which you can find out more about here.
Although a notice generally appears on a business' website, this doesn't mean that it should be limited to processing undertaken in relation to website use. A privacy notice is the place where you explain all processing undertaken by the business. So the notice should also include other processing activities, such as processing relating to visitors to physical stores (e.g. CCTV use), processing relating to suppliers and any processing undertaken in relation to online advertising and ancillary activities, such as competitions and promotions.
Direct marketing
If you wish to send electronic marketing to consumer customers (e.g. email or SMS), you should consider if and how you need to obtain their consent to such marketing. In most cases, you will need to obtain the customer's opt-in consent. However, depending on the circumstances, it might also be possible to rely on the so-called soft opt-in. This is essentially where an individual has bought something from you recently, given you their details, and did not opt out of marketing messages, meaning that they are probably happy to receive marketing from you about similar products or services even if they haven't specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details and in every message you send.
Cookies
Cookies can help you collect vital data points to customise the customer experience and drive revenue. However, to collect data for purposes other than those essential to providing the online service, you will require the visitor's consent. For this consent to be valid, it must be freely given, specific and informed (cue annoying cookie pop-up banners). It must also be "given" by the visitor through a clear, positive action. The ICO has now indicated that the grace period for cookie compliance has ended (read our article on this here). Businesses should make it as easy to reject all non-essential cookies as it is to accept them, which generally means including a "Reject All" option in the consent banner.
Accessibility
Under the Equality Act 2010, online businesses selling direct to the public are required to make reasonable adjustments to ensure their websites can accommodate all users, including those with additional accessibility needs. Businesses should consider with their website design teams the measures that may be required to be taken to make it easier for the visually impaired to view the terms. This could be done by providing text or audio descriptions of any graphics or animation, or by providing a text-only version or a non-flash multimedia version. It is important to consider how a website works with accessibility tools such as screen readers used by the visually impaired.
Modern slavery statement
If your business has an annual turnover of £36 million, is doing business in the UK and is providing goods or services, then it should be publishing a statement setting out the steps that it has taken during the previous year to deal with modern slavery risks in its supply chains. See Gov.uk guidance here to see whether this applies to you.
Selling to consumers
UK consumer laws are very protective of consumers and there are a number of laws and regulations that online businesses need to be aware of and comply with when selling to consumers. The rules that apply depend on what you are selling (e.g. goods, services or digital content), but broadly speaking, traders must give certain key pieces of information to consumers about the contract at specific points in the sales process and must give effect to certain cooling-off (or cancellation) rights. The consequences of getting things wrong can be quite severe – failure to give certain information at the correct time can extend cancellation rights for up to a year or can mean the consumer is not bound by the contract. The online sales process and the applicable terms and conditions of sale must be carefully designed to comply with the requirements of consumer laws.
In addition, the new Digital Markets, Competition and Consumer Act 2024 includes a whole host of new rules that apply to subscription contracts, which are a key focus of regulators. The new subscriptions rules are due to come into force around Spring 2026.
For more detailed information on these issues please see our article.
Faulty products
Consumers have certain rights in relation to faulty or misdescribed products and services. UK consumer laws imply certain terms into consumer contracts, such as that goods will be of satisfactory quality and fit for purpose and that services will be performed with reasonable care and skill. It is not possible to disapply these rights and where goods and services do not meet these quality standards, the consumer may be entitled to a refund, a repair or replacement or a discount.
If a consumer complains, you must try to resolve the complaint in line with your complaint handling process. If you exhaust your complaint handling process and have not been able to resolve the complaint, you will need to provide the consumer with certain information in writing about the availability of alternative dispute resolution, which is a process of resolving disputes without the need to go to court. Some businesses that are regulated or bound by the rules of a trade body are required to participate in alternative dispute resolution, in which case the information about ADR must also be included in the online terms and conditions.
Reviews
If your website enables customers to leave reviews, it is important to consider what steps you should be taking to ensure such reviews are genuine. The new Digital Markets, Competition and Consumer Act 2024 imposes specific obligations on traders to prevent the publication of fake reviews so, when the relevant provisions of the Act come into force (likely late 2024 or early 2025), traders publishing reviews on their websites will likely come under even greater regulatory scrutiny.
User-generated content
Where you operate a website or platform which allows users to encounter content generated, uploaded or shared by other users, you will need to consider if your service constitutes a user-to-user service under The Online Safety Act which requires in-scope businesses to carry out risk assessments and put in place certain systems and processes to help improve the safety of website users. You can find out more about The Online Safety Act here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.