Legal Requirements for UK Online Business Compliance

Just like any other enterprise, an online business has legal responsibilities and it is up to the owner to ensure that these are complied with. This is true whether you are a large organisation or someone who has set up a small website to sell a few things in their spare time. To make sure that you understand your legal obligations and to stop you falling foul of the law, this article will explain the legal responsibilities of online businesses that are based in or trade in the UK.

There are four main laws that online businesses have to comply with in the UK. These are:

  • The Electronic Commerce (EC Directive) Regulations 2002
  • The Data Protection Act 1998
  • The Consumer Protection (Distance Selling) Regulations 2000
  • Privacy and Electronic Communications (EC Directive) Regulations 2003

The Electronic Commerce (EC Directive) Regulations 2002

The Electronic Commerce Regulations govern the way online businesses communicate with their customers. To give some clarity here, it is best to understand "customers" as anyone who uses your website, not just people who buy from you, and "communication" as any text or images, either on your website or in other forms (emails, etc.), which is intended, directly or indirectly, to sell products or services.

To comply with the Electronic Commerce Regulations, you must ensure that:

  • your business name and address, company registration number, VAT number and direct contact information (e.g. email address and phone numbers) are clearly displayed on your website
  • your website clearly displays its terms and conditions
  • clear information is provided on prices, tax and delivery charges
  • all orders are acknowledged in writing (e.g. by email)
  • any marketing offers and their terms are made clear
  • any communication sent from your company identifies the sender
  • promotional / advertising emails make it obvious they are of a commercial nature
  • unsolicited emails are identified as unsolicited

This will clearly have an impact on all online businesses and will mean that things will need to be put in place before you launch your company website. You will need to ensure your business information is on your contact page, that you have a terms and conditions page, that an automatic response email is set up to acknowledge orders and that an email signature is created so that all emails clearly identify the sender. You also need to ensure any e-commerce software is set up so that prices, VAT and delivery charges are clearly seen.

Data Protection Act 1998

The Data Protection Act is designed to protect personal information and it applies to all organisations, not just commercial ones. If you collect the personal information of anyone, either internally as an organisation or of visitors to your website, then you are legally required to register with the Information Commissioner's Office (ICO) and comply with the Data Protection Act. This applies to information collected by any means, not just electronically. You can register by visiting the ICO website, where you will need to name a member of your staff as the official Data Controller for your business.

To comply with the Data Protection Act you must:

  • register with the ICO
  • only collect personal data if it is important to your business needs
  • ensure all data is securely stored
  • remove personal data if the individual requests it
  • make it clear in your terms and conditions what you use the data for and comply with what you state
  • not move any collected data out of the EU without permission from the individual
  • specify in your terms and conditions if any data used by third-party organisations (such as Google Analytics) moves outside the EU
  • provide advice to show individuals how to remove their data

Again, there is much here which will require putting into place before you launch your website including further additions to your terms and conditions. Perhaps the most important requirement is making sure any digital data you collect is secure from hackers. Make sure your website is protected using strong passwords, is scanned for intrusion and that personal information is encrypted.

The Consumer Protection (Distance Selling) Regulations 2000

The aim of the Distance Selling Regulations is to protect the rights of customers. The law applies to businesses who supply goods and services to the general public; it does not cover B2B transactions.

Under the Consumer Protection (Distance Selling) Regulations 2000, online businesses need to do the following:

  • provide clear and concise information about products and services prior to purchase
  • clearly show postage and packaging costs
  • inform customers whether the price includes VAT
  • give all customers a 14-day period in which they can cancel or return their order (excludes perishable goods and digital downloads)
  • acknowledge every order in writing (e.g. by email)
  • explain in your terms and conditions that customers can return goods for a full refund (except return postage)

Some of these conditions overlap with the Electronic Commerce Regulations, however, there is an additional clause to be added to your terms and conditions. The biggest impact here is to recognise that you have to accept returns, even if the product has been opened.

Privacy and Electronic Communications (EC Directive) Regulations 2003

Cookie law popups have been annoying everyone's browsing experience since they were introduced in the UK in 2012 under the amended regulations. For the time being, however, they are part and parcel of online trading, and if you run a website that leaves a cookie on the user's device, then you are obliged to comply with the revised regulations.

Cookies are small text files that enable websites to track how visitors use their sites. They can be used to gather information on browsing habits and user preferences. The Cookie Law was created to protect internet users from websites which were using cookies for illegitimate reasons. Although you may not have deliberately intended to create cookies on your site, some of the software or plugins you use, such as Google Analytics, could create them. If you have an online store, your shopping basket software will use cookies to record the customer's choice of product.

If you use cookies you are obliged to:

  • inform every visitor that you use cookies
  • provide information about how you use cookies in your privacy policy
  • inform your users how to turn off cookies (they can do this themselves in their browser settings)

For online businesses, the Cookie Law means adding more information to the privacy policy section of your terms and conditions (unless your privacy policy is a separate page). In addition, you will need to provide a means of displaying that you use cookies. The best way to achieve this is to use a Cookie Law plugin; these appear when a user first arrives at your website and can be closed by the user or vanish after a certain time. You can also use these to provide links to your privacy policy and to give details of how to turn cookies off.
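As an added illustration of the notice described above (example code written for this article, not a plugin or code from the original page), the following script shows the logic a simple consent notice needs: show the banner only on a visitor's first arrival, record the choice in a first-party cookie, link to the privacy policy, and hold back non-essential cookies such as analytics until the visitor has accepted. The cookie name `cookie_consent`, the path `/privacy-policy` and the analytics script path `/assets/analytics.js` are assumed placeholders, not values from the article.

```javascript
// Added example (not from the article): a minimal first-party cookie-consent
// gate. The cookie name, privacy-policy URL and analytics script path below
// are hypothetical placeholders.
const CONSENT_COOKIE = 'cookie_consent';
const PRIVACY_URL = '/privacy-policy';
const ANALYTICS_SRC = '/assets/analytics.js';
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch (_) {
      cookies[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return cookies;
}

// Returns 'accepted', 'rejected', or null when the visitor has not chosen yet.
// Any other value (tampered or stale) is treated as "not asked".
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'accepted' || value === 'rejected' ? value : null;
}

// The banner is shown only while no choice has been recorded.
function shouldShowBanner(cookieString) {
  return consentState(cookieString) === null;
}

// Non-essential cookies (analytics, marketing) are allowed only after an
// explicit "accepted". Cookies the store needs to function, such as the
// shopping basket, are not gated by this check.
function nonEssentialAllowed(cookieString) {
  return consentState(cookieString) === 'accepted';
}

// Build the cookie string that records the choice: first-party, one year,
// SameSite=Lax, and Secure so the browser only sends it over HTTPS.
function consentCookieString(choice) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error(`invalid consent choice: ${choice}`);
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// Markup for the notice: what cookies are used for, a link to the privacy
// policy, the browser-settings route for blocking cookies, and two controls.
function bannerHtml(privacyUrl) {
  return (
    '<div id="cookie-banner" role="dialog" aria-label="Cookie notice">' +
    '<p>This site uses cookies to run the shopping basket and, if you allow it, ' +
    'for analytics. See our <a href="' + privacyUrl + '">privacy policy</a>. ' +
    'You can also block cookies in your browser settings.</p>' +
    '<button id="cookie-accept">Accept</button> ' +
    '<button id="cookie-reject">Reject non-essential</button>' +
    '</div>'
  );
}

// Inject the analytics script only once consent allows it.
function loadAnalytics(doc) {
  const script = doc.createElement('script');
  script.src = ANALYTICS_SRC;
  doc.head.appendChild(script);
}

// Browser glue: runs only when a DOM exists, so the file also loads under Node.
if (typeof document !== 'undefined') {
  if (shouldShowBanner(document.cookie)) {
    const wrapper = document.createElement('div');
    wrapper.innerHTML = bannerHtml(PRIVACY_URL); // constant markup, no user input
    document.body.appendChild(wrapper);
    const record = (choice) => {
      document.cookie = consentCookieString(choice);
      wrapper.remove();
      if (nonEssentialAllowed(document.cookie)) loadAnalytics(document);
    };
    document.getElementById('cookie-accept').addEventListener('click', () => record('accepted'));
    document.getElementById('cookie-reject').addEventListener('click', () => record('rejected'));
  } else if (nonEssentialAllowed(document.cookie)) {
    loadAnalytics(document); // returning visitor who already accepted
  }
}
```

Two design points matter here. The analytics script is never loaded before consent, which is what makes the notice more than decoration; and an unrecognised value in the consent cookie is treated as "not asked" rather than "accepted", so a stale or tampered cookie cannot silently switch tracking on. Because the consent cookie carries the `Secure` attribute, the site must be served over HTTPS for the choice to be stored at all.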

It is important if you run an online business that you stay within the law. Doing so not only improves your business reputation but also ensures you don't end up being prosecuted. After reading this article, you should now have a better understanding of the obligations you need to meet and the things you must put into place before launching your online business.

If you are looking for business web hosting that can provide you with the security you need to keep your data safe, take a look at our business hosting page.
Please note that the laws, regulations and associated EU directives are subject to change. Before proceeding, you should check with the Sale of Goods and Services and Data Protection page of the website which covers the needs of online businesses.