What are the key regulations for online businesses in the UK?
Several important pieces of legislation work together to regulate online business and e-commerce in the UK. The main ones you need to be aware of are:
- The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (these replaced the old Distance Selling Regulations)
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
The following sections will break down what these laws mean for your business in practical terms.
What information must I display on my website?
Under The Electronic Commerce (EC Directive) Regulations 2002, you must be transparent about who you are. This information needs to be easily and permanently accessible to your customers, often in the website's footer or on a 'Contact Us' page.
You must include:
- your business's full name (eg 'Sample Ltd' or 'John Smith trading as Smith and Sons')
- the geographic address where your business is established (a PO Box is not sufficient)
- your contact details, including an email address
- your VAT number, if you're registered for VAT
- your company registration number and registered office address (if you're a private limited company)
While not a legal requirement, it's also highly recommended that you have a clear set of Website terms and conditions. These form a contract between you and your customers, managing expectations on things like payment and delivery, and can protect your business if a dispute arises.
What extra information is needed for e-commerce sites?
If you're selling goods or services directly from your site, you have additional obligations before an order is placed. You must clearly explain:
- the technical steps a customer follows to complete the order and form a contract
- how customers can identify and correct any errors before placing an order
- the languages available for the contract
- whether you will keep a record of the contract, and if the customer can access it
- any codes of conduct you follow
You should make relevant Terms and conditions for your e-commerce business.
What rights do my customers have when buying online?
Your customers are protected by strong consumer laws, mainly The Consumer Contracts Regulations 2013 and The Consumer Rights Act 2015. You must provide certain information before an order is placed, such as a description of the goods, the total price, and delivery details. The most important rights for customers are the right to cancel an order and the right to a remedy for faulty goods.
The right to cancel (the 'cooling-off' period)
The Consumer Contracts Regulations give customers a 'cooling-off' period to change their mind. They can cancel their order for any reason within 14 days of receiving their goods. They then have another 14 days to return the items to you. You must provide a full refund, including the original standard delivery cost, within 14 days of getting the goods back. You must inform customers about this right.
Note that this right doesn't apply to certain items, like personalised or perishable goods, and that special rules apply to digital content.
The right to a refund, repair, or replacement
Under the Consumer Rights Act 2015, any goods you sell must be of satisfactory quality, fit for their intended purpose, and as described on your website. If an item is faulty, your customer has a 30-day period during which they can reject it and claim a full refund. After 30 days, they are entitled to a repair or a replacement.
For more information on these rights, read Consumer rights and Doing business with consumers.
How must I handle customer data and marketing?
Handling personal data correctly is a critical legal responsibility for any online business, governed by the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Complying with UK GDPR
If you collect any personal data from customers (such as their name, email, or address), you must comply with UK GDPR. This means you need a lawful reason for collecting and using the data, and you must be transparent about it in a clear and accessible Privacy policy. Key principles include collecting only the data you need, keeping it secure, and not holding it for longer than necessary.
For more information, read Complying with the GDPR and Data protection.
Following the rules on cookies and marketing
PECR sets specific rules for electronic marketing and website cookies. You must have a user's clear consent before you send them marketing emails or texts, unless they are an existing customer buying a similar product. You must also clearly identify any such communications as marketing and state on whose behalf they are being sent.
You must get consent before placing cookies on a user's device unless the cookie is 'strictly necessary' for your site to work (like one that remembers items in a shopping basket). This is usually managed via a cookie banner and a detailed Cookie policy.
For more information, read Data privacy and cookies and Marketing and the law.
If you have any specific questions about your online business, do not hesitate to Ask a lawyer.