
Legislation for selling online: What you need to know when starting an e-commerce website

Monique Holtman

With almost £1 in every £5 of UK retail spending now taking place online, the UK's e-commerce market is worth an estimated £688 billion a year.

With figures like this, it's not surprising that businesses up and down the country want a slice of the pie. While moving online makes good business sense, there are a number of important legal and security considerations to bear in mind before you start trading.

There are legal requirements for e-commerce websites and failure to comply with them can land you in hot water. Below is an introduction to UK website laws and regulations which covers policies, data protection and security procedures.

Please note that this guide is not an exhaustive list and there may be other factors to consider depending on the industry you’re operating in.

UK website laws and regulations

As I mentioned earlier, there are a number of legal requirements for e-commerce websites in the UK. Please remember that these requirements change frequently and as a website owner, it’s important that you stay on top of this.

The identity of your business

The Companies Act 2006 (through the Companies (Trading Disclosures) Regulations 2008) and the Electronic Commerce (EC Directive) Regulations 2002 require you to disclose certain information about the identity of your business on your website. This should be positioned somewhere easy to find and where visitors would expect to see it, such as your contact or about page.

The information you need to disclose includes:

  • Company name
  • Company registered number
  • Place of registration (England and Wales, Scotland or Northern Ireland, for example)
  • Registered office address
  • A postal address and an email address at which the company can be contacted
  • A non-electronic means of contact, such as a postal address or telephone number
  • Your VAT number, if the business is VAT registered
  • The name of any trade bodies or professional associations you're part of, including membership or registration details

Screenshot of Etsy webpage

Policies

It's a legal requirement to display certain policies on your website. In particular, you will need to include data protection information so consumers know how you collect, store and use their information. As a minimum, you should include a privacy policy and a cookie policy (both are covered under Data protection below).


Accessibility

Your website should be accessible to as many people as possible, which means following the Web Content Accessibility Guidelines (WCAG) published by the World Wide Web Consortium (W3C). Gov.uk is a great resource to help you understand accessibility requirements, best practice and how to meet the minimum standard so that your website is usable by all.

Data protection

When it comes to the list of legal requirements for e-commerce websites, data protection is one of the most important. These rules are in place to protect your customers, and your business, so that personal information doesn't fall into the wrong hands.

As a website owner, it's your responsibility to take reasonable steps to prevent personal data from being accidentally or deliberately compromised. This includes:

  • Complying with the Data Protection Act 2018, which gives people the right to know what information is held about them and how it's being used. This information should be set out in your privacy and cookie policies
  • Serving your website over HTTPS with a valid TLS certificate (still commonly called an "SSL certificate"), so that data in transit between the visitor and your server is encrypted
  • Updating your website software regularly, including the operating system, the content management system and any plugins or themes. Updates matter because they close newly discovered vulnerabilities that attackers actively scan for
  • Testing your website for security vulnerabilities, and re-testing after significant changes
  • Complying with the GDPR (see below)

GDPR regulations

The General Data Protection Regulation (GDPR) came into force in May 2018 to give the public greater protection of their personal data; since the end of the Brexit transition period it applies in the UK as the "UK GDPR" alongside the Data Protection Act 2018. It's a legal requirement that your website is GDPR compliant, which means:

  • Users must actively opt in to things like marketing emails. A pre-ticked consent box does not count as consent
  • You must make it as easy for users to withdraw consent or opt out as it was to opt in
  • You should only collect the personal data you actually need for the purpose, such as an email address for an order confirmation
  • You must tell visitors that you use cookies and what they are for
  • You must have a data breach process in place. A breach that risks people's rights must be reported to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it

GDPR opt in example


Payment Card Industry Data Security Standard (PCI DSS)

E-commerce websites face extra scrutiny because they take payment details from consumers. Should card or bank details fall into the wrong hands, the consequences could be devastating both for customers and for the reputation of your business.

The Payment Card Industry Data Security Standard (PCI DSS) was created to help prevent such fraud. It sets controls on how cardholder data is stored, processed and transmitted, and applies to any organisation that handles card data. Unlike the GDPR, it is an industry standard rather than legislation: it is enforced through your agreement with your card acquirer or payment provider, and non-compliance can mean fines or losing the ability to take card payments.


If you use a third-party service such as PayPal to process payments, much of the burden sits with that provider, but you remain responsible for your own site. The level you're required to comply with (which self-assessment questionnaire you complete, and whether an on-site assessment is needed) depends on your annual transaction volume and on how card data touches your systems. A site that hands the customer over to the provider's hosted payment page or embedded iframe, and never sees card numbers itself, has a far smaller compliance scope than one that collects card details on its own form.

Under the PCI DSS, there are 12 key requirements you must meet if you take card payments via your website:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data. Store as little as possible: never keep the card security code (CVV) after authorisation, and mask card numbers wherever they are displayed
  4. Encrypt transmission of cardholder data across open, public networks, so that card details cannot be read if the traffic is intercepted. Note that this protects data in transit only; it does nothing for data sitting in a breached database, which is what requirement 3 addresses
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications: keep all software patched and fix known vulnerabilities in your own code
  7. Restrict access to cardholder data by business need-to-know. Only employees who need access should be able to view sensitive information
  8. Assign a unique ID to each person with computer access, so that every action can be traced to an individual rather than a shared account
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all staff

A more in-depth explanation of the standard can be found on the PCI Security Standards Council's website.

Security for processing payment details

As well as adhering to the PCI DSS, you should also follow the government's HTTPS security guidelines.

You will notice that many e-commerce websites have https at the beginning of their URL. This tells you that the connection between the browser and the website is encrypted and that the browser has verified the site's certificate, so payment information cannot be read or altered by a third party while it travels over the network. It does not, on its own, say anything about how the site stores that data once it arrives, which is why the other requirements above still matter.

Amazon URL

Users are becoming increasingly cautious about only using websites that provide this layer of security, and modern browsers now mark plain HTTP pages as "Not secure", so it's important to switch from HTTP to HTTPS if you haven't already. Switching means more than installing a certificate: every http:// request should redirect to https://, and the site should tell browsers to use HTTPS only (HTTP Strict Transport Security, HSTS).
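The following is an added example, not code from the original article or from Nominet: a small Python audit of the checks a practitioner runs after moving a shop to HTTPS. It works over captured HTTP responses that are constructed inline (shop.example is a placeholder host, not a real site) so it runs offline; to use it on a real site you would fill the `Response` objects from an HTTP client. The one-year HSTS `max-age` threshold is an assumption taken from common hardening guidance, not a figure from the article.

```python
"""Audit of an HTTP -> HTTPS migration: redirect, HSTS and cookie Secure flag.

Added example; the Response objects below are constructed samples, not real captures.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """A captured HTTP response. Header names are stored lower-cased."""
    url: str
    status: int
    headers: dict
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie values


def redirects_to_https(http_resp: Response) -> bool:
    """A request for http://host/... must get a permanent redirect to https:// on the same host."""
    if http_resp.status not in (301, 308):
        return False
    target = urlsplit(http_resp.headers.get("location", ""))
    origin = urlsplit(http_resp.url)
    return target.scheme == "https" and target.netloc == origin.netloc


def hsts_ok(https_resp: Response, min_age: int = 31536000) -> bool:
    """Strict-Transport-Security present with max-age >= min_age seconds (one year assumed)."""
    value = https_resp.headers.get("strict-transport-security", "")
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val) >= min_age
    return False


def insecure_cookies(https_resp: Response) -> list:
    """Names of cookies set without the Secure attribute; a browser would send those over plain HTTP too."""
    bad = []
    for cookie in https_resp.set_cookies:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            bad.append(name)
    return bad


def audit(http_resp: Response, https_resp: Response) -> dict:
    """Run all three checks; an empty 'problems' list means the migration passes."""
    problems = []
    if not redirects_to_https(http_resp):
        problems.append("plain HTTP is not redirected to HTTPS")
    if not hsts_ok(https_resp):
        problems.append("HSTS missing or max-age too short")
    for name in insecure_cookies(https_resp):
        problems.append(f"cookie {name!r} lacks the Secure attribute")
    return {"passed": not problems, "problems": problems}


# Constructed samples (placeholder host, not a real shop): a site before and after the switch.
BEFORE_HTTP = Response("http://shop.example/checkout", 200, {"content-type": "text/html"})
BEFORE_HTTPS = Response("https://shop.example/checkout", 200, {"content-type": "text/html"},
                        ["session=abc123; Path=/; HttpOnly"])

AFTER_HTTP = Response("http://shop.example/checkout", 301,
                      {"location": "https://shop.example/checkout"})
AFTER_HTTPS = Response("https://shop.example/checkout", 200,
                       {"content-type": "text/html",
                        "strict-transport-security": "max-age=31536000; includeSubDomains"},
                       ["session=abc123; Path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    print("before:", audit(BEFORE_HTTP, BEFORE_HTTPS))
    print("after: ", audit(AFTER_HTTP, AFTER_HTTPS))
```

The "before" sample fails all three checks: the HTTP page is served directly instead of redirecting, there is no HSTS header, and the session cookie would be sent in clear text on any http:// link. The redirect check also rejects a redirect to http:// or to a different host, both of which are common misconfigurations when a redirect rule is copied from another site.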

On a related note, the strong customer authentication (SCA) rules introduced under the second Payment Services Directive (PSD2) change how online card payments must be authenticated, so check what your payment provider requires of your checkout.


You should now have a good understanding about the legal requirements for e-commerce websites. While it may seem like a lot to get your head around initially, these laws and regulations are in place to protect your business and your customers.

Please remember that requirements change regularly, so it's a good idea to get into the habit of checking for updates from the ICO, the PCI Security Standards Council and your payment provider.

Disclaimer
The information in this article is for general guidance only and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at January 2021. However, Nominet UK does not accept liability for any loss, damage or inconvenience arising as a consequence of any reliance on or use of any information contained in this guidance.
Monique Holtman

After completing her degree in Journalism, Monique began her career at a digital marketing agency. It was here she discovered a passion for online marketing with a particular focus on content creation for the web. Six years ago Monique set up her own copywriting business, Copyworks Group, which specialises in creating content for websites, blogs, newsletters and social media pages.
