Legislation for selling online: What you need to know when starting an e-commerce website

With almost £1 in every £5 spent on retail now done so online, the UK’s e-commerce market generates an incredible £688 billion a year. 

With figures like this, it’s not surprising that businesses up and down the country want a slice of the pie. While moving online makes good business sense, there are a number of important considerations to bear in mind.

There are legal requirements for e-commerce websites and failure to comply with them can land you in hot water. Below is an introduction to UK website laws and regulations which covers policies, data protection and security procedures.

Please note that this guide is not an exhaustive list and there may be other factors to consider depending on the industry you’re operating in.

UK website laws and regulations

As I mentioned earlier, there are a number of legal requirements for e-commerce websites in the UK. Please remember that these requirements change frequently and as a website owner, it’s important that you stay on top of this.

The identity of your business

The Companies Act 2006 requires you to disclose certain information about the identity of your business on your website. This should be positioned somewhere easy to find and where visitors would expect to see it, such as your contact or about page.

The information you need to disclose includes:

• Company name
• Company registered number
• Place of company registration (England, Wales or Scotland for example)
• Registered office address
• Company name, postal address and email address
• How to contact your company via non-electronic means (postal address or telephone number)
• Your VAT number
• The name of any trade bodies or professional associations you’re part of, including membership or registration details

Policies

It’s a legal requirement to display certain policies on your website. In particular, you will need to include data protection information so consumers know how you collect, store and use their information. As a minimum, you should include:

• A privacy policy. This details the personal information your business collects and how you use it. This can include names, date of birth, contact details and credit card information. Here is further information about writing a GDPR-compliant privacy policy
• A cookie policy so visitors know how your business uses cookies on your website. Cookies are typically used to store anything from how long people spend on a site to the pages they look at and the links they click on. This can be part of your privacy policy. Find out what a cookie policy is and how to write one for your website
• A returns policy which explains your terms and conditions. This can include which items are returnable, how long customers have to return items and how to place a return. You can find an example of a returns policy on asos.com. Before writing this document, it’s a good idea to understand what the law states about accepting returns and giving refunds. You can also read more about writing a returns policy and how small retailers should handle the online returns process

Accessibility

Your website should be accessible to as many people as possible and this means following guidelines set out by The World Wide Web Consortium (W3C). Gov.uk is a great resource to help you understand more about accessibility requirements, best practice and how you can meet the minimum standard to ensure your website is accessible to all.

Data protection

When it comes to the list of legal requirements for e-commerce websites, data protection is one of the most important. These regulations are in place to protect your business and your customers so that personal information doesn’t fall into the wrong hands.

As a website owner, it’s your responsibility to ensure that you’ve done everything you can to prevent personal data from being accidentally or deliberately compromised. This includes:

• Complying with The Data Protection Act 2018. This gives people the right to know what information is being stored about them and how it’s being used. This information should be displayed in your privacy and cookie policies
• Implementing an SSL certificate on your website
• Updating your website software regularly, including your operating system and content management system. Software updates are crucial because they protect against newly discovered threats
• Testing your website for security vulnerabilities
• Complying with GDPR regulations

GDPR regulations

In May 2018, the General Data Protection Regulation (GDPR) was introduced to give the public greater protection of their personal data. It’s a legal requirement that your website is GDPR compliant which means:

• Users have to proactively opt-in to preferences such as receiving marketing emails. You can’t have the consent box automatically ticked for example
• You must make it easy for users to withdraw consent or opt-out
• You should only collect essential information that you need, such as an email address
• Notifying website visitors that you use cookies
• Having a data breach process in place

Some helpful resources covering data protection and GDPR:

• What is personal data under GDPR?
• Video: GDPR compliance in a nutshell
• GDPR compliance for small businesses
• GDPR compliance checklist

Payment Card Industry Data Security Standard (PCI DSS)

UK website laws and regulations are especially important for e-commerce websites because they require taking payment information from consumers. Should card or bank details fall into the wrong hands, this could be devastating for customers and the reputation of your business.

The Payment Card Industry Data Security Standard (PCI DSS) has been created to help prevent such fraud from taking place. It ensures there are stricter controls around data and these standards must be adhered to if your organisation holds or processes card information.

If you use a third-party service such as PayPal to process payments, some of this responsibility is down to the platform, but some parts still apply to you. The level you’re required to comply with varies depending on transaction volume and how much you’re taking.

Under the PCI DSS, there are 12 key requirements you must meet if you take card payments via your website:

1. Use a firewall to protect data
2. Do not use vendor supplied defaults for passwords or other parameters
3. Protect stored data
4. Encrypt the transmission of data and sensitive information. This means that even if you suffer a breach, hackers won’t be able to read your data
5. Use anti-virus software
6. Maintain a high level of security. For example, use secure passwords, ensure you have an SSL certificate and follow all the points mentioned on this list
7. Restrict access to data. Only employees who need to have access should be able to view sensitive information
8. Assign a unique ID to each person with access
9. Restrict physical access to cardholder data
10. Track and monitor all access to the network
11. Regularly test your security systems
12. Implement and maintain a policy which addresses security

A more in-depth explanation of the PCI’s security standards can be found on the organisation’s website. 

Security for processing payment details

As well as adhering to PCI security standards, you should also follow the government HTTPS security guidelines.

You will notice that many e-commerce websites have https at the beginning of their URL. This tells you that the connection on that website is secure which means that payment information is protected from being intercepted by malicious third parties.

Users are becoming increasingly cautious about only using websites which provide this added layer of security so it’s important to switch from HTTP to HTTPS if you haven’t already.

Here are some more great tips for ensuring that your e-commerce website is secure for payment processing. Of a similar note, you can find out about changes to strong customer authentication (SCA) here. 

You should now have a good understanding about the legal requirements for e-commerce websites. While it may seem like a lot to get your head around initially, these laws and regulations are in place to protect your business and your customers.

Please remember that requirements change regularly so it’s a good idea to get into the habit of checking for updates. Here are some great ways businesses can stay on top of changing compliance regulations.

Some other resources you might find helpful include:

• Cyber security for SMEs
• Legal requirements for business websites
• For more information on data protection, the ICO website is a great resource
• Top e-commerce platforms for new online retailers
• How to create an e-commerce website
• Seven ways to promote your e-commerce website

Disclaimer

The information in this article is for general guidance only and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at January 2021. However, Nominet UK does not accept liability for any loss, damage or inconvenience arising as a consequence of any reliance on or use of any information contained in this guidance.