Summary
- UK e-commerce businesses must comply with the UK GDPR, with ICO fines reaching £17.5 million or 4% of global annual turnover.
- The Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013 govern product quality, refunds and the 14-day cooling-off period for online sales.
- Since April 2025, the Competition and Markets Authority can fine businesses directly under the Digital Markets, Competition and Consumers Act 2024.
- This guide explains e-commerce compliance for online retailers in the United Kingdom.
- LegalVision’s business lawyers specialise in advising clients on e-commerce and consumer law compliance.
Tips for Businesses
Show all costs, including VAT and delivery, before checkout. Publish a clear privacy policy and refund policy. Use unticked marketing opt-ins. Report data breaches to the ICO within 72 hours. Check payment processors are PCI DSS compliant, and review checkout flows against the drip pricing and fake review bans.
UK e-commerce business’ must comply with several overlapping laws: the UK GDPR and Data Protection Act 2018 for customer data, the Privacy and Electronic Communications Regulations for marketing, the Consumer Rights Act 2015 for product quality and refunds, and the Consumer Contracts Regulations 2013 for distance selling. Card payments must meet the Payment Card Industry Data Security Standard. Since 6 April 2025, the Competition and Markets Authority can fine businesses directly for breaching consumer protection law under the Digital Markets, Competition and Consumers Act 2024. The Information Commissioner’s Office enforces data protection, with fines reaching £17.5 million or 4% of global annual turnover. This article explains the key e-commerce regulations UK businesses must follow to stay compliant.
Data Protection and UK GDPR
The UK General Data Protection Regulation (UK GDPR), retained after Brexit, governs how you collect, process and store customer data. Online retailers handle large volumes of personal information, so compliance is essential.
Key requirements include a lawful basis for collecting data, strong security measures, giving customers access to their data, and reporting data breaches within 72 hours. You must also publish a clear privacy policy that explains how you use customer data.
Marketing Consent and PECR Requirements
The Privacy and Electronic Communications Regulations (PECR) set specific rules for electronic marketing that work alongside the UK GDPR. PECR requires explicit consent to send marketing emails to new prospects. It allows a soft opt-in for existing customers: you may email previous customers about similar products if you gave them an opt-out option at the point of purchase.
To comply with PECR, you should:
- use unticked opt-in boxes for marketing consent;
- provide a clear unsubscribe option in every marketing email; and
- obtain explicit consent for all SMS marketing.
Starting or running an online business? Download this free guide to understand key legal essentials, including contracts, data, and compliance.
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form, and we will contact you within one business day.
Consumer Rights
Product Quality Rights
The Consumer Rights Act 2015 protects customers who shop online. It covers product quality, delivery and returns. You must ensure goods are of satisfactory quality, fit for purpose, and match their description.
If products fail these standards, consumers can reject faulty goods within 30 days for a full refund, or ask for a repair or replacement. Give clear, accurate product descriptions so customers are not misled and goods match how you describe them. Handle complaints efficiently and give customers clear ways to contact you.
14-Day Cooling-Off Period
The 14-day cooling-off period comes from the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, which govern distance selling, including online sales. These give consumers cancellation rights separate from quality-based remedies.
Under these Regulations, you must offer a 14-day cooling-off period for most goods, letting customers cancel for any reason. The cancellation period starts from delivery of goods or the conclusion of a service contract. Some goods are exempt from cancellation rights, including personalised items, perishable goods, and items made to a customer’s specification.
Information and Transparency Regulations
The Consumer Contracts Regulations 2013 also set information and transparency requirements for online retailers. They require you to:
- clearly identify your business name, registered address and contact details on your website;
- provide comprehensive product information; and
- show total costs, including VAT and delivery charges.
You must acknowledge orders without undue delay, usually through an automated email confirmation, and give clear information about delivery arrangements and timeframes.
The Digital Markets, Competition and Consumers Act 2024
Since 6 April 2025, the Digital Markets, Competition and Consumers Act 2024 has reshaped how consumer law is enforced online. The Act replaced the Consumer Protection from Unfair Trading Regulations 2008 and gave the Competition and Markets Authority direct enforcement powers. The CMA no longer needs a court to act. It can investigate a business and impose fines of up to £300,000 or 10% of global annual turnover, whichever is higher.
The Act also bans two practices common in online retail. The first is drip pricing, where a headline price is shown and mandatory fees are added later at checkout. All compulsory charges, including booking and delivery fees, must appear in the price the customer first sees. The second is fake reviews. You must not publish reviews without taking reasonable steps to confirm they are genuine, and you must not hide that a review was incentivised.
In November 2025, the CMA opened its first investigations under these powers, targeting online pricing tactics. Online retailers should audit their checkout flows and review policies now, because these rules apply to every consumer sale.
Payment Security
The Payment Card Industry Data Security Standard (PCI DSS) applies to e-commerce businesses that accept card payments. This global standard requires every business that processes, stores or transmits card data to keep that data secure.
To comply with PCI DSS, you should:
- use secure payment gateways that encrypt customer payment information;
- update and patch your systems regularly to protect against known vulnerabilities;
- run vulnerability scans and penetration testing to find and fix weaknesses; and
- limit access to cardholder data to employees who need it for their role.
Key Takeaways
Running an e-commerce business in the UK means meeting several sets of rules at once: data protection under the UK GDPR, marketing consent under PECR, consumer rights under the Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013, the enforcement regime under the Digital Markets, Competition and Consumers Act 2024, and payment security under PCI DSS. Meeting these obligations protects you from fines and builds customer trust.
Compliance is ongoing. Review and update your policies as the law changes, and consider an annual compliance audit to find and close any gaps.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced contract lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
What are the main data protection requirements for UK e-commerce businesses?
UK e-commerce businesses must comply with the UK GDPR. This means having a lawful basis to collect data, applying strong security measures, giving customers access to their data, publishing a clear privacy policy, and reporting data breaches to the ICO within 72 hours.
How long do UK e-commerce businesses have to process refunds?
When a customer cancels within the 14-day cooling-off period under the Consumer Contracts Regulations 2013, you must refund them within 14 days of receiving the returned goods or proof of return. For faulty goods rejected within 30 days, refund without undue delay.
Do online customers have the right to change their mind?
Yes. Under the Consumer Contracts Regulations 2013, customers buying online get a 14-day cooling-off period and can cancel for any reason. If you do not tell them about this right, the cooling-off period can extend by up to 12 months.
Can the CMA fine my business directly for breaking consumer law?
Yes. Since April 2025, under the Digital Markets, Competition and Consumers Act 2024, the Competition and Markets Authority can investigate and fine businesses directly for breaching consumer protection law, without going to court. Fines can reach 10% of global annual turnover.
We appreciate your feedback! Request your free consultation now.