Skip to content

E-Commerce Compliance: Key Regulations for UK E-Commerce Business’

Summary

  • UK e-commerce businesses must comply with the UK GDPR, with ICO fines reaching £17.5 million or 4% of global annual turnover.
  • The Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013 govern product quality, refunds and the 14-day cooling-off period for online sales.
  • Since April 2025, the Competition and Markets Authority can fine businesses directly under the Digital Markets, Competition and Consumers Act 2024.
  • This guide explains e-commerce compliance for online retailers in the United Kingdom.
  • LegalVision’s business lawyers specialise in advising clients on e-commerce and consumer law compliance.

Tips for Businesses

Show all costs, including VAT and delivery, before checkout. Publish a clear privacy policy and refund policy. Use unticked marketing opt-ins. Report data breaches to the ICO within 72 hours. Check payment processors are PCI DSS compliant, and review checkout flows against the drip pricing and fake review bans.

Summarise with:
ChatGPT logo ChatGPT Perplexity logo Perplexity

On this page

UK e-commerce business’ must comply with several overlapping laws: the UK GDPR and Data Protection Act 2018 for customer data, the Privacy and Electronic Communications Regulations for marketing, the Consumer Rights Act 2015 for product quality and refunds, and the Consumer Contracts Regulations 2013 for distance selling. Card payments must meet the Payment Card Industry Data Security Standard. Since 6 April 2025, the Competition and Markets Authority can fine businesses directly for breaching consumer protection law under the Digital Markets, Competition and Consumers Act 2024. The Information Commissioner’s Office enforces data protection, with fines reaching £17.5 million or 4% of global annual turnover. This article explains the key e-commerce regulations UK businesses must follow to stay compliant.

The mistake I see most often is treating compliance as a one-off setup task. The rules that trip up online retailers now are the newest ones: the CMA can fine you directly for hidden fees at checkout or for fake reviews, so those checks need to live inside your buying flow, not in a policy document nobody reads.

Humna Ahmed, LegalVision

Data Protection and UK GDPR

The UK General Data Protection Regulation (UK GDPR), retained after Brexit, governs how you collect, process and store customer data. Online retailers handle large volumes of personal information, so compliance is essential.

Key requirements include a lawful basis for collecting data, strong security measures, giving customers access to their data, and reporting data breaches within 72 hours. You must also publish a clear privacy policy that explains how you use customer data.

For example, when a customer creates an account on your platform, you must explain what data you collect and why. Failure to comply with the UK GDPR can lead to fines of up to £17.5 million or 4% of your global annual turnover, whichever is higher.

The Privacy and Electronic Communications Regulations (PECR) set specific rules for electronic marketing that work alongside the UK GDPR. PECR requires explicit consent to send marketing emails to new prospects. It allows a soft opt-in for existing customers: you may email previous customers about similar products if you gave them an opt-out option at the point of purchase.

To comply with PECR, you should:

  • use unticked opt-in boxes for marketing consent;
  • provide a clear unsubscribe option in every marketing email; and
  • obtain explicit consent for all SMS marketing.
Front page of publication
Legal Essentials for UK Online and eCommerce Businesses

Starting or running an online business? Download this free guide to understand key legal essentials, including contracts, data, and compliance.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form, and we will contact you within one business day.

Consumer Rights

Product Quality Rights

The Consumer Rights Act 2015 protects customers who shop online. It covers product quality, delivery and returns. You must ensure goods are of satisfactory quality, fit for purpose, and match their description.

If products fail these standards, consumers can reject faulty goods within 30 days for a full refund, or ask for a repair or replacement. Give clear, accurate product descriptions so customers are not misled and goods match how you describe them. Handle complaints efficiently and give customers clear ways to contact you.

For example, if you sell electronics, state the product specifications, warranty information and any limitations. If a customer receives a faulty item, you may need to repair, replace or refund it.

14-Day Cooling-Off Period

The 14-day cooling-off period comes from the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, which govern distance selling, including online sales. These give consumers cancellation rights separate from quality-based remedies.

Under these Regulations, you must offer a 14-day cooling-off period for most goods, letting customers cancel for any reason. The cancellation period starts from delivery of goods or the conclusion of a service contract. Some goods are exempt from cancellation rights, including personalised items, perishable goods, and items made to a customer’s specification.

Information and Transparency Regulations

The Consumer Contracts Regulations 2013 also set information and transparency requirements for online retailers. They require you to:

  • clearly identify your business name, registered address and contact details on your website;
  • provide comprehensive product information; and
  • show total costs, including VAT and delivery charges.

You must acknowledge orders without undue delay, usually through an automated email confirmation, and give clear information about delivery arrangements and timeframes.

For example, an online clothing store should include size guides, fabric information and care instructions on each product page. Your checkout must display all costs, including VAT and shipping, before the customer confirms their order, and set out cancellation rights and procedures.

The Digital Markets, Competition and Consumers Act 2024

Since 6 April 2025, the Digital Markets, Competition and Consumers Act 2024 has reshaped how consumer law is enforced online. The Act replaced the Consumer Protection from Unfair Trading Regulations 2008 and gave the Competition and Markets Authority direct enforcement powers. The CMA no longer needs a court to act. It can investigate a business and impose fines of up to £300,000 or 10% of global annual turnover, whichever is higher.

The Act also bans two practices common in online retail. The first is drip pricing, where a headline price is shown and mandatory fees are added later at checkout. All compulsory charges, including booking and delivery fees, must appear in the price the customer first sees. The second is fake reviews. You must not publish reviews without taking reasonable steps to confirm they are genuine, and you must not hide that a review was incentivised.

In November 2025, the CMA opened its first investigations under these powers, targeting online pricing tactics. Online retailers should audit their checkout flows and review policies now, because these rules apply to every consumer sale.

Key Statistics

  1. Online share of UK retail: Online sales made up 28.3% of total UK retail sales in December 2025, showing how much commerce now runs through e-commerce channels.
  2. Maximum UK GDPR fine: The ICO can fine businesses up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious data protection breaches.
  3. CMA direct fines: The Competition and Markets Authority can fine businesses up to £300,000 or 10% of global annual turnover, whichever is greater, for breaching consumer protection law.

Sources

  • Office for National Statistics, 2025
  • Information Commissioner’s Office, 2024
  • GOV.UK (Competition and Markets Authority), 2025

Payment Security

The Payment Card Industry Data Security Standard (PCI DSS) applies to e-commerce businesses that accept card payments. This global standard requires every business that processes, stores or transmits card data to keep that data secure.

To comply with PCI DSS, you should:

  • use secure payment gateways that encrypt customer payment information;
  • update and patch your systems regularly to protect against known vulnerabilities;
  • run vulnerability scans and penetration testing to find and fix weaknesses; and
  • limit access to cardholder data to employees who need it for their role.

For example, if you use a third-party processor such as PayPal or Stripe, check that they are PCI DSS compliant. If you store payment information on your own servers, apply strict access controls and encryption.

Key Takeaways

Running an e-commerce business in the UK means meeting several sets of rules at once: data protection under the UK GDPR, marketing consent under PECR, consumer rights under the Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013, the enforcement regime under the Digital Markets, Competition and Consumers Act 2024, and payment security under PCI DSS. Meeting these obligations protects you from fines and builds customer trust.

Compliance is ongoing. Review and update your policies as the law changes, and consider an annual compliance audit to find and close any gaps.

LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced contract lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What are the main data protection requirements for UK e-commerce businesses?

UK e-commerce businesses must comply with the UK GDPR. This means having a lawful basis to collect data, applying strong security measures, giving customers access to their data, publishing a clear privacy policy, and reporting data breaches to the ICO within 72 hours.

How long do UK e-commerce businesses have to process refunds?

When a customer cancels within the 14-day cooling-off period under the Consumer Contracts Regulations 2013, you must refund them within 14 days of receiving the returned goods or proof of return. For faulty goods rejected within 30 days, refund without undue delay.

Do online customers have the right to change their mind?

Yes. Under the Consumer Contracts Regulations 2013, customers buying online get a 14-day cooling-off period and can cancel for any reason. If you do not tell them about this right, the cooling-off period can extend by up to 12 months.

Can the CMA fine my business directly for breaking consumer law?

Yes. Since April 2025, under the Digital Markets, Competition and Consumers Act 2024, the Competition and Markets Authority can investigate and fine businesses directly for breaching consumer protection law, without going to court. Fines can reach 10% of global annual turnover.

Register for our free webinars

Managing Cyber Threats: What To Do When Your Business Is Hacked

Online
Managing cyber threats, data breach obligations and your legal response plan under UK law. Register for our free webinar.
Register Now

Consumer Rights and Returns: Ensuring Your Business is Compliant

Online
Learn what your business’ returns policy must include and how to handle related customer disputes. Register for our free webinar.
Register Now

Recruiting New Franchisees to Your Network: How to Avoid Costly Mistakes

Online
Learn how to select the right franchisees to reduce your risks and ensure your network grows. Register today to learn more.
Register Now

Is Your Marketing Exposing You? A Defamation and Advertising Risk Check For 2026

Online
Check your marketing for defamation and advertising risk before it costs you. Register for our free webinar.
Register Now
See more webinars >

Humna Ahmad

Solicitor | View profile

Humna is a Solicitor at LegalVision within the Corporate and Commercial team.

Qualifications: Humna graduated from the City, University of London with a Bachelor of Laws (Hons) and then completed the Legal Practice Course and Masters in 2023. Prior to joining LegalVision, Humna worked at a high-street firm, gaining experience in a variety of areas such as Property, Corporate and Commercial.

Read all articles by Humna

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

LegalVision is an award-winning business law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards