Before you launch your business online and take your first orders, you need to ensure that your e-commerce website meets all the relevant legal requirements. There are important policies to put in place, online payment security standards to comply with, data protection laws to follow and so much more.
Our experts from FSB Legal and Business Hub have broken down some of the main areas of business legislation your small business needs to be aware of, so that you can trade legally online. In addition to this guide, there are more detailed factsheets, together with numerous precedent documents, available on the FSB Legal and Business Hub.
What are the legal requirements for an e-commerce business?
Although your legal obligations are much the same as a traditional brick-and-mortar retailer, there are additional areas that you need to consider when trading online. This includes online payment security standards, policies for your website, accessibility and more. Here are 14 areas you need to be aware of when running an e-commerce business.
1. Electronic Commerce Regulations
These regulations relate to information that you should clearly provide on your website if you’re selling online, including:
- Your business name (and trading name if you have one)
- Your address (and registered address if this is different)
- Contact email address
- Company registration number
- Any Trade or Professional Association memberships
- Your VAT number if you’re VAT registered
Typically, this information features in your website footer.
2. Do you have terms and conditions?
As an online retailer, it’s important to have terms and conditions in place as an online contract to reduce your legal risk. Make sure these are tailored to your business, for example Business-to-Business (B2B) or Business-to-Consumer (B2C). There are precedent terms and conditions for use when selling goods and/or services online available on the FSB Legal and Business Hub.
3. Online selling rules
There are extra steps that you must take when selling online to consumers. A consumer is an individual acting for purposes wholly or mainly outside of a business, and their statutory rights cannot be taken away or altered.
Before the sale, this includes:
- Making it clear to Consumers they have to pay when ordering
- Clearly displaying delivery options and costs
- Giving an accurate description of your goods or services
- Informing customers of their right to cancel (for goods, up to 14 days from receipt of the goods; for services, up to 14 days from the date the contract is entered into). There are limited circumstances in which there is no right to cancel, for example bespoke or perishable goods
After the sale, this includes:
- Confirming the contract and associated terms, including the right to cancel with an order confirmation email
- Delivering the goods within 30 days, unless agreed otherwise
4. Consumer Rights Act
The Consumer Rights Act outlines what rights a Consumer has and what your obligations are as a goods or services provider in the event of a dispute. For example, when you’re putting together your product descriptions, you should make sure they’re accurate to avoid misleading customers under the terms of the Consumer Rights Act.
If you are selling business to business, then the Sale of Goods Act 1979 (as amended) applies, unless your terms and conditions alter or amend this.
5. Is your online shop accessible?
By law, you must make reasonable adjustments to ensure your website is suitable for all, including disabled users. The Web Content Accessibility Guidelines are an international standard for ensuring that websites are accessible for all.
If you’ve chosen to set up your own ecommerce website rather than sell through an online marketplace, you’ll want to make sure that it’s designed with accessibility in mind.
6. Are you compliant with UK GDPR?
If a user is registering for an account on your website, purchasing a product, or receiving your marketing emails, you need to ensure that you are handling this data correctly in compliance with data protection laws.
The Data Protection Act 1998 has been replaced by the Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR). GDPR is an EU regulation that no longer applies to the UK; however, the provisions of GDPR have been incorporated into UK law as the UK GDPR. The regulation applies to any business that processes personal data.
7. Privacy and Electronic Regulations (PECR)
Whether you’re sending out email newsletters with your latest offer or calling prospective clients, you need to ensure you’re staying on the right side of the law. In addition to UK GDPR, Privacy and Electronic Regulations (PECR) give individuals privacy rights linked to electronic methods of communication, including email marketing and cookies. The regulations apply to both B2B and B2C marketing. The ICO provides an overview of the basics of PECR for businesses.
You can access a detailed FAQ about direct marketing and the implications for UK GDPR and PECR on the FSB Legal and Business Hub.
What should you include?
- Let customers and visitors know what data you’re collecting and how you store it
- Explain what data (if any) you’ll be sharing and with whom.
- Make sure you give customers the choice of opting in or out
- Inform customers of their rights
- State how long you hold onto the data
- Why you’re using cookies on your website
- The types of cookies you’re using
- Relevant information about third parties using the data from cookies
11. Refund and return policy
A major policy for businesses operating in the e-commerce space is a refund and returns policy. Every now and then you might experience a customer who requests a refund for a faulty item, is unhappy that a product has arrived damaged, isn’t impressed with the service, or wants to return an item that isn’t suitable.
Therefore, a robust refund and return policy protects your business and manages customer expectations. When putting together your policy, you need to remember Consumer rights, for example giving full refunds within 30 days for a faulty product.
12. PCI compliance
Taking online payments is an essential aspect of e-commerce, whether it’s credit cards, PayPal or other providers. Offering multiple ways to pay provides a more convenient checkout experience with less friction, but you need to ensure this is secure and compliant to protect both you and your customer.
Security measures like the Payment Card Industry Data Security Standard (PCI DSS) are not only essential for compliant online transactions, but also serve to boost customer confidence when making a purchase.
Although it’s not required by law, failure to comply with PCI can result in fines from your bank provider if there is a data breach. You also risk breaching the Data Protection Act 1998 and enforcement action from the ICO.
Find out more about how to become PCI compliant.
13. Strong Customer Authentication
New rules under the Payment Service Directive 2 (PSD2) mean that consumers are now required to confirm their identity when purchasing online to improve payment security.
Strong Customer Authentication (SCA) is a form of two-factor authentication, whereby extra steps are put in place for online card transactions to reduce card-not-present fraud.
Discover what you need to know about Strong Customer Authentication and how it applies to your business.
14. Ban on surcharges
Giving your customers the option of several payment methods on your website creates a better checkout experience. Surcharge rules ban traders from adding a surcharge fee in addition to the price of a transaction if paying with a certain method of payment like credit cards or electronic payments.
You can find detailed guidance about surcharge rules for consumer and business transactions on FSB Legal and Business Hub.
Is your e-commerce website compliant?
Whether you’re ready to set up your e-commerce website or you want to check your current website is compliant, FSB members can take a quick health check for trading online on the FSB Legal and Business Hub.