Magento Imagine Awards 2019 Finalist

Legal requirements for an eCommerce website

wiA recent report stated one quarter of small and medium businesses were in breach of website legal requirements to trade online. Regardless of whether your business is trading millions, thousands or nothing at all, your website needs to adhere to certain requirements.

Here is our guide to trading legally online:

Company information

As of 1st January 2007 all business stationery (which includes your website) must display the following in legible text:

This information needs to be displayed on all letters, emails, order forms, parcels, invoices, receipts, credit notes and website. We generally add these to the website footer.

Web accessibility

Your website should be accessible to as many people as possible. The World Wide Web Consortium (W3C) is an international organisation that develops web standards. As part of their remit they create specifications to ensure websites follow best practices so people with disabilities can use the internet.

The web accessibility guidelines are split into three checkpoints – priority 1, 2 and 3. Each of these checkpoints has a list of requirements a website must meet. The checkpoints are:

The UK Government and the Royal National Institute of Blind People (RNIB) advise that websites must satisfy priority 1 and should satisfy priority 2 of the guidelines. If both these priorities are satisfied then it will allow people with disabilities to use your website.

Keep in mind the guidelines are not just for web developers but for those who manage content too. For example, all images must include alternative text using the ALT attribute. This will allow screen readers to interpret the contents of an image.

These guidelines are taken very seriously. In January 2012 the RNIB served legal proceedings against Bmibaby over the failure to make their website accessible for blind and partially sighted customers.

Data protection

The Data Protection Act outlines the UK law for processing and storing peoples information. It’s the main legislation that governs the protection of personal data in the UK. The act gives people the right to know what information is stored and provides a framework for how that information should be handled.

Companies and organisations should notify the Office of the Information Commissioners that they are collecting data.

The data protection principles state that organisations, businesses and the government should make sure information is:

The latest General Data Protection Regulation (GDPR) framework was introduced in May 2018 and now provides Europe with the world’s strongest data protection. In a nutshell, GDPR gives a greater protection to the rights of the public with regards to their personal data. If your website collects user data, for example from an enquiry form, you should include a privacy policy that informs website users how you will retain and process their personal information.

Website legal requirements now also contain stronger legal protection against sensitive information. This includes ethnic background, political opinions, religious beliefs, health, sexual health and criminal records.

Consumer protection

From the 13th June 2014 the Consumer Contracts Regulation were enforced. This implemented the European Consumer Rights Directive into UK law. This legislation replaces the distance selling regulations. For any sales prior to 13th June 2014 the distance selling regulations still apply.

The Consumer Contracts Regulation covers distance selling, face-to-face sales that are not on a businesses premises and in-store sales.

We’ll be focusing on distance selling. For a sale to be valid you must provide the following information:

Any failure to meet these regulations could result in cancellation rights being extended up to one year.

Electronic commerce regulations

This came into force in 2002 and implements the European Union’s eCommerce directive into UK law. It is designed to achieve clarification and harmony of the rules concerning trading online.

One major part of the legislation is the country of origin principle. This states that a website only needs to follow the legislation of the country it is based in, regardless of whether sales are made to other EU countries. However, there are certain qualifications to this principle.

There are benefits to the country of origin principles. UK laws are generally much more lax compared to other countries in the UK, particularly around promotions. If your company is based in the UK you only need to follow UK law.

The Electronic Commerce Regulations states that a website should provide the following information:

These are in addition to the company information that must be provided as part of the Companies Act that we spoke about earlier.

When an order is placed online the Electronic Commerce Regulations states the following information should also be provided:

You’ll notice that many of these stipulations are also part of the Consumer Contracts Regulation.


The Payment Card Industry Data Security Standard (PCI DSS) was created to help prevent fraud for companies who process payments. PCI DSS ensures there are increased controls around data to help reduce the possibility of being compromised.

These standards apply to companies who hold, process of pass card information. Many eCommerce sites take payment using a third party service such as PayPal or SagePay. In this case the majority of the burden is on these services but some parts will still apply to you. The level you are required to comply will vary based on transaction volume, how much you’re taking and whether payments will be taken over the telephone.

There are 12 key requirements for companies who accept or process card payments:
  1. Use a firewall to protect data.
  2. Do not use vendor supplied defaults for passwords or other parameters.
  3. Protect stored data.
  4. Encrypt the transmission of data and sensitive information.
  5. Use antivirus software.
  6. Maintain a high level of security.
  7. Restrict access to data.
  8. Assign unique ID to each person with access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to the network.
  11. Regularly test security.
  12. Maintain a policy that addresses security.

Remember that PCI DSS also extends to where your website is hosted. Make sure you have secure passwords, suitable firewalls, an SSL certificate, anti virus software and limit access.

EU anti-spam laws

The Privacy and Electronic Communications Directive (E-Privacy Directive) was created for data protection and privacy in the digital age. This directive prohibits the sending of unsolicited commercial communications by email or other electronic messaging such as SMS.

To comply you must ensure that the user is offered an opt-in option. Customers are exempt from this but you are required to offer an opt-out option. If you purchase a database of emails you must ensure that those people have given consent to pass their emails on to third parties. Lastly, if you send an email there must be instructions to opt-out.

Cookie law

Cookies are small files that can be stored on a users computer when they visit a website. They’re used for Google Analytics, keeping you logged in or keeping a history of someones basket who is not logged in.

Cookies can also be used on websites to target advertising. This is potentially a privacy issue so the Information Commissioners Office (ICO) created a policy to prevent this from happening – say hello to the EU Cookie Law.

The EU cookie law states that a website must clearly show that it is using cookies. Most websites use an unobtrusive bar at the bottom or top of the page. This bar contains a link to a page with more information. It’s fine to assume consent for cookies but clear instructions should be available for how to block them.

Most content management systems use cookies so there is likely to be a module or plugin already available to make your website compliant to the EU Cookie Law.

Your website legal requirements – a quick recap

If you’re in any doubt we recommend contacting your website developers or seeking legal advice.

Here at iWeb, we create bespoke eCommerce websites that adhere to website legal requirements

If you’d like to achieve eCommerce success, speak with our team of experts to see how we can help. 

Contact us today – we’re always happy to discuss your needs!


Subscribe via email

Sign up to get notifications of new posts by email.

Share this article

Posted in eCommerce, Magento


Other posts you might like

If you’re running an ecommerce site on Magento 1, you should be aware by now that support for the long-running…

Magento Inc. have recently announced their hosted Magento eCommerce service, Magento Go, will be shutting down on 15th February 2015.…

What a year it’s been here at iWeb. 2019 has been filled with awards, epic website launches (if we do…

Call us on 01785 279920

Our friendly Magento experts are happy to answer your questions.

Follow us!

Get the latest eCommerce news, reviews and expert advice in your inbox.

To find out more about how we use your data, read our Privacy Policy