Selling products or services online in the UK means you are subject to a specific set of legal obligations on top of the general rules that apply to every business. The key statutes you need to know are the Consumer Rights Act 2015, the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013, and the Electronic Commerce (EC Directive) Regulations 2002.
Before a customer places an order, your website or app must clearly display:
Your business name and registered address (or principal place of business)
Your company registration number (if you are a limited company)
Your VAT number (if VAT-registered)
A contact email address and, ideally, a phone number
Clear pricing including all taxes and delivery charges
A description of the main characteristics of each product or service
These are not nice-to-haves. Failing to provide pre-contract information can give customers extra cancellation rights and may attract enforcement action from Trading Standards.
Website Terms & Conditions
Every business website should have terms and conditions that govern how visitors use the site and, if you sell online, how sales work. For consumer-facing businesses, these terms must be fair under the Consumer Rights Act 2015. A term is unfair - and therefore not binding - if it creates a significant imbalance between your rights and the consumer's, to the consumer's detriment.
Distance Selling Rules
Under the Consumer Contracts Regulations 2013, consumers who buy online have a statutory right to cancel most orders within 14 days of receiving goods (or 14 days from concluding a service contract). This is sometimes called the "cooling-off period." You cannot contract out of it. Key points:
You must tell customers about the cancellation right before they order. If you do not, the cancellation period extends by up to 12 months.
You must provide a model cancellation form (a template is in Schedule 3 of the Regulations).
Certain products are exempt - for example, personalised goods, perishables, and sealed hygiene products that have been opened.
Refund timing depends on the contract type. For goods, you usually have 14 days from getting the goods back (or receiving evidence of return). For services, the refund deadline is generally 14 days from cancellation.
eCommerce and SaaS Terms
If you run an eCommerce store or offer a SaaS product, your terms need to cover territory beyond basic website T&Cs. Under the Electronic Commerce Regulations 2002, you must provide a clear ordering process that includes:
The technical steps required to place an order
Whether the contract will be stored and how the customer can access it
How the customer can correct input errors before placing the order
The languages in which the contract may be concluded
For SaaS products, your terms should also address subscription billing, service-level expectations, data handling (particularly where your customers store personal data in your platform), and what happens to customer data on termination. If you serve business customers, you have more flexibility to negotiate terms - the Consumer Rights Act fairness rules apply only to consumer contracts.
Bear in mind that UK consumer law can apply to digital content and digital services. Under the Consumer Rights Act 2015, digital content must be of satisfactory quality, fit for purpose, and as described. This applies to apps, downloadable files, streaming content, and SaaS products sold to consumers.
Online Marketplaces
Selling on Amazon, eBay, Etsy, or another marketplace does not remove your legal obligations as a trader. You are still the seller under UK consumer law, so the distance selling rules, cancellation rights, and product safety requirements all apply to you directly.
Marketplace platforms typically set their own seller terms on top, and these can be strict - covering response times, returns policies, and dispute resolution. It is worth reading them carefully, because a platform can suspend your account if you breach their policies, even if you are technically complying with the law.
If you sell goods on an online marketplace and your UK turnover exceeds the VAT registration threshold (currently 90,000 GBP), you must register for VAT. Some marketplaces are also required to collect and report seller income data to HMRC under the Platform Reporting Rules based on the OECD model reporting rules.
Data Protection in the UK
Data protection law in the UK is governed by two pieces of legislation working together: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The UK GDPR is the retained EU law version of the EU GDPR, carried into UK domestic law after Brexit. In practice, the rules are very similar to the EU regime.
The regulator is the Information Commissioner's Office (ICO), which has the power to investigate complaints, conduct audits, and issue fines of up to 17.5 million GBP or 4% of global annual turnover (whichever is higher) for serious breaches.
ICO Registration
Most organisations that process personal data must pay an annual data protection fee to the ICO. The fee is tiered:
Tier 1 (currently 52 GBP/year): micro organisations with a maximum turnover of 632,000 GBP and no more than 10 staff
Tier 2 (currently 78 GBP/year): small and medium organisations with a maximum turnover of 36 million GBP and no more than 250 staff
Tier 3 (currently 3,763 GBP/year): large organisations above those thresholds
A small number of exemptions exist - for example, organisations that process personal data only for core business activities like staff administration and accounts/records with no marketing or tracking. However, most online businesses will need to register.
Do You Need to Register with the ICO?
Do you process personal data in any form (names, emails, IP addresses, etc.)?
If no: You are unlikely to need ICO registration, but this is rare for any business with a website.
If yes: Is the processing only for core business purposes with no marketing, profiling, or data sharing?
If yes: You may qualify for an exemption. Check the ICO's self-assessment tool to confirm.
If no: You must register with the ICO and pay the annual data protection fee.
What Your Privacy Policy Needs
Articles 13 and 14 of the UK GDPR set out exactly what you must tell people when you collect their personal data. Your privacy policy needs to include:
Your identity and contact details (and your DPO's details, if you have one)
The lawful basis for each type of processing (consent, contract performance, legitimate interests, legal obligation, vital interests, or public task)
What personal data you collect and why
Who you share data with (including any third-party processors)
Whether you transfer data outside the UK and, if so, the safeguards in place
How long you retain data (or the criteria used to determine retention periods)
Individual rights - the right to access, rectify, erase, restrict processing, data portability, and object
The right to withdraw consent (where consent is the lawful basis)
The right to lodge a complaint with the ICO
Whether you use automated decision-making or profiling
A good privacy policy is written in clear, plain English. The ICO explicitly discourages legal jargon and encourages layered or just-in-time notices so that people can access the information that matters most to them quickly.
The 7 Principles of UK GDPR
Lawfulness, Fairness & Transparency
What it means: Process data lawfully, fairly, and in a transparent manner. You need a valid lawful basis and must tell people what you are doing with their data.
Practical example: Display a clear privacy notice at the point of data collection, such as on sign-up forms and checkout pages.
Purpose Limitation
What it means: Collect data only for specified, explicit, and legitimate purposes. Do not repurpose data without a compatible reason or fresh consent.
Practical example: If you collect emails for order confirmations, you cannot start sending marketing unless you have separate consent or a valid legitimate interest.
Data Minimisation
What it means: Only collect the personal data you actually need. Do not gather data 'just in case' it might be useful later.
Practical example: Do not ask for date of birth on a newsletter sign-up form if you have no age-related reason to collect it.
Accuracy
What it means: Keep personal data accurate and up to date. Have processes to correct or delete inaccurate records promptly.
Practical example: Let customers update their details in their account settings and periodically review your CRM for stale records.
Storage Limitation
What it means: Do not keep data longer than necessary. Set and enforce retention periods, then securely delete or anonymise data when it is no longer needed.
Practical example: Automatically archive or delete customer accounts that have been inactive for a defined period (e.g. 3 years).
Integrity & Confidentiality
What it means: Protect data with appropriate security measures - technical (encryption, access controls) and organisational (staff training, policies).
Practical example: Use HTTPS on your site, hash stored passwords, restrict database access to staff who need it, and train your team on phishing.
Accountability
What it means: You must demonstrate compliance. Keep records of processing activities, carry out DPIAs where required, and be able to show the ICO what you have done.
Practical example: Maintain a Record of Processing Activities (ROPA) and review it at least annually.
Data Breaches
If you experience a personal data breach - for example, a database hack, an email sent to the wrong recipient, or a lost laptop containing customer records - UK GDPR imposes strict reporting obligations.
Reporting to the ICO
You must notify the ICO within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include:
The nature of the breach and the categories of data affected
The approximate number of individuals and records involved
The likely consequences of the breach
The measures taken or proposed to address the breach
The name and contact details of your DPO or other contact point
Notifying Individuals
If the breach is likely to result in a high risk to individuals, you must also inform the affected people directly and without undue delay. Tell them what happened, what data was involved, what you are doing about it, and what they can do to protect themselves (for example, changing passwords).
Even if a breach does not meet the reporting threshold, you should document it internally. The ICO may ask to see your breach log during an audit, and a pattern of undocumented incidents can itself be an accountability failure.
Cookies and Tracking
Cookie consent in the UK is governed by the Privacy and Electronic Communications Regulations 2003 (PECR), which sit alongside UK GDPR. The core rule: you must get informed, affirmative consent before setting any non-essential cookies or similar tracking technologies (pixels, local storage, fingerprinting scripts).
Essential cookies - those strictly necessary for a service the user has explicitly requested, such as a shopping cart or authentication session - do not require consent. Everything else does, including:
Analytics cookies (Google Analytics, Hotjar, etc.)
Advertising and retargeting cookies
Social media tracking pixels
Preference or functionality cookies that are not strictly necessary
Consent must be opt-in. Pre-ticked boxes, implied consent from "continued browsing," and cookie walls that force acceptance as a condition of access are not valid. Your cookie banner should:
Clearly describe the categories of cookies you use and their purposes
Allow users to accept or reject each category individually
Not set non-essential cookies until consent is given
Make it as easy to refuse cookies as it is to accept them
Record and store consent as evidence of compliance
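The banner rules above, as an added example that is not part of the original article: a small JavaScript consent gate in which only essential categories run before an explicit choice, each category is opted into individually, rejecting all is one step just like accepting all, and every decision is kept as a dated record against the notice version it was given for. Category names, the notice version and the tag manifest are constructed for illustration.

```javascript
// Added example, not from the original article: a consent gate modelling the PECR
// rules above. Category names, notice version and tag manifest are constructed.
const CATEGORIES = Object.freeze({
  essential:   { required: true,  purpose: 'Shopping cart and login session' },
  analytics:   { required: false, purpose: 'Usage statistics' },
  advertising: { required: false, purpose: 'Retargeting and ad measurement' },
  functional:  { required: false, purpose: 'Non-essential preferences' },
});
const NOTICE_VERSION = '2024-01'; // constructed: identifies the banner text the visitor saw

// State before any decision: only required categories are allowed. Nothing short of
// an explicit choice ("continued browsing", a pre-ticked box) changes this.
function initialConsent() {
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) choices[name] = meta.required;
  return { choices, decided: false, recordedAt: null, noticeVersion: NOTICE_VERSION };
}

// Apply an explicit per-category selection. Only a literal true is an opt-in, required
// categories stay on, unknown categories are rejected. The result is the evidence record.
function recordChoice(state, selection, now = new Date()) {
  const choices = { ...state.choices };
  for (const [name, allowed] of Object.entries(selection)) {
    if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
    choices[name] = CATEGORIES[name].required || allowed === true;
  }
  return { choices, decided: true, recordedAt: now.toISOString(), noticeVersion: NOTICE_VERSION };
}

// "Reject all" and "Accept all" are each one step, so refusing is as easy as accepting.
function nonEssential(value) {
  const names = Object.keys(CATEGORIES).filter((c) => !CATEGORIES[c].required);
  return Object.fromEntries(names.map((c) => [c, value]));
}
function rejectAll(state, now) { return recordChoice(state, nonEssential(false), now); }
function acceptAll(state, now) { return recordChoice(state, nonEssential(true), now); }

// A decision stored under an earlier notice text is stale: fall back to defaults and ask again.
function restoreConsent(stored) {
  return stored && stored.noticeVersion === NOTICE_VERSION ? stored : initialConsent();
}

// Gate the tag loader consults before setting any cookie or loading any script.
function mayRun(state, category) {
  return category in CATEGORIES && state.choices[category] === true;
}
const allowedTags = (state, tags) => tags.filter((t) => mayRun(state, t.category)).map((t) => t.name);
// Constructed tag manifest: what the site would like to load, by category.
const TAGS = [{ name: 'session-cookie', category: 'essential' }, { name: 'ga4', category: 'analytics' },
  { name: 'meta-pixel', category: 'advertising' }];
```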
International Data Transfers
UK GDPR restricts the transfer of personal data outside the UK unless the destination country has an adequacy decision from the UK government, or you put appropriate safeguards in place. Post-Brexit, the UK operates its own adequacy framework independently of the EU.
Where You Can Transfer Freely
The UK currently recognises adequacy for the EEA (all EU/EEA member states), plus a number of other countries including Switzerland, Japan, South Korea, Canada (for commercial organisations subject to PIPEDA), New Zealand, Israel, and Argentina, among others.
For the United States, the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) allows transfers to US organisations that have self-certified under the framework. If your US processor is on the Data Privacy Framework list, you can transfer data to them without additional safeguards.
Transfers Without Adequacy
For countries without an adequacy decision, you will typically need to rely on one of these mechanisms:
International Data Transfer Agreement (IDTA): the UK's replacement for the EU Standard Contractual Clauses
UK Addendum to the EU SCCs: if your contracts already use EU Standard Contractual Clauses, you can add a UK Addendum
Binding Corporate Rules (BCRs): for intra-group transfers within multinational organisations
In all cases, you must carry out a Transfer Risk Assessment (TRA) to evaluate whether the destination country's legal framework provides adequate protection in practice. This is a proportionate assessment - a startup sending newsletter data to a well-known US email platform on the Data Privacy Framework is a different risk profile from a business transferring sensitive health data to a country with weak rule of law.
Key Takeaways
UK online businesses must comply with the Consumer Contracts Regulations 2013, including the 14-day cooling-off period and pre-contract information requirements.
UK GDPR applies to every organisation that processes personal data - there is no small business exemption.
Most businesses must register with the ICO and pay a tiered annual fee, which currently starts at £52 for micro organisations.
Your privacy policy must clearly state your lawful basis for processing, what data you collect, who you share it with, and how people can exercise their rights.
Data breaches must be reported to the ICO within 72 hours if they are likely to result in a risk to individuals' rights and freedoms.
Cookie consent under PECR requires active opt-in - pre-ticked boxes and implied consent are not valid.
International data transfers need an adequacy decision, the UK-US Data Bridge, or appropriate contractual safeguards like the IDTA.
Selling on marketplaces does not exempt you from UK consumer law or data protection obligations.
Need help with your business legals?
Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.