Ecommerce has transformed how we do business. This huge shift was accelerated by the pandemic, but it's a trend that has continued to grow, with a recent survey showing that 77% of people prefer to shop via websites and online stores. This is translating into record figures for businesses, with global retail ecommerce sales projected to hit the trillions in 2025.
Is ecommerce regulated?
This vast commercial domain operates within a comprehensive and evolving set of regulations. In an era where transactions occur with a click, it's crucial to understand the protections afforded to both consumers and businesses.
Over three decades have passed since the inaugural ecommerce transaction in 1994—the online sale of Sting's Ten Summoner's Tales CD for $12.48.
Since then, industry giants like Amazon have revolutionised how goods are delivered, with its Prime Air programme now operational in parts of the US and planning expansions into the UK and Italy. Simultaneously, countless small, medium, and even tiny enterprises have ventured into online selling, leveraging ecommerce platforms to sell their products and services.
As the popularity of ecommerce continues to grow, the legal landscape has become more robust to address fraud, protect consumers, and meet customer expectations. A wave of new legislation means that 2025 is a pivotal year for online businesses in the UK.
In this article, we delve into the key laws governing ecommerce in the UK, providing small business owners with the essential knowledge they need to navigate this dynamic landscape.
The Digital Markets, Competition and Consumers Act 2024 (DMCCA)
The most significant recent change for UK ecommerce businesses is the Digital Markets, Competition and Consumers Act 2024 (DMCCA). While some provisions came into force in late 2024, the key consumer protection measures will apply from 6 April 2025.
This Act gives the Competition and Markets Authority (CMA) direct enforcement powers, allowing it to investigate and fine businesses for breaches without going to court first. Fines can be severe—up to 10% of a business's global turnover.
Key changes for ecommerce businesses include:
- A ban on drip pricing: You must show the total price of a product or service upfront, including any mandatory fees. Hidden or "dripped" charges revealed later in the checkout process are prohibited.
- A ban on fake reviews: It is now illegal to commission or publish fake reviews. Businesses must take reasonable steps to verify that reviews are genuine.
- New rules for subscription contracts: Businesses must provide clear pre-contract information, send reminders before a contract renews, and make it easy for consumers to cancel.
Consumer rights and contracts
Alongside the new DMCCA, foundational consumer laws remain critical.
The Consumer Rights Act 2015 serves as a robust safeguard for consumers, regardless of whether their transactions occur online or offline. It requires that products are of reasonable quality, match their description, and are fit for purpose. Services are expected to be performed with reasonable skill and care.
If there's a breach, consumers have the right to remedies such as a refund, repair, replacement, or discount, depending on the circumstances. Refunds should generally be processed within 14 days of the agreement to refund.
The Consumer Contracts Regulations 2013 also play a significant role. One crucial aspect is the cancellation or "cooling-off" period. Typically, consumers have 14 days to cancel a contract, starting from the delivery of goods or the day the service contract was agreed.
Surcharges
It's important to note that imposing surcharges for the use of debit cards, credit cards, or payment services such as Stripe or PayPal is prohibited by the Consumer Rights (Payment Surcharges) Regulations. This ensures consumers are not subjected to additional charges based on their chosen payment method.
Data protection and privacy
When customers provide their data during an ecommerce transaction, you must protect that personal data in line with the UK GDPR and the Data Protection Act.
Recent changes via the Data (Use and Access) Act 2025 have updated the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing and the use of cookies.
Key updates include:
- Increased fines: The Information Commissioner's Office (ICO) can now issue fines for serious PECR breaches of up to £17.5 million or 4% of global turnover, aligning them with UK GDPR penalties.
- New cookie exemptions: Consent is no longer required for certain "strictly necessary" cookies, such as those used for statistical analytics or improving user experience, provided users are informed and given an easy way to opt out.
- Expanded "soft opt-in": The rule allowing marketing to existing customers (the soft opt-in) has been extended to non-commercial organisations like charities and political parties.
Data breaches may be reportable to the ICO within 72 hours of discovery.
Obligations for online marketplaces
If you operate an online marketplace, you now face specific legal duties beyond those of a standard online retailer.
From 1 October 2024, the Product Safety and Metrology (Amendment) Regulations 2024 place new responsibilities on marketplaces. You must take proactive steps to prevent unsafe products from being sold, ensure sellers comply with UK safety laws, and cooperate with regulators. Failure to do so can result in the marketplace being held liable if an unsafe product causes harm.
Additionally, since 1 January 2024, digital platform operators must collect and report seller data to HMRC under new tax transparency rules. This applies to sellers who complete over 30 transactions or earn more than €2,000 (approx. £1,700) in a year. The first reports are due by 31 January 2025.
Electronic contracts and signatures
The Electronic Communications Act 2000 prescribes that electronic signatures are legally recognised and admissible as evidence in legal proceedings. This means they hold the same legal weight as traditional signatures.
Some government bodies are now requiring higher standards. For example, from 6 April 2025, businesses submitting tax repayment claims on behalf of clients must use an Advanced Electronic Signature (AES) to confirm client approval.
The Electronic Commerce Regulations 2002 also remain in force post-Brexit. These require you to provide clear information on your website, including your business name, address, email, company number, and VAT number (if applicable). They also regulate the online contracting process, requiring you to explain the steps to conclude the contract and acknowledge the order promptly.
Advertising and marketing
In the world of ecommerce, advertising and marketing play a critical role in attracting customers. The general advice is always to be truthful, clear, and not misleading.
The new rules under the DMCCA on drip pricing and fake reviews are now central to compliant advertising.
Furthermore, the Privacy and Electronic Communications Regulations (PECR) require that you obtain customer consent to send electronic marketing communications. You must clearly state who is calling in marketing telephone calls and provide a valid address for replies in marketing emails.
Other key laws include:
- The Consumer Protection from Unfair Trading Regulations 2008, which prohibits unfair commercial practices and misleading statements. The DMCCA has updated the list of banned practices.
- The Business Protection from Misleading Marketing Regulations 2008, which protects traders from misleading advertising by competitors.
- The Unfair Contract Terms Act 1977 (UCTA), which imposes restraints on excluding or limiting liability in business-to-business contracts.
Complaints and enforcement
Under The Provision of Services Regulations 2009, businesses must provide contact details for complaints, deal with them as quickly as possible, and use their "best efforts" to find a solution.
However, the most significant development in this area is the CMA's new ability to enforce consumer law directly under the DMCCA. This shift means businesses face a much higher risk of investigation and substantial financial penalties for non-compliance, making robust internal complaints procedures more important than ever.
Know the regulations
Compliance with ecommerce regulations begins with ensuring your website, marketing, and processes include all the information the law mandates. The introduction of the DMCCA and other new rules for 2025 has significantly raised the stakes for online businesses.
These regulations cover everything from pricing transparency and subscription models to product safety, data privacy, and advertising practices.
For businesses in the UK, it's advisable to clearly state in your website's terms and conditions that English law governs your operations, with jurisdiction granted to English courts. This helps manage disputes with international shoppers.
Given the complexity and the severe penalties for non-compliance, having a solid understanding of these laws is essential. Seeking legal advice to conduct a full review of your online business is a wise decision to ensure you meet all your legal obligations.