The Legal Essentials Every Online Store Must Have in Place (B2C)
- Commercial Law
- 27th May 2026
By Amelia Denton
mlplaw
Running an online store is exciting, but the legal foundations you build it on are just as important as the products you sell. Here is what you need to know to stay compliant and protect your business when selling to consumers.
Whether you are launching a boutique clothing brand, a digital downloads shop, or a specialist food business, getting your legal documents right from day one is not optional. UK law imposes clear obligations on independent e-commerce businesses – and the consequences of getting it wrong can range from regulatory fines to unenforceable contracts.
This guide walks you through every legal essential your online store needs, in plain English.
NB: This guide focuses primarily on businesses selling to consumers (B2C). Where you are selling to other businesses (B2B), the position may differ.
-
Privacy Policy
A privacy policy is a legal requirement for any website that collects personal data – and almost every online store does. Under the UK GDPR and the Data Protection Act 2018, you must clearly identify your lawful basis for processing and explain how customer data is collected, used, stored, and shared.
Your privacy policy should also outline data subject rights (such as the right to access, correct, or delete personal data) and how users can exercise them. If you rely on consent to process personal data – for example, for marketing emails – you must implement and document appropriate consent mechanisms.
Practical tip: Make your privacy policy easy to find – typically in the website footer – and write it in plain language your customers can actually understand.
-
Cookie Policy
If your website uses cookies or similar tracking technologies, you need a cookie policy. This must explain which cookies you use, what they do, and how visitors can manage or withdraw their consent.
Compliance with the Privacy and Electronic Communications Regulations (PECR) is essential here. The key rule: you must obtain the visitor's active, informed consent (to the UK GDPR standard) before placing any non-essential cookies (such as analytics or advertising cookies) on their device.
Practical tip: A cookie banner alone is not enough. Non-essential cookies must not be set until the visitor has actively opted in, rejecting must be as easy as accepting, and the choice must be recorded and easy to withdraw later.
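One way to check the "no non-essential cookies before consent" rule in practice, as an added example that is not code from the original post: a small consent gate that decides which third-party scripts a page may load, and an audit that lists any non-essential cookie already present without consent. The cookie names, categories, script URLs and consent storage format below are assumptions for illustration; map them to what your own site actually sets.

```javascript
// Added example (not from the original post): consent gate plus pre-consent
// cookie audit. Cookie names, categories, script URLs and the consent record
// format are assumptions for illustration.

// Manifest of every cookie the site sets, classed as essential or not.
// Anything not listed is "unknown" and treated as a violation, so an
// undocumented cookie fails the audit rather than slipping through.
const COOKIE_MANIFEST = {
  session_id:     "essential",   // login session
  csrf_token:     "essential",   // request forgery protection
  cookie_consent: "essential",   // stores the visitor's choice itself
  _ga:            "analytics",
  _gid:           "analytics",
  _fbp:           "advertising",
};

// Consent is opt-in: with no stored choice every non-essential category is off.
const DEFAULT_CONSENT = Object.freeze({ analytics: false, advertising: false });

// Parse the stored consent record (e.g. the cookie_consent value as JSON).
// Missing or malformed input falls back to "no consent".
function parseConsent(raw) {
  if (typeof raw !== "string" || raw === "") return { ...DEFAULT_CONSENT };
  try {
    const parsed = JSON.parse(raw);
    return {
      analytics: parsed.analytics === true,
      advertising: parsed.advertising === true,
    };
  } catch (_e) {
    return { ...DEFAULT_CONSENT };
  }
}

// Extract cookie names from a document.cookie-style "a=1; b=2" string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return (eq === -1 ? pair : pair.slice(0, eq)).trim();
    });
}

// Audit: which cookies on the device are non-essential and lack consent?
function auditCookies(cookieString, consent, manifest = COOKIE_MANIFEST) {
  const violations = [];
  for (const name of cookieNames(cookieString)) {
    const category = manifest[name] || "unknown";
    if (category === "essential") continue;
    if (category === "unknown" || consent[category] !== true) {
      violations.push({ name, category });
    }
  }
  return violations;
}

// Gate: given the page's third-party scripts and the current consent, return
// only the ones that may be loaded now. Use this instead of embedding the
// tags unconditionally, and re-run it when the visitor changes their choice.
function scriptsToLoad(consent, scripts) {
  return scripts
    .filter((s) => s.category === "essential" || consent[s.category] === true)
    .map((s) => s.src);
}

// Constructed sample data: a visitor who has not touched the banner yet, but
// whose browser already holds analytics, advertising and undocumented cookies.
const SAMPLE_COOKIES = "session_id=abc123; _ga=GA1.2.111; _fbp=fb.1.222; promo_test=1";
const SAMPLE_SCRIPTS = [
  { src: "/js/checkout.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

function demo() {
  const noConsent = parseConsent(null);
  const audit = auditCookies(SAMPLE_COOKIES, noConsent);
  console.log("Set before consent (violations):", audit);
  console.log("Allowed to load before consent:", scriptsToLoad(noConsent, SAMPLE_SCRIPTS));
  const afterChoice = parseConsent('{"analytics":true,"advertising":false}');
  console.log("Allowed after analytics opt-in:", scriptsToLoad(afterChoice, SAMPLE_SCRIPTS));
  return audit;
}

demo();
```

Run the audit against a fresh browser profile on each template of the site (home, product, checkout) before any banner interaction; anything it reports is a cookie being set without a lawful basis. The deliberately strict "unknown" handling forces the manifest to stay complete, which is also what you need for the cookie policy itself.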
-
Terms of Use
These are distinct from your terms of sale and apply to all website users, whether or not they purchase anything. Terms of use govern how visitors interact with your website. They should cover intellectual property rights (protecting your content and branding), disclaimers, acceptable use rules, and contact details.
These terms help protect your business from potential liabilities – for example, if a user misuses your site or relies on information that later proves inaccurate.
Practical tip: Do not treat your terms of use as a "set and forget" document. Review them when the site changes, and ensure they are actively brought to users' attention rather than buried in a footer link.
-
Terms and Conditions of Sale
For any store selling goods, services, or digital content directly to consumers, this is one of the most critical documents you need. Your terms and conditions of sale must comply with the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (CCR 2013).
At a minimum, they should clearly set out pricing, delivery arrangements, dispute resolution mechanisms, cancellation rights, and refund policies. The specifics vary depending on what you sell:
- Physical goods: delivery timescales, risk and title, returns
- Services: scope, timelines, payment terms, liability
- Digital content: access, compatibility, download rights
It is worth noting that the Consumer Rights Act 2015 implies non-excludable terms into consumer contracts, including that goods must be:
- of satisfactory quality;
- fit for purpose; and
- as described.
Any attempt to exclude or restrict these statutory rights will likely be unenforceable.
Under the Consumer Rights Act 2015, all consumer-facing terms must be fair, transparent, and prominent. Terms which create a significant imbalance in the parties' rights to the detriment of the consumer may be unenforceable. High-risk clauses include unilateral variation rights and auto-renewals without clear disclosure.
Practical tip: Make sure your terms of sale are not only legally compliant but also operationally aligned with how your business actually works (e.g. dispatch times, refund handling, payment flows). Misalignment between your terms and your real processes is one of the most common sources of customer disputes and chargebacks.
-
Refund and Cancellation Policy
Under CCR 2013, consumers buying online have a 14-day right to cancel most contracts after receiving goods or entering into a service or digital content agreement. Your store must clearly communicate this right, including how to exercise it and when exceptions apply.
Common exceptions include personalised goods, perishable items, and digital content where supply began within the cancellation period after the consumer expressly consented to immediate supply and acknowledged that the right to cancel would be lost.
Real-world consequence: If you fail to provide the required pre-contractual information about cancellation rights, the cancellation period is automatically extended to 12 months plus 14 days from the date of the contract. During this period, your ability to enforce the contract is significantly restricted. In particular:
- you may be required to refund sums paid; and
- you may be unable to charge for services already performed unless specific statutory conditions have been met (e.g. express request and acknowledgment of loss of cancellation rights).
Practical tip: Build your cancellation and refund process into your customer journey (emails, returns flow, T&Cs).
-
General Information Disclosure
Under the Electronic Commerce (EC Directive) Regulations 2002, online businesses must make certain information easily accessible on their website. This includes:
- Full legal business name and trading name
- Registered address and contact details
- VAT number (if VAT registered)
- Company registration number (if applicable)
This information should typically appear on your “Contact Us” or “About” page, and in your terms of sale.
Practical tip: Ensure your business details are consistent across your website, terms, invoices, and Companies House.
-
Advertising and Pricing Compliance
Every price, promotion, and product claim on your website must be accurate and not misleading. UK consumer protection law prohibits misleading advertising and unfair commercial practices. The rules formerly in the Consumer Protection from Unfair Trading Regulations 2008 now sit in Part 4 of the Digital Markets, Competition and Consumers Act 2024, which also gives the CMA direct power to fine businesses for breaches.
Particular risk points include:
- “Sale” pricing: you must be able to evidence that the higher price was genuinely applied for a meaningful period before the promotion;
- Drip pricing: adding mandatory fees late in the checkout process;
- Scarcity and urgency claims: e.g. “only 2 left” or countdown timers which are not genuine;
- Green claims: environmental or sustainability statements must be clear, substantiated, and not overstated.
Commercial impact: Non-compliance can lead not only to regulatory action, but also unenforceable contracts, refunds, and reputational damage.
Practical tip: Pressure test your website as a customer – if any pricing, discount, or claim could be misunderstood, it is likely to be challenged.
-
Data Security and Payment Processing
Data protection law requires you to implement appropriate technical and organisational security measures to protect customer data.
For online stores handling card payments, PCI DSS (Payment Card Industry Data Security Standard) will typically apply through your payment provider or acquirer. PCI DSS is not a legal requirement in itself, but it is usually contractually mandated and forms part of demonstrating appropriate security controls. In practice, many businesses use a third-party payment processor (such as Stripe or PayPal) so that card details never touch their own servers. Outsourcing narrows your PCI scope but does not remove your obligations: the page that embeds the provider's payment form is still yours, and a compromised script on that page can skim card details before they reach the provider. You remain responsible for the overall security of your website and the customer data you hold.
Practical tip: If there is a data breach, regulators will look at you, not your payment provider, and under the UK GDPR you must notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals. Make sure your wider systems are secure, not just your checkout.
-
Insurance
While not published on your website, having the right insurance in place is an essential legal and commercial protection. Depending on your business, you may need product liability insurance, professional indemnity insurance, cyber insurance or sector-specific cover.
Practical tip: Treat insurance as part of your risk strategy, not an afterthought – and take advice from a regulated broker to ensure your cover aligns with your actual exposure.
-
Industry-Specific Requirements
Depending on your sector, additional obligations may apply on top of the general requirements above. These can impose stricter rules on how products are marketed, sold, and delivered – and in some cases require licences or authorisations before you can trade.
Common examples include:
- Age-restricted products: licensing, age verification and delivery controls
- Food products: labelling, allergen, and hygiene regulations
- Financial products: FCA authorisation may be required
- Health products: advertising rules and licensing requirements
Failure to comply in regulated sectors can lead to trading restrictions, fines, product recalls, and reputational damage.
Practical tip: Always check whether your specific industry has additional regulatory requirements before launching. A short conversation with a specialist solicitor at the outset can save significant cost and risk later.
This blog provides general legal information for e-commerce businesses operating in the UK. It does not constitute legal advice. If you have specific questions about your obligations, feel free to contact our Commercial and IP team on commercial@mlplaw.co.uk or 0161 926 9969.
Key legislation referenced: UK GDPR · Data Protection Act 2018 · Privacy and Electronic Communications Regulations (PECR) · Consumer Rights Act 2015 · Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 · Electronic Commerce (EC Directive) Regulations 2002 · Consumer Protection from Unfair Trading Regulations 2008 (now superseded by Part 4 of the Digital Markets, Competition and Consumers Act 2024)
About the expert
Amelia Denton
Solicitor - Commercial and IP
Amelia is a Solicitor in the Commercial and Intellectual Property team at mlplaw, having joined the firm in 2021 as a paralegal. During her training, she gained a broad range of legal experience, completing seats in Commercial and Intellectual Property, Corporate, Employment, and Litigation. This diverse background allows her to provide both contentious and non-contentious advice with a strong commercial focus.
Prior to joining mlplaw, Amelia worked in-house at a construction company and a tech start-up, developing a deep understanding of legal issues from a business perspective. In addition, she gained legal work experience in private practice at a national law firm and small to mid-sized regional firms, offering insight into various legal environments and client needs.
Amelia is committed to delivering pragmatic, commercially focused legal solutions that align with clients’ strategic business objectives.
Outside of work Amelia enjoys trying different restaurants, live music and comedy, country walks and spending time with family and friends.