UK Digital Compliance for E-commerce Websites: The Web Development Blueprint
UK digital compliance for e-commerce websites is no longer a legal checklist you hand to a solicitor after launch. It is a set of technical standards that must be incorporated into your site before a single product goes live. Get it wrong, and the consequences range from ICO fines and trading standards investigations to lost customer trust and damaged search rankings.
For SMEs across Northern Ireland, Ireland, and the UK, the compliance landscape has shifted significantly. The Digital Markets, Competition and Consumers Act 2024 (DMCC) introduced new obligations on fake reviews and drip pricing, which came into force on 6 April 2025, with further rules on subscriptions and cancellation flows not expected before autumn 2026. WCAG 2.2 is the technical standard that courts and regulators look to when judging whether a site meets the Equality Act 2010 duty to make reasonable adjustments. ICO enforcement against smaller businesses has increased. None of this is reflected in most of the guides currently ranking for this topic.
This article covers what UK digital compliance for e-commerce websites actually requires at the build and design level, with practical guidance on what your developer, designer, and digital marketing team each need to get right.
Getting UK digital compliance for e-commerce websites right is not a one-off project — it is an ongoing responsibility that touches every layer of your site’s build and marketing stack.
Why “Compliance by Design” is the New E-commerce Standard
Most e-commerce compliance problems stem from the same mistake: treating legal requirements as something to bolt on after the site is built. A privacy policy gets copied from a template. A cookie banner gets added as an afterthought. A returns policy is buried in the footer and does not meet the Consumer Contracts Regulations’ wording requirements.
The result is a site that looks compliant on the surface but fails the moment it is audited — by the ICO, by trading standards, or by a customer who knows their rights.
“The businesses we see struggling with compliance audits are almost always those that treated it as a legal task rather than a development task,” says Ciaran Connolly, founder of ProfileTree. “When compliance is built into the wireframe, the cookie architecture, and the checkout flow from day one, it stops being a cost and starts being a feature.”
Compliance by design means your developer understands the UK GDPR’s privacy-by-default requirements, your designer understands WCAG 2.2 colour contrast ratios, and your CMS configuration reflects data minimisation principles rather than collecting everything because it is easy to. This is the standard that the ICO and the courts are increasingly measuring sites against, and it is the approach that ProfileTree’s web development services are built around.
Mandatory Business Disclosures: What Your Website Must Display

Before you think about GDPR or accessibility, UK digital compliance for e-commerce websites starts with a layer of basic legal disclosure that every site must meet. These are not optional enhancements; they are minimum requirements under the Electronic Commerce (EC Directive) Regulations 2002 and the Companies Act 2006.
Company Information and Footer Architecture
If you operate as a limited company, your website must display your full registered company name, your Companies House registration number, your registered office address, and your VAT number if you are VAT registered. Sole traders and partnerships have slightly different requirements but must still display a geographic address at which the business can be contacted (a PO box is not sufficient).
The table below sets out the minimum footer requirements for a UK e-commerce site:
| Required Item | Legal Basis | Where It Must Appear |
|---|---|---|
| Registered company name | Companies Act 2006 | Footer, T&Cs, invoices |
| Companies House number | Companies Act 2006 | Footer, T&Cs |
| Registered office address (and a geographic contact address) | Companies Act 2006 trading disclosures; Electronic Commerce Regulations 2002 | Footer, Contact page |
| VAT number (if registered) | VAT Regulations 1995 | Footer, invoices |
| Email address | Electronic Commerce Regulations 2002 | Footer, Contact page |
| ICO registration number (if you pay the data protection fee) | Data Protection (Charges and Information) Regulations 2018 (publishing the number is good practice rather than a statutory duty) | Privacy Policy |
Many SME sites fail on this at the most basic level. A well-structured footer is not a design nicety; it is a legal requirement, and it is one of the first things trading standards officers and ICO investigators check.
Pricing Transparency and VAT Display
All prices shown to consumers on a UK e-commerce site must include VAT. The Price Marking Order 2004 requires selling prices shown to consumers to be VAT-inclusive, so displaying ex-VAT prices to retail customers and adding tax at checkout is not compliant. Until 6 April 2025 the misleading-pricing rules sat in the Consumer Protection from Unfair Trading Regulations 2008; the DMCC Act 2024 replaced those regulations with its own unfair commercial practices provisions and, in doing so, targeted drip pricing, the practice of gradually adding mandatory fees during checkout. Under the rules in force since 6 April 2025, the total price including all mandatory charges must be clear at the point the product is first advertised to the consumer, not revealed only at the final checkout stage.
Data Privacy and GDPR: Building Compliant Consent Mechanisms
UK GDPR compliance is the most technically demanding area of UK digital compliance for e-commerce websites, and the one most likely to result in an ICO fine if handled poorly. The maximum penalty for serious breaches is £17.5 million or 4% of global annual turnover, whichever is higher, with a lower tier of £8.7 million or 2% applying to less serious infringements. These figures come from the UK GDPR and the Data Protection Act 2018. Cookies and similar tracking are governed separately by the Privacy and Electronic Communications Regulations 2003 (PECR), which historically carried a much lower cap of £500,000; the Data (Use and Access) Act 2025 brings PECR penalties up to the UK GDPR level once the relevant provisions are commenced, so cookie failures are no longer a low-stakes issue.
The law requires that personal data is collected only with a valid lawful basis, that consent is freely given, specific, informed, and unambiguous, and that data is not kept longer than necessary. Each of these principles has direct technical implications for how your site is built.
Cookie Management: Moving from Banners to Blockers
The most common cookie failure on UK e-commerce sites is not the absence of a cookie banner. It is a cookie banner that fires non-essential cookies before consent is given. This is a technical problem, not a policy problem. If your analytics or advertising scripts load on page arrival before a user has accepted cookies, your site is in breach of PECR regulation 6 regardless of what your cookie policy says.
A properly built consent mechanism blocks all non-essential scripts at the server or tag manager level until explicit consent is recorded, and only then injects them. The ICO distinguishes between strictly necessary cookies (session management, shopping cart, security tokens), analytical cookies (Google Analytics, Hotjar), and marketing cookies (Meta Pixel, Google Ads). Only strictly necessary cookies can be set without consent, and "we use it for our own statistics" does not make an analytics cookie strictly necessary. The practical check is simple: open the site in a clean browser profile, do not interact with the banner, and list the cookies and third-party requests already present. Anything outside the strictly necessary set is a finding.
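The two halves of that mechanism, as an added example rather than code from the original article or from ProfileTree: a loader that decides which tags may run for a given consent record (and, in a browser, activates gated `<script type="text/plain" data-consent="…">` tags only after consent), and the audit function you would run against the cookies observed on first page load before the banner has been touched. The tag inventory, category names, cookie names and the hypothetical allowlist are all constructed for the example.

```javascript
// Added example, not ProfileTree's code. Tag inventory, category names and
// cookie names below are constructed for illustration.

// Categories that may run before any consent is recorded (strictly necessary).
const ESSENTIAL = new Set(['essential']);

// Constructed tag inventory, the kind of list a tag manager container holds.
const TAGS = [
  { id: 'cart-session',  category: 'essential',  src: '/static/cart.js' },
  { id: 'ga4',           category: 'analytical', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXX' },
  { id: 'meta-pixel',    category: 'marketing',  src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { id: 'currency-pref', category: 'preference', src: '/static/currency.js' },
];

// consent is null before the visitor has chosen anything; otherwise an object
// such as { analytical: true, marketing: false, preference: true }.
// Anything not explicitly true stays blocked (fail closed).
function tagsAllowed(tags, consent) {
  return tags.filter(t => ESSENTIAL.has(t.category) || (consent !== null && consent[t.category] === true));
}

// Browser side: non-essential scripts are shipped inert as
// <script type="text/plain" data-consent="analytical" src="..."></script>
// and only swapped for a real <script> once consent for that category exists.
// Returns the number of scripts activated (0 outside a browser).
function activateGatedScripts(consent, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc || consent === null) return 0;
  let activated = 0;
  for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
    if (consent[el.dataset.consent] !== true) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Audit: cookie names seen in a clean browser profile before any consent.
// Everything outside the documented strictly-necessary allowlist is a finding
// (unknown cookies need justifying, not ignoring).
function auditPreConsentCookies(cookieNames, essentialAllowlist) {
  const allow = new Set(essentialAllowlist);
  return cookieNames.filter(name => !allow.has(name));
}

// Constructed observation from a hypothetical first page load.
const OBSERVED_BEFORE_CONSENT = ['PHPSESSID', 'cart_id', '_ga', '_ga_ABC123', '_fbp'];
const STRICTLY_NECESSARY = ['PHPSESSID', 'cart_id', 'csrf_token'];

function runAudit() {
  return auditPreConsentCookies(OBSERVED_BEFORE_CONSENT, STRICTLY_NECESSARY);
}
```

`runAudit()` on the constructed observation reports `_ga`, `_ga_ABC123` and `_fbp`: Google Analytics and Meta Pixel cookies set before the visitor chose anything, which is exactly the failure the paragraph describes. Gating scripts as `text/plain` is one pattern; a tag manager's consent-mode triggers achieve the same thing, but the audit step is the same either way.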
ProfileTree’s SEO and technical web services include consent architecture reviews as part of site audits — checking that tag manager configuration, script loading order, and consent mode settings align with ICO guidance.
Customer Account Creation and Data Retention
When a customer creates an account, your site collects personal data. UK GDPR’s data minimisation principle means you should only collect what is genuinely needed to fulfil the order or provide the service. Requiring a date of birth for a general clothing retailer, for example, is difficult to justify legally.
Data retention is equally important. Your privacy policy must state how long customer data is kept, and your CMS or CRM must actually enforce that retention period. An automated data-deletion workflow is not complicated to build, yet it is often absent from SME e-commerce sites. If you cannot demonstrate that you delete data after a stated period, your privacy policy is misleading.
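What an enforced retention schedule looks like in code, as an added example that is not ProfileTree's or the article's own: a job that classifies each record against a per-data-class policy and either retains it, deletes it, or pseudonymises it. The periods (three years for dormant accounts, six years for orders, thirty days for abandoned carts), the record shapes and the `legalHold` flag are assumptions for illustration; the point is that order records are tax records and are anonymised rather than deleted, while accounts and carts are removed outright, and that anything on legal hold is never touched.

```javascript
// Added example, not ProfileTree's code. Retention periods, record shapes and
// the legalHold flag are assumptions; take yours from your privacy notice and
// your accountant, not from this snippet.
const DAY_MS = 24 * 60 * 60 * 1000;

// Retention policy per data class: when the clock starts, how long the class
// is kept, and what happens when it expires.
const POLICY = {
  // Dormant accounts: deleted 3 years after last login (assumed period).
  account: { days: 3 * 365, action: 'delete', clock: r => r.lastLoginAt },
  // Orders are accounting records (assumed 6-year period): strip the customer
  // fields but keep the transaction, so the tax record survives.
  order: { days: 6 * 365, action: 'pseudonymise', clock: r => r.completedAt },
  // Abandoned carts: deleted 30 days after last update (assumed period).
  cart: { days: 30, action: 'delete', clock: r => r.updatedAt },
};

const PII_FIELDS = ['email', 'name', 'phone', 'address'];

function pseudonymise(record, now) {
  const out = { ...record };
  for (const f of PII_FIELDS) if (f in out) out[f] = null;
  out.pseudonymisedAt = now;
  return out;
}

// Plan the job without touching data: decide, for every record, which bucket
// it falls into. Unknown data classes fail closed with an error rather than
// silently being kept forever.
function planRetention(records, now, policy = POLICY) {
  const plan = { delete: [], pseudonymise: [], retain: [] };
  for (const r of records) {
    const rule = policy[r.type];
    if (!rule) throw new Error(`no retention rule for data class "${r.type}"`);
    if (r.legalHold === true) { plan.retain.push(r.id); continue; }
    const ageDays = (now - rule.clock(r)) / DAY_MS;
    if (ageDays > rule.days) plan[rule.action].push(r.id);
    else plan.retain.push(r.id);
  }
  return plan;
}

// Apply the plan to an in-memory record set (a real job would issue the
// equivalent DELETE / UPDATE statements inside a transaction).
function applyRetention(records, plan, now) {
  const del = new Set(plan.delete);
  const pse = new Set(plan.pseudonymise);
  return records
    .filter(r => !del.has(r.id))
    .map(r => (pse.has(r.id) ? pseudonymise(r, now) : r));
}

// Constructed sample data set and a fixed "now" so the run is reproducible.
const NOW = Date.UTC(2026, 0, 1);
const SAMPLE = [
  { id: 'a1', type: 'account', email: 'old@example.invalid', name: 'A', lastLoginAt: Date.UTC(2022, 5, 1) },
  { id: 'a2', type: 'account', email: 'new@example.invalid', name: 'B', lastLoginAt: Date.UTC(2025, 10, 1) },
  { id: 'o1', type: 'order', email: 'old@example.invalid', name: 'A', total: 42.5, completedAt: Date.UTC(2019, 2, 1) },
  { id: 'o2', type: 'order', email: 'new@example.invalid', name: 'B', total: 9.99, completedAt: Date.UTC(2024, 0, 1) },
  { id: 'c1', type: 'cart', email: 'new@example.invalid', updatedAt: Date.UTC(2025, 11, 20) },
  { id: 'c2', type: 'cart', email: 'x@example.invalid', updatedAt: Date.UTC(2025, 10, 1) },
];

function runRetentionJob(records = SAMPLE, now = NOW) {
  const plan = planRetention(records, now);
  return { plan, records: applyRetention(records, plan, now) };
}
```

Keeping the planning step separate from the apply step is deliberate: the plan is what you log and can show an auditor ("on this date these IDs expired under this rule"), and it is what you dry-run before the first real execution.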
The table below sets out the cookie consent requirements by type:
| Cookie Type | Examples | Default State | Consent Required |
|---|---|---|---|
| Essential | Session cookies, cart | On | No |
| Analytical | Google Analytics | Off | Yes |
| Marketing | Meta Pixel, Google Ads | Off | Yes |
| Preference | Language, currency | Off | Yes (convenient, but not strictly necessary, so not exempt) |
The DMCC Act 2024: What UK E-commerce Sites Must Change

The Digital Markets, Competition and Consumers Act 2024 is the most significant update to UK e-commerce compliance in over a decade, and it is the section almost entirely absent from existing guides ranking for this topic. It is important to understand which parts of the Act are already in force and which are still to come.
What Is Already in Force: Drip Pricing and Fake Reviews
The unfair commercial practices provisions of the DMCC Act came into force on 6 April 2025. Two areas are directly relevant to e-commerce sites right now.
Drip pricing is now a banned practice. Any e-commerce site that shows a headline price and then adds mandatory fees (platform charges, service fees, booking fees) later in the checkout journey is in breach. The total price including all mandatory charges must be shown the first time the product is presented to the consumer. This applies to product listings, email promotions, and any advertisement that includes a price. Genuinely optional extras, such as gift wrapping the customer chooses, can still be added later. It is a development and UX requirement as much as a legal one; your checkout flow and product pages need to be audited against this standard.
Fake reviews are also prohibited from 6 April 2025. The Act bans commissioning, submitting, or failing to take reasonable steps to prevent the publication of fake reviews on your platform. For e-commerce sites displaying customer ratings, your review collection process must be documented. Sending review requests only to verified purchasers, using a recognised review platform with verified buyer checks, and not suppressing negative reviews are the practical standards the Competition and Markets Authority will apply.
The CMA now has direct enforcement powers and can fine businesses up to 10% of their global annual turnover for consumer law breaches without needing to go to court first.
What Is Coming: Subscription Contract Requirements
The DMCC Act’s subscription contract regime is not yet in force. It was originally expected in spring 2026 but has been delayed; the Department for Business and Trade has confirmed implementation will not commence before autumn 2026 at the earliest, pending secondary legislation and CMA guidance.
When it does come into force, the regime will require businesses offering subscription contracts to provide a clear pre-contract summary before the customer subscribes, to send reminder notices before free trials convert to paid subscriptions and before annual renewals, and to offer a straightforward cancellation mechanism — specifically, a contract entered into online must also be cancellable online. Cooling-off rights will also apply at the point of renewal.
For e-commerce developers and business owners, now is the right time to audit subscription flows and identify the development work needed. The autumn 2026 timeline is closer than it appears.
Digital Accessibility (WCAG 2.2) as a Legal Compliance Requirement
Website accessibility is consistently the most overlooked area of UK digital compliance for e-commerce websites. The competing guides ranking for this topic do not cover it. Most SME developers do not build to it by default. And yet the Equality Act 2010 requires that online businesses make reasonable adjustments to ensure their services are accessible to people with disabilities.
WCAG 2.2, published on 5 October 2023, is the current technical standard and one of the most underused requirements within UK digital compliance for e-commerce websites. For e-commerce, the most commercially significant requirements include keyboard navigation for the full checkout flow, sufficient colour contrast for all text and interactive elements (a minimum 4.5:1 ratio for body text at Level AA, 3:1 for large text, and 3:1 for the visible boundaries of controls such as input fields and buttons), text alternatives for all product images, and form fields with clear labels and error messages that do not rely on colour alone to communicate.
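The contrast requirement is a formula, so it can be checked in a build step rather than by eye. The following is an added example, not code from the article or from ProfileTree: it implements the WCAG relative-luminance and contrast-ratio definitions and runs them over a constructed palette of foreground/background pairs, applying the 4.5:1 body-text threshold and the 3:1 threshold for large text and non-text elements. The colour pairs are made up for the example; the only assumption beyond WCAG itself is the `largeText`/`nonText` flag names.

```javascript
// Added example, not ProfileTree's code. Implements the WCAG 2.x relative
// luminance and contrast ratio definitions; the palette below is constructed.

function hexToRgb(hex) {
  const h = hex.replace('#', '');
  const full = h.length === 3 ? h.split('').map(c => c + c).join('') : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`bad colour: ${hex}`);
  const n = parseInt(full, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// Linearise one sRGB channel (WCAG definition of relative luminance).
function linear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(linear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05), lighter colour on top, so the
// result is the same whichever way round fg and bg are passed.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 > l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// Level AA thresholds: 4.5:1 for body text (SC 1.4.3), 3:1 for large text
// (SC 1.4.3) and for UI component boundaries / graphics (SC 1.4.11).
function checkContrast(fg, bg, { largeText = false, nonText = false } = {}) {
  const ratio = contrastRatio(fg, bg);
  const required = largeText || nonText ? 3 : 4.5;
  return { ratio: Math.round(ratio * 100) / 100, required, passes: ratio >= required };
}

// Constructed palette: the sort of inventory you would pull from a design
// token file or the computed styles of a rendered page.
const PALETTE = [
  { name: 'body text',         fg: '#767676', bg: '#ffffff' },
  { name: 'muted text',        fg: '#777777', bg: '#ffffff' },
  { name: 'placeholder',       fg: '#999999', bg: '#ffffff' },
  { name: 'hero heading',      fg: '#777777', bg: '#ffffff', largeText: true },
  { name: 'input border',      fg: '#0066cc', bg: '#ffffff', nonText: true },
  { name: 'black on white',    fg: '#000000', bg: '#ffffff' },
];

function auditPalette(pairs = PALETTE) {
  return pairs.map(p => ({ name: p.name, ...checkContrast(p.fg, p.bg, p) }));
}
```

On the constructed palette `#767676` on white scrapes through at 4.54:1 while `#777777`, which looks identical, fails at 4.48:1; that one-unit difference is why "it looks fine" is not a contrast audit. The same `#777777` passes as large heading text, where 3:1 applies.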
The business case for accessibility aligns directly with SEO. Screen readers and search engine crawlers both rely on semantic HTML, descriptive alt text, and logical heading structure. A site built to WCAG 2.2 standards is also a site that Google can read cleanly, which supports organic search performance.
ProfileTree’s web design process applies WCAG 2.2 requirements at the wireframe stage, not as a retrofit. This matters because accessibility problems are significantly more expensive to fix after a site is built than to design them out from the start.
Payment Security and PCI DSS Compliance in the Checkout Flow
Any UK e-commerce site that processes, stores, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The current version is PCI DSS v4.0.1. Non-compliance does not carry a direct government fine, but card processors can impose penalties and withdraw processing privileges, which is commercially terminal.
Tokenisation vs. On-site Processing
The safest approach for most SME e-commerce sites is to use a payment gateway that handles all card data off-site, so the cardholder data never touches your server. Stripe, PayPal, and Worldpay all offer hosted payment pages or iframe integrations that reduce your PCI DSS scope to the smallest self-assessment questionnaire (SAQ A). Even at SAQ A, PCI DSS v4 pays attention to the page that embeds the payment iframe: client-side skimming (Magecart-style attacks that inject a script into your checkout page to read card details before they reach the iframe) is the main threat to this model, so the scripts loaded on the checkout page need to be inventoried, justified, and monitored for unauthorised changes.
If you are using a checkout that posts card data to your own server before passing it to a gateway, or a JavaScript integration where your own page handles the card fields, you fall into SAQ A-EP or SAQ D instead. Your PCI DSS obligations are then significantly higher, including quarterly external vulnerability scans by an Approved Scanning Vendor and annual penetration testing, and a single debug log that captures a request body can put full card numbers on your disk.
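A cheap control against the scope-creep problem just described, as an added example that is not ProfileTree's or the article's own code: a primary account number (PAN) detector built on the Luhn check, used in two ways. Run against incoming request bodies it tells you whether your checkout is quietly posting card numbers to your own server (which means you are not SAQ A, whatever you assumed); run against log output it redacts anything that looks like a card number before it is written. The sample bodies use the widely published Visa and Mastercard test numbers `4111111111111111` and `5555555555554444` and are constructed for the example; the `inspectBody` function and its return shape are assumptions.

```javascript
// Added example, not ProfileTree's code. PAN detection and redaction for
// request bodies and logs. Sample bodies below are constructed using the
// well-known Visa/Mastercard test card numbers, not real cards.

// Luhn check over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// A run of one repeated digit can pass Luhn (e.g. sixteen zeros) but is not a
// card number; treat it as noise.
function looksLikePan(digits) {
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits) && !/^(\d)\1+$/.test(digits);
}

// Find every PAN in a block of text. Returns position, raw match and digits.
function findPans(text) {
  const found = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (looksLikePan(digits)) found.push({ index: m.index, raw: m[0], digits });
  }
  return found;
}

// Keep only the last four digits, the usual masked form for logs and receipts.
function maskPan(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Redact PANs in text before it reaches a log line or error report.
function redactPans(text) {
  return text.replace(PAN_CANDIDATE, m => {
    const digits = m.replace(/[ -]/g, '');
    return looksLikePan(digits) ? maskPan(digits) : m;
  });
}

// Request-body inspection (assumed shape; call it from your framework's
// middleware before any logging happens). A non-empty count means card data
// is reaching your server and your SAQ A assumption is wrong.
function inspectBody(body) {
  const text = typeof body === 'string' ? body : JSON.stringify(body);
  const pans = findPans(text);
  return { clean: pans.length === 0, count: pans.length, redacted: redactPans(text) };
}

// Constructed sample bodies.
const BODY_WITH_CARD = { card_number: '4111111111111111', cvv: '123', amount: '19.99' };
const BODY_TOKENISED = { payment_token: 'tok_constructed_example', amount: '19.99', order_ref: '1234567890123' };
const LOG_LINE = 'checkout error: card 5555 5555 5555 4444 declined for order 1234567890123';
```

Note what the negative cases cover: the 13-digit order reference `1234567890123` fails Luhn and is left alone, so the redactor does not mangle ordinary identifiers, and the spaced-out card number in the constructed log line is still caught. The `cvv` is not detected by this check; the real fix is the hosted iframe, with this detector as the alarm that tells you the fix has been bypassed.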
3D Secure 2.0 and Strong Customer Authentication
Strong Customer Authentication (SCA) under the Payment Services Regulations 2017 requires that most online card transactions are authenticated with two independent factors, delivered in practice through 3D Secure 2 (EMV 3-D Secure). The FCA's enforcement deadline for UK businesses was 14 March 2022. Failure to implement it correctly means a higher rate of declined transactions and potential chargeback liability; conversely, a correctly authenticated 3DS transaction shifts fraud chargeback liability to the issuer. Both your payment gateway configuration and checkout flow need to support this correctly, including the challenge step that may appear after the customer has pressed "pay".
UK E-commerce Regulations: Consumer Rights and Distance Selling
The Consumer Rights Act 2015 and the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 together form the core of UK consumer protection for e-commerce. These regulations govern the information you must provide before a purchase, the rights customers have to cancel, and how quickly refunds must be processed.
The key obligations for your site are: pre-contract information must be clear and prominent before checkout, customers have 14 days to cancel most online purchases without giving a reason, and refunds must be issued within 14 days of receiving returned goods. There are exceptions to the 14-day cancellation right that your terms and conditions must reflect accurately. These include personalised or bespoke goods, perishable items, sealed hygiene goods once opened, and digital content where the consumer has given express consent to immediate download and acknowledged this waives their cancellation right. Your returns policy must be written in plain language and easy to find.
Northern Ireland: The Windsor Framework and E-commerce
For businesses based in Northern Ireland or selling goods into or out of Northern Ireland, the Windsor Framework introduced specific rules on product standards markings. Goods placed on the Northern Ireland market generally still need CE marking (or CE plus the UKNI marking where a UK conformity assessment body has been used), while the UKCA marking applies to goods placed on the market in Great Britain. Goods moving into the EU single market follow EU rules. For e-commerce businesses selling physical products across this border, the marking and conformity requirements therefore differ depending on the destination market, and some goods moving from Great Britain to Northern Ireland are subject to additional labelling and movement arrangements.
This is directly relevant to SME retailers in Belfast and across Northern Ireland. If your e-commerce site sells physical goods and ships across the Irish border, your product compliance obligations are more complex than a standard UK-only guide will cover. The current UK government and HMRC guidance on the Windsor Framework should be your primary reference for the specific product categories that apply to your business.
UK E-commerce Compliance Checklist: The Technical Audit
The table below maps the key requirements of UK digital compliance for e-commerce websites to the stage of your project at which each must be addressed:
| Stage | Requirement | Legal Basis |
|---|---|---|
| Design | WCAG 2.2 colour contrast and navigation | Equality Act 2010 |
| Design | Cookie consent architecture (block before consent) | UK GDPR / PECR |
| Development | Footer disclosures: company name, reg. number, address | Companies Act 2006 |
| Development | VAT-inclusive pricing throughout | Price Marking Order 2004 / DMCC Act 2024 |
| Development | Total price upfront in all product listings and ads | DMCC Act 2024 (in force) |
| Development | Data minimisation in account registration forms | UK GDPR |
| Development | PCI DSS v4.0.1 SAQ A checkout (hosted gateway) | PCI DSS v4.0.1 |
| Development | 3D Secure 2.0 / SCA integration | Payment Services Regs 2017 |
| Pre-launch | Privacy Policy (lawful bases, retention periods; ICO registration number as good practice) | UK GDPR |
| Pre-launch | Returns and refund policy (plain language) | Consumer Contracts Regs 2013 |
| Pre-launch | T&Cs with pre-contract information | Consumer Rights Act 2015 |
| Pre-launch | Verified review collection process | DMCC Act 2024 (in force) |
| Ongoing | Data retention and deletion workflows | UK GDPR |
| Ongoing | Pre-renewal reminders for subscriptions (prepare now) | DMCC Act 2024 (autumn 2026) |
ProfileTree offers e-commerce web design and development services that build these standards into every project from the brief stage. If you are auditing an existing store, our team can identify compliance gaps and prioritise the fixes that carry the highest legal and commercial risk.
Frequently Asked Questions
What happens if my UK e-commerce site is not GDPR compliant?
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover for serious breaches under the current UK GDPR framework. For SMEs, the more common consequence is an enforcement notice requiring specific changes, but the ICO has shown an increasing willingness to investigate smaller businesses following complaints. Beyond fines, a publicised data breach damages customer trust in a way that is difficult to recover from.
Do I need separate privacy policies for UK and EU customers?
If you sell to customers in EU member states, you must comply with EU GDPR as well as UK GDPR. In practice, the two frameworks are closely aligned but not identical. You may need to appoint an EU representative if you do not have an establishment in the EU, and your privacy notices must reflect whichever law applies to each customer. A single policy covering both is possible but must be carefully drafted to satisfy both regimes.
What are the rules around sale prices and discounts on UK e-commerce sites?
Under the DMCC Act 2024 (which replaced the Consumer Protection from Unfair Trading Regulations 2008 from 6 April 2025), a "was" price used in a discount claim must reflect a genuine previous selling price. The CMA's guidance indicates that the reference price should have been genuinely offered at that level for at least 30 days immediately before the discount begins, and for no shorter a period than the discount itself runs. Countdown timers that create false urgency, or "limited stock" messages that are not accurate, also breach these provisions.
Is a cookie banner required if I only use basic analytics?
Yes. Analytics cookies are not "strictly necessary" for the service the visitor has asked for, so under PECR and the ICO's guidance they need consent before they are set; that includes the cookies set by Google Analytics 4. The only cookies that can be set without consent are those strictly necessary for the site to function, such as session and shopping cart cookies and security tokens. Whether a cookie is first-party or how long it persists does not change this.
How does the DMCC Act 2024 affect my subscription checkout?
The subscription contract provisions of the DMCC Act are not yet in force and are not expected to take effect before autumn 2026. When they do come into force, businesses offering subscriptions will need to display a pre-contract summary with clear cancellation terms, send reminders before free trials convert to paid and before annual renewals, and provide a single online cancellation mechanism. The drip pricing and fake review rules, however, are already in force from 6 April 2025 and apply to all e-commerce sites now.
What contact information must a UK e-commerce site legally display?
At minimum: a valid email address, a physical address (not a PO box), your company name as registered at Companies House, your registration number if you are a limited company, and your VAT number if registered. A telephone number is not strictly required by the Electronic Commerce Regulations 2002, but the Consumer Contracts Regulations 2013 require that customers can contact you quickly and efficiently. Most trading standards guidance recommends including one.