Originally published in 2009 as a page on our old website.
Below are brief details of the main legislation relating to operating a website, primarily focussed on businesses based within the UK. Please use this as a starting point for researching the legislation that will apply to your specific business.
Important note: we provide no guarantees as to the currency of this information.
Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
There is stronger legal protection for more sensitive information, such as:
Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.
In May 2018, the Data Protection Act will be replaced by the EU’s General Data Protection Regulation, a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data.
Among many new conditions, one of the biggest changes SMEs will face concerns consent. Under the new regulations, companies must keep a thorough record of how and when an individual gives consent to store and use their personal data.
And consent will mean active agreement. It can no longer be inferred from, say, a pre-ticked box. Companies that control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms.
Individuals also have the right to withdraw consent at any time, easily and swiftly. When somebody does withdraw consent, their details must be permanently erased, and not just deleted from a mailing list. GDPR gives individuals the right to be forgotten.
In the event of a data breach, GDPR forces companies to inform relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.
BT has produced a white paper, Dealing with new EU data-protection regulation, which outlines the implications of the new regulations and offers insight into how to best prepare for their implementation.
On 13 June 2014 the Distance Selling Regulations were replaced with the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. These apply to sales of goods or services to consumers without face-to-face contact. This includes selling by mail order, through the internet, using digital television, or by telephone, fax or text message.
You must provide certain information if you’re selling goods or services through digital TV, by mail order or by phone or text message. This is called distance selling.
Before an order is placed you must provide:
This information must be easy to understand and on paper, in an email or another format the customer can save for future reference.
Right to cancel
You must tell the customer they can cancel their order up to 14 days after their order is delivered. They don’t need to give a reason for cancelling.
If you don’t tell the customer about their right to cancel, they can cancel at any time in the next 12 months. If you tell them about the right to cancel during these 12 months, they have 14 days to cancel from when you told them.
After an order is placed you must:
These rules don’t apply to:
You must also follow the general rules for accepting returns or giving refunds.
Before an order is placed you must:
You must confirm the contract as soon as possible, for example with an email.
Selling digital services
There are extra rules for selling digital services which customers download or stream online, including:
Downloads and streaming services
If you supply downloads or streaming services, you must:
If you don’t follow these rules, the customer will keep their 14 day right to cancel without paying.
After an order is placed you must:
VAT rules in the EU
There are special rules on registering for VAT if you sell digital services to customers in other EU countries.
The information provided on these pages was taken from the following sites; please refer to them if you require further information:
UK Government - Data Protection Regulations
UK Government - Consumer Protection (Distance Selling) Regulations
Office of Fair Trading - Guide to Internet Shopping