Legislation Relating to Operating a Website

02 August 2017

Originally published in 2009 as a page on our old website.

Legal Guidelines

Below are brief details of the main legislation relating to operating a website, primarily focused on businesses based within the UK. Please use this as a starting point for researching the legislation that will apply to your specific business.

Important note: we provide no guarantees as to the currency of this information.

Data Protection Act (DPA)

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the European Economic Area without adequate protection

There is stronger legal protection for more sensitive information, such as:

  • ethnic background
  • political opinions
  • religious beliefs
  • health
  • sexual health
  • criminal records

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. The definition of processing is far wider than before: for example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.

General Data Protection Regulation (GDPR)

In May 2018, the Data Protection Act will be replaced by the EU’s General Data Protection Regulation, a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data.

Among many new conditions, one of the biggest changes SMEs will face concerns consent. Under the new regulations, companies must keep a thorough record of how and when an individual gives consent to store and use their personal data.

Consent will mean active agreement. It can no longer be inferred from, say, a pre-ticked box. Companies that control how and why data is processed (data controllers) will have to show a clear audit trail of consent, including screen grabs or saved consent forms.

Individuals also have the right to withdraw consent at any time, easily and swiftly. When somebody does withdraw consent, and no other lawful basis for holding their data applies, their details must be permanently erased from every system that holds them, not just removed from a mailing list. GDPR gives individuals the right to be forgotten.

In the event of a personal data breach, GDPR requires companies to notify the relevant supervisory authority within 72 hours of becoming aware of it, giving full details of the breach and proposals for mitigating its effects.

BT has produced a white paper, Dealing with new EU data-protection regulation, which outlines the implications of the new regulations and offers insight into how to best prepare for their implementation. 

The Consumer Contracts (formerly Distance Selling) regulations

On 13 June 2014 the Distance Selling Regulations were replaced with the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. These apply to sales of goods or services to consumers without face-to-face contact. This includes selling by mail order, through the internet, using digital television, or by telephone, fax or text message.

You must provide certain information if you’re selling goods or services through digital TV, by mail order or by phone or text message. This is called distance selling.

Before an order is placed you must provide:

  • your business name, contact details and address
  • a description of your goods or services
  • the price, including all taxes
  • how a customer can pay
  • delivery arrangements, costs and how long goods will take to arrive
  • the minimum length of their contract and billing period
  • conditions for ending contracts
  • how they can cancel and when they lose the right to cancel
  • if they will still need to pay reasonable costs for using a service after they cancel
  • a standard cancellation form, if they can cancel
  • conditions for money given as a deposit or financial guarantees
  • what digital content does (for example, the language it’s in or how to update software)
  • the cost of using phone lines or other communication to complete the contract where it will cost more than the basic rate

This information must be easy to understand and on paper, in an email or another format the customer can save for future reference.

Right to cancel

There are different rules for downloads and streaming services.

You must tell the customer they can cancel their order up to 14 days after their order is delivered. They don’t need to give a reason for cancelling.

If you don’t tell the customer about their right to cancel, they can cancel at any time in the next 12 months. If you tell them about the right to cancel during these 12 months, they have 14 days to cancel from when you told them.

After an order is placed you must:

  • provide a copy of the contract on paper, by email or another format the customer can save for future reference
  • provide the copy of the contract no later than when the goods are delivered
  • deliver the goods within 30 days, unless you’ve agreed otherwise with the customer
These rules don’t apply to:

  • goods and services worth £42 or less
  • NHS prescriptions and treatment (free and paid for)
  • financial services, for example pensions, mortgages, credit
  • the construction of new buildings (but not extensions)
  • food and drink supplied regularly (like milkmen)
  • gambling
  • package holidays, timeshares and holiday clubs
  • contracts to let a property the customer will live in, for example renting a house or flat (although they do apply to estate agents’ marketing services)
  • goods bought from a vending machine
  • using a payphone or paying to use an internet connection (for example, at an internet café)
  • bus, train, flight and other tickets for passenger travel

You must also follow the general rules for accepting returns or giving refunds.

There are extra rules for selling online.

Before an order is placed you must:

  • make it clear to customers they have to pay when they place an order (for example, a ‘pay now’ button)
  • display clearly how customers can pay and include delivery options and costs
  • list the steps involved in a customer placing an order
  • take reasonable steps to let customers correct errors in their order
  • let customers know what languages are available
  • make sure customers can store and reproduce your terms and conditions, for example these can be downloaded and printed off
  • give your email address
  • give your VAT number (if your business is registered for VAT)
  • give the cost of using phone lines or other communication to complete the contract where it will cost more than the basic rate
  • give a description of your goods, services or digital content - include as much information as you can
  • give the total price or how this will be calculated
  • give the total delivery cost or how this will be calculated
  • tell them the minimum length of their contract
  • give any conditions for ending rolling contracts or contracts with no clear end date

You must confirm the contract as soon as possible, for example with an email.

Selling digital services

There are extra rules for selling digital services which customers download or stream online, including:

  • computer games
  • in-game purchases
  • TV and film
  • books
  • computer programs
  • mobile phone apps

Downloads and streaming services

If you supply downloads or streaming services, you must:

  • get the customer to confirm before they download or stream content that they are aware they’ll lose their 14 day right to cancel
  • get the customer to agree to an instant download before they start the download
  • include this information in your confirmation of the contract, along with the other pre-contract information

If you don’t follow these rules, the customer will keep their 14 day right to cancel without paying.

After an order is placed you must:

  • confirm the contract as soon as possible and no later than when goods are delivered, a service starts or digital content is downloaded (for example, an email must be sent when content is downloaded even if it doesn’t arrive at the same time)
  • provide a copy of the contract on paper, by email or another format the customer can save for future reference
  • deliver the goods within 30 days, unless you’ve agreed otherwise with the customer

VAT rules in the EU

There are special rules on registering for VAT if you sell digital services to customers in other EU countries.

The information provided on these pages was taken from the following sites; please refer to them if you require further information:

UK Government - Data Protection Regulations

UK Government - Consumer Protection (Distance Selling) Regulations

Office of Fair Trading - Guide to Internet Shopping