Online shops and consumer law – what you need to know in 2015

There were big changes to the law covering online shops and consumer rights in 2014 – and many online shops are breaking the law and don’t know it.

The new laws demand consumers get more information and rights than before, and for the first time imposed legal standards for online shops, and penalties for those who don’t comply.

When was the last time you checked to see if your shop complies with the new laws?

Consumer rights law 2015 – the basics

We’ve put together a quick guide that covers the basics, but if you want to be sure your shop complies we recommend you see a specialist lawyer.

This short summary will give an idea of what’s required and the infographic below adds a wider context.

Information you provide

You have to be upfront about everything, especially:

  • Provide full contact information, including your address and a non-premium phone number
  • Provide information on all payment options, your returns policy and delivery charges before checkout, including any extra charges
  • Provide receipts including all of the above

shopping cart photo

Everything must be in clear, easy to understand language, with no hidden charges or other shady practices such as automatically adding products to shoppers’ carts are all banned.

Much of this is common sense if you want anyone to buy from you, but it’s amazing how many online shops still don’t have this information, and it’s one of the main reasons why online shops fail.

Returns and cooling off period

In short, a customer can return a product bought at your shop for any reason, within 14 days of receiving it – until last year it was seven days.

You must have a simple, clear policy on returns and things like who pays for postage, as well as a returns form and these must be easily found on your website.

The rules are quite detailed on how this should be done, and there are exceptions for things like perishable goods and personalised goods.

Who do the new laws apply to?

The law applies to anyone who sells anything online, from physical products, to e-books, to appointments, courses and subscriptions. Selling online means where transaction takes place on a website.

The rules, especially for subscription and membership sites, are very complex and need to be looked at in depth. There are links to resources at the bottom of the page.

This infographic comes courtesy of Reflect Digital, on behalf of their client Waterfront Solicitors

Consumer Rights law UK and online shops infographic

Where to find out more about the Consumer Rights Directive

This post is only intended to provide a flavour of the law and the main points you need to look at and should NOT be taken as legal advice.

If you want to know the full detail, you’re going to have to do your homework and we strongly recommend you do, so here are some resources.

  • Waterfront Solicitors – Consumer law is changing – 5 key pointers for online businesses

Official guidance from the EU and from the UK Government

The EU guidance document (in PDF format) is a massive 79 pages!

The UK Department for Business Innovation and Skills guide is a mere 26 pages: Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations (PDF format)

If you still need help with how to comply

Then ask us for help. We can audit your site pointing out areas for attention.

Contact us to find out more.

Why online shops fail

Why online shops fail

If your business sells things in the real world, it’s simple enough to set up an online shop and just sit back and watch the money roll in.

That’s the theory but it rarely works out that way. Here are the main reasons why online shops become online flops.

[box type="info"]This post has been updated to reflect changes in UK consumer law introduced in 2014[/box]

We get asked to fix a lot of online shops and nearly always the complaint is the same: No-one’s buying.

Sometimes no-one’s visiting at all, but often when we look at statistics we can see plenty of visitors but few or no sales.

So why does nobody buy?

The answer lies in a combination of factors, assuming you are selling something people want to buy in the first place.

Computer keyboard and credit card
Get it right and the card will come out

Trust and credibility

These days the average web user is afraid of online fraud and needs reassurance. First of all they need to know who you are: They need your address.

It’s surprising how many shops ignore this basic rule but it’s more important than that – it’s the law in the UK.

If you are UK based and selling online, the Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations 2014 apply to you. These replace the Consumer Protection (Distance Selling) Regulations 2000, and they are tougher.

Put simply, the regulations make up for the fact that online shop customers can’t inspect your products in person. But they are also a good framework for building a shop that people will trust.

Broadly, this means your shop should:

  • Provide clear information about the supplier, the goods or services and the sale in writing
  • Give shoppers the right to 14 working days in which to change their minds and return the product (though there are some exceptions)
  • Be totally clear on everything, from delivery charges and dates to any other charges you may make
  • Provide protection from credit card fraud.

By covering this you are answering questions potential buyers are bound to have, such as:

  • When will I receive my goods?
  • What if they are not the right size or otherwise unsuitable?
  • Am I safe giving my financial information to this shop?

If you are transparent about who you are and provide clear information about delivery, returns and how to contact you then that all helps to build trust. Oh, and it’s mandatory now, though many online shop owners don’t seem to know this.

Of course, the product descriptions must not be misleading!

Another big aspect of trust is the safety in numbers principle – that the shopper will feel safer buying if they know others are. This is sometimes called social proof.

You can help in this way by encouraging customers to review their purchases or write testimonials – but if your shop has a review facility and nobody has reviewed anything then this can have the opposite effect, and draw attention to your lack of customers.

To make this work you will need to give people an incentive to leave reviews or link to you on social media. More about the importance of trust and websites.

Poor promotion and management

Getting the shop right is only part of the job. To get people to buy from you you need to get them to your site.

This means you need to promote your site, whether offline through promotional leaflets and flyers, or online through methods like social media.

Who to target depends on what you sell, just like every shop needs to plan for how to get the visitors and the customers.

But once you have got the customers you need to be able to look after them and that means having the systems in place to staff the shop – answer questions, get the products to the customers and deal with any issues. These things don’t happen by themselves.

In the end your shop is a part of your business, just the same as any other part, and as such it will require some time and effort to run it.

Your shop is hard to use – or doesn’t work at all

If you build a shop, you MUST test it. It’s amazing how many times this is forgotten.

That means doing a test purchase to make sure everything works as it should and that you and the customer will get the right email notifications.

You should also test the contact form to make sure it sends email to the right place. We’ve seen a fair few shops where email enquiries disappear into a black hole – along with potential customers.

Nothing puts customers off faster than a shop with that doesn’t work properly – and that includes broken links.

Nothing except a shop that’s hard to use.

Getting around

Shops are generally big sites, which means it should be as easy as possible to find what you want. Navigation should be clear, simple and consistent and the search should be effective (often it’s not but nobody tests it).

Checkout and payment

Your customer has decided to buy and so you have to make it as easy as possible for them.

The best shops have a single page checkout where customers enter their details, review their shopping cart and proceed to payment: The worst have three or four pages to wade through, and won’t let you buy unless you set up an account first.

You also need to think about how people want to pay and give them as many options as you can.

Payment by cheque only, for example, is likely to lose you customers – who needs to wait for a cheque to clear before they can have their goods when they bought online in the first place to save time?

If you do nothing else, at least set up payment by PayPal as it is a trusted brand for online payments and offers some protection – and therefore more trust in your shop.

Other online shop ‘fails’

  • Text that’s too small to read
  • Product images that are too small and/or low quality
  • Not enough information about the products
  • Not focusing on the products – it’s a shop so the products must be front and centre
  • Being so clever or gimmicky that customers can’t use your site

More information:

Jeff Bullas blog: 12 Reasons I won’t buy from your website

The Floating Frog: 13 Reasons why your online shop will fail

E-Commerce Rules: Top 5 reasons Why your online shop will fail

The UK Department for Business Innovation and Skills: Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations (PDF format)

E-Consultancy: Why does customer service suck online?

Photo credit: Fosforix via photopin cc

Cookie Law: Dead in the Water?

Cookie Consent Widget

At last the Information Commissioner has bowed to the inevitable and further watered down the UK Cookie Law.

As of today websites can officially accept set cookies without asking first, rendering more or less meaningless one of the most pointless – and unenforceable – laws in recent years.

So hopefully that will spell the end for one of the most annoying features ever to have to hit the web: the cookie consent widget.

These annoying little blighters have been springing up on websites for the past year or so – asking everyone if it’s okay to set cookies.

The Cookie Law just annoys people

Some would disappear if you ignored them, others refused to go away and tracked you right through a site and others popped up again as soon as you said yes or no to their insistent demands.

[caption id="attachment_604" align="alignright" width="283"]Cookie Consent Widget Goodbye Cookie Control – We won’t miss you[/caption]

As a website owner, if you set yours according to the letter of the law then your site would not record statistics until the site visitor agreed, and social media add ons like Facebook Like buttons would not work.

So until people agreed you could not measure them, meaning your website statistics only recorded some of the visitors to your site.

We always advocated a lighter approach in our blog posts on the Cookie Law and Complying with the Cookie Law.

To be fair the Cookie Law was the biggest bane on usability since the arrival of Flash websites.

Cookie warning notice

But now it is dead. All you have to do is have a cookie notice on your site – and that’s it. Not even an annoying widget.

It would appear to be a victory for common sense, although the ICO is portraying it as ‘job done’. More likely that it was a totally unworkable piece of legislation that has been nothing but a gigantic pain for everyone as it changed, changed and changed again.

So will you miss the Cookie Law? Was it a good thing? Add your views below.

More information

ICO to change cookie policy to recognise implied consent –

Changes to cookies on our website – Information Commissioner’s Office

Make sure your Tweets and blog posts don’t land you in trouble with the law

Sticks of dynamite

The following is an overview of how to avoid legal issues on social media.

With the current case of Lord McAlpine suing people who falsely named him as a child abuser, Twitter and social media in general is under the microscope like never before.

The former Tory treasurer is chasing everyone who named him on Twitter based on rumours he abused children in a home in Wrexham in the 70s. And, for the avoidance of doubt (and in case his lawyers read this!) we should point out those rumours are totally untrue.

[caption id="attachment_522" align="alignright" width="300"]Sticks of dynamite Your Tweets could be legal dynamite, but not literally.[/caption]

Lord McAlpine has deep pockets and a lot of people who repeated the allegation will be getting a letter from his lawyers.

If you use social media, this is the perfect example of why you need at least a basic understanding of the law of defamation and libel before you bash out a Tweet and press the send button.

And it’s not just libel. Earlier this month nine people who used their Twitter accounts to name a woman raped by footballer Ched Evans were ordered to pay her compensation.

All said they didn’t know identifying a rape victim was a criminal offence.

In all cases it’s no defence to say you did not know the law. A Tweet in particular can be retweeted to thousands upon thousands of people, gaining a massive audience beyond your followers.

And it doesn’t matter how many times other people have tweeted or blogged the statement (whatever it is) before you. If you repeat it, you are just as guilty as the person who started it.

That’s why Twitter users in particular are under the microscope, but the law also applies to blogs and – to a lesser extent – Facebook posts, where a lot depends on privacy settings.

Deleting won’t save you

Deleting Tweets and posts won’t help as they can be recovered, and social media sites will hand over your details if asked for them by the police or by a court order.

But in the last few days I’ve seen a lot of blogs repeating the most outrageous allegations of child abuse against politicians of all parties and I expect the bloggers involved will be getting letters from lawyers sooner or later.

Some high profile Tweeters have been caught out by this, not to mention the BBC and ITV, so the risks are clear.

Back in the old days…

In the days before widespread use of the internet and social media, when only newspapers, magazines and TV and radio could broadcast to wide audiences, this wasn’t a problem.

Journalists understood the law, and what they wrote or put on air went through the filter of an editor who (mostly) would pick up anything libellous or likely to break the law.

The onus was – and still is – on them to get it right. And as a Twitter user or the writer of a blog or poster on Facebook the same laws apply to you.

That means it’s your responsibility that your tweets don’t break the law or defame someone. And if they do, you will face the consequences.

So what’s the law now?

You can fall foul of the law in two different ways:

By committing a criminal offence, for example the inflammatory Tweets that people have gone to jail for, or naming rape victims. If you commit a criminal offence you are prosecuted and go to a criminal court. Only criminal offences can land you in jail.

By committing defamation, or libel in particular. Libel is when a person’s reputation is damaged by an untrue statement that is written and published.


Libel is not a criminal offence, it is a tort or a ‘civil wrong’ that means the person who you libelled can sue you in a civil court and claim money as compensation for the damage to their reputation.

There’s no legal aid for libel and it’s very expensive to start an action or defend one. But if you libel someone who has a lot of money you are in trouble.

There are lots of defences for libel, the chief one being that the statement made was true. But again you have to prove that and that can be very expensive indeed.

You don’t even have to name the person directly.

However you can’t libel someone who is dead, which is why anyone can say what they like about Jimmy Savile.

This is a simplified version of a very complex law. For more information see these pages:

The Guardian: Libel laws explained

Sense about Science: A quick guide to libel laws in England and Wales (PDF file)

Out-Law: Guide to defamation

Criminal law

The main law we are dealing with here is the naming of rape victims. There is an automatic lifetime ban on identifying the victim of any sexual offence. You can’t go to jail for this, but you can be fined as in the Ched Evans case.

The same goes for identifying juveniles – those under 17 years old – also a danger area, whether they are offenders or victims.

In most cases this is banned outright though in extreme cases, such as the two boys convicted of the killing of Jamie Bulger, the judge allowed them to be publically named. However people who recently tweeted pictures purporting to be one of them have been charged with contempt because they can no longer be identified. Confusing, huh?

Commenting on criminal court cases – especially ongoing ones – can be risky and is best avoided as the law of Contempt of Court is very restrictive.

More information:

BBC News: Twitter users: A guide to the law

The Guardian: Ched Evans rape case: nine fined over naming of footballer’s victim

The Daily Mail goes into more detail, especially what the offending Tweets said.

Then there’s the whole issue of offensive Tweets and Facebook posts, that have led to some recent high profile court cases and jailings. Though there is a debate over whether this is freedom of expression it’s clear the courts are taking it seriously.

Here are some examples:

BBC News Racist Twitter user jailed for 56 days

The Guardian Tom Daley Twitter abuse arrest leads to calls to educate people of legal risks

BBC News: April Jones: Matthew Woods jailed for Facebook posts

And another McAlpine story: The Guardian: McAlpine’s solicitor warns long list of Twitter users to ‘apologise or be sued’

Think before you Tweet

Admittedly, these are extreme examples but when it’s so easy to type something out and send it, it pays to think before you Tweet or post:

  • Do you know it’s true? Could you prove it if challenged?
  • Is what you say likely to offend anyone, even if you are not setting out to offend?
  • If you are commenting on a court case is has what you say already been reported in the mainstream media? If it hasn’t you could be unwittingly landing yourself in trouble.

These are just a few of the main considerations. There’s a more comprehensive guide here on the Lawyers4Mumpreneurs website:

Top ten legal issues to consider when using Twitter

Cookie law made simple – no need to panic

Woman with bag on head

In the last few months alarm has been spreading across the web community and anyone who owns a website.

The reason? A new British law governing privacy and websites, often referred to as the EU Cookie Law because it is derived from a European Directive.

Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue.

The law affects just about every website, with severe fines of up to £500,000 for non-compliance. Yet most websites did not comply and most website owners were not aware of it.

[caption id="attachment_537" align="alignright" width="300"]Woman with bag on head Sure this is an approach to the Cookie Law, but not the best one[/caption]

As time ticked down towards its introduction on May 26 the fear and paranoia grew – and as ever there were plenty of people only too ready to cash in. That wasn’t helped by a lack of clear guidance from the Information Commissioner’s Office (ICO), who will enforce the law.

So what’s it all about?

Cookies are small files that allow a website to recognise and track users. The vast majority of websites use them – for example to remember what is in your shopping cart or to recognise you when you return to a site. They also allow website owners to track statistics for their sites, allowing them to improve services in a cost effective way.

On the whole they are a good thing that makes using the web easier for everyone.

But some are intrusive, effectively spying on people who visit a website for a long time after they have left it, and without their knowledge or permission.

The law was created to regulate these, after all it’s only right that you should have a choice whether to accept them or not. It’s about online privacy.

The trouble is it targets ALL cookies, not just the intrusive ones, which is why it puts just about everyone in a technical breach. As with all privacy issues, it’s difficult to know where to draw the line. That makes it a major headache for everyone who runs a website.


Much of the fear has been generated around the penalties for not complying with the law and it’s true that website owners can be fined up to £500,000. But don’t expect to see anyone fined for a long, long time.

The ICO is adopting a softly, softly approach of education rather than using a big stick and fines will only be issued as a last resort when:

  • There have been complaints about a site
  • That site is using very intrusive cookies that capture sensitive data, such as medical information, maybe using that info to target advertising or pass on to third parties
  • The site owner explicitly refuses to do anything about it, despite repeated requests from the ICO.

And if you are approached by the ICO, you will be given plenty of chances – and lots of advice – to help you put things right.

That hasn’t stopped consultants and some web firms seeing an opportunity to cash in, often using fear of fines as a way to sell their services, most of which involve over the top solutions – a sledgehammer to crack a nut.

To be fair on some of these, the hazy guidance from the ICO hasn’t helped. Neither has the fact that at the 11th hour the ICO made a small, but very important, change to their advice.

Their first advice was that websites must obtain consent before setting any cookies, therefore disabling analytics, social media or many other site functions until a user agreed. This was technically quite difficult to do. It also meant using intrusive pop ups that block a site from use until a user has consented – or otherwise.

Sometimes the only way to comply would have been to tell people to leave the site.

But just before the May 26 deadline the advice changed. The new version allows for implied consent – so it’s ok to set cookies so long as you tell them what they are and how to block them. This makes all the difference.

Many web companies have invested a lot of time and money into producing solutions that – while being intrusive – complied with the law as it stood.

Unfortunately, the change to implied consent has made these solutions look like overkill. You can’t blame these companies for persisting with them when they have spent a lot of time and money developing their solution, only to see it obsolete.

The truth is that complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.

See the easy way to comply with the EU Cookie Law

The easy way to comply with the EU Cookie Law

The Cookie Monster

There has been much talk about the EU Cookie Law, which came into force in the UK in May this year, as well as scaremongering about big fines for non-compliance.

Since this post was first written in July 2012 the interpretation of the law has been relaxed again. See our latest blog post on the issue. But the position changes repeatedly, so see for the latest updates.

The truth, while a little hazy at times, is somewhat simpler and a lot less intimidating. It’s really not that difficult to set yourself on the road to compliance, which is what the authorities are looking for.

[caption id="attachment_611" align="alignright" width="300"]The Cookie Monster Cookie Monster[/caption]

The following is our interpretation of how to put yourself on the road to complying with the new EU Cookie Law and should work for you as long as you are not using any overly intrusive cookies that gather sensitive data.

It is not intended as definitive advice and if you need that you should consult the Information Commissioner’s Office(ICO) directly or see a lawyer. For full advice see the ICO’s latest guidance (PDF download)

The law is far from clear and it’s early days yet. The position may change but right now complying with the law – or at least avoiding unwanted attention from the ICO – is relatively straightforward for most of us and should not involve a great deal of work.

Remember that the ICO will be satisfied if you are ‘working towards compliance’ and to do that you need to follow the steps below. The good news is this need only take an hour.

Do a cookie audit

As a website owner, you need to understand what cookies your website is setting and what they do.

The way to do this is to use a free tool that checks your site. There is no need to spend a fortune on doing this – or even any money at all.

If you use Google Chrome a simple free browser extension is available from Attacat. Full details and the extension itself are available on this page:

You don’t have to register to get it, and it will also give you an indication as to how instrusive any cookies you use are.

Another solution, especially if you use Mozilla Firefox, is the Firefox web developer toolbar, which includes a cookie auditing tool. The extension is available here:

Remember, it’s not an exact science and a cookie audit may not pick up everything your site generates. You only have to show that you are taking steps towards complying in full.

When you have done your audit you need to assess each cookie and what it does. If there’s anything you don’t understand you will need to talk to your web design company.

You can also Google the name of the cookie to find out what it does.

Publish the information

It’s actually been law to publish cookie information on your site since 2003, something that many people have ignored.

It’s usually hidden in the site’s Privacy Policy (if you have one) but now you have to make it easier to find.

It should also be in plain English and easy to understand, so there’s no room for legal jargon and geek speak.

You will need to create a new page for your Cookies Policy. You need to tell people what cookies you use (not necessarily naming them all) and what each one does.

It’s helpful to point people to instructions on how to turn cookies off using their browser controls. This page at aboutcookies is useful.

This page at offers a comprehensive guide for the lay person and the developer.


The ICO’s line on this is clear – you must have consent. But that seems to extend to implied consent, where you can assume consent has been given, so long as you make it easy for people to withdraw their consent and not accept cookies.

But while the law makes no distinction between ‘good’ cookies and ‘bad’ ones, in practice the ICO will. So for many sites that do not collect sensitive information, covering the first three steps should be enough for now at least.

What are others doing?

It’s a good idea to look at what the big boys do. If you have visited any of the sites below before, clear your cookies first before using these links.

The BBC went live with their cookie advice a few days before the May 26 deadline, but when the emphasis went to implied consent they scaled it back. The banner appears only once and assumes consent.

ITV is doing even less. Its cookie statement is in their website footer, and again assumes consent.

BT uses lots of cookies and therefore spent a lot of time and money on developing their solution, with a sliding scale where users can set their preferences, but even they are assuming consent has been given.

John Lewis adopt the same approach, with a subtle banner at the top that disappears once you move to another page.

See The Cookie Law made simple – for more background on the law.

photo credit: nettsu via photopin cc