E-Commerce Regulations 2002: UK Website Obligations

The Electronic Commerce (EC Directive) Regulations 2002, often called the e-commerce regulations 2002 UK, set the information UK websites must publish. They cover what to display, how an online contract is formed and what rules apply to commercial electronic communications. The full text sits at legislation.gov.uk/uksi/2002/2013.

The regulations are retained UK law. They were originally made to implement the EU E-Commerce Directive (Directive 2000/31/EC) and stayed in force after Brexit under the European Union (Withdrawal) Act 2018. EU-specific cross-border provisions have been amended out. The core duties on UK-established providers still bite.

Want to know if your site meets these rules? Scan your UK site for free.

Who the regulations apply to

The ECR 2002 apply to "information society service providers" (ISS providers). An ISS is a service "normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient." In practice that covers:

• Websites selling goods or services.
• Subscription platforms and SaaS products.
• Online marketplaces.
• Sites providing commercial information or advertising.
• Sites hosting user-generated content for commercial purposes.

The regulations apply to ISS providers "established" in the UK. That means any business with a real and stable presence pursuing economic activity in the UK. A UK business is established in the UK whether or not its servers are abroad and whether or not it has EU customers. The statutory instrument itself (SI 2002/2013) sets out the full text of the regulations.

Regulation 6: the general information duty

Regulation 6 requires ISS providers to make set information "easily, directly and permanently accessible" to recipients and to relevant authorities. The information must be on the site at all times. It must be findable without much effort. It must not be hidden behind a download or an account login.

The required items are:

For most standard e-commerce shops the minimum disclosure is the legal name, the physical address, an email address and the Companies House number. Add the VAT number if registered. Add sector items where they apply.

The simplest way to meet Regulation 6 is a dedicated "Legal" or "Company information" page linked from the footer on every page. See company website trading disclosures for the overlapping duties under the Companies Act 2006 and the Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015 (SI 2015/17).

Regulations 9 and 11: contract formation

Regulations 9 and 11 set transparency duties around how an online order is placed and confirmed.

Regulation 9 (information before conclusion). Before the recipient places an order, the provider must give the following information clearly and unambiguously: the technical steps to conclude the contract, whether the contract will be filed and accessible, the means for spotting and correcting input errors and the languages the contract can be concluded in. The text is at legislation.gov.uk/uksi/2002/2013/regulation/9.

In practice the checkout should show a clear order summary before the final confirmation step. The customer must be able to review and correct the order. A multi-step checkout with a final "review your order" stage before payment meets this rule. A single-page checkout where the payment button is the first time the customer sees the full order may not.

Regulation 9(3) (storable terms). Where terms and conditions are part of the service, the provider must make them available in a way the recipient can store and reproduce. A PDF download or a printable web page meets this duty. Terms that can only be viewed on screen and that can change without notice do not.

Regulation 11 (placing of the order). The provider must acknowledge receipt of the order "without undue delay and by electronic means." An automated order confirmation email or an on-screen order reference is fine. A delay of hours or days is not. Regulation 11(1)(b) also requires the provider to give the recipient an effective means to identify and correct input errors before the order is placed. The text is at legislation.gov.uk/uksi/2002/2013/regulation/11.

Regulation 7: commercial communications

Regulation 7 covers marketing and promotional content sent by electronic means. The message must be clearly identifiable as a commercial communication. The person on whose behalf it is sent must be clearly identifiable. Any promotional offer such as a discount, bonus or gift must be clearly identifiable as such. Conditions for the offer must be clearly and unambiguously accessible.

This overlaps with the Consumer Protection from Unfair Trading Regulations 2008 on misleading practices. For email marketing, Regulation 7 works alongside the consent rule in Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). The Information Commissioner's Office covers the consent test in its direct marketing guidance.

Unsolicited communications. Regulation 8 says any unsolicited commercial communication, such as a marketing email or text not requested by the recipient, must be clearly and unambiguously identifiable at the moment of receipt. Subject lines that hide the marketing purpose breach Regulation 8. The rule sits on top of PECR consent. It does not create a consent exemption for clearly labelled marketing.

Penalties and enforcement

Breaches are enforced by the Information Commissioner's Office for personal-data aspects. Ofcom, the Competition and Markets Authority and trading standards take other breaches. Trading standards has primary responsibility for most consumer-facing ECR 2002 issues.

The ECR 2002 does not set a dedicated civil penalty regime. Enforcement runs through the general powers in the Enterprise Act 2002, by way of court orders and undertakings. Since the Digital Markets, Competition and Consumers Act 2024 the CMA has direct civil enforcement powers for consumer-protection breaches. The CMA explains the new regime on its consumer protection enforcement page. Criminal sanctions under the ECR 2002 itself are reserved for narrow points such as failure to answer a competent authority's request for information. They are rarely used.

The most practical risk from ECR 2002 non-compliance is reputational. Customers or business partners who notice missing disclosures may raise the issue. They may use it as evidence of poor practice or as a ground to dispute contract formation.

Common questions

Does a contact form count as an email address? No. Regulation 6(1)(c) calls for an email address. A contact form on its own does not meet the rule.

Do these rules apply to a free service? Yes, where the service is "normally provided for remuneration." Free services funded by advertising or data are within scope.

Do I need a separate page for the disclosures? No. The rule is about access. A footer link to a single page that lists the items is fine. So is splitting them between an "About" page and a "Contact" page so long as both are linked from every page.

Are these rules the same as the Consumer Rights Act 2015? No. The CRA 2015 covers what a trader has to disclose about goods, services and digital content before sale. See Consumer Rights Act 2015 website disclosures for the overlap.

Quick checklist

• Legal name on a publicly linked page.
• Geographic address.
• Working email address.
• Companies House number if registered.
• VAT number if registered.
• Regulatory body details if you are supervised.
• Checkout shows order summary and an error-correction step before payment.
• Order acknowledgement email fires straight after payment.
• T and Cs available as a downloadable or printable file.
• Marketing emails labelled as marketing in the subject line.

For a current check of your site's legal disclosure signals, scan your UK site for free. For related consumer-rights duties under the Consumer Rights Act 2015, see Consumer Rights Act 2015 website disclosures.