E-Commerce Regulations 2002: UK Website Obligations

The Electronic Commerce (EC Directive) Regulations 2002 (commonly called the E-Commerce Regulations or ECR 2002) impose a set of baseline obligations on anyone providing services online in the UK. They cover what information must be displayed on a website, how online contracts are validly formed, and what rules apply to commercial electronic communications.

The regulations are retained UK law — they were originally enacted to implement the EU E-Commerce Directive (Directive 2000/31/EC) and remained part of UK law after Brexit under the European Union (Withdrawal) Act 2018, with amendments to remove EU-specific cross-border provisions. The core obligations on UK-established providers remain in full effect.

To check whether your website meets the ECR 2002 and related disclosure requirements, run a free scan at /uk/en/scan.

Who the regulations apply to

The ECR 2002 apply to "information society service providers" (ISS providers). This covers any person or business providing a service "normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient." In practice, this covers:

Websites selling goods or services. Subscription platforms and SaaS products. Online marketplaces. Websites providing commercial information or advertising services. Websites hosting user-generated content for commercial purposes.

The regulations apply to ISS providers "established" in the UK — broadly, any business with a real and stable presence and actually pursuing an economic activity in the UK. UK businesses operating websites are established in the UK and therefore subject to ECR 2002 regardless of where their servers are located or whether they have EU customers.

Regulation 6: the general information obligation

Regulation 6 requires ISS providers to make specified information "easily, directly and permanently accessible" to service recipients and relevant authorities. This means the information must be on the website at all times, findable without significant effort, and not buried in documents that require download or account access.

The required information is:

Name: the legal name of the provider. For limited companies, the registered company name. For sole traders, the individual's name or trading name alongside their own name.

Geographic address: a physical address where the provider can be contacted. A PO box is generally not sufficient — the regulation contemplates a real address. A registered office address for limited companies satisfies this where it is the actual place of business or correspondence.

Electronic mail address: a working email address. A contact form alone, without an email address, is technically non-compliant with Regulation 6(1)(c), though the ICT case law on this point is limited.

Trade register number: if registered in a trade or similar register, the name of the register and the registration number. For UK limited companies, this means the Companies House registration number.

VAT number: if the activity is subject to VAT and the business is VAT-registered, the VAT registration number must be provided. Under the VAT Regulations 1995, the VAT number must appear on invoices; the ECR 2002 additionally requires it to be accessible on the website itself.

Regulatory authority: if the provider is subject to a regulatory authorisation scheme (financial services, legal services, healthcare, gambling), the name and web address of the regulatory authority must be disclosed.

Professional title: if the provider belongs to a regulated profession (solicitors, accountants, doctors, architects), the professional title, the professional body, and the jurisdiction where the title was granted must be disclosed.

For most standard e-commerce businesses, the minimum ECR 2002 disclosure is: legal name, physical address, email address, and Companies House registration number. VAT number if registered. Sector-specific additions where applicable.

The most convenient way to satisfy Regulation 6 is on a dedicated "Legal" or "Company information" page linked from the footer on every page of the site. See company website trading disclosures for the overlapping obligations under the Companies Act 2006 and Trading Disclosures Regulations 2008.

Regulations 9–11: contract formation

Regulations 9–11 impose transparency obligations on the process of concluding an online contract with a consumer or business customer.

Regulation 9 — information before conclusion: before the recipient places an order, the provider must clearly, comprehensibly, and unambiguously provide: the technical steps required to conclude the contract; whether the concluded contract will be filed and whether it will be accessible; the technical means for identifying and correcting input errors before placing the order; and the languages in which the contract can be concluded.

In practice, this means a checkout process should include a clear order summary before the final confirmation step, with an opportunity to review and correct the order. Multi-step checkouts with a final "review your order" stage before the payment confirmation step satisfy this requirement. Single-page checkouts where the payment button is the first point at which the customer sees the full order may not.

Regulation 10 — placing an order: the provider must acknowledge receipt of the order "without undue delay and by electronic means." An immediate automated order confirmation email or on-screen order reference satisfies this. Delays of hours or days in acknowledging receipt would be non-compliant.

Regulation 11 — contract terms: if terms and conditions or contract terms are included in the service, the provider must make them available in a form the recipient can store and reproduce. A PDF download or a printable webpage satisfies this. Terms that can only be viewed on-screen and are subject to change without notice do not fully satisfy Regulation 11.

Regulation 7: commercial communications

Regulation 7 requires that commercial communications (marketing and promotional content) sent by electronic means must be clearly identifiable as such, that the person on whose behalf the communication is made must be clearly identifiable, and that any promotional offer (discount, bonus, gift) must be clearly identifiable as such with conditions clearly and unambiguously accessible.

This overlaps with the CPUTRs' prohibition on misleading commercial practices. In the context of email marketing, Regulation 7 works alongside PECR Regulation 22's consent requirements.

Unsolicited commercial communications: Regulation 8 requires that unsolicited commercial communications — marketing emails or texts not requested by the recipient — must be clearly and unambiguously identifiable as such at the moment of receipt. Subject lines that do not identify the message as marketing non-compliant with Regulation 8. Note that Regulation 8 operates alongside PECR's consent requirements — it does not override them or create a consent exemption for clearly labelled marketing.

Penalties and enforcement

Breaches of ECR 2002 are enforced by the Information Commissioner's Office (for breaches affecting personal data processing) and by Ofcom, the CMA, and trading standards authorities for other breaches. The Trading Standards service has primary responsibility for ECR 2002 enforcement for most consumer-facing violations.

The ECR 2002 does not specify a dedicated civil penalty regime. Enforcement proceeds via the general powers in the Enterprise Act 2002 (court orders, undertakings) and, since DMCCA 2024, via the CMA's direct civil enforcement powers for consumer protection breaches. Criminal sanctions under the ECR 2002 itself are reserved for breaches of specific provisions (such as failure to respond to a competent authority's request for information) and are rarely used.

The most practical risk from ECR 2002 non-compliance is reputational and through consumer dispute resolution — customers or business partners who become aware of a business's failure to make required information accessible may raise this as evidence of poor practice or as a basis for disputing contract formation.

For a current check of your website's legal disclosure and compliance status, run a free scan at /uk/en/scan. For the related consumer rights obligations under the Consumer Rights Act 2015, see consumer rights act 2015 website disclosures.