Like every area of business these days, ecommerce has its own red tape, rules and regulations. Just remember, though, that it is up to you to comply with the law. Here are my tips to help you ensure your online store meets UK regulations.
1 VAT
If your annual revenue exceeds £68,000 you must be VAT registered. If you are below this threshold you do not have to charge VAT, and in fact it would be against the law to do so. There are some finer points to be aware of, too. For instance, if your products are a mixture of items on which VAT must be charged and items exempt from VAT, the VAT charged on shipping should be in proportion. Make sure your ecommerce solution can handle all of these tax rules.
2 US import rules
The UK is part of the EU, obviously, so we are bound by its rules. US orders are handled differently. Individual US states may want to charge tax on sales into their area, but it is their responsibility to levy it. You do not have to charge this “use tax”, which is a matter between the buyer and the state where they live. As a UK business you can sell into the US tax free, but you should make your customers aware that they may be charged tax on the goods when they are imported.
3 EU Distance Selling Directive
Under this Directive you must provide full contact details, including an address, phone number, email address and, where applicable, your company and VAT registration numbers. Even where it is not strictly required, do it anyway: it helps to build trust.
The same Directive requires you to accept the return of any item within seven working days of purchase, and there are penalties for failing to inform buyers of this right. But why not make it a selling point?
4 Data Protection
You must register with the Information Commissioner’s Office if you hold data on people (e.g. customers). Registering takes some time and effort, but it is inexpensive and fairly straightforward.
5 Email opt-in
If you want to email newsletters or offers to prospective customers, you must gain their consent in the form of a statement that they agree to receive such communications, and you must give them the option to decline.
Emails involved in fulfilling orders or answering specific sales enquiries do not need this provision. Every marketing message you send must include a free method of opting out, and the opt-out itself can be by email. The regulations apply to communications with individuals, not businesses.
6 Disability legislation
Since 2004, businesses have been legally required to take “reasonable” steps to provide access for people with disabilities, and this includes your website. Ensure every image has an alt text attribute, so that visually impaired visitors using screen readers can still navigate your site.
7 Libel on social media
Libel laws also apply to blogs, Twitter, Facebook and so on. Remember, too, that your words remain on record forever, so think before you type that competitor put-down.
8 PCI DSS
Protecting payment card data is crucial and the banks require compliance under the Payment Card Industry Data Security Standard (PCI DSS). Compliance is compulsory for anyone who accepts and stores debit/credit card details either on computer or on paper.
More information on PCI DSS can be found at https://www.pcisecuritystandards.org.
You can meet PCI DSS in one of two ways:
- Use a payment service provider (PSP) such as PayPal, WorldPay or SellerDeck Payments (if you use my company’s shopping cart). Your customers and employees only ever enter card details on the PSP’s site, so card data never passes through your own systems. That way the PSP does most of the worrying about compliance and you are left with a few straightforward actions. This is the best option for small retailers.
- Make your own infrastructure fully compliant. This is a difficult route and for the majority of smaller businesses, achieving proper compliance will probably not be practical or cost-effective. The total one-off cost is likely to exceed £45,000 plus ongoing fees.
9 3D Secure
3D Secure, known as “Verified by Visa” and “Mastercard SecureCode”, is a sort of online chip and PIN system. Online buyers are prompted to enter a password whenever they use their card. The password is sent directly to Visa or Mastercard, who approve (or decline) the transaction. This is gradually becoming compulsory, and you should consult your bank and PSP on how to comply.
10 Let the world know
Finally, assuming you are legal and decent, let the world know. Anything that adds to your credibility will help you online, so list all of the things that you have done under the heading “We comply with the following legal and tax regulations”.
If you are a start-up, these rules may seem too big a mountain to climb. But there are two things to remember. Firstly, do your best to comply. Secondly, if you are challenged and the challenge is justified, take corrective measures immediately. With the exception of VAT transgressions, in most cases this will be enough to avoid business damage or prosecution.