Data & Consumer Protection
12 plain-English data & consumer protection terms explained — part of the Yolist UK trade & business glossary.
- ADR (Alternative Dispute Resolution)
Alternative Dispute Resolution covers mediation, conciliation, arbitration and ombudsman services that resolve consumer or commercial disputes without going to court. UK traders selling to consumers must signpost a certified ADR provider once an internal complaint reaches deadlock. Approved schemes include the Financial Ombudsman, Ombudsman Services and the Furniture & Home Improvement Ombudsman.
- Consumer Rights Act 2015
The Consumer Rights Act 2015 consolidated UK consumer law into a single statute covering goods, digital content and services. Goods must be of satisfactory quality, fit for purpose and as described; services must be performed with reasonable care and skill. Statutory remedies — repair, replacement, refund — are tiered by time elapsed. Unfair contract terms are unenforceable.
- Distance Selling Regulations
The Distance Selling Regulations were superseded in 2014 by the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations, which transpose the EU Consumer Rights Directive. They give consumers a 14-day right to cancel most distance and off-premises contracts and require traders to give pre-contract information. Specific exemptions apply for perishable goods, made-to-measure items and unsealed digital content.
- DPA (Data Protection Act)
The Data Protection Act 2018 is the UK's domestic data-protection statute, sitting alongside the UK GDPR. It supplements the GDPR with national derogations, regulates law-enforcement and intelligence-services processing, and underpins the Information Commissioner's powers. Together with UK GDPR, the DPA 2018 governs almost all processing of personal data in the UK.
- GDPR
The General Data Protection Regulation (GDPR) — retained in UK law as UK GDPR after Brexit — is the primary framework governing how organisations collect, store and process personal data. It grants individuals rights including access, rectification, erasure and portability of their data. Organisations must have a lawful basis for each processing activity, keep records of processing, and appoint a Data Protection Officer if they handle data at scale or process sensitive categories. The Information Commissioner's Office (ICO) enforces UK GDPR and can impose fines of up to £17.5 million or 4% of global annual turnover.
- GDPR-compliant business
A GDPR-compliant business handles personal data according to the UK GDPR and Data Protection Act 2018. Core requirements include a lawful basis for processing, a clear privacy notice, data-subject rights handling (access, erasure, rectification) within one month, breach notification within 72 hours, and — where applicable — appointing a Data Protection Officer. Compliance is regulator-assessed by the ICO, with fines up to £17.5m or 4% of global turnover.
- ICO Data Breach Notification
Under UK GDPR, organisations must notify the Information Commissioner of a personal data breach within 72 hours of becoming aware, unless the breach is unlikely to pose a risk to data subjects. Where risk is high, affected individuals must also be told without undue delay. The ICO maintains an online breach-reporting form. Failure to notify is itself an infringement.
- ICO Registration
The Information Commissioner's Office (ICO) is the UK's data protection regulator. Most organisations processing personal data must pay an annual data protection fee and appear on the ICO public register. Fees range from £40 to £2,900 depending on size and turnover. Failing to pay is itself an offence, separate from any UK GDPR breach.
- PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements managed by the PCI Security Standards Council (founded by Visa, Mastercard, Amex, Discover and JCB) for any organisation that stores, processes or transmits cardholder data. Compliance involves passing an annual assessment (a self-assessment questionnaire for smaller merchants or an audit by a Qualified Security Assessor for larger ones) and quarterly network scans. Non-compliance can result in fines from the card schemes and, in the event of a breach, the merchant bearing the full cost of fraudulent transactions.
- Section 75 (credit card chargeback)
Section 75 of the Consumer Credit Act 1974 makes a credit-card issuer jointly and severally liable with the trader for a breach of contract or misrepresentation, for goods or services costing £100-£30,000. Cardholders can claim from the issuer if the supplier refuses to refund or has ceased trading. Debit-card "chargeback" is a separate, voluntary card-scheme right with weaker statutory backing.
- Trading Standards
Trading Standards is the network of local-authority enforcement officers responsible for fair trading, product safety, weights and measures, age-restricted sales and consumer protection in the UK. National coordination is provided by the Chartered Trading Standards Institute (CTSI). Citizens Advice operates the consumer helpline (0808 223 1133) and refers cases to Trading Standards where appropriate.
- WEEE compliance
The Waste Electrical and Electronic Equipment (WEEE) Regulations require producers, distributors and retailers of electrical goods in the UK to finance collection and recycling of end-of-life equipment. Producers must register annually with the Environment Agency through an approved compliance scheme. Distributors must either offer free in-store take-back of like-for-like items or join the Distributor Take-back Scheme.