As beauty e-commerce continues to boom, regulation is catching up fast. This means that beauty e-commerce businesses, whether shipping moisturizers to Milan or face masks to Manchester, will need to meet EU and UK standards across cosmetics safety, tax, consumer protection, data privacy, and digital platform risk.
To help businesses fully understand the key rules shaping the market, this article breaks down beauty e-commerce regulations into six essential pillars and gives practical steps and insights on how to tackle each one. Here’s how businesses can keep operations clean, compliant, and scalable in 2025 and beyond.
1. Build compliance practices into your company setup
The very first step is getting your company operations set up properly. Get your legal and product safety foundation right, and compliance will be much easier to achieve. For example, as you’re designing your branding and product labels, you’ll need to pay close attention to regulations on things like product labeling.
Know the law on cosmetics
For businesses supplying cosmetic products to Great Britain (England, Scotland, and Wales), the key regulations you need to follow include Regulation 1223/2009 and the Cosmetic Products Enforcement Regulations 2013 and the CLP Regulation (Reg 1272/2008). Guidance for placing beauty products on the Northern Ireland market is slightly different, so businesses should pay extra attention to the rules to ensure any additional approvals and steps are taken.
⚠️ Effective from 1 September 2025, significant updates to banned and restricted substances in cosmetics now apply. The EU has classified over 20 new substances as carcinogenic, mutagenic, or toxic for reproduction (CMR) are these are all now prohibited under Regulation (EU) 2025/877, amending (EC) No 1223/2009. Note that there is no grace period, which means that products must be reformulated or withdrawn before the deadline.
Know the law on chemicals
Your business should also be aware of REACH (Registration, Evaluation, and Authorization of Chemicals) Regulation, which protects humans and the environment from risks posed by chemical substances. The UK REACH and the EU REACH systems are independent of each other, although both are based on the REACH model.
REACH covers chemicals beyond those found and used in cosmetic products (furniture, cleaning products, paints, electricals, etc.), and cosmetic e-commerce businesses should take proactive steps to stay compliant with the law. The burden of proof is on companies to identify and manage risks linked to substances manufactured and marketed in the UK and EU.
Complete a Product Information File (PIF)
Under Article 11 of the UK’s 2013 Cosmetics Regulations, a Product Information File (PIF) must contain a description of the cosmetic product, the Cosmetic Product Safety Report, the method of manufacture and GMP, the nature and proof of effect of the product, and any information regarding animal testing.
This information must be kept on record by your business for a period of 10 years after the date of the last batch of each product. This is very much a “living document” that should always be updated as required.
Identify your Responsible Person (RP)
The EU 1223/2009 and the UK Cosmetics Regulation 2013 require all cosmetics to have a designated Responsible Person in the relevant market. This is set out in Articles 4, 5, and 5A and could include a Manufacturer or Importer who is based in the UK and places the products directly on the market or a third party where authorized by a written mandate. This role is important, as the Responsible Person is in charge of ensuring the business complies with the regulation and that the requirements are fulfilled. If a cosmetic is found to present a risk to human health, it is the Responsible Person who must immediately let the relevant authorities know and cooperate with them to resolve the issue. This includes making the PIF of the product readily available.
The Responsible Person must update the PIF as required or choose when to create a new PIF if product updates mean that the product has now changed significantly.
Register every product through CPNP or SCPN
Your business will also need to undertake safety assessments and ensure your labels comply with regulations. Lastly, you must register all products through the Cosmetics Products Notification Portal (CPNP) in the EU or the cosmetics product search, or Search Cosmetic Product Notifications (SCPN), in the UK. The UK’s SCPN was created to notify the Secretary of State of any products made available on the UK market. Businesses can submit a notification here.
Add special labels for hazardous ingredients
If any of your cosmetics contain recognized hazardous substances (these are quite common in fragrances, peels, or essential oils), your business must also comply with CLP labeling requirements. This will include using hazard pictograms, signal words, and safety phrases on your labeling and packaging.
The rules on CLP are set out under the EU law for all cosmetic products placed on the EU market and applied to all member states. These rules were created when the UK was a member state of the EU and came into force in 2009. The CLP laws are based on the United Nations' Globally Harmonized System of the classification and labelling of chemicals (GHS); however, as this is only a voluntary agreement, the EU CLP Regulations make the GHS legally binding. Despite Brexit, the EU CLP Regulation (as amended) remains enshrined in UK law, and all businesses putting cosmetic products on the market should follow the law closely.
Quick tip: many businesses selling ‘natural’ or ‘artisanal’ products that they believe to be harmless unintentionally trigger CLP thresholds. A good example is products containing high concentrations of essential oils. No matter how natural your brand or products are, always check CLP and cosmetics labeling requirements, even for small-batch products or cosmetic collections.
Adhere to rules on transparency and digital labeling
Both the EU and the UK require full INCI (International Nomenclature of Cosmetic Ingredients) disclosure for all cosmetics sold online. Failure to provide clear, accessible ingredient lists on e-commerce platforms can result in fines and reputational damage. For e-commerce businesses, proper digital labeling of each product should be taken very seriously. Digital labeling enforcement is increasing, especially in France and Germany, with authorities targeting misleading or incomplete online product information.
2. Tax and accounting set up
If your business sells to EU consumers, you might want to opt for the One-Stop Shop (OSS) scheme for your VAT (value-added tax) matters. For businesses supplying UK customers, post-Brexit, you may need a UK VAT number so that platforms can handle VAT collection. Let’s look at these two schemes separately.
One Stop Shop (OSS) in the EU
The One Stop Shop scheme streamlines VAT registration and reporting for EU-based and non-EU businesses selling goods or services to EU consumers.
OSS started out as mini One Stop Shop (MOSS) in 2015, which was limited to digital services. In 2021, it was extended to OSS and now covers three schemes: the non-Union scheme, the Union scheme, and the import scheme (Import OSS or IOSS).
For businesses, the impact of these schemes is simple: instead of registering for VAT in every EU country where you sell, you only need to register in one member state and file a single VAT return covering all cross-border B2C sales within the EU. Union OSS is for businesses established in the EU, whereas non-union OSS is for non-EU businesses (including UK-based sellers post-Brexit) selling services to EU consumers. IOSS is for distance sales of goods imported into the EU from outside the EU, for consignments up to €150.
For the non-Union and Union scheme, the return must be filed quarterly. For the import, the return must be filed monthly. The return contains the details of all the VAT owed to each country, and the local tax authority then distributes payments accordingly. The OSS covers both physical goods and digital services sold B2C.
As Northern Ireland remains aligned with the EU VAT regime for goods, distance sales can use the Union OSS. Guidance for businesses registered for the OSS scheme and making distance sales from Northern Ireland to the EU can be found on the UK Government website.
UK VAT post-Brexit rules
After Brexit, non-UK sellers shipping goods to UK consumers must register for UK VAT if they store stock in the UK or sell goods directly to UK consumers. For physical goods, the UK VAT registration threshold for foreign businesses is effectively £0—registration is required from the first sale. UK VAT is charged at the point of sale to consumers.
Online Marketplaces (OMPs) and the ‘Deemed Supplier’ rule
The UK now often treats online marketplaces (such as Amazon or eBay) as the ‘deemed supplier’ for VAT purposes in two main scenarios:
- If goods are outside the UK at sale and the consignment value is £135 or less, the marketplace collects and remits VAT.
- If goods are already in the UK at the time of sale, the marketplace is also responsible for VAT collection, regardless of value.
If your business sells directly to your customer (no marketplace involved), you are responsible for UK VAT collection and payment. The main legislative basis for these rules is found in the Value Added Tax Act 1994 and its subsequent amendments.
Quick tip: if your business sells via a marketplace, you must establish who is the ‘deemed supplier’ and who is responsible for different VAT tasks in your agreements.
Foreign sellers and import VAT
Businesses that import goods into the UK for onward sale may reclaim import VAT only if they are UK VAT registered. For consignments over £135, import VAT is due at the border, and you must account for UK VAT on subsequent sales.
Always keep accurate records of sales, VAT collected, and any marketplace transactions. If unsure, seek support and guidance to determine if you need to register for UK VAT.
3. Agreements under consumer protection laws
Ensuring your e-commerce beauty business complies with EU and UK consumer protection laws is essential for building trust and avoiding costly penalties. Here’s what you need to know about the core legal frameworks.
Consumer Rights Directive (2011/83/EU) & UK Consumer Contracts Regulations
The EU Consumer Rights Directive (2011/83/EU) and the UK’s Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 harmonize consumer rights across the EU and UK and set out mandatory requirements for online sales. This includes rules on pre-contract information, rights to cancel, refunds, hidden fees, and contract confirmation.
Pre-Contract Information
Sellers must provide clear, comprehensive information before a sale, including a detailed description of the goods, services, or digital content; the total price (or how it will be calculated), including all taxes and delivery charges; payment methods and timelines for delivery; the identity and contact details of the seller; and the terms of any ongoing commitments, compatibility of digital content, and return/cancellation procedures.
Right to Cancel (Cooling-Off Period)
Consumers have a minimum 14-day period to cancel and return goods for any reason. The 14-day period begins from the day they receive the goods or, for services or digital content, when the contract is made. If the seller fails to inform the consumer of this right, the cancellation period can extend up to one year.
Refunds
Upon cancellation, consumers are entitled to a full refund within 14 days of giving notice. Sellers must also refund standard delivery costs, but consumers may be responsible for return shipping unless otherwise stated.
No Hidden Fees
All costs must be disclosed upfront. Hidden fees, pre-ticked boxes, or surcharges are prohibited. The total price must be transparent at the point of purchase.
Contract Confirmation
Sellers must confirm the contract and provide all required information in a durable medium (e.g., email or paper).
Distance Selling Directive (97/7/EC)
This directive is now superseded in the EU by the Consumer Rights Directive (covered above), so why include it here? The Distance Selling Directive established many foundational principles for remote sales, such as clear pre-sale information; a cooling-off period for returns; written confirmation of key terms; obligations to fulfill contracts within 30 days; and full refunds for cancellations within the cooling-off period.
These principles still influence international benchmarks and may be relevant for non-EU/UK cross-border sales.
UK DMCCA 2024 covers consumer protection, pricing, and reviews
The Digital Markets, Competition, and Consumers Act 2024 (DMCCA), effective from April 2025, introduces significant new protections for UK consumers. Businesses should pay special attention to the following rules and ensure that they comply with them accordingly.
Unfair Commercial Practices
The DMCCA strengthens rules against misleading, aggressive, or unfair sales tactics. The noticeable difference is the enforcement powers that the Competition and Markets Authority (CMA) can now wield over non-compliant businesses. Now, the CMA can impose fines up to 10% of global turnover for breaches and can take much swifter action without court approval.
Drip Pricing Ban
Businesses must display the total price of their products and services—including all mandatory fees and shipping costs—upfront. The practice of adding unexpected charges late in the checkout process (“drip pricing”) is now explicitly banned.
Subscription Contracts
New rules require clear disclosures about subscription terms, renewal, and cancellation rights to prevent “subscription traps” and give power to the consumer in the context of subscriptions.
Fake Reviews
The DMCCA bans fake, misleading, or concealed incentivized reviews. Onus falls on businesses to take active steps to prevent and remove fake reviews from their platforms. Failure to comply can result in severe penalties.
In light of the DMCCA and other consumer laws, businesses should be taking steps now to remain compliant and should be preparing themselves to be ready for proactive compliance checks and guidance updates.
How Legal Nodes can support your beauty E-commerce business
Legal Nodes helps beauty e-commerce businesses understand and manage their compliance requirements in the EU and UK. We guide you through setting up your company correctly, meeting obligations under cosmetics and chemicals laws, and ensuring all product registrations and labeling are in order. Our team can clarify your tax and VAT responsibilities, help draft compliant consumer agreements, and advise on data protection and privacy rules like GDPR and ePrivacy.
We also support you in assessing digital risks under new regulations like to make sure your business is prepared for emerging legal changes. Plus, as Legal Nodes is a digital platform and not a law firm, we are able to provide practical solutions across multiple jurisdictions that are cost-effective for your business.
4. Legal memos and licenses
We briefly discussed REACH earlier in this article, as both EU REACH and UK REACH require careful assessment of your supply chain and product formulations. Registration, notification, and ongoing compliance depend on your business’s role (manufacturer, importer, or downstream user), the substances you handle, and the jurisdictions you operate in. Non-compliance can result in enforcement action, product withdrawal, and reputational risk—so ensure your legal memos and licenses are robust and regularly reviewed.
EU REACH (Regulation (EC) No 1907/2006)
If you import or manufacture chemicals or raw materials in the EU at quantities of 1 ton or more per year, you must register those substances with the European Chemicals Agency (ECHA). This applies to both individual substances and those in mixtures, including cosmetic ingredients.
While finished cosmetic products are primarily regulated under the Cosmetics Regulation, REACH can still apply. If your product releases substances intentionally during use (such as sprays, wipes, or exfoliating beads), you may have REACH obligations even if you are only importing finished goods.
Key Steps for Compliance with EU REACH
- Determine if your imports or products trigger REACH registration (by volume and by whether substances are released).
- Submit the required technical dossier to ECHA, including safety data, use information, and exposure scenarios.
- Maintain up-to-date Safety Data Sheets (SDS) for all regulated substances.
- Monitor the Candidate List for Substances of Very High Concern (SVHC) and ensure communication down the supply chain if your products contain any listed substances.
UK REACH post-Brexit
The UK REACH is a separate Regime post-Brexit and has been in operation since January 1, 2021. UK REACH applies to England, Scotland, and Wales, whereas Northern Ireland continues to follow EU REACH under the Northern Ireland Protocol.
Under UK REACH, here are the rules on registration:
- Manufacturers and importers based in Great Britain must register substances over 1 tonne/year with the UK Health and Safety Executive (HSE).
- Non-GB businesses must appoint a Great Britain-based Only Representative (OR) to handle registrations.
- Downstream users in Great Britain may need to notify or register substances if their EU suppliers do not.
Great Britain-based companies holding valid EU REACH registrations as of December 31, 2020 could “grandfather” these into UK REACH by opening an account with the “Comply with UK REACH” service and providing initial data by the set deadline. Great Britain companies importing substances from the EU, previously covered under EU REACH, had to submit a Downstream User Import Notification (DUIN) to the HSE to continue importing while preparing a full registration.
Extension of Transitional Deadlines
Businesses importing substances into the UK must register by the following deadlines:
- Substances ≥1,000 tonnes/year, CMRs, or very toxic to aquatic life: registration deadline extended to October 27, 2026.
- Substances ≥100 tonnes/year: deadline October 27, 2028.
- Substances ≥1 tonne/year: deadline October 27, 2030.
Key Steps for Compliance with UK REACH
- Set up a UK REACH-IT account and file the necessary notifications or registrations.
- If you are a non-GB manufacturer, appoint a GB-based Only Representative.
- Keep records and update dossiers as new data becomes available.
⚠️ Remember, even if you only import or sell finished cosmetic products, you may have REACH obligations if the product is designed to release substances during normal use (e.g., fragrance sprays, wipes, exfoliating products) or your product contains SVHCs above 0.1% w/w, triggering notification and communication duties under REACH.
5. Privacy rules
Now that we’ve covered the key rules on cosmetics and consumer laws, don’t let data protection trip you up. These are the key privacy regulations that apply to EU and UK beauty e-commerce businesses.
GDPR & UK GDPR
Both the EU General Data Protection Regulation (GDPR) and the UK GDPR apply to businesses processing personal data of consumers in their respective jurisdictions. This includes common e-commerce activities such as email marketing, cookie consent during checkout, and customer profiling for personalized offers.
Lawful Basis for Processing
You must have a lawful basis to process personal data. For e-commerce, this is typically either consent or contractual necessity. With consent, this must be specific, informed, and freely given by the consumer by way of an opt-in (e.g., ticking a box to receive marketing emails). With contractual necessity, this includes processing data required to fulfill an order or deliver services.
Both EU and UK GDPR are very clear that consent must be freely given, specific, informed, and unambiguous. It must also be granular if you are processing data for different purposes. For example, you need to obtain consent separately for marketing and analytics. Consent isn’t needed when it comes to things like processing orders, as contractual necessity is used for that.
Generally speaking, pre-ticked boxes are not allowed; instead, the consumer has to actively opt-in and must be able to easily withdraw consent at any time without having to fight through complex unsubscription mechanisms.
However, there is an exception, commonly called “the soft opt-in,” when consent is not required to send electronic marketing to existing customers provided the following conditions are met:
- The company collected the personal data directly from the customer in the course of a sale.
- The product or service that will be marketed to the customer is the company’s own product or service.
- The product or service that will be marketed to the customer is similar to the product/service the customer bought.
- The customer was given a clear and easy way to refuse or opt out of electronic marketing when their personal data was collected.
- The customer is given a clear and easy way to refuse or opt out of electronic marketing in each following communication (e.g., an unsubscribe link in an email).
Data Subject Rights
Consumers have rights, including the right to access their data, correct it, delete it, and move it. Businesses must respond to data access requests within 30 days to avoid heavy fines (up to £18 million or 4% of global turnover in the UK).
Privacy Policies
You need a privacy notice that clearly explains:
- What data your business collects (e.g., names, emails, IP addresses)
- Why you collect it (e.g., order processing, marketing)
- How you use and share it
- What your retention periods are
- What your consumers’ rights and how to exercise them
Data Transfers
When transferring personal data from the UK to countries that do not have an “adequacy decision” from the UK government—meaning their data protection standards are not officially recognized as equivalent to the UK’s—businesses must implement additional safeguards to comply with the UK GDPR. One of the primary mechanisms for this is the International Data Transfer Agreement (IDTA).
The Information Commissioner’s Office (ICO) requires exporters to use the IDTA or the UK Addendum to the EU’s Standard Contractual Clauses (SCCs) as a lawful tool for restricted transfers. This became mandatory for new contracts after March 2022.
Differences Between EU GDPR and UK GDPR
Post-Brexit, the UK GDPR mirrors the EU GDPR with a few notable divergences, especially regarding data transfer rules and enforcement. UK businesses must comply with UK GDPR, and EU businesses with EU GDPR. Businesses operating in both regions must comply with both frameworks. If in doubt, seek legal guidance on which frameworks apply to your business.
ePrivacy Laws: PECR (UK) vs. EU ePrivacy Directive
The Privacy and Electronic Communications Regulations (PECR) govern electronic marketing, cookie use, and tracking technologies in the UK, implementing the EU’s ePrivacy Directive.
The EU ePrivacy Directive applies across the EU, regulating the use of cookies and similar tracking technologies; consent requirements for marketing communications via email, SMS, or automated calls; and the use of tracking pixels and online identifiers.
Cookie Consent
Both regimes require that non-essential cookies (e.g., for analytics or marketing) can only be placed after obtaining valid, informed consent. Cookie banners must clearly explain cookie purposes and allow users to accept or reject categories of cookies. It is best practice to avoid “cookie walls” that block access if consent is refused.
Marketing Communications
Consent is required for unsolicited marketing emails and SMS messages, with opt-in being mandatory.
Audit Your Consent Mechanisms
Ensure your cookie consent banners and pop-ups capture valid, GDPR-compliant consent for analytics and marketing cookies. Consent must be freely given, specific, and revocable.
When setting up email marketing opt-ins, confirm that your email marketing signup forms use explicit opt-in checkboxes, not pre-ticked boxes, and provide clear information on how data will be used.
Proper handling of data processing documentation requires that you maintain records of consent and data processing activities to demonstrate compliance in case of audits or investigations.
6. E-commerce beauty regulations watchlist
Regulations are always changing, and several upcoming laws could affect your beauty e-commerce business. Here are some key developments to monitor.
EU Digital Services Act (DSA)
The DSA’s core rules are already in force, but there are still some aspects of the regulation that are yet to come into effect. From May 2025, expect new guidance on protecting minors and from July 1, 2025, mandatory use of harmonized transparency reporting templates will be implemented. In general, businesses should keep a close eye on evolving DSA rules, especially concerning the continued enforcement of marketplace safety, product traceability, and user protection requirements.
UK Online Safety Bill
The UK’s Online Safety Act is highly relevant to beauty e-commerce businesses, especially those whose platforms allow user-generated content such as product reviews, Q&As, or social features. The beauty sector is seeing a growing number of children and young teens engaging with makeup and skincare content online. Research shows that children are interested in beauty products at increasingly young ages, with social media and influencer marketing accelerating this trend. This means beauty e-commerce platforms are likely to attract significant child and teen traffic, making them subject to the Act’s strictest requirements for protecting young users from harmful or inappropriate content. The law applies regardless of where your business is based if you target or have a significant number of UK users. As a result, beauty brands must take proactive steps to ensure their sites are safe for children, including moderating reviews and other interactive features to prevent exposure to harmful material.
In early 2025, the Online Safety Act moved into new enforcement phases. By March, all in-scope online services had to complete illegal content risk assessments and put systems in place to prevent and remove illegal content, such as fraudulent reviews or harmful user interactions. Businesses also had to assess whether their platforms are likely to be accessed by children and, if so, conduct a dedicated children’s access assessment by April 2025. Ofcom, the UK’s online safety regulator, published new guidance on protecting children and began monitoring compliance. The next major deadline is July 2025, when children’s risk assessments must be completed and child protection safety duties become enforceable. After July, Ofcom is expected to continue issuing further guidance and enforcing compliance, with a strong focus on child safety, content moderation, and transparency. Beauty e-commerce businesses should stay alert for additional updates, as non-compliance can result in significant fines and reputational damage.
2025 EU Nano-material & Preservative Rules
EU law strictly regulates the use of nanomaterials and preservatives in cosmetics to protect human health. In March 2024, the EU published Commission Regulation (EU) 2024/858, which amends the Cosmetics Regulation to ban or restrict a range of nanomaterials previously used in cosmetics due to potential health risks. The affected substances include nano forms of styrene/acrylates copolymer, copper, silver, gold, platinum, and certain peptides, among others. The first major compliance deadline was on February 1, 2025, by which point cosmetic products containing the newly banned nanomaterials (Annex II) or those not meeting new restrictions (Annex III) can no longer be placed on the EU market. A second compliance deadline is set for November 1, 2025, by which point such products must no longer be made available on the EU market—meaning they must be withdrawn from shelves if still present.
Businesses may need to undergo product reformulation, supply chain audits, make advance notifications to relevant authorities, and prepare for tougher regulatory scrutiny.
Grow your e-commerce beauty business compliantly
To help your e-commerce beauty business navigate existing and upcoming laws and tap into new markets compliantly, get support from Legal Nodes. We offer targeted guidance and solutions to help you meet your compliance obligations and adapt to new laws as your business expands. We can help with:
- Privacy and data protection compliance: we help you implement GDPR and UK GDPR-compliant practices for handling customer data, marketing, and cookie consent, so you can build trust and avoid costly data protection fines.
- General regulation compliance: we guide you through cosmetic and consumer law requirements, including product registration, labeling, REACH, and the latest changes in UK and EU consumer protection rules, ensuring your products and operations are always up to standard.
- Operational support: we’ll connect you with the experts on your tax and VAT matters. We’ll also help you set up robust internal policies and documentation to keep your business running smoothly and legally as you scale.
With Legal Nodes, you get clear, cost-effective compliance support tailored to your needs, so you can focus on growing your business with confidence. Speak to us today to find out how we can help your business grow compliantly.
Frequently asked questions on UK and EU cosmetic regulations
What are the key differences between EU and UK cosmetic labeling in 2025?
EU products require an EU-based Responsible Person (RP) and country of origin. UK products need a UK-based RP and cannot use “Made in the EU”; the specific country must be named. Both require ingredient lists and safety information. For more support, contact Legal Nodes.
Can I use the same cosmetic label for both the EU and UK in 2025?
Until December 31, 2025, you may use the same labels for Great Britain and the EU if they meet Article 19(1)(a) of the EU Cosmetics Regulation, but both EU and UK Responsible Person details may be needed.
What is a Product Information File (PIF) and why is it required?
A PIF is a dossier containing safety, manufacturing, and ingredient details for each cosmetic product. It’s mandatory for both EU and UK markets to demonstrate compliance and ensure consumer safety.
How does Brexit affect VAT and tax for beauty e-commerce in the UK?
Post-Brexit, UK VAT rules differ from the EU. UK sellers must register for UK VAT, while EU sellers may use the One Stop Shop (OSS) for EU-wide VAT reporting. Import VAT applies to foreign sellers shipping to the UK. For help with VAT matters, speak to Legal Nodes.
What is the role of the Responsible Person (RP) in cosmetics compliance?
The RP ensures each product meets all safety, labeling, and notification requirements. The RP must be based in the EU for EU sales and in the UK for UK sales, acting as the main regulatory contact. For help with cosmetics compliance, get in touch with Legal Nodes.
Boost your e-commerce business with compliance solutions
