The regulation of cannabinoids varies significantly by jurisdiction.
This page addresses the position in the United Kingdom only, and applies to online retailers of cannabinoid products serving UK customers.
Legal status and age restrictions in the UK
There is currently no explicit statutory minimum age in UK law for the purchase of lawful cannabinoid products such as cannabidiol (CBD).
However, the absence of a statutory age limit does not mean unrestricted access, nor does it remove regulatory expectations around child safety, data protection, product presentation, or consumer protection.
As the market has matured, both regulators and industry bodies have increasingly treated cannabinoids as age-sensitive products, particularly where products are ingestible, inhaled, or presented in ways attractive to younger users.
Many UK retailers now impose voluntary minimum age policies, commonly 18+, as a risk-management and consumer-protection measure.
Where a retailer adopts such a policy, it is expected to apply and enforce it in practice. In an online context, this requires age assurance. Reliance on payment methods alone, including credit cards, does not establish the purchaser’s age.
Controlled substances and THC
UK law draws a strict distinction between lawful CBD products and controlled drugs.
THC and controlled status
• Any product containing detectable THC is a controlled substance under the Misuse of Drugs Act 1971
• THC vape liquids are illegal in the UK
• Products must not claim or imply psychoactive effects
Marketing language, imagery, or branding that implies intoxication or being “high” may attract enforcement action even where THC is absent.
CBD vaping products
CBD vape products may be lawfully sold only if they meet all applicable legal requirements:
• No detectable THC
• No nicotine
• No medicinal or health claims
• Packaging and presentation must not imply therapeutic benefit
Products packaged in a manner similar to nicotine or medicinal products, or suggesting added vitamins or health effects, may breach UK product and advertising law.
CBD food products and novel foods
CBD food products are subject to novel food regulation.
• Products must be linked to a validated or pending novel food application
• Products not on the Food Standards Agency’s public list should not be sold
• Enforcement action may be taken against non-compliant products
Retailers should consult the Food Standards Agency’s guidance and public registers when assessing product legality.
Age Appropriate Design Code
The Age Appropriate Design Code, also known as the Children’s Code, is fully in force.
It applies to any online service likely to be accessed by children under 18 that processes personal data, regardless of whether children are the intended audience.
For cannabinoid retailers, this means:
• Assessing whether products, imagery, flavours, or marketing could appeal to children
• Considering physical and psychological risks to under-18s
• Applying proportionate safeguards where harm is foreseeable
Where a retailer reasonably concludes that its products are not appropriate for children, the Code supports the use of effective age gating or age assurance to restrict access.
UK GDPR and age assurance
Under UK GDPR, personal data includes identifiers such as IP addresses, device data, and behavioural information.
If a retailer relies on consent as a lawful basis for processing personal data, Article 8 requires that the user is old enough to give valid consent. In the UK, the digital age of consent is 13.
If a retailer does not know the user’s age, it cannot know whether consent is valid. This is particularly relevant where:
• Accounts are created
• Purchase histories are stored
• Behavioural or marketing analytics are used
Where health-related or ingestible products are involved, regulators expect heightened care.
The regulator, the Information Commissioner’s Office, can impose fines of up to £17.5 million or 4% of global annual turnover for serious breaches.
Our view
Although there is currently no statutory age limit for lawful CBD products in the UK, online cannabinoid retailers operate in a high-risk regulatory environment.
Taken together:
• Product safety law
• Drugs legislation
• The Age Appropriate Design Code
• UK GDPR
• Consumer protection expectations
create strong regulatory incentives to prevent access by children.
Where a retailer adopts a voluntary age limit, it must be enforced. Given the physical and psychological risks associated with inappropriate use, and the reputational consequences of harm to a child, we generally recommend at least a standard level of age assurance for online cannabinoid retailers.
PLEASE NOTE
This website does not constitute legal advice. You should always seek independent legal advice on compliance matters.