Supermarkets may sell a wide range of age-restricted goods.
You should review our advice to specific sectors relevant to the goods you supply.
- Pharmaceutical
- Knives and Acids
We will not repeat these specifics here.
EU: GDPR (in force today)
If your customers open accounts on your website, you should be sure that your users are at least old enough to give consent for their personal data to be processed, if you rely on consent under Article 8 of GDPR, as a basis for processing some or all personal data you obtain from your users. (Remember, personal data even includes just an IP address.) In the UK, this “age of digital consent” is 13 but it varies between EU member states so if you have users in the EU, you will need to also determine their location and apply the relevant age as part of this check.
You may be dealing with sensitive personal data if you are gaining knowledge of the drugs prescribed to your users, so are more likely to be reliant on consent for permission to process data, so it is even more important that you establish the customer is old enough to give that consent in the country where they are located.
UK: Age Appropriate Design Code (in force today, but grace period in operation in the UK until 2 September 2021)
This requires sites to consider if they could risk the moral, physical or mental well-being of children under 18. And if so, to put in proportional measures to safeguard children and young people.
There is clearly a physical – and potentially mental – risk arising from providing pharmaceuticals to children. Our opinion is that online pharmacies clearly require age verification to be in place to keep children from acquiring drugs which may be unsuitable for their age. The rigor required is a matter for the judgement of the sites concerned – giving consideration to the nature of the content on the site, the number of users under 18 found to be using it, etc. But given the reputational risk if a child is harmed by drugs acquired from your online store, we recommend at least a standard level of assurance. See our page on levels of assurance for an explanation of the methods of age verification that achieve this degree of confidence in an age check.
UK: Online Safety Bill (only draft legislation, not yet passed by Parliament)
Online supermarkets do not generally allow users to interact and share content such as photographs, so they are not likely to be in scope for the Online Safety legislation. But if you do allow for online communities to discuss their shopping habits and preferences etc., then the site may fall within scope. There is a specific exemption for sites which allow comments on content produced and published directly by the site itself, not by users.
Online retailers’ sites may be “likely to be used by Children” so if they are in scope because they offer user-to-user services then further duties applicable. (But remember, children are defined as under 18-years-old.) It is recommended that sites monitor the age of their customers to check they have not become a site where:
- there are a significant number of children who are customers of the supermarket or of that part of it, or
- the supermarket, or that part of it, is of a kind likely to attract a significant number of users who are children – where a “significant” number includes a reference to a number which is significant in proportion to the total number of UK users of a service or (as the case may be) a part of a service. (This test is based on evidence about who actually uses a service, rather than who the intended users of the service are.)
Please read our briefing on the Online Safety Bill for further explanation of these new duties.