Supermarkets sell a wide range of age-restricted goods, often alongside products with no age limits. This creates particular compliance challenges, especially for online supermarkets where age restrictions must be applied selectively, consistently, and at scale.
You should review our sector-specific guidance for individual product categories, including:
• Pharmaceuticals and regulated treatments
• Knives, bladed articles, and corrosive substances
• Alcohol, tobacco, vapes, and nicotine products
• Lottery and gambling products
These requirements are not repeated here.
UK GDPR and customer accounts
Under UK GDPR, personal data includes identifiers such as IP addresses, device data, purchase history, and behavioural information.
If customers open accounts, and you rely on consent as a lawful basis for processing personal data, Article 8 requires that users are old enough to give valid consent. In the UK, the digital age of consent is 13.
If a supermarket serves customers in the EU, the applicable digital age of consent may be higher, up to 16, depending on the Member State. This means that where consent is relied upon, user age and location must be known in order to determine whether consent is valid.
Where supermarkets process health-related or sensitive data, for example relating to prescriptions or pharmacy services, the regulatory expectations are higher and reliance on valid consent becomes even more critical.
The regulator, the Information Commissioner’s Office, may impose fines of up to £17.5 million or 4% of global annual turnover for serious breaches.
Age Appropriate Design Code
The Age Appropriate Design Code, also known as the Children’s Code, is fully in force.
It applies to any online service likely to be accessed by children under 18, including supermarkets, even where children are not the intended customers.
For supermarkets, this requires consideration of:
• Whether age-restricted goods are visible or promoted to children
• Whether site design, imagery, or recommendations could expose children to harmful products
• Whether safeguards are proportionate to the risks involved
Where products present a physical or psychological risk to children, such as medicines, sharp implements, or chemical substances, effective age controls are expected.
If a supermarket concludes that certain goods are not appropriate for children, it must take steps to ensure children cannot access or purchase them online.
Enforcing age-restricted sales online
Many supermarkets already apply age limits in-store through Challenge 25 or similar policies. Online, the same obligation exists but requires different mechanisms.
Where a supermarket adopts an age restriction, whether statutory or policy-based, it is expected to apply and enforce it in practice. Reliance on payment method alone does not establish age.
Online supermarkets may need to apply age assurance:
• At account creation
• At point of purchase for restricted goods
• At delivery, where required by law e.g. bladed items
The level of rigour required depends on the nature of the goods and the risk involved.
Our view
Online supermarkets operate in a complex age-regulatory environment because they sell both unrestricted and age-restricted goods through a single service.
While supermarkets are not generally child-facing services, they are clearly likely to be accessed by children, whether browsing, using shared devices, or participating in household shopping.
As a result:
• Age-restricted products must be properly gated
• Minimum age rules must be enforced, not just stated
• Age assurance should be applied proportionately to risk
Given the potential for serious harm and reputational damage, we generally recommend at least a standard level of age assurance for online supermarkets selling age-restricted goods.
PLEASE NOTE
This website does not constitute legal advice. You should always seek independent legal advice on compliance matters.