Guiding Your Medical Equipment Ecommerce Website to Compliance: Navigating UK and European Regulations

10 August 2024 · MediDev

Selling medical devices online means operating at the intersection of ecommerce regulation, healthcare regulation, and data protection law. The compliance landscape is complex, and the consequences of getting it wrong range from financial penalties to criminal liability. This guide covers the key regulatory frameworks that medical device ecommerce businesses in the UK and Europe need to understand and implement.

GDPR and data protection

The General Data Protection Regulation, retained in UK law as the UK GDPR alongside the Data Protection Act 2018, applies to any ecommerce business handling personal data – and medical device ecommerce often handles data that falls into special categories. If your platform collects information about a customer's medical condition, disability, or healthcare needs in order to recommend or sell products, that data attracts the highest level of protection under the regulation.

Practical requirements include explicit, informed consent for data collection, particularly where health-related data is involved. Privacy policies must be specific and readable, not generic boilerplate. Customer data must be stored securely with appropriate access controls. You need documented data processing agreements with any third-party processors – payment gateways, analytics providers, marketing platforms. And you must have a clear process for handling subject access requests and data deletion requests within the statutory timeframes.

Medical Device Regulation

The EU Medical Device Regulation (MDR 2017/745) and its UK equivalent govern how medical devices are classified, marketed, and sold. For ecommerce, the key obligations relate to how products are presented and what information is made available to buyers.

Every product listed on your site must display accurate classification information, the correct CE marking (for EU sales) or UKCA marking (for UK sales), and the identity of the manufacturer and, where applicable, the authorised representative. Instructions for use must be accessible. Product descriptions must not make claims that are not supported by the device's conformity assessment. This is particularly relevant for consumer-facing content, where the temptation to simplify can lead to claims that go beyond what the regulatory approval covers.

If you are a distributor rather than a manufacturer, you still have regulatory obligations. You must verify that devices bear the correct markings, that the manufacturer can be identified, and that you maintain records of your supply chain. Post-market surveillance obligations may also apply – if you become aware of a safety issue with a device you sell, you have a duty to report it.

PCI-DSS and payment security

Any website that processes, stores, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard. For most medical device ecommerce businesses, the practical approach is to minimise your PCI scope by using a hosted payment page or tokenisation service from your payment gateway. This means card data never touches your servers, significantly reducing your compliance burden.

Even with a hosted payment approach, you are not exempt from PCI requirements entirely. You still need to complete a Self-Assessment Questionnaire, maintain secure infrastructure, keep software up to date, and ensure that your checkout flow does not introduce vulnerabilities. Regular vulnerability scanning and penetration testing are strongly recommended, and may be required depending on your transaction volume and acquirer requirements.
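One concrete way to keep card data off your servers even when a client misbehaves: the order endpoint accepts only the gateway's payment token and refuses any request body that carries something resembling a card number. This is an added illustration, not code from the post or from any payment gateway; the `accept_order` endpoint shape, the `payment_token` field name and the sample values are constructed for the example.

```python
import re
from typing import Any

# Runs of 13-19 digits, optionally separated by spaces or dashes (card-number layout).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pan_like(value: Any) -> list:
    """Walk a decoded JSON payload and return values that look like a card number.
    Hits are masked (first 6 and last 4 digits) so the caller never logs a full PAN."""
    hits = []
    if isinstance(value, dict):
        for v in value.values():
            hits.extend(find_pan_like(v))
    elif isinstance(value, list):
        for v in value:
            hits.extend(find_pan_like(v))
    elif isinstance(value, str):
        for m in _PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):      # Luhn filters out order refs and tracking numbers
                hits.append(f"{digits[:6]}{'*' * (len(digits) - 10)}{digits[-4:]}")
    return hits

def accept_order(payload: dict) -> dict:
    """Guard for a tokenised checkout (constructed endpoint): the only payment field
    accepted is the gateway token. Anything resembling a PAN is rejected before the
    request is stored or logged, so cardholder data never enters this system."""
    masked = find_pan_like(payload)
    if masked:
        return {"accepted": False, "reason": "cardholder data must not be sent here", "masked": masked}
    token = payload.get("payment_token")
    if not isinstance(token, str) or not token:
        return {"accepted": False, "reason": "missing payment_token"}
    return {"accepted": True, "payment_token": token}
```

Run this check before any logging middleware sees the body, otherwise the rejected request can still land a PAN in your logs and pull them into PCI scope.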

Accessibility

The Equality Act 2010 requires that services – including online services – are accessible to people with disabilities. For medical device ecommerce, this has particular relevance: many of your customers may have conditions that affect their ability to use a standard website. Visual impairments, motor difficulties, and cognitive conditions are all common among buyers of medical devices.

The Web Content Accessibility Guidelines (WCAG) 2.2 at level AA is the accepted standard. This covers requirements such as sufficient colour contrast, keyboard navigability, screen reader compatibility, clear form labelling, and meaningful alt text for images. Beyond legal compliance, accessibility is simply good practice – an accessible site is easier for everyone to use, which directly improves conversion rates.

Consumer protection and distance selling

The Consumer Contracts Regulations 2013 apply to all B2C online sales in the UK. Key requirements include providing clear pre-contractual information – the total price including taxes, delivery costs, and the trader's identity and contact details. Consumers must be given a 14-day cancellation period for most goods, though there are exceptions for sealed goods that are not suitable for return for health or hygiene reasons once opened. This exception is relevant for many medical devices, but it must be clearly communicated before purchase.

Putting it into practice

Compliance is not a one-time project. Regulations evolve, and your platform must evolve with them. The transition from MDD to MDR, the ongoing development of UK-specific device regulations post-Brexit, and the evolving interpretation of GDPR by supervisory authorities all require ongoing attention.

Build compliance into your platform architecture from the start. Use structured product data that includes regulatory fields. Implement consent management that can adapt to changing requirements. Choose a payment architecture that minimises PCI scope. Test for accessibility regularly, not as an afterthought. And maintain clear documentation of your compliance posture – you may need it for customer due diligence, a regulatory inquiry, or acquisition-level scrutiny.
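As an added example of "structured product data that includes regulatory fields" (not the post's own code or any vendor's schema), the validator below blocks publication of a listing unless it carries the fields the Medical Device Regulation section above calls for: a recognised class, the marking that matches the target market, the manufacturer's identity, an authorised representative where the manufacturer is established outside that market (the applicability rule this example assumes), accessible instructions for use, and no marketing claim outside the set covered by the conformity assessment. The `ListingRecord` model and the sample values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Device classes as used under MDR Annex VIII; the same class names apply to UK listings.
VALID_CLASSES = {"Class I", "Class IIa", "Class IIb", "Class III"}
# CE for EU sales, UKCA for Great Britain sales (the two markets the post covers).
REQUIRED_MARKING = {"EU": "CE", "GB": "UKCA"}

@dataclass
class ListingRecord:
    """Constructed data model for one product listing (not a standard schema)."""
    market: str                          # "EU" or "GB"
    classification: str                  # e.g. "Class IIa"
    marking: str                         # "CE" or "UKCA"
    manufacturer: str                    # legal manufacturer identity
    manufacturer_in_market: bool         # established inside the target market?
    authorised_representative: Optional[str]
    ifu_url: Optional[str]               # where instructions for use can be read
    marketing_claims: List[str]          # claims made in the product description
    approved_claims: List[str]           # claims covered by the conformity assessment

def validate_listing(rec: ListingRecord) -> List[str]:
    """Return the list of blocking problems; an empty list means the listing may go live."""
    problems = []
    expected = REQUIRED_MARKING.get(rec.market)
    if expected is None:
        problems.append(f"unknown market {rec.market!r}")
    elif rec.marking != expected:
        problems.append(f"{rec.market} listing requires {expected} marking, found {rec.marking!r}")
    if rec.classification not in VALID_CLASSES:
        problems.append(f"unrecognised classification {rec.classification!r}")
    if not rec.manufacturer.strip():
        problems.append("manufacturer identity missing")
    # Assumed applicability rule: a representative is needed when the manufacturer
    # is not established in the market the listing targets.
    if not rec.manufacturer_in_market and not rec.authorised_representative:
        problems.append("authorised representative required for a manufacturer outside the market")
    if not rec.ifu_url:
        problems.append("instructions for use not accessible")
    unsupported = sorted(set(rec.marketing_claims) - set(rec.approved_claims))
    if unsupported:
        problems.append("claims not covered by conformity assessment: " + ", ".join(unsupported))
    return problems

def publishable(rec: ListingRecord) -> bool:
    """Gate the publish step on a clean validation result."""
    return not validate_listing(rec)
```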