The Online Safety Act Compliance Checklist for UK Shopify Merchants Selling Regulated Products
by Fena Team on July 20, 2025

Last updated: July 2025
The Online Safety Act has changed age verification requirements for UK ecommerce. Here's a practical compliance checklist for Shopify merchants selling vape, CBD, supplements, adult products — and what non-compliance actually costs.
The Online Safety Act has real teeth — and UK merchants selling regulated products need to know what it requires
The Online Safety Act came into effect with a set of requirements that directly affect UK ecommerce merchants selling age-restricted or regulated products. Age verification is no longer optional for these categories — it's a legal requirement with enforcement mechanisms that include website blocking, fines, and platform-level account action.
For Shopify merchants selling vape products, CBD, supplements with health claims, adult products, or similar categories, the question isn't whether to comply but how quickly and how thoroughly. Merchants who wait for enforcement action before addressing compliance are exposed to disruption that's significantly more expensive than the compliance investment itself.
This guide provides a practical compliance checklist structured around the specific requirements UK Shopify merchants need to address, explains what the enforcement landscape looks like, and covers where payment infrastructure — including age verification capabilities in the payment flow via Fena — fits into a complete compliance approach.
Quick summary
The Online Safety Act creates enforceable age verification requirements for UK merchants selling age-restricted products — self-declaration ("I confirm I am over 18") no longer meets the legal standard
Regulated categories include vape and nicotine products, adult content and products, CBD, certain supplements with health or performance claims, and other age-restricted goods
Non-compliance consequences include website blocking by UK ISPs, fines, and Shopify account suspension — the enforcement is active, not theoretical
A compliant store requires: proper product identification, accurate and legally compliant product copy, robust age verification, legally sound policies, and a payment gateway that supports compliance requirements
Shopify Payments and PayPal may freeze or terminate accounts for merchants in these categories regardless of content compliance — specialist payment infrastructure is required separately
Pay by Bank via Fena provides FCA-regulated payment processing for regulated UK Shopify merchants with integrated age verification as part of the payment flow
Step one: identify whether your products are affected
The first step is determining which of your products fall within the Online Safety Act's scope and any parallel regulatory frameworks that apply to specific categories.
Products that require age verification under UK law or platform policy include:
vape and nicotine products (subject to TRPR requirements and age-restricted sale), adult content and products, CBD products where age restrictions apply, alcohol sold online, and certain supplements or performance products where age-restricted sale is required by the relevant regulatory framework.
Products that require particular care with content compliance include:
any supplement or health product making claims about treating, preventing, or curing medical conditions; products with ingredients subject to MHRA or FSA regulatory requirements; and any product whose marketing claims could be construed as targeting minors.
The practical action here is a product-by-product audit. For each product line, determine: is this product age-restricted by law? Does the product's description make any claims that trigger MHRA, FSA, or ASA regulatory requirements? Does the product fall within a category that Shopify's acceptable use policy restricts?
This audit forms the foundation of the compliance review — you can't address compliance requirements you haven't identified.
Step two: review and update your product listings and content
Content compliance sits alongside age verification as a legal requirement. The Online Safety Act's content requirements and existing ASA and MHRA guidelines on health claims apply independently, and Shopify's own acceptable use policy adds a platform layer on top of regulatory requirements.
What to remove or revise:
Health claims that imply a product diagnoses, treats, cures, or prevents a medical condition must be removed unless the product has specific MHRA authorisation. This includes direct claims ("cures inflammation," "treats anxiety") and indirect language that implies the same effect ("helps your body fight disease," "supports recovery from illness"). The ASA enforces these standards actively, and non-compliant claims are a common trigger for ad takedowns and platform flags.
Language that implies unrealistic or unverifiable outcomes — "miracle results," "100% effective," "guaranteed results" — creates both advertising compliance problems and customer expectation issues that drive disputes.
Content that could be construed as targeting minors, including imagery, language, or design choices that would be more attractive to under-18s than adults, requires careful review for any age-restricted product.
What to add or make more prominent:
Intended use statements for research or supplement products ("for research use only," "this is a food supplement and should not be taken as a substitute for a varied diet") need to be visible, not buried in terms and conditions.
Ingredient disclosures, composition information, and where applicable, certificates of analysis should be accessible from product pages.
Age restriction notices on product pages for age-restricted items, clearly stating the minimum age requirement before any purchase interaction.
Step three: implement legally compliant age verification
This is the requirement that has changed most significantly with the Online Safety Act. The previous practice of asking customers to check a box confirming they are over 18, or to enter a date of birth, no longer meets the legal standard for age-restricted product sales. Self-declaration is not verification.
Compliant age verification for UK ecommerce requires a method that actually confirms the customer's age rather than simply accepting their claim. The accepted approaches include:
Government ID verification.
Asking customers to submit a government-issued ID document — passport, driving licence — which is checked against the claimed identity. This provides a high level of certainty but adds meaningful friction and raises data handling questions that require careful privacy policy treatment: the document image and its contents are sensitive personal data, so keep the store's own copy to the minimum the verification needs, or leave the document with the verification provider entirely.
Credit reference or bank-based age confirmation.
Using credit reference data or bank account information to confirm that the customer is of legal age. This is less friction-intensive than document submission because customers don't have to actively provide documents — the verification happens against data that already exists.
Digital identity verification services.
Third-party identity verification providers that have established compliant verification flows accepted by UK regulators. Several of these integrate with Shopify through the app ecosystem.
Pay by Bank via Fena.
Pay by Bank via Fena includes age verification capabilities as part of the payment flow, using bank-level data to confirm customer age at the point of payment. This integrates age confirmation into the checkout itself rather than requiring a separate pre-checkout gate, which reduces friction while maintaining the legal standard.
Age verification should be implemented at both the product page level — preventing restricted content from being accessible to unverified visitors — and at the checkout, where it must be enforced server-side so that no age-restricted purchase can be completed without verification being confirmed. A product-page gate on its own is a front-end control that a visitor can bypass, so the checkout check is the one that has to hold.
Verification logs must be maintained. Every age verification event should be timestamped, linked to the relevant order, and stored in a form that can be produced in response to a compliance review. This documentation is what demonstrates that your verification process is functioning rather than just present.
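The two requirements above (a checkout that cannot complete without a confirmed verification, and a verification log that can be produced for review) together with the verification-log and incident-logging points in step six come down to a small amount of server-side code. The following is an added example, not Fena's, Shopify's or any verification provider's code: an append-only, hash-chained log of verification events and the server-side checkout gate that consults it. It assumes an external verification provider has already returned a pass/fail outcome and an opaque reference; the order identifiers, provider references and method names are constructed for the example. The log refuses to store a date of birth or document data, so the record itself is not a second copy of the customer's identity that the privacy policy would then have to cover.

```python
"""Tamper-evident age-verification log with a server-side checkout gate.

Added example, not Fena's or Shopify's code. Assumes an external provider
(document check, bank data, credit reference, digital ID) has already
returned a pass/fail outcome and an opaque reference. Identity data is
refused so the log is never a second copy of the customer's identity.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64
ACCEPTED_METHODS = {"document", "bank_data", "credit_reference", "digital_id"}
IDENTITY_FIELDS = {"date_of_birth", "dob", "document_number", "document_image"}


@dataclass(frozen=True)
class VerificationEvent:
    order_id: str
    verified_at: str   # ISO 8601 timestamp, UTC
    method: str        # one of ACCEPTED_METHODS; self-declaration is deliberately absent
    provider_ref: str  # opaque reference issued by the verification provider
    outcome: str       # "pass" or "fail"
    prev_hash: str     # entry_hash of the previous event, GENESIS_HASH for the first
    entry_hash: str    # SHA-256 over every other field, in canonical JSON


def _hash_fields(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AgeVerificationLog:
    """Append-only in-memory log; persist entries unchanged to keep the same guarantees."""

    def __init__(self) -> None:
        self._entries: List[VerificationEvent] = []

    def record(self, order_id: str, method: str, provider_ref: str, outcome: str,
               verified_at: Optional[datetime] = None, **extra) -> VerificationEvent:
        leaked = IDENTITY_FIELDS & set(extra)
        if leaked:
            raise ValueError(f"refusing to store identity data: {sorted(leaked)}")
        if method not in ACCEPTED_METHODS:
            raise ValueError(f"{method!r} is not an accepted verification method")
        if outcome not in ("pass", "fail"):
            raise ValueError("outcome must be 'pass' or 'fail'")
        when = verified_at or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("verified_at must be timezone-aware")
        fields = {
            "order_id": order_id,
            "verified_at": when.astimezone(timezone.utc).isoformat(),
            "method": method,
            "provider_ref": provider_ref,
            "outcome": outcome,
            "prev_hash": self._entries[-1].entry_hash if self._entries else GENESIS_HASH,
        }
        event = VerificationEvent(**fields, entry_hash=_hash_fields(fields))
        self._entries.append(event)
        return event

    def verify_chain(self) -> bool:
        """True only if every hash recomputes and every link points at its predecessor."""
        expected_prev = GENESIS_HASH
        for event in self._entries:
            fields = asdict(event)
            stored = fields.pop("entry_hash")
            if event.prev_hash != expected_prev or _hash_fields(fields) != stored:
                return False
            expected_prev = stored
        return True

    def checkout_allowed(self, order_id: str, age_restricted: bool) -> bool:
        """Server-side gate: an age-restricted order needs its most recent event to be a pass."""
        if not age_restricted:
            return True
        for event in reversed(self._entries):
            if event.order_id == order_id:
                return event.outcome == "pass"
        return False  # never verified: a front-end age gate alone is not evidence

    def export_for_review(self, order_id: str) -> List[dict]:
        """The records a regulator or platform review would ask for, in insertion order."""
        return [asdict(e) for e in self._entries if e.order_id == order_id]


def demo_tamper_detected() -> bool:
    """Flip a failed check to a pass after the fact; the chain check must catch it."""
    log = AgeVerificationLog()
    when = datetime(2025, 7, 20, 12, 0, tzinfo=timezone.utc)  # constructed sample data
    log.record("ORD-1001", "bank_data", "prov-7f3a", "pass", verified_at=when)
    failed = log.record("ORD-1002", "document", "prov-91c2", "fail", verified_at=when)
    forged = VerificationEvent(**{**asdict(failed), "outcome": "pass"})
    log._entries[-1] = forged  # simulate someone editing the stored record
    return not log.verify_chain()


if __name__ == "__main__":
    print("tampering detected:", demo_tamper_detected())
```

Because each entry's hash covers the previous entry's hash, a record altered, reordered or deleted after the fact makes verify_chain() return False, which is what turns "we have logs" into "our logs can be shown not to have been edited". Store the entries exactly as written (an append-only table or file) and back them up for the retention period the page recommends; persistence, access control on the log and the call to the verification provider are deliberately left out of the example.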
Step four: ensure your legal pages meet current requirements
Legal pages for a regulated UK Shopify store need to reflect current requirements, be easily findable, and be written in language customers can actually understand. Legal pages that exist but can't be found, or that are written in impenetrable legal language that customers can't navigate, provide limited protection in practice.
Terms and Conditions
should include age restriction acknowledgements, intended use statements for any regulated products, clear statements about what the products are and are not, and jurisdiction-specific terms reflecting UK consumer protection law.
Privacy Policy
must comply with UK GDPR, covering the data collected during age verification specifically — what information is collected, why, how long it's retained, and how customers can request its deletion. Age verification data is sensitive and requires explicit treatment in the privacy policy.
Refund and Returns Policy
should reflect UK consumer law obligations — the 14-day cancellation right under the Consumer Contracts Regulations — while being clear about any specific exemptions that apply to your product category (for example, sealed goods such as supplements that have been unsealed after delivery and cannot be returned for health protection or hygiene reasons).
Age Restriction Policy
should appear as a standalone page or a clearly labelled section explaining which products are age-restricted, what the verification process involves, and what happens if verification fails.
All of these pages should be linked from the footer on every page and referenced in the checkout flow. Difficult-to-find legal pages provide no consumer protection and no compliance protection.
Step five: choose a payment gateway that supports your compliance requirements
This is the step that causes the most operational disruption for merchants who get it wrong, and it's worth addressing directly: Shopify Payments and PayPal are not viable primary payment processors for most regulated UK product categories, regardless of how complete your content and age verification compliance is.
Both platforms apply categorical restrictions to regulated product categories through their acceptable use policies. These restrictions operate at the platform level and can result in account suspension or fund holds that affect the entire business, not just restricted product lines. The timing of enforcement action is unpredictable — accounts can operate for months before a routine risk review triggers action.
Specialist payment options designed for regulated UK merchants are required. Within this space, there's an important distinction between specialist card processors — which accept regulated categories but still operate on card network infrastructure, with the associated fees, chargeback exposure, and rolling reserves — and Pay by Bank via Fena, which bypasses card networks entirely.
Pay by Bank via Fena operates on FCA-regulated open banking infrastructure. Because card networks are not involved, card network acceptable use policies don't apply to the payment flow. Eligibility is determined by legal operation in the UK and compliance with Fena's requirements, not by card network categorical policies.
For compliance specifically, Fena's payment integration includes built-in age verification capabilities that operate at the point of payment — confirming age through bank data as part of the checkout flow. This means the age verification and the payment are handled in a single, integrated process rather than requiring separate systems that need to be maintained and coordinated.
Step six: maintain records and monitor ongoing compliance
Compliance isn't a one-time setup — it's a continuous operational commitment. The regulatory environment changes. Platform policies update. The products you sell may change. Each of these requires compliance to be revisited rather than assumed to remain current.
Verification logs.
Maintain timestamped logs of every age verification event, linked to the corresponding order. These should be stored for at least 24 months for high-risk categories and be accessible for compliance review without requiring manual reconstruction.
Content review cadence.
Schedule quarterly reviews of all product page content against the current CAP Code (enforced by the ASA), MHRA guidance, and FSA requirements. Claims that were compliant when written can become non-compliant when regulatory guidance is updated.
Platform policy monitoring.
Shopify's acceptable use policies and payment processor terms update periodically. Changes to what's permitted or restricted can affect your store without direct notification. Monitoring these changes as part of a regular compliance review prevents being caught by policy changes you weren't aware of.
Incident logging.
Any verification failures, suspicious access patterns, or compliance-related customer interactions should be logged with timestamps. If a regulator or platform conducts a compliance review, demonstrating that you identified and responded to potential issues is meaningfully better than having no record at all.
What non-compliance actually costs
The enforcement context is worth understanding concretely, because the consequences of non-compliance extend well beyond a fine.
Website blocking.
UK ISPs can be directed to block access to websites that don't meet verification standards for age-restricted content. A blocked website is inaccessible to its entire UK customer base — the revenue impact is total rather than marginal.
Platform account suspension.
Shopify accounts suspended for compliance failures lose access to their storefront, their customer data, and in some cases their pending settlements. Rebuilding from a suspension is significantly more expensive and time-consuming than implementing compliance before it becomes an issue.
Payment account termination.
Merchants using card processors for regulated categories risk the termination described above — sudden loss of payment processing capability, held settlements, and the need to rebuild payment infrastructure under pressure.
Reputational impact.
Enforcement action against a brand in a category where customer trust is a primary commercial factor — supplements, wellness, specialist health products — has reputational consequences that extend beyond the immediate enforcement outcome.
For merchants who operate compliantly and have built their business on genuine product quality and responsible selling, the compliance investment is modest relative to the operational stability it protects.
Compliance checklist: audit your store before issues arise
Product audit:
have you identified every product that requires age verification or specific content compliance treatment? Is the list reviewed when you add new products?
Content compliance:
have all health claims been reviewed against current MHRA and ASA guidance? Are intended use statements visible on all relevant product pages? Have superlative or unverifiable claims been removed?
Age verification:
is a compliant (non-self-declaration) age verification method in place? Does it operate at both product page and checkout level? Are verification events logged with timestamps?
Legal pages:
do Terms and Conditions, Privacy Policy, Refund Policy, and any Age Restriction Policy reflect current UK law? Are they easily findable from every page?
Payment infrastructure:
are you using a payment processor that will remain stable for your product categories? Is age verification integrated into the payment flow or separately maintained?
Record keeping:
are verification logs stored and retrievable? Is there a documented process for quarterly content review and record maintenance?
Frequently asked questions
Do I need age verification for vape or supplement products on my Shopify store?
Yes, for products that are age-restricted under UK law. Vape and nicotine products require age verification before sale. For supplements, the requirement depends on the specific product and how it's classified. The key change introduced by the Online Safety Act is that self-declaration — a checkbox or date of birth field — no longer meets the legal standard. Verification must use a method that actually confirms the customer's age.
What happens if my Shopify store doesn't comply with the Online Safety Act?
Potential consequences include website blocking by UK ISPs, fines from the relevant regulatory body, and Shopify account suspension. For merchants selling through regulated product categories, non-compliance also creates risk at the payment processor level — accounts can be suspended by Shopify Payments or PayPal for compliance failures independent of Online Safety Act enforcement.
Does Pay by Bank via Fena help with age verification compliance?
Yes. Fena's Pay by Bank integration includes age verification capabilities as part of the payment flow, using bank-level data to confirm customer age at the point of payment. This integrates the verification and the payment into a single process, reducing friction compared to a separate pre-checkout age gate while maintaining the legal verification standard.
Can I use Fena alongside other compliance tools?
Yes. Fena's integration is compatible with existing Shopify setups and can work alongside dedicated age verification apps, content compliance tools, and other compliance infrastructure. It adds Pay by Bank with integrated age verification as an additional payment option rather than requiring a complete rebuild of your existing setup.
Does the Online Safety Act apply to small Shopify stores?
Yes. The size of the store is not a factor in the compliance obligation. Any UK merchant selling age-restricted products online is subject to the age verification requirements. Enforcement may focus initially on larger platforms and high-visibility non-compliance, but smaller merchants in regulated categories are not exempt.
Is Shopify Payments an option for CBD or vape stores in the UK?
No. Shopify Payments categorically restricts CBD, vape, and other regulated product categories regardless of the merchant's compliance posture. These restrictions operate at the platform level and can result in account suspension. Specialist payment options are required for these categories — including Pay by Bank via Fena, which operates on FCA-regulated open banking infrastructure outside card network acceptable use policies.