Running an online store creates legal obligations that a standard business website doesn't have. Customers are making financial transactions, often cross-border, and consumer protection laws in every major market have specific requirements about what you must disclose and offer.
Privacy policy
Every eCommerce site collects personal data: names, addresses, payment details, purchase history. A privacy policy is legally required in all major markets. For EU/UK customers, you must also have a lawful basis for processing payment and transaction data, and you must tell customers how long you retain it.
Terms and conditions of sale
For online stores, terms of sale are effectively required by consumer law in the EU, UK, and most other markets — even where no single statute mandates a terms document as such, the information it carries is mandatory. You must provide customers with:
- A full description of the goods or services
- Total price including taxes and fees
- Delivery information: timescales, costs, restrictions
- Your cancellation and return policy
- Contact details for customer service
- Information about complaints and dispute resolution
In the EU, this information must be provided before the order is placed, not after.
Returns and refund policy
In the EU (Consumer Rights Directive) and UK (Consumer Contracts Regulations), customers who buy online have a right to cancel within 14 days of receiving goods and receive a full refund — no reason needed. This right must be clearly communicated before purchase. In the USA, there's no federal right to returns, but you must honour whatever policy you publish.
Cookie consent
eCommerce sites almost universally use analytics, remarketing pixels (Google Ads, Meta), and session tracking. EU and UK law requires prior consent for all non-essential cookies. This means a compliant cookie banner that allows users to reject tracking before any marketing cookies are set.
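The practical requirement behind the banner is that tracking code must not run, and its cookies must not be set, until the visitor has opted in. The following is an added example written for this page (not code from the original or from any vendor): a small consent manager that queues non-essential tags and only injects them once consent for their category is recorded. The category names, the `cookie-consent` storage key, and the `inject` callback that would create the real script tags are assumptions chosen for illustration; in a browser you would pass `window.localStorage` and a function that appends a script element.

```javascript
// Added example, not from the original page: consent-gated loading of tracking tags.
// Category names, the storage key and the inject callback are illustrative assumptions.

const ESSENTIAL = new Set(["session", "cart"]);            // strictly necessary: no consent needed
const NON_ESSENTIAL = new Set(["analytics", "marketing"]); // require prior opt-in (EU/UK)

class ConsentManager {
  constructor(storage, inject) {
    this.storage = storage;   // localStorage-like object: getItem/setItem/removeItem
    this.inject = inject;     // function(category, tagName) that actually adds the script
    this.pending = new Map(); // category -> [tagName, ...] queued until consent exists
    this.loaded = [];         // tags that have actually been injected
  }

  // Consent is opt-in: an absent or unparsable record grants nothing.
  granted() {
    const raw = this.storage.getItem("cookie-consent");
    if (!raw) return new Set();
    try { return new Set(JSON.parse(raw).categories || []); } catch (e) { return new Set(); }
  }

  // Registering a non-essential tag never loads it by itself; it waits for consent.
  register(category, tagName) {
    if (ESSENTIAL.has(category)) { this.inject(category, tagName); this.loaded.push(tagName); return true; }
    if (!NON_ESSENTIAL.has(category)) throw new Error(`unknown category ${category}`);
    if (this.granted().has(category)) { this.inject(category, tagName); this.loaded.push(tagName); return true; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(tagName);
    return false;
  }

  // Called from the banner's Accept/Reject handlers; records the choice with a timestamp
  // so the decision can be evidenced later, then releases any queued tags for those categories.
  setConsent(categories) {
    const allowed = categories.filter(c => NON_ESSENTIAL.has(c));
    this.storage.setItem("cookie-consent", JSON.stringify({ categories: allowed, at: new Date().toISOString() }));
    for (const c of allowed) {
      for (const tag of this.pending.get(c) || []) { this.inject(c, tag); this.loaded.push(tag); }
      this.pending.delete(c);
    }
    return allowed;
  }

  reject() { return this.setConsent([]); }
}

// In-memory stand-in for localStorage so the example also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: k => m.delete(k),
  };
}

// Demonstration: a fresh visitor gets only essential tags until they accept a category.
function demo() {
  const injected = [];
  const cm = new ConsentManager(memoryStorage(), (cat, tag) => injected.push(`${cat}:${tag}`));
  cm.register("session", "session-cookie");
  cm.register("analytics", "ga4");          // constructed tag names
  cm.register("marketing", "meta-pixel");
  const beforeAccept = injected.slice();
  cm.setConsent(["analytics"]);             // visitor accepts analytics but not marketing
  return { beforeAccept, afterAccept: injected.slice(), pendingMarketing: cm.pending.get("marketing") || [] };
}
```

The point of the design is that the gate sits in front of script injection, not in front of the cookie: a tag that never runs cannot set a cookie, whereas trying to delete cookies after a tag has loaded is unreliable and already non-compliant. The stored record (categories plus timestamp) is what you would show if asked to evidence consent.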
Payment and security
If you handle card payments, PCI DSS compliance is required. Using a payment processor like Stripe or Shopify Payments shifts most PCI obligations to them, but you still have responsibilities around how you store and transmit card data (typically: don't store it at all, and always use HTTPS).
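"Don't store it at all" is easier to promise than to verify: card numbers tend to leak into application logs, order notes and support tickets through debug output or free-text fields. The following is an added example for this page, not code from the original or from any payment processor: a scan that finds Luhn-valid 13 to 19 digit runs in text so you can confirm that nothing under your control retains a primary account number. The sample log lines are constructed, and the card numbers in them are widely published test numbers, not real cards.

```javascript
// Added example, not from the original page: detect card numbers that have leaked into
// logs or other storage. Sample lines below are constructed for illustration.

// Luhn check separates real card numbers from order ids, phone numbers and timestamps.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Runs of 13-19 digits, optionally separated by single spaces or dashes, not embedded
// in a longer digit sequence.
const CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Returns every Luhn-valid candidate in a string, masked to first six / last four so the
// finding itself does not become another copy of the PAN.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({
        index: m.index,
        masked: digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4),
      });
    }
  }
  return hits;
}

// Scan an array of lines (a log file, a database dump) and report line numbers with findings.
function scanLines(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    for (const hit of findPans(line)) findings.push({ line: i + 1, masked: hit.masked });
  });
  return findings;
}

// Constructed sample log: an order id and a phone number (benign) alongside two leaks
// of well-known test card numbers.
const SAMPLE_LOG = [
  "2024-03-01 12:00:01 INFO checkout started order_id=1234567890123",
  "2024-03-01 12:00:02 DEBUG payment form payload card=4111 1111 1111 1111 exp=12/26",
  "2024-03-01 12:00:03 INFO customer phone +44 20 7946 0958",
  "2024-03-01 12:00:04 WARN retry ref=tok_visa_4242424242424242",
];
```

Run `scanLines` over exported logs, database dumps and ticket exports; a clean result is the evidence that supports the "we never store card data" position, and a hit tells you which code path is logging a payload it should not.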
VAT and tax disclosure
In the EU and UK, prices must be displayed inclusive of VAT when selling to consumers. If you sell internationally, you may have VAT/GST registration obligations in multiple countries once you exceed certain revenue thresholds. This is increasingly enforced for cross-border digital sales.
Product-specific regulations
Certain product categories have additional requirements. Food products require allergen information. Health supplements often require disclaimers. Electronic goods require CE or UKCA marking in the EU and UK respectively. Age-restricted products require age verification. Check the specific requirements for your product category in each market you sell to.
DSAR capability
Under GDPR and UK GDPR, customers can request access to all personal data you hold about them (a Data Subject Access Request). For eCommerce sites, this means being able to produce order history, delivery addresses, email marketing preferences, and any other data tied to that customer. You must respond within 30 days at no charge.