Laws and regulations every eCommerce owner should know – and how to comply

Why? Under most countries’ laws it’s mandatory that you disclose details related to privacy and your data processing activities. Failure to do so can result in massive fines, legally invalidate your mailing list, leave you open to litigation and negatively affect the credibility of your brand.

When do you need it? Whenever processing personal user data in any way (e.g. Via social connect buttons, payment portals, analytics services, shopping cart plugins etc.). Keep in mind that privacy policies should be dynamic documents as they must be reasonably up-to-date in order to be considered legally compliant.

Practical

• How to generate a privacy policy ›
• How to integrate the privacy policy with your site (General Guide) ›

Platform-specific integration

• WordPress websites ›
• Magento websites ›
• Shopify website ›
• PrestaShop website ›
• ePages websites ›

Informative

• Basic elements of a privacy policy ›
• Do You Need More Than One Language in Your Privacy Policy ›
• Which Countries Is Your Privacy Policy Good For? ›

Why? E-commerce websites often use cookies for everything from analytics statistics to social buttons and re-marketing services.

When do you need it? If you use cookies and you have EU-based users, you’re required by both law and by law-abiding third-parties such as Google, Amazon, Apple, Facebook etc. to comply with legal requirements; this generally means having valid cookie policy and cookie management solution in place.

Practical

• Getting started with the Privacy Controls and Cookie Solution ›
• Customize the Look & Behavior of the Cookie Banner › [Click here for Video]
• How to create a cookie policy ›
• Introduction to the Prior Blocking of Cookie Scripts ›
• How to Further Configure Your Privacy Controls and Cookie Solution (Advanced Guide) ›

Informative

• Introduction to the ePrivacy (Cookie Law) ›
• Cookies and GDPR ›
• What’s the IAB Transparency and Consent Framework (TCF)? ›

Why? Terms and Conditions (also called ToS – Terms of Service, Terms of Use or EULA – End User License Agreement) set the way in which your product, service or content may be used, in a legally binding way. Not only are crucial for protecting you from potential liabilities, but (especially in cases of ecommerce) they often contain legally mandated information such as users’ rights, withdrawal or cancellation disclosures.

When do you need it? In general, you’ll likely need to set Terms & Conditions if you have an ecommerce website. Specific instances where they might needed are where you:

• need to make legally required disclosures related to consumer rights (especially withdrawal and cancellation rights);
• have different user levels (eg. registered vs non-registered);
• run a service or platform which allows users to sell or trade with other users;
• facilitate or otherwise process payments and/ or other sensitive user data;
• want to set the rules for user behavior (including comments) and state grounds for termination of accounts;
• participate in affiliate programs;
• provide a product or service which can potentially cause harm if misused;
• would like to have some legally enforceable control over, and set rules about, how your product, service or content may be used.

Practical

• How to generate terms and conditions
• How to integrate iubenda’s terms and conditions on your site and app

Informative

• What are the terms and conditions and when are they needed?
• How using Terms and Conditions can protect your online store
• What should basic terms and conditions include?

Why? The GDPR requires that you keep and maintain valid records of consent if processing user data based on consent. Without these records, the consent you collect is considered invalid.

When do you need it? When processing the personal data of EU-based users on the legal basis of Consent. Common Scenarios of this include collecting personal data via forms for newsletters, email lists, subscriptions etc. This does not typically apply to consent for cookies as cookies are still largely governed by the ePrivacy Regulation (Cookie Law).

Practical

• Maintaining valid records of Consent – iubenda Consent Database ›
• Consent Database Implementation – JS Method Guide ›
  • Tutorial: How to set up the Consent Database using Contact Form 7 ›
• Consent Database Implementation – HTTP API Method Guide ›

Informative

• GDPR’s consent requirements ›

Why? The GDPR requires that you keep and maintain valid records of processing if processing the personal data of EU-based persons. Without these records, your processing activities would be in violation of the law. This is especially relevant to E-commerce businesses as they typically process sensitive data such as payment information.

When do you need it? If you fall under the scope of the GDPR and your processing activities are not occasional, could result in a risk to the rights or freedoms of others, involves sensitive data or if you have more than 250 employees — in short, it’s almost always required.

Practical

• Guide to the Register of Data Processing Activities›
• Register of Data Processing Activities Video tour and tutorial ›

Informative

• GDPR requirements for records of processing activities ›
• Register of Data Processing Activities features ›