7 Legal Risks for eCommerce Business Owners

Ugis Pilabers

When business owners launch their eCommerce store, they first think about the design and content of the website. And that is correct, but the legal part is what they often forget – Terms of Use, Privacy Policy, right of withdrawal, cookies, and copyrights of text and photos. This blog post will help you avoid trouble and potential fines and claims.

1. Clear information for consumers


The EU Consumer Rights Directive obliges sellers to provide information in a clear, understandable, and easily accessible manner. This obligation applies not only to the Terms of Use but also to issues related to the description and price of the product or service, warranty, technical requirements for digital content or digital service, out-of-court dispute resolution, etc.

If you do not provide complete and understandable information, you are exposed to a high risk not only that your buyers will not purchase from you but also that you will attract the attention of consumer watchdogs.

2. Right of withdrawal (and when it doesn’t work)

Consumers within the EU can withdraw from distance and off-premises contracts within 14 days of the delivery of the goods or the conclusion of the service agreement, subject to certain exceptions. Sellers shall not only provide the consumer with the opportunity to withdraw from the goods or services but also adequate information on the procedure for exercising the right of withdrawal.

If you do not provide information about the right of withdrawal at all, the consumer has the right to unilaterally withdraw from the contract within a much more extended period – one year from the end of the initial withdrawal period.

Remember that the right of withdrawal is not applicable in all cases, for example, if the product was made to the consumer’s specifications or was clearly personalized. That happens, for example, when goods are printed to order, or engraving is carried out. Important – the right of withdrawal is not applicable if your buyer is another company (not a consumer).

3. GDPR and Privacy Policy

Selling goods or providing services is impossible without processing the personal data of your customers. You must have a Privacy Policy even if you do not offer the option to order and pay for the product or service online. For example, a manufacturing company that only fulfills orders for retailers may also receive and process personal data when responding to emails, communicating through social media, or providing prizes in competitions.

But the Privacy Policy takes on a completely different role when one offers to buy goods or services in an online store, for example, an eCommerce site that offers products. The General Data Protection Regulation (GDPR) provides a series of requirements you must include in your privacy statement – starting with the company’s contact information, the categories of personal data received and processed, and ending with the rights of data subjects.

It is important to remember that the Privacy Policy is a company’s one-sided statement about the data processing, and you do not need to ask for consent to your Privacy Policy from your customers. The GDPR imposes an obligation to provide information about data processing rather than asking for consent to data processing (see exception in Section 6).

4. If children can access your website


Developing a Privacy Policy is a complex process. On the one hand, the company must provide a large amount of information about the planned activities with personal data (for example, types of data, duration of storage, possible recipients, rights of data subjects, etc.). On the other hand, the GDPR requires compliance with the principle of transparency, namely that all information addressed to the public or the data subject is concise, easily accessible, easy to understand, and that clear and simple language and, in addition, visualization is used.

Although it may seem that the principle of transparency can be disregarded because “everyone has incomprehensible privacy policies”, Data Protection Authorities believe otherwise – an online store was fined EUR 15,000 for having an unclear and incomprehensible Privacy Policy.

It is even more critical to provide information concisely and visually if the service is offered to children or if they can access it. It applies to social media, online gaming platforms, ed-tech and learning services, connected toys and services, and even the homepages of professional sports organizations such as football clubs. The GDPR, UK Children’s Code (or “Age appropriate design code” to give its formal title), and Ireland Fundamentals for a Child-Oriented Approach to Data Processing determine that children are entitled to special protection. Where the processing concerns a child, information should be provided and communicated in such clear and simple language that the child can easily understand it.

5. Cookies


It is hard to imagine the development of your business without marketing activities. For websites and online stores, it means two equally essential processes – advertising to attract new customers and analytics for measuring visitor activities. To achieve these purposes, you should use cookies or similar technologies (e.g., pixels), which measure and analyze the activity of website visitors, the most popular sections, and your audience. Also, with cookies, you can start customized advertising: for example, if a potential buyer visits your website, targeted ads on other websites then remind them of the relevant product.

The ePrivacy Directive, which is in force in the European Union countries, states that the use of cookies for analytics and advertising purposes is allowed only if (a) the user has been provided with clear and accurate information about the purpose of the use of cookies before the cookies are placed and (b) the user has had the opportunity to refuse cookie storage on the device. The “EU cookie law” states that the cookies are OK only after the visitor clearly accepts them.

6. Do I need consent before sending marketing materials?

You can send advertising materials only in two cases – either based on consent or in accordance with the company’s legitimate interests to provide information to existing customers. In the first event, everything is simple – the visitor enters his or her email address through the homepage or mobile app and expresses the desire to receive promotional materials. It is important to remember that you must provide a convenient and easily accessible option to withdraw the consent. In the second event, i.e., in accordance with the legitimate interests of your business, you may send advertising materials only if all three conditions are met:

• you obtained the email address as part of a commercial transaction (for example, the customer has already placed an order for a product), and you send the notification about similar products or services

• the recipient has not initially objected to the further use of the email address

• each email contains a free option to opt out of further use of the email address

It is important to remember that you must include information about sending advertising and notifications based on consent or legitimate interests in your Privacy Policy.

7. Copyrights

An essential element of website development is the content – text, pictures, videos, sounds, and songs. Someone has created all these works, and copyrights protect them. The use of these works without consent is strictly prohibited. When you outsource website development (either to an agency or a freelance developer), you must verify the content used and its origin.

One option is to choose the pictures and other copyrighted materials from a photo bank, such as Freepik, Pixabay, or Giphy (remember to read their licenses). The other option is to engage a professional photographer (remember to sign a copyright agreement).

But you definitely must avoid randomly searching for images and other content on the internet and using them without permission. The copyright owners can easily find their pictures and claim copyright infringement compensation from you for using the work without permission. The exact amount depends on several factors, but the claim can easily reach EUR 5,000 and go beyond.

Understand your legal obligations

eCommerce owners, just like all other entrepreneurs, must deal with legal issues. You should make sure to include policies that would be specific to your store. Each shop is unique, so make sure to adjust your policies accordingly.

Policies should be designed to protect you and your customers, but they don’t have to be long and complicated. We offer clear and concise Terms & Conditions, Privacy Policy, Cookie Policy, and Shipping & Returns templates to protect your business. You can use and edit our templates to suit your specifications or add templates to your website or app as they are.

Do not forget to consult with an attorney to ensure you do your best to comply with applicable laws and regulations.

Be compliant and pick legal document templates for your eCommerce store from the RockTerms builder.

Photo by Gabrielle Ribeiro on Unsplash
