Legality in e-commerce: everything you need to know to be in good standing!
In short: the 5 pillars of e-commerce compliance
1. Mandatory legal documents → Legal notice, terms and conditions and privacy policy are non-negotiable. Their absence can cost you up to €75,000 in fines.
2. GDPR from the first email → As soon as you collect customer data, you must be GDPR compliant: cookie banner, privacy policy and respect for user rights, on pain of fines of up to €20M.
3. Mandatory right of withdrawal → 14 days in Europe, you must clearly mention it and respect it, even when dropshipping.
4. Legal structure required → Selling without registration (auto-entrepreneur, SARL, license...) is considered undeclared work and is heavily sanctioned.
5. Securing payments → HTTPS mandatory + PCI-DSS certified payment solution (Stripe, PayPal...). Never store bank details yourself.
Try Copyfy for free
You've just launched your online store, the first sales are coming in, and everything seems to be working out. But one question is running through your head: am I really in good standing? Spoiler: if you're wondering, there are probably adjustments that need to be made. And believe us, it is better to anticipate than to receive a registered letter from the DGCCRF or the CNIL. In this guide, we give you all the keys to secure your business and sleep soundly.
1. Why is legality crucial in e-commerce?
Let's talk cash: selling online without being compliant is like driving without insurance. It may hold up for a while, but the day it goes wrong, it hurts your wallet and your reputation badly.
Risks and sanctions incurred
Sanctions are not urban legends. In France, the absence of legal information can cost you a fine of up to €75,000. For the GDPR, fines go up to 20 million euros or 4% of your global turnover (yes, you read that right).
But beyond the fine, it's your credibility that takes a hit. A customer who cannot find your terms and conditions or who does not feel safe on your site will buy elsewhere. Trust is built block by block, and legal compliance is the foundation.
The concrete consequences:
- Blocking of your site by the authorities
- Inability to advertise on Facebook/Google
- Loss of customers and bad reviews
- Complications with payment providers
- Legal risks with your unhappy customers
2. Essential legal obligations
Let's get down to business. Here are the documents that you absolutely MUST have on your site. Not negotiable.
Legal notice
It is the identity card of your online business. Without it, you are operating illegally from day one.
What you should definitely include:
- Name and surname (or company name if you have a company)
- Physical address of your business
- Telephone number and contact email
- SIRET number or equivalent depending on your country
- Intra-community VAT number if applicable
- Name of the director of publication
- Information about the host of the site
COPYFY tip: This information should be accessible in one click from any page on your site. Generally, it is placed in the footer with a clearly visible link.
CGV (General Sales Conditions)
The CGV are your contract with your customers. They protect both parties and set the rules of the game.
The essential elements:
- Precise description of products and services
- Price including VAT with details of delivery costs
- Accepted payment terms
- Delivery times and conditions
- Detailed right of withdrawal
- Applicable legal guarantees
- Procedure in the event of a dispute
Key point: The customer MUST check a box confirming that he has read and accepted the Terms and Conditions before validating his order. It is mandatory and it protects you legally.
Privacy policy & GDPR
The GDPR (General Data Protection Regulation) applies as soon as you collect any personal data: an email, an address, a telephone number.
What you need to explain clearly:
- What data you collect and why
- How long you keep it
- Who has access to it (you, your suppliers, your marketing tools)
- The rights of your customers (access, modification, deletion)
- How to exercise these rights (dedicated email address)
- The security measures you put in place
Important: If you use tools like Klaviyo, Google Analytics, or Facebook Pixel, you should mention them and explain their role.
3. Specific rules for online sales
Beyond legal documents, there are obligations specific to e-commerce that change depending on your location.
Right of withdrawal
It is THE sensitive subject in e-commerce. The law protects consumers who buy remotely.
In Europe: 14 calendar days from receipt of the product. The customer can return any item without justification.
Important exceptions:
- Personalized or made-to-order products
- Perishable goods
- Sealed products that cannot be returned for hygiene reasons
- Downloaded digital content
Good to know: You must reimburse the customer within 14 days of the withdrawal notification, including initial delivery costs (unless you have offered a premium delivery option).
Cookies & consent banner
Since the GDPR, it is impossible to escape the famous cookie banner. And no, pre-ticking the consent boxes by default is not legal.
The golden rules:
- The banner must appear BEFORE any cookie is set
- The user should be able to refuse as easily as to accept
- You must explain what cookies are for (analytics, advertising, functional)
- Consent should be free, specific, and informed
Recommended tools: Axeptio, Cookiebot, or solutions integrated with Shopify, such as Pandectes GDPR.
Legal guarantees & product compliance
As a seller, you are responsible for the compliance and quality of the products you sell, even if you are dropshipping.
Mandatory guarantees:
- Conformity guarantee: 2 years in Europe. The product must correspond to the description and be free of defects.
- Guarantee against hidden defects: Protects against defects that were not apparent at the time of purchase.
What that means in concrete terms: If a customer receives a defective, broken or non-compliant product, you must offer a solution (exchange, repair, refund), even if it is not your fault.
4. Tax obligations and registration
The less sexy part, but absolutely crucial. The tax administration does not joke around when it comes to e-commerce.
In Europe
Registration:
- Micro-business (formerly auto-entrepreneur): quick and easy to start
- SASU/EURL: more charges but better protection
- SAS/SARL: for ambitious projects with several partners
Intra-community VAT:
- Mandatory if you sell to professionals in the EU
- The number starts with the country code (FR, BE, etc.)
GDPR: Non-negotiable as soon as you process data from European citizens, regardless of your location.
DSA (Digital Services Act): New 2024 regulations for more transparency on marketplaces and online platforms.
Dropshipping from China:
- IOSS number mandatory for shipments under €150
- Simplifies the payment of import VAT
- Avoids unpleasant customs surprises for your customers
5. How to become compliant: the checklist ✅
Now that we've seen the theory, let's move on to action. Here is your plan of attack to get your site up and running, step by step.
Step 1 → Draft legal documents
Immediate action:
- Create a “Legal Information” page with all the mandatory information
- Write your terms and conditions by adapting a model to your specific activity
- Write your privacy policy listing all the tools you use
- Add a “Cookie Policy” page if you use cookies
Template ready: No need to reinvent the wheel. Sites like Captain Contrat or Shopify offer free templates that you can adapt. The important thing is to personalize them to your real business.
COPYFY tip: Use our automatic generator of compliant legal documents. In a few clicks, you get legal notices and terms and conditions that are perfectly adapted to your activity and your location.
Step 2 → Set up GDPR compliance
Concrete actions:
- Install a compliant cookie banner (Axeptio, Cookiebot)
- Create a contact form for GDPR requests
- Document where your customer data is stored
- Establish a procedure for responding to access/deletion requests
- Verify that all your tools (Klaviyo, Google Analytics) are configured in GDPR mode
Response time: You have 1 month to respond to a GDPR request, extendable to 3 months in case of complexity.
Step 3 → Secure payments and data
The fundamentals:
- SSL/TLS certificate (HTTPS): Mandatory to reassure customers and protect data. Free with Let's Encrypt or included with most hosting providers.
- Secure payment: Use PCI-DSS certified solutions like Stripe, PayPal, or Shopify Payments. NEVER store bank details yourself.
- Regular backups: Automate the backups of your customer database.
Trust signals: Display security badges (SSL, secure payment) on your product and checkout pages. This boosts conversion by 15 to 30%.
6. Useful tools & resources
To help you navigate the legal jungle, here is a list of recommended tools and resources.
Compliance check:
- CNIL (cnil.fr): THE reference for the GDPR in France
- Service-public.fr: Official information on legal obligations
- economie.gouv.fr: E-commerce guide and consumer rights
Document generation:
- Captain Contrat: CGV and personalized legal notices
- Shopify Legal Generator: Free for Shopify users
- COPYFY: Auto-generated legal documents + integrated compliance
Cookies & GDPR compliance:
- Axeptio: French solution, clean interface
- Cookiebot: Automatic cookie scanner
- Pandectes GDPR: All-in-one Shopify app
Tax:
- France: autopreneur.urssaf.fr, Infografe.fr
- Accounting: Pennylane, Indy, Dougs (outsource if you can)
Legal:
- LegalPlace: Creation of an online company
- E-commerce lawyer: For large projects or complex questions
7. FAQ: the 5 frequently asked questions
Is dropshipping legal?
Yes, 100% legal. But you remain legally responsible for the quality of the products and for meeting delivery deadlines. You must have clear terms and conditions, respect the right of withdrawal, and be transparent about deadlines.
Am I affected by the GDPR?
Yes, as soon as you collect an email. Regardless of your size, if you sell to European citizens or if you are based in Europe, the GDPR applies. Even a simple contact form brings you within its scope.
Can I sell without CGV?
No, it's illegal. The terms and conditions are mandatory for all online sales. Without them, you risk a fine and you have no protection in the event of a dispute with a customer.
Do I need to start a business to sell online?
Yes, in 99% of cases. Selling without a legal structure is considered undeclared work. You risk heavy fines and problems with the tax administration. Start as a micro-business or a self-employed person: it's simple and inexpensive.
How long should customer data be retained?
It depends on the type of data:
- Billing data: 10 years (legal obligation)
- Marketing data (prospect): 3 years without interaction
- Bank data: NEVER keep it (use a PSP)
- Browsing data: 13 months maximum for cookies
8. Compliance is your protection
There you go, you now have all the cards in hand to bring your e-commerce business into compliance. We won't lie to you: it's a bit boring, it takes time, and it's not what will directly generate revenue. But that's what's going to protect your business in the long run.
Think of legality as insurance: you're paying now (in time and effort) to avoid paying 100 times more later (in fines, stress, and a lousy reputation).
The right mindset: It is not a constraint, it is a sign of professionalism. Your customers trust you when they see that you take their safety seriously. And that trust is transformed into sales.




