Key points:
Mandatory legal documents → Legal notice, terms and conditions, and privacy policy are non-negotiable in most jurisdictions. Their absence can result in significant fines.
GDPR/Data protection from the first email → As soon as you collect customer data, you must comply with applicable data protection laws: cookie banner, privacy policy, and respect for user rights. Non-compliance can result in substantial penalties.
Consumer protection rights → Many countries require clear return policies and consumer protection measures. Check your local requirements.
Legal structure required → Selling without proper business registration is illegal in most countries and can be heavily sanctioned.
Securing payments → HTTPS mandatory + certified payment solution (Stripe, PayPal...). Never store bank details yourself.
The 5 non-negotiable elements:
- Full legal information
- Terms and conditions (acceptance process)
- Privacy policy & data protection compliance
- Clear return/refund policy
- Registered legal business structure
Legal information
This page is the identity card of your online business. Without it, you risk legal issues from day one.
What you should include:
- Full name (or company name if you have a registered business)
- Physical business address
- Contact email and phone number
- Business registration number (varies by country: EIN, ABN, Company Number, etc.)
- Tax identification number if applicable
- Name of the person responsible for the website
- Hosting provider information
COPYFY tip: This information should be accessible in one click from any page on your site. Generally, it's placed in the footer with a clearly visible link.
Terms and conditions (T&Cs)

The T&Cs are your contract with your customers. They protect both parties and set the rules of engagement.
Essential elements:
- Precise description of products and services
- Pricing details including taxes and delivery costs
- Accepted payment methods
- Delivery times and conditions
- Return and refund policy
- Applicable warranties and guarantees
- Dispute resolution procedure
- Limitation of liability
Key point: Depending on your jurisdiction, customers may need to actively accept your T&Cs (checkbox) or acceptance may be implicit upon order completion. Check your local requirements for the best conversion approach.
Privacy policy & GDPR/Data protection
Data protection laws apply as soon as you collect any personal data: an email, an address, a phone number. Requirements vary by region (GDPR in UK/EU, CCPA in California, PIPEDA in Canada, etc.).
What you need to explain clearly:
- What data you collect and why
- How long you retain it
- Who has access to it (you, your suppliers, your marketing tools)
- Your customers' rights (access, modification, deletion)
- How to exercise these rights (dedicated email address)
- Security measures you have in place
- International data transfers (if applicable)
Important: If you use tools like Klaviyo, Google Analytics, or Facebook Pixel, you must mention them and explain their role.
Specific rules for online sales
Beyond legal documents, there are obligations specific to e-commerce that vary depending on your location.
Return & refund policy
This is a sensitive subject in e-commerce. Many jurisdictions have consumer protection laws.
Common requirements in various regions:
- UK/EU: 14 calendar days from receipt (mandatory cooling-off period)
- Australia: Returns required if goods are faulty, but not for change of mind unless advertised
- USA: No federal law requiring returns, but many states have specific rules. Clearly state your policy.
- Canada: Varies by province, but generally must accept returns for defective items
Common exceptions (where applicable):
- Customized or personalized products
- Perishable goods
- Sealed products that cannot be returned for hygiene reasons
- Downloaded digital content
Good to know: Where mandatory refund rights exist, you typically must reimburse within a specified timeframe, including initial delivery costs (unless premium delivery was chosen).
Cookies & consent banner

Most modern data protection laws require transparent cookie policies and user consent.
The golden rules:
- Banner must appear BEFORE any non-essential cookies are placed
- Users should be able to refuse as easily as to accept
- Explain what cookies are for (analytics, advertising, functional)
- Consent should be freely given, specific, and informed
- Some regions allow implied consent for non-tracking cookies
Recommended tools: Axeptio, Cookiebot, CookieYes, or solutions integrated with Shopify like Pandectes GDPR.
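The first two golden rules (no non-essential cookies before a decision, refusing as easy as accepting) are easiest to verify in code. The following consent gate is an added example, not code from the article or from any of the tools listed above; it assumes `storage` is a Map-like object (wrap `localStorage` in a real page) and that each loader is a function that injects one tag.

```javascript
// Added example (not from the article): a minimal consent gate for non-essential tags.
// Assumptions: `storage` is any Map-like object (wrap localStorage in the browser); each
// loader injects one tag (analytics, pixel...). The 13-month limit mirrors the article's
// note on cookie lifetime and forces a fresh decision once it is exceeded.
const NON_ESSENTIAL = ["analytics", "advertising", "functional"];
const CONSENT_KEY = "cookie_consent";
const MAX_AGE_MS = 13 * 30 * 24 * 60 * 60 * 1000; // roughly 13 months

function createConsentGate(storage = new Map(), now = () => Date.now()) {
  // Loaders registered before the visitor decides wait here, per category.
  const pending = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));

  function readDecision() {
    const raw = storage.get(CONSENT_KEY);
    if (!raw) return null; // banner not answered yet
    const decision = JSON.parse(raw);
    if (now() - decision.decidedAt > MAX_AGE_MS) { // expired: ask again
      storage.delete(CONSENT_KEY);
      return null;
    }
    return decision;
  }

  function isAllowed(category) {
    if (category === "necessary") return true; // strictly necessary: no consent needed
    const decision = readDecision();
    return decision !== null && decision.choices[category] === true;
  }

  // Store an explicit per-category choice; anything not ticked counts as refused.
  function decide(choices) {
    const normalised = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, choices[c] === true]));
    storage.set(CONSENT_KEY, JSON.stringify({ choices: normalised, decidedAt: now() }));
    for (const c of NON_ESSENTIAL) {
      if (normalised[c]) pending[c].splice(0).forEach((load) => load()); // release queued tags
    }
  }

  return {
    hasDecision: () => readDecision() !== null,
    isAllowed,
    // A tag fires only once its category is allowed, never before the decision.
    onAllowed(category, loader) {
      if (isAllowed(category)) loader();
      else if (pending[category]) pending[category].push(loader);
    },
    acceptAll: () => decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))),
    rejectAll: () => decide({}), // one call, as easy as accepting
    decide,
  };
}
```

Wire `acceptAll`, `rejectAll` and `decide` to the banner buttons, and register every analytics or advertising tag through `onAllowed` instead of loading it directly in the page head.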
Product warranties & compliance
As a seller, you are responsible for the compliance and quality of the products you sell, even if you are dropshipping.
Warranty requirements vary by jurisdiction:
- UK/EU: Minimum 2-year conformity guarantee
- USA: Implied warranty laws (merchantability and fitness for purpose) at state level
- Australia: Consumer guarantees under Australian Consumer Law
- Canada: Provincial consumer protection acts
What this means in practice: If a customer receives a defective, broken, or non-compliant product, you must offer a solution (exchange, repair, refund), regardless of whether it's your fault.
⚠️ Compliance starts with product research: Many e-retailers discover too late that their products don't meet safety standards (CE marking in EU, FCC compliance in US, etc.), contain prohibited substances, or violate patents. To avoid costly legal problems, learn how to validate product compliance during the research phase using our guide to product research in e-commerce. It's better to exclude a non-compliant product early than to manage a recall or legal action.
Tax obligations and registration
Tax authorities worldwide are increasingly scrutinizing e-commerce.
Business registration
Common structures (names vary by country):
- Sole proprietorship: Quick and easy to start, personal liability
- Limited liability company (LLC/Ltd): More fees but better protection
- Corporation (Inc/Corp): For ambitious projects with multiple partners
Tax compliance
Key considerations:
- VAT/GST/Sales Tax: Requirements vary dramatically by country and revenue thresholds
- Cross-border sales: Research destination country tax obligations
- Digital products: Often subject to special tax rules
- Dropshipping from abroad: Import duties, customs declarations, and tax simplification schemes may apply
International tax systems:
- EU: IOSS (Import One-Stop Shop) for shipments under €150
- UK: VAT registration often required for overseas sellers
- USA: Sales tax nexus rules vary by state
- Australia: GST registration threshold at AUD $75,000
- Canada: GST/HST requirements for non-residents selling to Canadians
The checklist to be in compliance
Now that we've seen the theory, let's move on to action. Here is your plan of attack to get your site up and running, step by step.
Step 1 → Draft legal documents
Immediate actions:
- Create a "Legal Information" or "Imprint" page with all mandatory details
- Write your terms and conditions adapted to your specific business
- Write your privacy policy listing all the tools and data you collect
- Add a "Cookie Policy" if you use tracking cookies
Templates ready: No need to reinvent the wheel. Sites like Termly, TermsFeed, or your e-commerce platform often offer templates you can adapt. The important thing is to customize them to your real business.
Step 2 → Set up data protection compliance
Concrete actions:
- Install a compliant cookie consent banner
- Create a contact form for data protection requests
- Document where your customer data is stored
- Establish a procedure for responding to access/deletion requests
- Verify that all your tools (analytics, email marketing) are configured properly
- Review third-party data processors and ensure they're compliant
Response time: Most laws require responding to data requests within 30 days.
Step 3 → Secure payments and data
The fundamentals:
- SSL/TLS certificate (HTTPS): Mandatory to protect data in transit and to reassure customers. Free with Let's Encrypt or included with most hosts.
- Secure payment: Use certified payment solutions like Stripe, PayPal, or Shopify Payments. NEVER store bank details yourself.
- Regular backups: Automate backups of your customer database.
- Trust signals: Display security badges (SSL, secure payment) on your product and checkout pages. It can boost conversion by 15-30%.
Helpful tools and resources
To help you navigate the legal landscape, here's a list of recommended tools:
Compliance information:
- Your local government website: Official information on legal obligations for your country
- Data protection authority: Find your country's authority (ICO in UK, FTC in US, OAIC in Australia, etc.)
Document generation:
- Termly: Comprehensive legal document generator
- TermsFeed: Free privacy policy and terms generator
- Shopify Legal Generator: Free for Shopify users
- iubenda: Privacy and cookie policy generator
Cookies & compliance:
- Cookiebot: Automatic cookie scanner and consent management
- CookieYes: GDPR/CCPA cookie consent solution
- OneTrust: Enterprise-level consent management
Legal support:
- LegalZoom: Business formation and legal documents (US)
- Rocket Lawyer: Legal documents and attorney advice
- E-commerce lawyer: For complex projects or specific questions
FAQ: the 5 frequently asked questions
Is dropshipping legal?
Yes, 100% legal. But you remain legally responsible for the quality of the products and for meeting delivery deadlines. You must have clear terms and conditions, respect the right of withdrawal, and be transparent about delivery times.
Am I affected by the GDPR?
Yes, as soon as you collect an email. Regardless of your size, if you sell to European citizens or if you are based in Europe, the GDPR applies. Even a simple contact form brings you within its scope.
Can I sell without terms and conditions (T&Cs)?
No, it's illegal. The terms and conditions are mandatory for all online sales. Without them, you risk a fine and you have no protection in the event of a dispute with a customer.
Do I need to start a business to sell online?
Yes, in 99% of cases. Selling without a legal structure is considered undeclared work. You risk heavy fines and problems with the tax administration. Start as a micro-business or a self-employed person; it's simple and inexpensive.
How long should customer data be retained?
It depends on the type of data:
- Billing data: 10 years (legal obligation)
- Marketing data (prospect): 3 years without interaction
- Bank/card data: NEVER store it yourself (use a payment service provider, PSP)
- Browsing data: 13 months maximum for cookies
Compliance protects you and your customers
There you go! You now have all the tools to bring your e-commerce into compliance. It takes time, and it won't directly generate revenue. But it will protect your business in the long run.
Think of legal compliance as insurance: you're investing now (in time and effort) to avoid paying 100 times more later (in fines, stress, and reputation damage).
The right mindset: It's not a constraint, it's a sign of professionalism. Your customers trust you when they see you take their safety seriously. And that trust converts into sales.
Important disclaimer: This guide provides general information and is not legal advice. Laws vary significantly by country and region. Always consult with a local attorney or legal expert for your specific situation.