The more commonplace online business becomes, the more complex online business legal requirements grow. But despite the complexity, every e-commerce business owner must understand and abide by online business laws. Doing so helps to not only avoid legal repercussions but also maintain the trust of consumers. In this article, we’re going to break down 13 of the most important e-commerce legal regulations around the world.
1. General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law in the European Union that protects consumers’ control over their personal data. Personal data, in this context, refers to any information that could be used to identify a real, living person, including but not limited to name, email address, location data, IP address, or social security number.
The GDPR establishes specific rules regarding the way businesses collect, process, and store their customers’ personal information, requiring them to obtain explicit consent from customers before collecting their data. It also grants consumers the right to access and correct their data as well as request to have their data completely removed from online databases.
If your business processes data from EU citizens, the GDPR applies to you — regardless of where in the world your business is based. To remain compliant with GDPR requirements, you must obtain explicit consent from your online customers before collecting, processing, and storing their personal data. You also need to inform your customers about your business’s data processing practices and provide them with the ability to access and correct their personal data.
Read More: How to Make Your Magento Store Compliant with GDPR
2. California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a privacy law in the United States that’s designed to enhance consumer privacy rights in the state of California. It requires businesses to inform customers in California about the personal data that’s collected from them and gives California residents the right to request the deletion of their data and to opt out of the sale of their information. The CCPA protections extend to all residents of California, but its requirements only apply to your business if you:
- Generated a gross annual revenue of over $25 million in the preceding calendar year (measured on January 1 of the calendar year)
- Buy, sell, or share the personal information of 100,000 California consumers or households (or more) per year
- Derive 50% or more of their annual revenue from selling or sharing personal information
If your business meets one or more of these criteria, you must comply with the CCPA’s requirements for handling California residents’ data.
To comply with the US Privacy Laws in general, we recommend updating your privacy policy to communicate your business’s data collection and processing practices to your customers. You also need to create an accessible channel through which your customers can request that their data be deleted, and your business must follow through on such requests.
3. Lei Geral de Proteção de Dados (LGPD)
The Lei Geral de Proteção de Dados (LGPD) — Portuguese for “General Data Protection Law” — governs the way businesses collect and process Brazilian customers’ personal data. It’s similar to the GDPR in that it grants consumers control over their own data, requires e-commerce businesses to obtain consent before collecting personal data from customers, and gives consumers the right to access and correct their personal information online. Additionally, the LGPD establishes rules for the transfer of data across borders and obligates businesses to adopt certain security measures to protect their customers’ personal data.
To keep your business compliant with the LGPD, you’ll first need to follow the same steps you would take to ensure compliance with the GDPR or CCPA, including:
- Getting consent from customers before collecting their data
- Providing them with transparent information about your business’s data handling practices
- Offering a clear route for them to have their data deleted if they desire.
Furthermore, you should establish concrete processes for complying with cross-border data transfer requests.
4. Australia Privacy Principles (APPs)
The Australia Privacy Principles (APPs) are a set of business regulation laws outlined in the Privacy Act 1988, governing the handling of personal information by Australian businesses and organizations. The APPs aim to ensure the protection of individuals' privacy and, just like the previous 3 laws listed above, provide guidelines for the responsible collection, use, and disclosure of personal information. Under the APPs, businesses are required to provide:
- Open and Transparent Management of Personal Information
- Anonymity and Pseudonymity
- Notification of the Collection of Personal Information
- Security of Personal Information
- Access to and Correction of Personal Information.
If your business handles personal information in Australia, you need to comply with these principles to ensure the privacy rights of Australian citizens.
5. The Omnibus Directive
The Omnibus Directive is a directive issued by the European Union to align various regulations related to electronic communication and digital services across EU member states. Its contents range from consumer rights to data privacy, to digital security in general. The directive is broad, but its core goal is to establish a unified regulatory framework for e-commerce in the EU.
Some of the main regulations the EU Omnibus Directive outlines include:
- Businesses must be fully transparent with customers about the price histories of products in cases of price reductions (including the 'lowest price in 30 days' data).
- Businesses are responsible for verifying the authenticity of customer reviews posted to the business’s website or to which the business provides access.
- Businesses are subject to GDPR consumer protection regulations even when exchanging digital goods or services for personal data instead of money.
- Businesses must inform customers about how pricing decisions are made and what criteria are being used to rank product search results.
These are just a few of the main e-commerce requirements imposed by the Omnibus Directive on businesses that sell to customers in the EU (regardless of the business’s location). If your organization does online business in the EU, you should review the Omnibus Directive in full to make sure you're compliant.
Read More: How to Comply with the Omnibus Directive?
6. Consumer Rights Directive (CRD)
Separate from the Omnibus Directive, the Consumer Rights Directive (CRD) in the European Union (EU) is a collection of sale laws aimed at protecting consumers engaging in distance and off-premises contracts. Naturally, this includes online transactions. The CRD addresses issues related to unfair commercial practices, ensuring that consumers are not misled or subjected to aggressive marketing tactics. It prohibits hidden costs and pre-ticked boxes during online transactions, promoting fair and transparent dealings. According to CRD, your EU businesses are obliged to provide:
- Clear details about the seller
- The main characteristics of the product or service
- The total price of the product or service
- Any additional charges
Moreover, consumers must also be allowed to cancel the contract within a specified timeframe without providing a reason.
To ensure e-commerce compliance with CRD, update terms and conditions, provide clear and accessible information on the website, and implement mechanisms for easy cancellation or withdrawal by consumers.
7. Electronic Commerce (EC) Regulations UK
The Electronic Commerce (EC Directive) Regulations in the UK is a set of regulations that implement the EU Electronic Commerce Directive in the United Kingdom. Similarly to CRD, these regulations are designed to establish a legal framework for electronic commerce activities and online services. They cover various aspects of e-commerce, including information disclosures, online contracts, and liability of service providers.
According to these regulations, if your business is engaged in electronic commerce within the UK, it must remain transparent about its identity, the products or services offered, prices, and any applicable taxes or delivery charges. This information should be easily accessible on the website or online platform.
To comply with the Electronic Commerce (EC Directive) Regulations, review and update your online practices, ensuring that you provide accurate and up-to-date information to consumers. This includes displaying terms and conditions, privacy policies, and contact details.
8. Americans with Disabilities Act (ADA)
The Americans with Disabilities Act (ADA) is a United States law that prohibits discrimination against individuals with disabilities in employment, public services, and various accommodations. The ADA is not exclusively applicable to the e-commerce industry, but many of its requirements impact e-commerce businesses — particularly when it comes to website legal requirements regarding accessible website design.
The ADA’s website laws regarding accessibility apply to all state and federal websites, as well as all businesses that are open to the public. To comply with the ADA, your e-commerce website must be built in a way that does not prevent people with protected disabilities from using it. Some of the most important questions you should ask yourself when designing an accessible website include:
- Is there adequate color contrast between text and backgrounds?
- Is any information communicated purely through color (such as using green vs. red text to differentiate which features do and do not come with a certain subscription)?
- Do images include alt text?
- Are videos captioned?
- Are online forms screen-reader compatible?
These are just a handful of the most important accessibility factors to consider when designing your online store.
Read More: Magento Accessibility Compliance
9. Web Content Accessibility Guidelines (WCAG)
The Web Content Accessibility Guidelines (WCAG) are a set of guidelines developed by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C). These guidelines can be viewed as a global alternative to ADA targeting online spaces. It aims to make web content more accessible to people with disabilities, including those with visual, auditory, cognitive, and motor impairments.
WCAG provides a framework for creating accessible web content by offering specific recommendations for designing and developing websites and web applications. The website regulations are organized into four principles, often referred to as POUR: Perceivable, Operable, Understandable, and Robust.
For businesses engaged in e-commerce, adhering to WCAG guidelines is essential to ensure that their websites are accessible to a diverse range of users, including those with disabilities. Compliance with WCAG not only aligns with ethical principles of inclusivity but also helps businesses reach a broader audience and may be required by law in certain jurisdictions.
Read More: What Does WCAG's 'POUR' Actually Mean?
10. Fair Packaging and Labeling Act (FPLA)
The Fair Packaging and Labeling Act (FPLA) is a United States law issued through the Federal Trade Commission and the Food and Drug Administration. It requires all consumer commodities to be labeled according to certain criteria, indicating:
- The identity of the commodity
- The name and location of the manufacturer, packer, or distributor
- The net quantity of the commodity in weight, measure (both metric and imperial), or numerical count
Similar to the ADA, the FPLA is not explicitly an e-commerce regulation, but its requirements apply to many e-commerce businesses too. Whether you’re selling your products online or in brick-and-mortar stores, you need to make sure they’re properly labeled. Remember to regularly verify the accuracy of your product labeling and update packaging whenever there are any changes to a product.
The only time the FPLA does not apply is when a business is not selling a physical, packaged commodity — for example, if you have an online SaaS business that sells cloud-based software subscriptions.
11. Minimum Advertised Price (MAP)
MAP or Minimum Advertised Price policy is where a manufacturer or brand sets the lowest price at which their products can be advertised or sold. This is often done to maintain brand value and prevent price erosion. While MAP policy isn't exactly a law, it is still a legal regulation enforced by individual brand owners who monitor retailers and distributors to ensure compliance with their pricing rules. Violations of MAP policies can result in consequences such as loss of privileges, termination of contracts, or legal action.
You shouldn't confuse MAP with MSRP. While MAP is the lowest price at which a manufacturer allows its products to be advertised, the Manufacturer's Suggested Retail Price (MSRP) is the price suggested by the manufacturer for retailers to sell the product to consumers.M SRP serves as a benchmark for retailers and is not a mandatory price regulation. So while you should abide by the minimum price requirements (MAP), you can choose to sell the product at a higher or lower price than MSRP.
Read More: How to Comply with MAP Policy?
12. Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure the safe handling of payment card information. Developed by major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB, PCI DSS aims to protect sensitive cardholder data and reduce the risk of data breaches and fraud in the payment card industry.
The standard outlines specific requirements for secure purchases and subscriptions via card data, including:
- Secure Network and Systems
- Protect Cardholder Data
- Vulnerability Management
- Access Control Measures
- Regular Monitoring and Testing
- Information Security Policy
Compliance with PCI DSS is mandatory for any business that stores, processes or transmits credit card information. Failure to comply can result in fines, penalties, and potential damage to a company's reputation. It's best to run regular assessments and audits to ensure ongoing compliance with this fundamental payment standard.
13. Payment Service Directive (PSD2)
The Payment Service Directive (PSD2) is a European Union regulation that builds upon the original PSD law and aims to enhance the security and efficiency of electronic payments within the EU. PSD2 focuses on several key aspects:
- Strong Customer Authentication (SCA)
- Access to Account (XS2A)
- Liability and Security Requirements
- Transparency and Consumer Protection
- Prohibition of Surcharge Fees
While both PCI DSS and PSD2 aim to enhance security in electronic transactions, PSD2 focuses on a broader spectrum, encompassing liability and security requirements, transparency, and consumer protection. On the other hand, PCI DSS primarily concentrates on securing cardholder data globally and maintaining a secure payment card environment, making it applicable to a wider international context beyond the EU.
If your business operates within the European Union and provides payment services or is involved in electronic transactions, it is essential to comply with PSD2 regulations. This may involve implementing strong customer authentication measures, updating security protocols, and ensuring transparency in your payment services.
Wrapping Up
As e-commerce laws continuously evolve, online businesses are expected to rapidly change alongside them. E-commerce merchants need to not just stay legally compliant, but also to be one step ahead of the latest trends in the industry. Remaining aware of changes to online business regulation laws is one of the best ways to predict the direction in which the e-commerce industry is headed.
