
Online contracting processes, communication, personal information processing and contract withdrawal rules

European law

When running an online business, one must comply with specific regulations. The European Union is special in that companies here must observe not only the laws of their own country but also European law. The three main instruments regulating online businesses within the EU are the E-Commerce Directive (Directive 2000/31/EC), the GDPR - General Data Protection Regulation (Regulation (EU) 2016/679, a regulation that applies directly in every member state rather than a directive), and the Consumer Rights Directive (Directive 2011/83/EU).

Let’s have a closer look below.

In general, these documents establish rules on online contracting processes, communication with customers, personal data processing, and the right of withdrawal from a contract.

What general information a business should provide

  • Contact details of the company (address, phone, email, as well as any profession-specific registration number, where applicable) must be clearly stated. It should also be explicit where the consumer can address any complaints.
  • Payment card security. PCI DSS compliance is not an EU legal requirement but a contractual one imposed by the card schemes on any merchant that accepts card payments. Keep payment data secure (or keep it out of your systems entirely by using a hosted payment page), and let customers know how their payment data is protected.
  • Contracting information:
    • Delivery details (delivery regions/countries, time, costs, courier partners, tracking).
    • Payment methods.
    • Terms and conditions of cancellation: whether the consumer has to bear the return costs, how the goods can be returned, and the circumstances in which the consumer loses the right of withdrawal.
      The Consumer Rights Directive gives shoppers 14 days to withdraw from the contract without giving a reason. The online store must inform the users of this right; otherwise, the withdrawal period is extended by 12 months beyond the original 14 days.
    • Warranties, after-sales services, and commercial guarantees.
    • Complaints handling policy, including which court or dispute resolution body will consider the case in the event of a legal dispute.

Most of the contracting information is stated in the Terms and Conditions. Make sure that customers have read and accepted the document before making a purchase. For this, it is recommended to place a link to the document on all pages of the site (e.g. in the footer) and, at the order confirmation stage, to make customers tick a checkbox with a message like "I have read and accepted the terms and conditions". Customers must also be able to save and/or print this document, and you should keep the exact version they accepted, since the terms may change later.

Gathering and managing user information

GDPR compliance

When gathering (via registration, purchase, or contact forms) and processing user information, such as names, email addresses, and payment data, the GDPR applies. It protects anyone located in the EU, not only EU citizens, and it also applies to companies outside the EU that sell to people in the EU.

  • Users must be able to contact the company (which is the data controller) and its data protection officer, where one is appointed, to ask about the purpose of the data processing and the security measures in place, and to exercise their rights to access, correct, or erase their data.
  • Personal data may be transferred outside the EU/EEA only to countries with an adequacy decision or with appropriate safeguards in place (for example, standard contractual clauses). The GDPR does not require that data be stored on servers located in the EU, but where your servers and your processors are located must be documented and disclosed.
  • The information about personal data treatment should be well explained in the privacy policy. When users are asked to enter their data, a link to the Policy should be visible, and where consent is the legal basis for processing there should be an unticked checkbox for the user to confirm they have read and agreed to the policy.

Obviously, the data protection measures should not only be written down but actually implemented, as a fine for a serious violation can reach up to 20 million euros or 4% of the company's total worldwide annual turnover, whichever is higher.

Cookies policy

  • Visitors to a website must be notified that cookies are in use. They must be told what kinds of cookies are used and for what purpose, and cookies that are not strictly necessary for the service the visitor requested (analytics, advertising, tracking) may only be placed with the visitor's prior consent. Refusing them must be as easy as accepting them, and the site must keep working without them. These rules come from the ePrivacy Directive (Directive 2002/58/EC, as amended), read together with the GDPR's definition of consent.
  • All this information should be clearly explained in the cookies policy. The link to the cookies policy should be located on a permanent part of the website (e.g. the footer).

The ordering process

When placing an order, a customer must be clearly informed about certain things, such as:

  • Main features of the goods and services.
  • For digital content: its functionality, including any technical protection measures, and its compatibility with hardware and software.
  • The total price of the goods/services, including all taxes. If the price cannot be fixed in advance, the method of calculating it must be given.
  • Available payment and delivery methods.
  • Any additional payments, such as delivery costs, insurance, additional options, etc., must be expressly confirmed by the customer. Pre-ticking such checkboxes "by default" is not allowed; the customer must tick them himself, and a charge the customer never expressly agreed to must be refunded.
  • Duration of the agreement, its termination, or automatic extension.

Once the order has been placed:

  • The online store must acknowledge receipt of the order electronically and without undue delay, and must confirm the concluded contract on a durable medium (e.g. by email) within a reasonable time and at the latest on delivery of the goods. In practice this means sending the confirmation email immediately after the order is placed.

Important note: user consents to the site Policies must be documented, so that you can later show who consented, to which version of which document, and when. For example, the nopCommerce cart supports logging consents in the database out of the box, which removes any additional headache around this requirement.
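To make the requirement concrete, here is an added example of what a consent log needs to capture; it is illustrative code written for this article, not nopCommerce's implementation. The class and function names (ConsentLog, ConsentRecord, policy_version) are hypothetical, and the policy texts are constructed sample data. The key design points are that a policy version is identified by a hash of the exact text shown to the customer, that an unticked box is recorded as a refusal rather than treated as silent consent, and that a customer whose last accepted version differs from the current text is flagged as needing to consent again.

```python
"""Consent logging example (added for this article; not nopCommerce code)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


def policy_version(policy_text: str) -> str:
    """Identify a policy by the SHA-256 of its exact text.

    Any edit to the terms produces a new version, so a stored consent can be
    tied to precisely the wording the customer saw.
    """
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    customer_id: int
    policy_name: str      # e.g. "terms", "privacy", "cookies"
    policy_version: str   # hash of the text shown at the time
    granted: bool         # False when the customer left the box unticked or withdrew
    timestamp: str        # ISO-8601, UTC
    source: str           # where it was captured, e.g. "checkout", "account-settings"


class ConsentLog:
    """Append-only log of consent decisions (an in-memory stand-in for a DB table)."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, customer_id: int, policy_name: str, policy_text: str,
               checkbox_checked: bool, source: str,
               now: Optional[datetime] = None) -> ConsentRecord:
        # Consent must be an affirmative act: a box the customer did not tick
        # is logged as a refusal, never silently upgraded to a grant.
        ts = (now or datetime.now(timezone.utc)).isoformat()
        rec = ConsentRecord(customer_id, policy_name, policy_version(policy_text),
                            bool(checkbox_checked), ts, source)
        self._records.append(rec)   # never update or delete: the history is the evidence
        return rec

    def withdraw(self, customer_id: int, policy_name: str, policy_text: str,
                 source: str = "account-settings") -> ConsentRecord:
        """Withdrawal is just another append; it must be as easy as granting."""
        return self.record(customer_id, policy_name, policy_text, False, source)

    def latest(self, customer_id: int, policy_name: str) -> Optional[ConsentRecord]:
        matches = [r for r in self._records
                   if r.customer_id == customer_id and r.policy_name == policy_name]
        return matches[-1] if matches else None

    def has_current_consent(self, customer_id: int, policy_name: str,
                            current_policy_text: str) -> bool:
        """True only if the most recent decision is a grant for the text now in force."""
        rec = self.latest(customer_id, policy_name)
        if rec is None or not rec.granted:
            return False
        return rec.policy_version == policy_version(current_policy_text)

    def export_for_customer(self, customer_id: int) -> str:
        """Right of access: hand the customer their own consent history as JSON."""
        own = [asdict(r) for r in self._records if r.customer_id == customer_id]
        return json.dumps(own, indent=2)


# Constructed sample policies; the second is a later revision of the first.
TERMS_V1 = "Terms and Conditions v1: 14-day right of withdrawal. Returns paid by customer."
TERMS_V2 = "Terms and Conditions v2: 14-day right of withdrawal. Returns paid by the store."


def demo() -> dict:
    """Walk through grant, policy change, refusal and withdrawal; return the outcomes."""
    log = ConsentLog()
    # Customer 1 ticks the box at checkout while v1 is in force.
    log.record(1, "terms", TERMS_V1, checkbox_checked=True, source="checkout")
    # Customer 2 leaves the box unticked: logged, but not a consent.
    log.record(2, "terms", TERMS_V1, checkbox_checked=False, source="checkout")
    result = {
        "c1_ok_under_v1": log.has_current_consent(1, "terms", TERMS_V1),
        # Terms were revised: the old grant does not cover the new wording.
        "c1_ok_under_v2": log.has_current_consent(1, "terms", TERMS_V2),
        "c2_unticked_is_consent": log.has_current_consent(2, "terms", TERMS_V1),
    }
    log.withdraw(1, "terms", TERMS_V1)
    result["c1_after_withdrawal"] = log.has_current_consent(1, "terms", TERMS_V1)
    result["c1_history_length"] = len(json.loads(log.export_for_customer(1)))
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real store the records would live in an append-only table with the policy text (or its hash and a pointer to the archived text) stored alongside, so that the exact wording a customer agreed to can be produced years later, and the export method backs the customer's right of access.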

To sum up, online businesses in the European Union must follow regulations that apply in all member states. These regulations create obligations regarding contract formalities, pre-contractual information, privacy and cookie policies, and the measures that must be taken to protect users' data.

As for the implementation, you may always contact us.


To make sure your business is aligned with all the regulations, it might be useful to consult a professional.
