E-Commerce Legal Requirements: What Online Businesses Need to Know

Starting an online store or digital business feels, in many respects, simpler than starting a brick-and-mortar operation. There is no lease to negotiate, no storefront to outfit, no geographic constraints on your customer base. But e-commerce comes with its own set of legal obligations that are no less demanding than those governing physical retail. Understanding these requirements before you launch — and building compliant practices from the start — is far easier than retrofitting compliance onto an established business.

Business Formation and Registration

An online business is a business, and it needs to be properly formed and registered just like any other. Choosing the right legal entity — a sole proprietorship, LLC, or corporation — determines the owner’s personal liability exposure, tax treatment, and the formality required to operate the business. For most online businesses, an LLC provides a good combination of liability protection, tax flexibility, and operational simplicity. If the business plans to raise outside investment or issue stock options to employees, a corporation may be more appropriate.

In addition to forming the entity in the state of organization, e-commerce businesses that operate physically in other states — by maintaining inventory in a warehouse, employing remote workers, or otherwise having a physical presence — may need to register as a foreign entity in those states and comply with their business registration requirements. Sales tax nexus — the connection between a business and a state that triggers the obligation to collect and remit sales tax — is a particularly important issue for e-commerce businesses, discussed further below.

Terms and Conditions

Every e-commerce website should have a terms and conditions (or terms of service) document that governs the relationship between the business and its customers. Well-drafted terms and conditions serve several important functions. They establish the rules for using the website and purchasing products or services. They limit the business’s liability for various types of claims. They set out the business’s policies for returns, refunds, exchanges, and dispute resolution. They protect the business’s intellectual property by making clear who owns the website content, logos, and other materials. And they establish which state’s law governs disputes and where those disputes must be resolved.

Terms and conditions are only enforceable if customers have meaningful notice of them and have agreed to them. The most enforceable approach is a clickwrap agreement, in which customers affirmatively check a box or click a button indicating that they have read and agreed to the terms before completing their purchase; the business should also keep a record of which version of the terms each customer accepted and when, since that record is what proves assent if the terms are later challenged. A browsewrap agreement, in which the website merely states that using the site constitutes agreement to the terms, is more vulnerable to challenge — courts have increasingly declined to enforce browsewrap terms where it was not clear that customers had actual notice of and agreed to the terms.

Privacy Policy Requirements

A privacy policy is legally required for virtually every e-commerce website. Multiple federal and state laws require businesses to disclose their data collection and use practices. The Children’s Online Privacy Protection Act requires websites that collect personal information from children under 13 to post a specific type of privacy notice and obtain verifiable parental consent before collecting children’s information. The California Consumer Privacy Act requires businesses that meet specified thresholds to provide a comprehensive privacy policy disclosing categories of personal information collected, the purposes of collection, and consumers’ rights. Many other state privacy laws impose similar requirements.

Even for businesses that do not meet any state law’s coverage thresholds, the FTC has authority to act against businesses whose privacy practices are unfair or deceptive. A website that has a privacy policy but whose actual practices differ materially from what the policy states — or a website that collects personal information without any disclosure — is at risk of FTC enforcement. A privacy policy that accurately reflects actual data practices is both a legal necessity and a basic obligation to customers.

Sales Tax: The E-Commerce Obligation

The Supreme Court’s 2018 decision in South Dakota v. Wayfair fundamentally changed the sales tax landscape for e-commerce businesses. Before Wayfair, the traditional rule was that a state could only require a business to collect sales tax if the business had a physical presence in the state. Wayfair eliminated this limitation. States can now require out-of-state e-commerce businesses to collect and remit sales tax based solely on the volume or value of their sales into the state, even without any physical presence.

Most states have now enacted economic nexus laws that require out-of-state sellers to collect sales tax once they exceed a specified threshold of sales into the state — typically $100,000 in sales or 200 separate transactions in the state per year, although a number of states have since dropped the transaction-count test and rely on the dollar threshold alone, and a few set higher dollar thresholds. For an e-commerce business with a national customer base, this potentially creates sales tax collection obligations in dozens of states simultaneously. Complying with multi-state sales tax collection obligations is one of the most operationally complex e-commerce compliance requirements, and most growing e-commerce businesses use automated sales tax software to manage it.

Consumer Protection Laws

E-commerce businesses are subject to a wide range of federal and state consumer protection laws that govern how products are marketed, sold, and delivered. The FTC’s regulations on mail and telephone order merchandise — which also apply to internet orders — require businesses to ship orders within the time stated in their advertising or, if no time is stated, within 30 days, and to notify customers and provide the option to cancel if the shipment will be delayed. Businesses that advertise specific shipping or delivery timeframes must honor them or provide appropriate notice and refund options.

Subscription businesses — those that charge customers on a recurring basis — face specific regulatory requirements. The FTC's Negative Option Rule, which the FTC proposed to expand significantly in 2023 and finalized as the "click-to-cancel" rule in 2024 (a rule the Eighth Circuit later vacated on procedural grounds in 2025, leaving the pre-existing rule and the state laws below in force), targets negative option marketing, where consumers are automatically enrolled in recurring charges unless they affirmatively cancel. The expanded rule required businesses to clearly disclose all material terms of the subscription before obtaining billing information, to obtain the consumer's express consent, to provide cancellation mechanisms as simple as the sign-up, and to send confirmation notices. State laws, including California's Automatic Renewal Law, impose similar requirements and remain enforceable regardless of the federal rule's status.

Advertising practices must comply with the FTC’s guidelines for honest advertising: all material claims must be truthful, advertising must not omit information that would be material to a consumer’s decision, and any endorsements or testimonials must be genuine and representative. If your products have environmental or sustainability attributes that you want to promote, the FTC’s Green Guides provide standards for making accurate environmental marketing claims. Influencer marketing requires clear disclosure that the endorsement is sponsored when a material connection exists between the endorser and the brand.

Return and Refund Policies

While there is no general federal law requiring e-commerce businesses to accept returns, many states have consumer protection laws that affect refund and return practices. Regardless of legal requirements, clearly written return and refund policies are essential for managing customer expectations and disputes. The policy should be easy to find on the website, should clearly state the timeframe for returns, what items are eligible for return, the process for initiating a return, and whether customers will receive a refund, store credit, or exchange. Policies should be consistent: if your policy says returns are accepted within 30 days but you actually accept returns outside that window, the inconsistency creates legal exposure.

Payment Processing and PCI Compliance

E-commerce businesses that accept credit card payments are required by their payment processor and card network agreements to comply with the Payment Card Industry Data Security Standard, known as PCI DSS. PCI DSS establishes security requirements for businesses that store, process, or transmit cardholder data. The specific requirements depend on the volume of card transactions and the manner in which card data is handled. Most small e-commerce businesses use payment processors or platforms like Stripe or Square that take on most of the PCI compliance burden: the card number is typed into a form element or iframe hosted by the processor, or the customer is redirected to the processor's payment page, so the merchant's servers never see or store cardholder data. That design usually lets the merchant validate with the shortest self-assessment questionnaire (SAQ A) rather than a full assessment, but it does not eliminate the merchant's obligations. Since PCI DSS v4.0, even SAQ A merchants must keep an inventory of the scripts loaded on their payment page and confirm that each one is authorized and has its integrity assured (requirement 6.4.3), and must detect unauthorized changes to the page as the browser receives it (requirement 11.6.1), because a script injected into the checkout page can swap in a fake payment form or redirect the customer and capture card numbers no matter where the legitimate form is hosted. Merchants should confirm with their payment processor which SAQ applies to their integration and what compliance obligations they retain.
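The script-inventory obligation in PCI DSS v4.0 requirement 6.4.3 is the part of "hosted checkout" compliance that merchants most often overlook, so here is an added example of what the check looks like in practice. It is not code from the page or from any payment processor: it parses a checkout page's HTML, lists every script the browser will execute, and flags inline scripts, scripts from origins not on the merchant's authorized list, and third-party scripts with no recorded integrity mechanism. The merchant origin (`https://shop.example`), the authorized-origin list, and the sample checkout page are all constructed for the example; the `js.stripe.com` entry stands in for whatever processor script a real page loads.

```python
"""Payment-page script inventory check (added example, not from the page).

PCI DSS v4.0 requirement 6.4.3 asks merchants to keep an inventory of every
script loaded on the payment page, confirm each one is authorized, and have a
method to assure its integrity. This scanner builds that inventory from a
page's HTML and flags what a reviewer must act on. The allowlist and the
sample checkout page below are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical merchant origin and authorized script origins (assumptions).
PAGE_ORIGIN = "https://shop.example"
AUTHORIZED_ORIGINS = {PAGE_ORIGIN, "https://js.stripe.com"}

# Constructed sample checkout page, not captured from any real site.
SAMPLE_CHECKOUT_PAGE = """<!doctype html>
<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/checkout.js" integrity="sha384-dGVzdA=="></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment-form"></form></body></html>"""


class ScriptInventory(HTMLParser):
    """Collect every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script, self._body = True, []

    def handle_data(self, data):
        # HTMLParser hands the raw contents of <script> to handle_data.
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts[-1]["inline"] = "".join(self._body).strip()
            self._in_script = False


def script_origin(src, page_origin=PAGE_ORIGIN):
    """Resolve a script URL to its origin; relative and protocol-relative URLs inherit from the page."""
    u = urlparse(src)
    if not u.netloc:
        return page_origin                                # relative path: served first-party
    scheme = u.scheme or urlparse(page_origin).scheme     # "//host/x.js" takes the page's scheme
    return f"{scheme}://{u.netloc}"


def review_scripts(html, authorized=AUTHORIZED_ORIGINS):
    """Return (inventory, findings). Each finding is a (kind, src, message) tuple."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append(("inline", None,
                             "inline script on the payment page: justify it in the inventory or move it to a first-party file"))
            continue
        origin = script_origin(s["src"])
        if origin not in authorized:
            findings.append(("unauthorized", s["src"], f"origin {origin} is not on the authorized list"))
        if origin != PAGE_ORIGIN and not s["integrity"]:
            findings.append(("no-integrity", s["src"],
                             "third-party script without an integrity attribute: record how its integrity is assured"))
    return parser.scripts, findings


if __name__ == "__main__":
    inventory, findings = review_scripts(SAMPLE_CHECKOUT_PAGE)
    print(f"{len(inventory)} scripts on page, {len(findings)} findings")
    for kind, src, msg in findings:
        print(f"[{kind}] {src or '<inline>'}: {msg}")
```

Run against the sample page this reports four scripts and four findings: the analytics tag is both unauthorized and lacking an integrity mechanism, the processor script has no `integrity` attribute (some processors intentionally do not support subresource integrity because they update the script in place, so the inventory must record the alternative assurance method rather than a hash), and the inline data-layer snippet needs a written justification. Running this in CI against the rendered checkout page and failing the build on any `unauthorized` finding is a cheap way to keep the 6.4.3 inventory honest between assessments.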

Accessibility: ADA and Digital Accessibility

The Americans with Disabilities Act applies to places of public accommodation, and courts have increasingly held that websites operated by businesses that sell goods or services to the public qualify as places of public accommodation subject to the ADA. Businesses whose websites are inaccessible to people with disabilities face ADA discrimination claims, and website accessibility litigation has become a significant area of plaintiff-side legal activity. The Web Content Accessibility Guidelines, or WCAG, provide the technical standards for website accessibility. E-commerce businesses should ensure their websites meet at minimum WCAG 2.1 Level AA standards and should test their accessibility with actual assistive technology tools.

Building an e-commerce business that is legally compliant from the start requires attention to a range of legal requirements across entity formation, website documentation, consumer protection, sales tax, payment processing, and accessibility. The investment in getting this right early — with the guidance of a business attorney and, for areas like sales tax and PCI compliance, specialized technical advisors — pays dividends in reduced legal exposure and increased customer trust throughout the business’s life.
