Selling online in the European Union means following a set of consumer protection, privacy, and tax laws that are among the strictest in the world. The good news: most of these laws are straightforward once you understand them. The bad news: ignorance is not a defense, and fines for violations — especially GDPR — can be severe. This guide covers the rules that matter most for online store owners, in plain language, without the legal jargon.

GDPR: Data Protection

The General Data Protection Regulation governs how you collect, store, and use personal data from EU residents. For an online store, "personal data" includes names, email addresses, shipping addresses, IP addresses, purchase history, and browsing behavior tracked by analytics tools.

What You Must Do

  • Privacy policy — publish a clear, accessible privacy policy that explains what data you collect, why, how long you keep it, and who you share it with. This is legally required and must be written in plain language, not legal copy-paste.
  • Cookie consent — before setting any non-essential cookies (analytics, marketing pixels, social media trackers), you must obtain explicit, informed consent. A banner that says "By continuing to browse you accept cookies" is not compliant. The user must actively opt in, and your site must function without those cookies if they don't. Our Cookies Revolution module handles this correctly — it blocks tracking scripts until consent is given, logs consent for audit purposes, and lets customers modify their preferences at any time.
  • Right to access and deletion — customers can request a copy of all data you hold about them, and they can request deletion. You must respond within 30 days. PrestaShop has built-in GDPR tools for this (back office > Customers > GDPR).
  • Data breach notification — if customer data is compromised, you must notify the relevant data protection authority within 72 hours and notify affected customers without undue delay.
  • Data processing agreements — if you use third-party services that process customer data (email marketing platforms, analytics, payment providers), you need data processing agreements (DPAs) with each. Most major services provide these — check their GDPR pages.

Practical Reality

GDPR enforcement focuses on the biggest offenders — major companies and egregious violations. Small stores are unlikely to face a €20 million fine. But customer complaints to data protection authorities are increasingly common, and smaller fines (€5,000–50,000) do happen. More importantly, a privacy-respecting store builds customer trust — especially with European shoppers who are increasingly aware of data rights.

Consumer Rights Directive: Distance Selling

EU consumers have specific rights when buying online that override whatever your terms and conditions say:

14-Day Right of Withdrawal

Customers have 14 days from receiving their order to return it for any reason — or no reason at all. They don't need to explain why. You must refund the full purchase price including original shipping costs within 14 days of receiving the returned goods. You can require the customer to pay return shipping, but only if you clearly stated this before the purchase.

Exceptions exist: personalized/custom-made products, sealed hygiene products that have been opened, digital content once downloading has begun (with explicit consent), and perishable goods.

Information Requirements

Before the customer completes a purchase, you must clearly display:

  • Your full business identity (company name, address, registration number)
  • Total price including all taxes and fees
  • Shipping costs (or the method for calculating them)
  • Payment methods accepted
  • The right of withdrawal and how to exercise it
  • Estimated delivery time
  • Your complaint handling procedure

The "order confirmation" button must clearly indicate that clicking it creates a payment obligation. In most EU countries, the button text must say something like "Order with obligation to pay" or equivalent — "Complete Order" alone may not be sufficient in some jurisdictions.

VAT: Tax Compliance

Domestic Sales

If your store is in the EU and you're VAT-registered, you charge VAT at your country's rate. Prices displayed to consumers must include VAT (B2C). This is non-negotiable in most EU countries — showing net prices to consumers is misleading and illegal in many jurisdictions.

Cross-Border B2C Sales

Since July 2021, the One-Stop Shop (OSS) system simplifies EU cross-border VAT. If you sell more than €10,000/year to other EU countries, you must either register for VAT in each destination country or use OSS — which lets you file a single VAT return covering all EU countries through your home country's tax authority. OSS is simpler. Use it.

B2B Sales (VAT Reverse Charge)

When selling to VAT-registered businesses in other EU countries, you can apply the reverse charge mechanism — the buyer accounts for VAT instead of you charging it. This requires verifying the buyer's VAT number. Our Automatic EU VAT Checker validates VAT numbers in real time at checkout using the EU VIES database and automatically applies the tax exemption when valid. No manual verification needed.

Digital Services Act (DSA)

The DSA, effective since February 2024, introduces new obligations for online platforms including e-commerce stores. The main requirements for store owners:

  • Transparency on ads — if you run targeted advertising, you must clearly label it and explain why the customer is seeing it
  • Contact point — designate a point of contact for authorities and users, displayed on your site
  • Terms of service — must be written in clear, plain language

Product Safety and CE Marking

If you sell physical products in the EU, they must comply with EU product safety regulations. Most consumer products need CE marking (self-declared by the manufacturer for most categories). As a seller, you have a due diligence obligation — if you're selling products from third-party manufacturers, you should verify that CE marking and safety documentation exist. Selling non-compliant products exposes you to liability.

Accessibility: European Accessibility Act

Starting June 2025, the European Accessibility Act requires e-commerce stores to be accessible to people with disabilities. This means: keyboard navigation, screen reader compatibility, sufficient color contrast, text alternatives for images, and accessible forms. The law applies to any business selling to EU consumers. While enforcement is still ramping up, building an accessible store is both legally prudent and commercially smart — accessible stores reach more customers.

Practical Compliance Checklist

  1. Privacy policy — published, accurate, in plain language
  2. Cookie consent — proper opt-in mechanism (not just a banner), scripts blocked until consent
  3. Terms and conditions — including withdrawal rights, returns procedure, company details
  4. Imprint/legal notice — required in most EU countries (especially Germany's Impressum), containing company details, registration, VAT number
  5. Price display — all prices including VAT for B2C, with shipping costs visible before checkout
  6. Order button text — must indicate payment obligation
  7. Order confirmation email — must include all purchase details and withdrawal information
  8. VAT compliance — OSS registration if selling cross-border above €10k/year
  9. Accessibility — WCAG 2.1 AA compliance for store frontend

EU e-commerce law is not designed to make your life difficult. It's designed to protect consumers — and stores that respect these protections build stronger customer relationships than stores that don't. Compliance is not a burden. It's a trust signal. Get the fundamentals right, and the legal framework becomes an advantage rather than an obstacle.

David Miller

Over a decade of hands-on PrestaShop expertise. David builds high-performance e-commerce modules focused on SEO, checkout optimization, and store management. Passionate about clean code and measurable results.
