Getting your shop legit! 7 steps to trading online legally

Cookies, Data Protection, EC Directive, Distance Selling, PCI Compliance... where do you start!?

Legal requirements for ecommerce cover many aspects of your shop and how you run it. Some people find it daunting, most find it a chore - and many just don’t know where to start thanks to the jargon surrounding it all. It’s tempting to bury your head in the sand, especially if you consider how random or non-existent the enforcement of certain laws seems to be.

But the law is the law, whether we like it or not - and it’s not worth being caught out with the risk of fines, closure or worse – prison! Things crop up in business, so it’s best to be covered from the start...

We’ve come up with a one stop guide to help you tackle the whole area of legal requirements in one go. Work your way through these steps to trade freely with peace of mind. It should take an hour or two and then you’re done!

1. Add your business contact and trading details
This is an easy one. Set up your contact page with a valid phone number, email address AND postal address. Also include your company’s trading name. If you’re a limited company then display your registration number and your VAT registration number (if you have one) somewhere on your shop. Company and VAT numbers could be displayed in your footer or on your ‘about us’ page for instance. Check ours out in the footer.

It may seem like an obvious one... but you also need to make sure your product prices are clearly visible, and if you’re dealing directly with consumers, state whether they include or exclude VAT.

2. Get some ‘Terms and Conditions’ on your shop
You’ll need a page dedicated to terms and conditions - your ekmPowershop comes with an empty page ready and waiting for you to fill in. “What do I put in there?” many people ask. It’s easy really… just Google ‘terms and conditions template for ecommerce’ to get some inspiration. Look at other ecommerce websites too, but be sure to cover the following: what you sell, how customers pay you (payment terms) and your refund and returns/cancellation policy. There are plenty of resources out there if you’re looking for inspiration.

3. Display Delivery details (P&P costs and info)
Most checkouts are pretty clear about how much it will cost and how long it will take for goods to arrive (they should be – you don’t want any nasty surprises at the checkout causing people to abandon the cart!).

As well as having a clear and easy to fathom checkout, you need some details in your terms and conditions page, or like many shop owners - you could have a page especially for delivery info (there’s no harm in having it on both pages). Call it ‘Delivery & Returns’ for instance.

4. Privacy (data protection)
This bit is largely about data protection… so you need to let customers know what information you will keep (such as name, address, email address etc.) and the purposes for which you’ll use those details. You’ll need a ‘Privacy Policy’ page especially for this. Again, see our privacy page for an example of this in action. You’ll also need to register yourself as a data controller with the ICO under the Data Protection Act.

5. Cookies
Thanks to the latest law surrounding cookies, you’ll need to adapt the legally required ‘Privacy Policy’ from step 4 to include info on cookies. We recommend you just change the name of your privacy policy page to ‘Privacy and Cookies’, then all you need to do is list all of the cookies your online shop uses (see here for the cookies used by – however, if you add 3rd party scripts for things like analytics, live chat software, Facebook/Twitter plugins etc. then there will be more cookies you need to declare). If you want to see what a compliant ‘Privacy and Cookies’ policy looks like then take a look at ours. We’ve also written an informative article about the cookie law here, and we also offer a ‘cookie crumbler’ service if you want us to put the necessary measures in place for you.

6. PCI compliance
This one’s all about credit and debit card data. It’s not so much a law, but something brought in by the major card schemes, Visa and Mastercard, to try and tackle credit card fraud. PCI compliance makes merchants responsible for the security of card details if they come into contact with them in any way (and then heftily fines merchants who aren’t compliant).

It’s simply better AND easier for you to use a hosted payment gateway, such as PayPal, Google Checkout, SagePay, CardSave etc., so you don’t actually handle or come into contact with the card details in any way. This removes you from the scope of PCI compliance and makes it the payment gateway’s problem - as they’re the ones who handle the sensitive data during the payment process (all payment processors which are compatible with are level 1 compliant).

If you do choose to handle card details then be prepared to fill out lots of paperwork in order to receive a compliance certificate. There are differing levels of compliance depending on things like your business sector, size and transaction volumes. The higher the level of compliance required, the more expensive it is to attain. So save yourself a headache and use a hosted payment solution with your online shop! We’ve also written a guide on PCI compliance which simplifies the whole jargon-riddled topic.

7. Send an invoice!
An easy one to finish with. automatically creates ready to print invoices once an order has been placed. Ensure your logo and VAT registration number have been added to the ‘printer friendly version’ of your order form, prior to processing any orders (you only need to do this once - your logo and VAT number will then automatically appear on all invoices created by your shop).

Ensure your invoice shows an itemised summary of the products bought, the total amount charged, a delivery breakdown and a VAT breakdown (easy - does all of that for you too!)

It’s also a legal requirement to ‘acknowledge’ orders when they’ve been placed, again already does this for you, via email as soon as an order is placed.

That’s it - you’re all done and legit. You’ve covered all of the bases required for trading online legally, so now you can get on with the important stuff - selling your products!

Shop owner checklist

1. Contact, trading and pricing details clearly displayed

2. Terms & Conditions

3. ‘Delivery and Returns’ information (in your T’s and C’s, on a special page or both)

4. Register as a data controller with the ICO under the Data Protection Act

5. Have a page especially for ‘Privacy and Cookies’

6. PCI compliance - use a hosted payment gateway

7. Acknowledge orders and send written confirmation (invoice)


Links to guides, articles and resources surrounding the legal requirements for ecommerce:

‘Legal requirements for ecommerce’

PCI DSS Compliance Guide for Small to Medium Online Shops

‘The Data Protection Act 1998’

‘Distance Selling Regulations’

Information Commissioner’s Office e-privacy directive (EU Cookie Law)

Consumer Protection Regulations 2000 (Distance Selling)

