Having a compliant e-commerce website

Find out how automated screenshots can help keep your e-commerce website complaint amidst the endless operational regulations.

Having a compliant e-commerce website

There is a growing effort from governments and other bodies to regulate e-commerce activity, as more people choose this medium to make purchases instead of brick and mortar. As a result, online businesses need to have many elements in place to avoid trouble and provide a better shopping experience for users.

This article will look at what businesses need to include in their eCommerce sites to comply with different regulations.

What are the main e-commerce regulations?

Before diving into the elements of a compliant e-commerce site, let's look at the regulations affecting your business right now. They all aim to protect consumer privacy and safety but will have different requirements. Therefore, you must be familiar with them and know which ones you fall under. 

General Data Protection Regulation

We're sure you're familiar with GDPR, as the European Union's conversation on data privacy is pretty recent. You may think that if your business is not in the EU, you'd be exempt from these regulations. However, that's not quite the case. For example, suppose your business is open to European users, and you collect their data. In that case, even if you're not headquartered there, you must comply with GDPR for eCommerce.

Children's Online Privacy Protection

The Children's Online Privacy Protection (COPPA) applies to websites that target and collect information from children under 13. It provides regulations on how to craft a privacy policy when to ask for parent consent, company responsibilities regarding children's safety, and more. The main goal is to give parents control over what information is collected from their children online.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) looks to protect Californian consumers by granting three privacy rights. Businesses must provide information about these rights to their consumers, which include:

  • the right to know about the data collected by a website, 
  • the right to delete this data, 
  • the right to opt-out of the sale of their personal data, 
  • the right of non-discrimination for exercising these rights.

With these regulations in mind, let's dive into the elements your eCommerce site must have to comply with.

What your eCommerce site needs to stay compliant

Cookie management

One of the main areas covered by online business regulations is cookie management. Cookies are pieces of data collected by websites and stored on a user's device to help with future web browsing. While cookies can make a user's visit to a website easier next time, they are considered a security risk. Therefore, online businesses are required to have a cookie policy in place.

A cookie policy provides users with information about the types of cookies collected on a site. In this list, you should give details about what is tracked when a person visits your website and how that information is processed and used. It must be updated regularly, as cookies are dynamic, and the data collected can change.

Additionally, it would be a good idea to count on a cookie management solution. A tool like this helps you automate collecting and storing user consent regarding cookies. You know when you visit a site, and there is a pop-up or a small window asking to accept cookies? That's part of a cookie management tool.

Even if you're unaware, your website may collect user data, especially e-commerce that deals with transactions. In addition, cookie management is not only required by GDPR but also by other regulations. So it's one of the main areas your site has to look into.

Privacy policy

Speaking of data and policies, here's another critical eCommerce compliance element. Besides cookies, many governments and regulating bodies require companies to disclose information on how they're collecting, processing, and managing user data. But, of course, that also applies to the online world.

Since this is one of the most important elements an online business should have to avoid legal trouble, legal help is advised. As an introduction, here are some of the main items you should disclose in your eCommerce privacy policy:

  • What data is being collected?
  • How and why is it being collected? For example, for marketing efforts like emailing news.
  • What third parties will have access to that information?
  • How will you let users know if the policy has changed?
  • What was the last time the policy was updated?

In addition to these general questions, a privacy policy should indicate users' rights regarding personal information. That can include how they can amend or delete their personal information from the company's database, which will vary depending on your particular business and regulations. 

For example, the CCPA secures four rights regarding data privacy for California residents, as described earlier. Therefore, privacy policies affected by this act should include this information.

Take into account that the information you must include in your policy will depend on the regulations you fall under. For example, COPPA has its requirements regarding privacy policies for children under 13, including parents' rights to revoke information. 

Privacy policies must be available to the user as soon as personal information is collected, or even before. Like cookie policies, they should be updated periodically. If you need help writing your own, the GDPR website offers a compliant privacy policy template.

Terms and conditions

In some regions like the EU, it is required to state contractual procedures on eCommerce sites before a user makes a purchase. That means users should know what they agree to when buying a product or service from your organization. That can be done through clear terms and conditions.

This document can inform users about their rights since many regulations require so. For example, the EU's legal regulations for e-commerce states that consumers should have 14 days to retract the contract if unsatisfied with the product. You can include such withdrawal information on terms and conditions and payment, cancellation, shipping, and delivery terms.

Providing this information allows users to be aware of the terms of their purchase, so they can agree to them beforehand and spare you from future complaints.

Terms and conditions are also useful to limit liabilities and protect intellectual property. If you're looking to inform users about their rights regarding personal information, that should be done on the privacy policy.

Records of consent

Believe it or not, we often ask for users' consent on eCommerce sites. It can be related to marketing efforts, like subscribing to a newsletter, or to the previous items we've covered, like accepting terms and conditions, cookies, and a privacy policy.

Not only is consent required by different regulations by GDPR and COPPA, but you may also have to keep records of that consent.

Remember what we mentioned regarding when you should share privacy policies? As soon as information about the user is collected. Suppose you're offering a subscription to an emailing list or similar marketing communications. In that case, you must provide a privacy policy before the person can subscribe. In addition, there should be an option for the user to provide their consent, confirming they have read and that they accept the policy.

Making a purchase works similarly: before pressing the "buy" button, users must go through your terms and conditions and privacy policy and be able to provide consent.

Before moving on to other consent requirements, it is important to note that according to GDPR, implicit consent does not qualify as consent. What does this mean? Users must be able to make an action to provide their consent, like checking a box or pressing an "I accept" button. Pre-ticked boxes or statements like "by continuing to use this website, you're agreeing to our privacy policy" are not compliant. 

Businesses affected by COPPA need consent from a parent or guardian before collecting personal information from a child under 13. Parents also have the right to revoke consent and have that information deleted, and that right should be noticed to them. The CCPA has a similar requirement.

And where do records of this consent come in? According to GDPR, website controllers need to prove that user consent was given to process their data. Therefore to comply, you're advised to keep a record of the user who consented, when they consented, the version of the policy they gave consent to, and the medium by which the user provided their consent and data. Saving this information will help prove consent at any time.

ICO registration

In the UK, the body overseeing data privacy for individuals is the Information Commissioner's Office or ICO. Businesses or individuals that process personal information need to pay a data protection fee to the ICO unless they are exempt. A free online assessment is available to know whether you're exempt.

The fee varies depending on the organization's size, annual turnover, and other criteria.

Not registering your e-commerce can result in a fine of up to £4,000. However, remember that paying the fee doesn't automatically make you compliant; your business still needs to follow data privacy regulations like GDPR.

Additional regulations

These aren't necessarily elements you should display on your website like all the previous items on this list, but they're still important aspects of eCommerce compliance. Take these additional regulations into account to investigate further:

  • Suppose your online store features a payment gateway. In that case, you need to pay attention to laws like PCI DSS and PSD2, which aim to reduce transaction risks through a secure approach to sensitive data. PCI website compliance includes installing a firewall, using secure passwords, encrypting the transmission of cardholder data, and more.
  • Suppose you're using email for marketing efforts, like a newsletter. In that case, the Federal Trade Commission's CAN-SPAM Act requires you to give recipients a chance to opt out of these communications.
  • In case of a data breach, some regulations specify how to act. For example, GDPR states that the controller has 72 hours after having become aware of a breach to notify the supervisory authority competent. The ICO and the FTC also have regulations regarding this phenomenon.
  • Your eCommerce should be accessible to everyone so that any customer can have a great shopping experience. You may not fall under accessibility regulations since most apply to government institutions, but it's advised to comply to avoid future complaints. Our guide on web accessibility standards can be a great starting point for your business, including eCommerce ADA compliance.

Staying compliant with screenshot records

After this list of policies and other elements, you should also know that compliance doesn't end there. Once those items are on your website, you may still have inspections or user complaints. So how do you prove you were always compliant?

Keeping a website archive that includes policies, consent opt-ins, and other required widgets can complement compliance. However, to create it, going through each page and taking a screenshot every time something is updated is a no-no. However, there is a way to perform this task while avoiding manual work!

With an automated website screenshot tool like Stillio, you can save a copy of your entire website with just a few clicks. You can set these captures at the interval you need, which can be daily, weekly, monthly, or even up to 5 minutes for the best plan. Choose the interval that best fits your policies, depending on how often they update.

Screenshots can help you safeguard evidence of terms and conditions before purchase, unticked opt-in boxes, and more. In addition, all captures are saved to your account for you to reference later, so you can also go back and see previous versions of your policies.

Suppose your business operates overseas and you need screenshots taken from a different place. In that case, geo IP locations are here to help. With Stillio, you can change the server location to other continents to archive your website from every destination. Screenshots are also timestamped so that you can prove compliance at any given point in time.


Having your own online business is exciting and can bring lots of benefits. But, don't lose them along the way for not being aware of regulations! Use this article as an introduction and seek legal help to go one step further. At Stillio, we want to help make the entire process easier for you. Feel free to book a demo with us so you can discover all our features.

Starting at $29/m

Start capturing website screenshots automatically and save a lot of grunt work. You'll be set up in minutes. No credit card required. Check our pricing plans.