Online Business Laws Your Small Business Needs to Know

What are online business laws?

E-commerce, or the buying and selling of products over the internet, has exploded in recent years as people across the globe have become familiar with this type of shopping and feel more comfortable using it. That opportunity hasn’t been lost on business owners, who are increasingly selling their goods online with the help of e-commerce platforms and marketplaces.

Online shopping is regulated to protect customers, with safeguards in place to prevent consumers from deceptive marketing practices and data breaches. These legal rules are known as online business laws. Though the laws about how your business sells online vary from state to state, there are also national laws and international regulations. The laws cover everything from taxes to privacy. Further, because of constant advances in technology, e-commerce laws are often changing.

6 types of online business laws to be aware of

There are a lot of online business laws all e-commerce business owners must know, but here are the six most important ones.

1. Sales tax collection

Death and taxes are life’s two certainties. For online merchants, the latter gets extremely complicated regarding sales tax.

“The No. 1 thing to think about is sales tax,” said Lisa Lewis, a certified public accountant and the TurboTax blog editor. “It used to be you collect sales tax where your business has a physical presence. Now, states have the right to sales tax no matter if you have a physical presence in the state or not.” States also get to set the rules on what to tax and when. [Read our TurboTax review to find out how the tax software can help your business.]

To prevent costly mistakes, Lewis said business owners must look at state sales tax on a state-by-state basis. One state may not expect sales tax unless the merchant exceeds a certain amount of sales, while another will expect it for even a single, small-dollar sale.

“It’s extremely cumbersome. We’re hoping the government streamlines it and has all 50 states change to a flat tax,” said Mike Nunez, founder of Tilde Enterprises. “You may have state, city and even county taxes. That’s three levels of taxes you have to calculate.”

The good news, however, is that highly rated tax software, the best POS systems and the top e-commerce platforms take the guesswork out of calculating sales tax. It’s crucial for online merchants to take advantage of these programs, since ignorance isn’t a defense. When the Supreme Court ruled on a relevant case in 2018, Associate Justice (Ret.) Anthony Kennedy noted there is software available to help small businesses navigate the hurdles of collecting sales tax.

2. Privacy and data security

Protecting customers’ personal information and taking cybersecurity for your business seriously are paramount. One data breach or hack is all it takes to destroy a small business. According to Verizon‘s Data Breach Investigations Report, there were 715 data breaches among small businesses in 2021.

E-commerce companies request and retain a lot of key customer data, including credit card numbers, personal contact information, bank account numbers and Social Security numbers, and need to protect the privacy and security of that data. While the U.S. doesn’t have a federal privacy rule, such as Europe’s General Data Protection Regulation (GDPR), some states, including California, Maine and Nevada, have passed their own laws.

In 2020, California passed a privacy act that will require businesses to disclose the information they’re collecting. Consumers will have the choice to limit the sharing of their data or opt out completely. California’s law applies to businesses that collect data from at least 100,000 consumers. It also applies to companies that gross more than $25 million annually or earn over 50% of their revenue from selling consumers’ personal information. The law goes into full effect on Jan. 1, 2023. 

Virginia also passed a data protection act that applies to businesses that process data from more than 100,000 consumers. It, too, affects companies that make at least half their revenue from selling consumer data. The law will empower customers to correct and delete data or opt out of data collection entirely. This law also goes into effect on Jan. 1, 2023. Utah and Colorado recently passed laws with the same or similar criteria.

It’s vital that you adhere to best practices when it comes to data security. One way to do that is to follow the Federal Trade Commission’s “privacy by design” recommendations, which include the following.

• Privacy and security should be built into products and services from the beginning.
• Companies should only collect data they need for business purposes and dispose of it once the transaction is complete.
• E-commerce sites should have reasonable security in place to protect consumer data.
• Data management personnel, procedures and controls should be implemented to protect customers’ privacy.

3. GDPR

The aforementioned GDPR is a law that applies to all businesses collecting data from European Union-based consumers. The GDPR requires companies to obtain clear permission from these consumers before using their data. Businesses must also be transparent about data collection and follow certain security standards for storing data. As you surf the web, you’ll notice many websites have pop-ups related to GDPR compliance. Your site may need to have them as well if you’re doing business in the EU.

4. Marketing infringement

The internet provides ample opportunities for businesses to market their products online, but certain rules must be followed. Online merchants, no matter how small, are subject to federal regulations when selling their products over the internet. For example, businesses can’t make false claims about products and services and must disclose paid endorsements.

Email marketing is a popular way to reach potential and existing customers. Business owners (and their employees) must ensure their email campaigns comply with the CAN-SPAM Act. Passed in 2009 by the Federal Trade Commission, the act states that business owners may be subject to penalties of up to $46,517 for each separate email violation. Under the CAN-SPAM Act, online merchants may be fined due to the following:

• The email contains a deceptive subject line.
• The email contains false or misleading headers.
• The email doesn’t disclose that the message is an advertisement.
• The business doesn’t divulge its location to email recipients.
• The email doesn’t instruct recipients how to opt out of receiving future emails.
• The company doesn’t honor opt-out requests within 10 business days.
• The business fails to monitor the actions of an email marketing service it hired. (According to the FTC, “Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.”)

In addition, e-commerce merchants must not infringe on trademarks or patents. “It’s too easy for a small business owner to search for product images, download them and use them on [their] website, but if that’s copyrighted or trademarked now, you’re in violation of the law,” said Nunez. “You can’t use celebrities’ likenesses [and] you can’t use other people’s trademarks or copyright. You have to be really careful to avoid that.”

Further, Nunez added, if your business sells products geared toward children, take care not to violate the Children’s Online Privacy Protection Act.

“You can’t advertise to children [and] you can’t try to convince children to buy something. You have to be careful targeting children,” said Nunez. [Looking for tips to help you legally market your company online? Check out our small business marketing guide.]

5. PCI compliance

Implemented in the early 2000s by credit card issuers Visa, MasterCard, Discover and American Express, the Payment Card Industry Data Security Standard (PCI DSS) is designed to protect consumers’ payment data. An online merchant who accepts credit card payments must meet PCI compliance when storing, processing and transmitting credit card data. The penalties for noncompliance include steep fines, and your merchant account agreement can be terminated. Fortunately, the best credit card processors usually have PCI measures built into their services.

6. Terms and conditions

An online store needs ground rules for its e-commerce site that are legally enforceable – that’s where terms and conditions come in. They explain your policies on aspects of your business like returns and shipping, and may reduce your legal liability if you run into a disagreement with a customer. The terms and conditions should include pricing and payment terms, as well as your company’s policies for shipping, exchanges, returns and order cancellations. They should also explain the process for resolving a dispute. List your jurisdiction and liability limitations in the terms and conditions as well.

Handling the legal side of your business

Making sales through your e-commerce store can help you reach a larger audience and generate more revenue. However, when venturing into the digital world, there are fundamental laws and regulations you’ll need to follow to avoid costly penalties. Taking some time to get familiar with these regulations can help you run a safe, successful online business.

Shanya Waltower contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.