5 Essential Agreements Every E-Commerce Site Should Have


Founders of e-commerce businesses can often be so wrapped up in getting to market and scaling as quickly as possible that they overlook legal protection for their business. Operating any business, let alone one providing goods or services over the Internet, without important legal safeguards in place is like trying to cross the 101 Freeway every day wearing a blindfold. Could you get away with it? For a while, perhaps. Sooner or later, however, the odds will catch up, with potentially catastrophic results.

In this post, we’ll cover the five essential legal agreements which every e-commerce site should have. Understand that this list is merely intended to describe the most basic documents that your e-commerce site should have in place. It is not meant to be exhaustive. There are other, no less important agreements separate from your website that you will also want to consider with your employees, contractors, and strategic partners at some point.

1. Terms and Conditions

Ah, those long, dense agreements that nobody reads, right? Maybe, but your basic Terms and Conditions (sometimes referred to as the “Terms of Service” or “Terms of Use”) should actually be the first legal document uploaded to your site when starting an e-commerce business. Some payment gateways and credit card processing companies even require you to have T&Cs in place before agreeing to handle a site’s transactions.

Whether your venture is more website-based or app-based, I cannot stress the importance of this key legal agreement enough. Tremendous care should be taken to make sure that your T&Cs are drafted properly and tailored to your business model and its user base.

In addition to describing to visitors and users what your website/app is about, well-drawn T&Cs can specify how the site can and cannot be used, identify and protect your ideas and any intellectual property, and establish who owns the rights to published content (including content uploaded by users).

T&Cs can also establish a user code of conduct, including what specific behavior is prohibited, and set forth your company’s right to suspend or terminate user accounts for violating the terms. Good T&Cs will also specify which state’s law governs the T&Cs and in which jurisdiction any disputes will be heard (and resolved).

On that score, I’ve prepared a number of T&Cs that address the procedures to be followed by both the user and the site itself in case of a dispute, in addition to specific provisions limiting the types of claims that can be brought and capping the site’s liability for certain damages (see Warranty Policy below).

2. Privacy Policy

As with the Terms and Conditions above, a privacy policy is an agreement between a website/app operator and its users. As I previously wrote about here, the European Union’s General Data Protection Regulation (GDPR) has been in effect for over a year now and, although nothing similar has yet been adopted at the federal level in the United States, a number of states are considering online privacy laws to protect their own citizens, and many companies are wisely getting ahead of this trend and being proactive.

Until a national-level GDPR-like law is passed, the Federal Trade Commission is on the beat. Sort of. In this section, we take a look at the patchwork of U.S. laws and regimes involving general (as opposed to medical or financial) online privacy that the FTC has as part of its enforcement toolbox.

Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce”. Using this very broad language, the FTC can issue an administrative complaint against a company when it has reason to believe that the law is being violated and that a proceeding is “in the public interest”.

Recent FTC complaints have named businesses which, while they had adopted stated privacy policies for their customers, failed to follow them (e.g., Venmo) or even acted contrary to them. You should try to avoid having your e-commerce site named in an FTC complaint by making sure that your privacy policy is clear and well laid out and that your company is actually sticking to it. As these well-known companies found out, a consent order from the FTC can result in fines of tens of thousands of dollars for each violation of that order, in addition to other restrictions imposed on your business.

Next, customer-facing sites must also be sure their activities do not violate the Children’s Online Privacy Protection Act (“COPPA”). COPPA was intended to protect the safety and privacy of children online by making illegal the unauthorized or unnecessary collection of children’s personal information online by Internet sites and services. Bottom line: If your e-commerce business is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13.

As explained in a particularly hilarious scene in HBO’s Silicon Valley, e-commerce site and online-service operators that fall under COPPA must meet very specific requirements prior to collecting online, using, or disclosing personal information from children, including having certain statements in their privacy policy that clearly address what information the operator collects from children, how it uses such information, its disclosure practices for such information, and other specific disclosures required by the COPPA Rule. As video social networking app TikTok recently found out, this includes obtaining verifiable parental consent prior to such collection, use, or disclosure of children’s personal information.

Finally on the general privacy front, if your e-commerce company has started its application to participate in initiatives like EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield (which replaced the U.S.-EU and U.S.-Swiss “Safe Harbor” regimes, respectively), or APEC’s CBPR system, avoid claiming participation in such a program unless and until your application has actually been approved.

The FTC has dropped the hammer on several companies whose use of the Privacy Shield logo and descriptors on their site was found to be deceptive to consumers, particularly since these companies had yet to receive certification from the Department of Commerce! It is important to remember that Privacy Shield participation requires ongoing compliance and annual re-certification. Letting your e-commerce site or app’s certification lapse means that a claim of participation in Privacy Shield is now untrue.

3. Cookie Policy

“Cookies”, small pieces of data that a website (or a third party whose content that site embeds) stores in a user’s browser and that the browser sends back on later requests, are commonly used by e-commerce sites to do such things as identify and count visitors, retain user login details and preferences, and help users shop and make use of e-billing services.

Third-party tracking for the purpose of advertising and affiliate sales is one of the primary uses of HTTP cookies. The problem is, if your e-commerce site or mobile app is using cookies for this purpose, the FTC has said that you must let your site visitors know what you’re doing. The Commission has taken the position that a failure to provide truthful information about your tracking practices could violate the FTC Act.

A well-crafted cookie policy provides meaningful information to consumers about cross-device tracking in order to help them decide whether to use existing “opt-out” tools, silo their activities, or stop using your site, app, or service altogether. If a visitor or user does opt out, the FTC requires that your site or app honor that choice. If your company partners with a cross-device tracking firm, you should also make sure that the vendor’s disclosures are truthful, so that you in turn can make accurate disclosures to your users.

Lastly, as of May 2011, websites in the EU are required to ask for permission before placing cookies on a user’s device, and users can choose whether or not to give it. If your e-commerce business is in the EU or targets (or has even a chance of reaching) users in the EU, you should be aware of the EU Cookie Law and get appropriate permission from your users before using cookies.

Complying with the EU Cookie Law isn’t all that difficult but will require some amount of diligence on your business’ part in drafting its cookie policy. You want to make sure that your policy gives users the opportunity to consent to non-essential cookies before they are set; cookies strictly necessary to deliver the service the user asked for (a shopping cart or login session, for example) are the exception. If your e-commerce business allows paid advertisements or the placement of affiliate ads, disclose that information up front on your website in a very clear and obvious way. Also, if your business’ site or app tracks user activity or collects any user data, explain in your policy what data you gather and how it is used.
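How “ask before you place the cookie” translates into code, as an added example that is not part of the original post: a small Node.js helper that keeps a catalogue of every cookie the site sets, tagged with the consent category it needs, and refuses to emit a Set-Cookie header for a non-essential cookie until the visitor’s stored consent covers that category. The cookie names, the category labels and the `cookie_consent` record format are assumptions made for illustration; the request below is constructed.

```javascript
// Added example (not from the original post). Consent-gated cookie issuance for a
// Node.js server. Cookie names, category labels and the consent-record format are
// assumptions for illustration.

// Catalogue of every cookie the site may set, with the consent category it needs.
// "necessary" cookies (session, CSRF token) are exempt from consent; anything else is
// only set once the visitor has opted in to that category. Max-Age is in seconds.
const COOKIE_CATALOGUE = {
  sid:        { category: 'necessary',   maxAge: 60 * 60 * 8,        httpOnly: true },
  csrf_token: { category: 'necessary',   maxAge: 60 * 60 * 8,        httpOnly: false },
  _ga_demo:   { category: 'analytics',   maxAge: 60 * 60 * 24 * 365, httpOnly: false },
  aff_ref:    { category: 'advertising', maxAge: 60 * 60 * 24 * 30,  httpOnly: false },
};

const OPTIONAL_CATEGORIES = new Set(['analytics', 'advertising']);

// Read the visitor's stored consent from the incoming Cookie header. The record is
// itself a "necessary" cookie (it exists only to honour the choice), e.g.
//   cookie_consent=analytics%2Cadvertising
// Unknown or absent values grant nothing: the default is "no consent".
function parseConsent(cookieHeader) {
  const granted = new Set();
  if (!cookieHeader) return granted;
  for (const part of cookieHeader.split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    if (rawName !== 'cookie_consent') continue;
    const value = decodeURIComponent(rest.join('='));
    for (const cat of value.split(',')) {
      if (OPTIONAL_CATEGORIES.has(cat)) granted.add(cat);
    }
  }
  return granted;
}

function isAllowed(category, granted) {
  return category === 'necessary' || granted.has(category);
}

// Build the Set-Cookie headers for the cookies a handler wants to set, dropping any
// whose category the visitor has not consented to. Every cookie gets Secure and
// SameSite=Lax; cookies scripts have no business reading also get HttpOnly.
// A cookie missing from the catalogue is a programming error, not a silent default.
function buildSetCookieHeaders(wanted, cookieHeader) {
  const granted = parseConsent(cookieHeader);
  const headers = [];
  const dropped = [];
  for (const [name, value] of Object.entries(wanted)) {
    const spec = COOKIE_CATALOGUE[name];
    if (!spec) throw new Error(`cookie "${name}" is not in the catalogue; give it a category first`);
    if (!isAllowed(spec.category, granted)) { dropped.push(name); continue; }
    const attrs = [
      `${name}=${encodeURIComponent(value)}`,
      `Max-Age=${spec.maxAge}`, 'Path=/', 'Secure', 'SameSite=Lax',
    ];
    if (spec.httpOnly) attrs.push('HttpOnly');
    headers.push(attrs.join('; '));
  }
  return { headers, dropped };
}

// Set-Cookie header recording the visitor's choice from the consent banner.
// Only the optional categories are recorded; "necessary" is not something to opt in to.
function consentCookie(categories) {
  const chosen = categories.filter((c) => OPTIONAL_CATEGORIES.has(c));
  return `cookie_consent=${encodeURIComponent(chosen.join(','))}; ` +
    `Max-Age=${60 * 60 * 24 * 180}; Path=/; Secure; SameSite=Lax`;
}

// Demo on a constructed request: first visit (no consent), then after opting in to analytics.
function demo() {
  const wanted = { sid: 'abc123', _ga_demo: 'GA1.2.555', aff_ref: 'partner-42' };
  const firstVisit = buildSetCookieHeaders(wanted, undefined);
  const afterOptIn = buildSetCookieHeaders(wanted, 'sid=abc123; cookie_consent=analytics');
  return { firstVisit, afterOptIn };
}

console.log(JSON.stringify(demo(), null, 2));
```

Because every cookie must be declared in the catalogue with a category before the server will set it, the “what data we gather” section of the cookie policy can be generated from the same table the code enforces, rather than drifting away from it as developers add cookies. Strictly necessary cookies go out on the first response regardless, which is what keeps a cart or login working before the visitor has answered the banner.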

4. Return Policy

Just because you’re not selling out of a traditional “brick and mortar” store doesn’t mean you can ignore the return policy. Whether your site sells (or re-sells) widgets or services, a clear and well thought-out return policy can be critical to your customers’ happiness and, consequently, your business’ reputation and brand.

A good return policy should cover such things as: how many days the customer has to return the purchase, whether the customer will get a refund (or a credit or replacement), who pays for the shipping or return of the product, how and by when the product must be returned, as well as the refund policy for digital products or in-app purchases, among other information.

In addition to creating legally enforceable terms between you and the customer, a well drafted (and especially fair) return policy has the power to turn a new client into a long-term customer. While the tendency may be to ignore the return policy, or leave it up to your Customer Support team to improvise when the time comes, take some free advice and don’t. Doing so could be very costly to you and your e-commerce business.

5. Warranty Policy

A warranty is like insurance for your customers: it gives them certain guarantees (which you establish) about the performance of your products or services.

Depending on your business and customer base, the warranty policy can be either a part of the terms of service, or can be a standalone agreement (I’ve done it both ways).

There are several business-related and competitive reasons why your e-commerce company would want to have a warranty policy. It might be customary in your industry to do so, your competitors may offer similar warranties, or your product or service may be so novel and unproven that you want to help reduce the perceived risk for the customer. 

From our standpoint as a business and technology law firm, however, the warranty policy offers the cleanest and most practical way of adjusting or shifting risk from your business to the customer.

What do I mean? A carefully crafted warranty policy can address such issues as the product’s intended use, prohibited uses, maintenance and care requirements, shelf-life information, how long the warranty will run, and what it will and will not cover. Perhaps more importantly (to us lawyers anyway!), an express warranty can also help to reduce or place a limit on your liability should the product fail, thereby reducing your and your e-commerce business’ risk exposure.

Ben Bhandhusavee is the Managing Attorney for BHANDLAW, PLLC, a Phoenix business and technology law firm working with start-up companies, creative intellectual property, Internet and digital media matters, and complex corporate M&A and technology transactions. Ben can be reached at (602) 222-5542 or by e-mail at bbhand@bhandlaw.com