E-commerce platforms and online marketplaces make it easy to sell online, but e-commerce involves more than uploading photos of your products and accepting payments. There are laws and regulations you must follow, and violating them could expose you and your online business to serious legal and financial consequences. Here's more information you need to know and why.
6 Online Business Laws You Should Know
There are many online business laws that every e-commerce business owner should be aware of, but here are the six most important ones.
1. Collection of consumption tax
Death and taxes are two certainties in life, and for online merchants, taxes can get extremely complicated when it comes to sales tax.
“The first thing to think about is sales tax,” says Lisa Lewis, CPA and editor of the TurboTax blog. “Previously, sales tax was collected wherever a business was located. Now, states have the right to impose sales tax whether or not a business is located in their state.” States also get to set the rules for what and when to tax.
To avoid costly mistakes, Lewis said business owners should consider state sales taxes on a state-by-state basis: Some states don't charge sales tax unless a store makes a certain amount of sales, while others require sales tax even on small, one-time sales.
“It's very cumbersome, and we hope the government will simplify this and switch to a flat tax system across all 50 states,” said Mike Nunez, founder of Tilde Enterprises. “You have state tax, city tax, and maybe even county tax. So you've got three levels of tax that you have to figure out.”
The good news is that with highly rated tax software, the best POS systems, and top-rated e-commerce platforms, you don't have to rely on guesswork when calculating sales tax. It's crucial for online merchants to take advantage of these programs, because ignorance is not a defense. When the Supreme Court ruled in a related case in 2018, former Justice Anthony Kennedy noted that software exists to help small businesses get past the hurdles of collecting sales tax.
2. Privacy and Data Security
Protecting your customers' personal information and taking your business's cybersecurity seriously are paramount. It only takes one data breach or hack to devastate a small business. According to Verizon's Data Breach Investigations Report, 715 data breaches occurred at small businesses in 2021.
E-commerce companies request and hold a lot of sensitive customer data, such as credit card numbers, personal contact information, bank account numbers, and social security numbers, and they must protect the privacy and security of that data. The United States does not have a federal privacy regulation like Europe's General Data Protection Regulation (GDPR), but some states, such as California, Maine, and Nevada, have enacted their own laws.
In 2020, California passed a privacy law requiring companies to disclose what information they are collecting. Consumers can choose to limit data sharing or opt out entirely. California's law applies to companies that collect data from at least 100,000 consumers and also applies to companies with more than $25 million in annual revenue or that derive more than 50% of their revenue from selling consumers' personal information. The law will go into full effect on January 1, 2023.
Virginia also passed a data protection law that applies to businesses that process data on more than 100,000 consumers. Again, this affects companies that derive more than half of their revenue from selling consumer data. The law allows customers to correct or delete their data, or opt out of data collection entirely. This law also goes into effect on January 1, 2023. Utah and Colorado have also recently passed laws with the same or similar standards.
When it comes to data security, it's important to follow best practices. One way to do this is to follow the Federal Trade Commission's “Privacy by Design” recommendations, which include:
- Privacy and security must be built into products and services from the beginning.
- Companies should only collect data that is necessary for business purposes and destroy it once the transaction is complete.
- E-commerce sites must have adequate security measures in place to protect consumer data.
- Data management personnel, procedures, and controls must be in place to protect customer privacy.
3. GDPR
The aforementioned GDPR is a law that applies to all companies that collect data from consumers based in the European Union. Under GDPR, companies must get explicit permission from consumers before using the data. Companies must be transparent about data collection and follow certain security standards for data storage. As you browse the web, you'll notice that many websites have popups about GDPR compliance. If you do business in the EU, you may need to have a popup on your site as well.
4. Marketing Infringement
The Internet provides ample opportunities for businesses to sell their products online, but they must follow certain rules. Online sellers, regardless of size, are subject to federal regulations when selling products on the Internet. For example, businesses cannot make false claims about products or services and must disclose any paid endorsements.
Email marketing is a popular way to reach potential and existing customers. Business owners (and their employees) need to ensure that their email campaigns comply with the CAN-SPAM Act. Passed in 2009 by the Federal Trade Commission, this law states that business owners can be fined up to $46,517 per email violation. Under the CAN-SPAM Act, online merchants can be fined for the following reasons:
- The email contains a misleading subject line.
- The email contains false or misleading headers.
- The email does not state that the message is an advertisement.
- The company does not reveal its location to email recipients.
- The email does not provide recipients with instructions on how to unsubscribe from receiving future emails.
- The company does not honor opt-out requests within 10 business days.
- The company does not monitor the actions of the email marketing services it hires (according to the FTC, “both the companies advertising their products in the messages and the companies that actually send the messages may be subject to legal liability”).
In addition, e-commerce businesses must not infringe trademarks or patents. “For small business owners, it is a great opportunity to search for and download product images,” [their] “Websites are protected by copyright and trademark, but if it's already protected by copyright or trademark, that's a violation of the law,” Nunez said. “If you use the likeness of a celebrity on your website, you're violating the law.” [and] “You can't use someone else's trademark or copyright. You have to be really careful to avoid that.”
Nunez added that if your company sells products aimed at children, you need to be careful not to violate the Children's Online Privacy Protection Act.
“You can't advertise to children.” [and] “You shouldn't try to get kids to buy things. You have to be careful when targeting kids,” Nunez said.
5. PCI Compliance
Introduced in the early 2000s by credit card issuers such as Visa, MasterCard, Discover, and American Express, the Payment Card Industry Data Security Standard (PCI DSS) is intended to protect consumer payment data. Online merchants that accept credit card payments must comply with PCI DSS when storing, processing, or transmitting credit card data. Penalties for non-compliance include heavy fines and even termination of your merchant account. Fortunately, the best credit card processors usually have PCI measures built into their services.
6. Terms of Use
Your online store needs some legally enforceable ground rules for your e-commerce site. This is where terms of use come in. Terms of use explain your policies regarding aspects of your business like returns and shipping, and can reduce your legal liability if a disagreement arises with a customer. Your terms of use should include your company's policies regarding pricing and payment terms, delivery, exchanges, returns, and order cancellations. They should also explain the process for resolving disputes. Your terms of use should also include jurisdiction and limitations of liability.