About

Legal Guides for Ecommerce

Legal Guides for Ecommerce

On this page

Creating Your Own Store vs Using a Third Party Platform

A properly functioning ecommerce store seamlessly integrates the front end and back end of your retail website. It not only enables customers to buy your products, but it also makes it more likely that they'll do so. An ecommerce store should fulfill your customers' purchases in a quick and secure way.

A poorly functioning ecommerce store will not only make you lose sales, but could land your business in serious legal trouble. Data breaches happen, and they can have disastrous consequences for any company.

Ecommerce is no longer the domain for those with advanced web development expertise or access to an in-house IT department. You can now outsource the software development and payment handling aspects of your store to an out-of-the-box third-party ecommerce platform. This allows anyone to create an ecommerce store in literally minutes.

But doing this doesn't relinquish you from guarding against potential legal issues.

Creating Your Own Ecommerce Store

An ecommerce store has several elements. For example, there's the shopping cart software - the user interface that allows your customers to choose products. There's the payments gateway, which allows your customers to pay for those products. The payments gateway links the front-end of your website with a payment processing bank.

Creating a payments gateway from scratch would be a huge undertaking. Some of the implications include:

  • Setting up a merchant account with a major bank and letting them know your intentions to become a payment processor
  • Becoming certified with the bank's card acquirer (e.g. Worldpay)
  • Becoming Payment Card Industry Data Security Standard (PCI DSS)-compliant. This involves an annual certification process

Taking on a project like this and dealing with the associated legal ramifications goes beyond the scope of this book.

PayPal logo - small Logo of the Stripe

However, you could consider developing your own shopping cart software, then using a third-party payment gateway like PayPal or Stripe to take your customers' payments. This is an option for those who want to have a more customized online store and maintain more control over it. But it does take a lot of work.

You'll need to have knowledge of web development to create your own online store, including:

  • Client and server-side coding techniques and languages
  • Database access
  • Domains, DNS, HTTP requests and responses

Advantages of Creating Your Own Ecommerce Store

The advantages of building your own software very much depend on the context in which you're running your business.

  • You can create something truly tailored to your brand.
  • You maintain control over your software indefinitely.
  • You are free to experiment with the framework (within limits), and you might have greater opportunities to run conversion rate optimization.

Disadvantages of Creating Your Own Ecommerce Store

Taking this level of control over your operations is not an unequivocally good thing.

  • Development and maintenance will be resource-heavy.
  • It will take real skill to build software that looks good and functions well.
  • Each extra feature (e.g. abandoned cart recovery) will require a whole new round of development.

The more control you have over your ecommerce website, the more work you'll have to do to keep your customers' information safe.

Creating shopping cart software may not by itself require you to become PCI-compliant. But it does require you to take steps to keep your customers' data safe.

Flag of EU

The EU has very strict data protection laws. Although your business might not be operating in the EU, it's worth considering a principle from EU privacy law here. Article 25 of the GDPR speaks of "data protection by design and default." Under Recital 78, developers are required to implement technical measures like pseudonymization and data minimization when creating software.

When it comes to collecting your customers' personal information, the following principles should apply throughout your development process:

  • Only collect the personal information from your customers that you absolutely need.
  • Ensure that your customers' personal information is deleted at the earliest opportunity.
  • You'll normally need to ensure that your customers' personal information doesn't appear in your log files. This might happen if you're collecting log data from payment forms, for example.

You also need to consider how you might guard against, respond to, and recover from data breaches.

  • Consider how your website can continue to function throughout denial of service (DNS) attacks.
  • Maintain effective security measures such as encryption, firewalls, and virus protection.
  • Make sure you have a system in place that allows you to inform your customers and any relevant data protection authorities if a breach occurs.

As privacy and data protection laws continue to become stricter and more comprehensive, providing a secure website that keeps your customers' data safe is increasingly a matter of law.

Using a Third-Party Platform

Businesses now have scores of different ecommerce platforms to choose from. The software is written and administered by someone else, and you simply have to follow their instructions and agree to their terms to use it on your website.

These platforms vary in what extra features they'll provide, and in what they require you to do to comply with their terms.

It's important to remember that outsourcing some of the groundwork around taking payments and maintaining your store doesn't mean outsourcing all of your legal obligations. There are actually some legal implications in using a third-party platform that aren't relevant if you're doing everything yourself. Overall, however, this option is a lot simpler.

Advantages of Using a Third-Party Platform

There are obvious benefits to choosing to integrate a third-party ecommerce platform into your website rather than developing one from scratch:

  • You don't need to spend time, effort and resources developing the platform.
  • You can choose the extra features you want without having to develop them individually.
  • You have a support team available that's trained in delivering advice on how to make the most out of the platform.

Disadvantages of Using a Third-Party Platform

There are potentially some downsides to using a third-party ecommerce platform. These are mostly relevant only in the long term.

  • You could have serious problems if the platform provider ever goes out of business.
  • You will have to accept the platform provider's terms. Only very large merchants will have much hope of negotiating on prices or contractual clauses.
  • You're trusting a third party company with your customers' personal data.

Even with that having been said, there are positives to these negatives.

Yes, you're handing over some control over one aspect of your business to a third party. But keeping control over this part of your business would divert resources away from actually selling your products and services.

You're trusting a third party company with your customers' personal data. You need to check that they've done the work required to keep it safe. And you need to keep your customers informed each step of the way. But it's very likely that a third-party company whose business is payment-processing will do a better job of keeping it secure than you could.

We've all been guilty of agreeing to Terms and Conditions that we haven't read. But when it comes to choosing an ecommerce platform, it's not enough to quickly scroll to the bottom and click "I Agree." You're obliged, both legally and on principle, to ensure that you know what you're agreeing to.

You must ensure that any third party platform you choose is PCI DSS-compliant. If you're asked to provide proof that your ecommerce store is compliant, you'll need to produce an Attestation of PCI DSS Compliance.

Here's an example:

PCI DSS Attestation of Compliance for Onsite Assessments - Service Providers: BigCommerce Section 1: Assessment Information

You'll need to consider whether the platform of your choice is compliant with the privacy laws of your customers' home countries. If you're trading in the EU, for example, is the platform compatible with the EU's main privacy law, the GDPR?

Case Study

A US-based ecommerce business, Solomon's Shoes, hopes to sell shoes to customers in the EU. Under Article 3 of the GDPR, any business that offers goods or services in the EU is bound by EU privacy law, whether it has any physical presence in the EU or not.

Solomon's Shoes has a website. It asks customers to submit their names, credit card details, billing and shipping addresses, email addresses to this website. Solomon's Shoes asks its customers for this information so it can sell them shoes.

Solomon's Shoes is, therefore, deciding how and why its customers should provide it with their personal information. In legal terms, Solomon's Shoes qualifies as a "data controller" under Article 4 of the GDPR.

Solomon's Shoes plans to use Shopify as its ecommerce platform. Shopify will carry out certain activities for Solomon's Shoes in order to help it serve its customers. Because Shopify is handling personal information on behalf of Solomon's Shoes, Shopify qualifies as a "data processor" under Article 4 of the GDPR.

Article 28 of the GDPR requires data controllers, such as Solomon's Shoes, to ensure that any data processors it employs, such as Shopify, comply with the GDPR. This is a legal requirement on Solomon's Shoes. It's not good enough for a data controller to say that it didn't know that a data processor wasn't legally compliant.

Happily, Shopify has taken the necessary steps to comply with the GDPR and has added a Data Processing Addendum to make its duties under EU law clear.

Which Option is Best?

It's clear that using a third party platform to provide a payment gateway and shopping cart for your ecommerce website will save you a lot of work. But there's no getting away from your legal obligations.

You need to carefully check that any platform you use is legally compliant before you ask your customers to submit their personal information to it. This is true even if you're just using a payments gateway like PayPal, or an out-of-the-box ecommerce platform like Shopify. This will require some knowledge of the privacy laws and payment protection regulations of the jurisdictions in which your website operates.

You'll need to inform your customers that you'll be sharing their personal information with third parties when they make a purchase from you. You can do this in your Privacy Policy. You may also need to make reference to the privacy implications of some of the platform's functions.

We'll look at this in more detail in the next chapter.

Previous

Chapter 1: What this Book Covers

Next

Chapter 3: Privacy Policy and Ecommerce Businesses