Ecommerce Compliance for Small Businesses
Disclaimer: This guide is for general informational purposes only and does not constitute legal, tax, or financial advice. Requirements vary by state, industry, and business structure. Consult a qualified professional for advice specific to your situation.
What Online Businesses Are Required to Have
Running an online store or selling products and services through a website comes with a set of legal obligations that many small business owners overlook until something goes wrong. Ecommerce compliance for small businesses covers privacy policies, terms of service, accessibility requirements, and disclosure rules. None of these are optional, and together they protect both your customers and your business.
This guide walks through the key compliance areas every online business needs to address.
Privacy Policies
A privacy policy is a legal document that tells your website visitors what data you collect, how you use it, how you store it, and whether you share it with third parties. Almost every online business is legally required to have one.
When a Privacy Policy Is Required
Federal law requires a privacy policy if you collect personal information from children under 13 (COPPA). Beyond that, several state laws trigger the requirement. California’s CCPA requires a privacy policy for businesses that collect personal data from California residents and meet certain thresholds. Virginia, Colorado, Connecticut, and several other states have similar laws. Even if your state does not have a specific privacy law yet, most payment processors, app stores, and advertising platforms (including Google Ads and Meta) require a privacy policy as a condition of using their services.
In practice, if your website collects any personal information at all, including names, email addresses, payment information, or even just IP addresses through analytics, you need a privacy policy.
What a Privacy Policy Must Cover
- What personal data you collect and how you collect it
- Why you collect it and how you use it
- Whether you share it with third parties and who those parties are
- How long you retain data
- How users can request access to, correction of, or deletion of their data
- How you protect the data you collect
- Your contact information for privacy-related inquiries
Your privacy policy must be easy to find. Link it in your website footer, at checkout, and anywhere you collect personal information such as contact forms and email signup boxes.
If you use Google Analytics, Facebook Pixel, or any other third-party tracking tool on your website, your privacy policy must disclose this. These tools collect visitor data on your behalf and must be mentioned explicitly.
Terms of Service
A terms of service agreement (also called terms and conditions or terms of use) is a contract between your business and your customers that governs how they may use your website and purchase your products or services. Unlike a privacy policy, terms of service are not universally required by law. However, they are strongly recommended for any ecommerce business because they establish the rules of the relationship and limit your liability.
What Terms of Service Should Cover
- Acceptable use. What customers may and may not do on your site or with your products.
- Purchase terms. Pricing, payment, order confirmation, and what constitutes a completed sale.
- Refund and return policy. Your specific policy stated clearly. Vague refund policies generate chargebacks.
- Shipping and delivery. Estimated timelines, risk of loss during shipping, and what happens if an order is lost.
- Intellectual property. That your content, images, and branding are owned by your business and may not be reproduced without permission.
- Limitation of liability. Caps on your liability for indirect or consequential damages.
- Governing law. Which state’s laws govern any disputes.
- Dispute resolution. Whether disputes go to arbitration or court.
For your terms to be legally binding, customers must affirmatively agree to them. A checkbox at checkout that says “I agree to the Terms of Service” with a link to the full document is the standard approach. Simply posting your terms on the website without requiring agreement is generally not sufficient to make them enforceable.
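The checkbox only helps if the server actually enforces it and keeps a record of the acceptance. The following is an added example, not code from this guide or any platform it mentions; it assumes the terms are versioned (a convention of this example) so that a customer who agreed to an older version is asked again.

```javascript
// Added example (not from the guide): server-side check that a checkout really carried an
// affirmative acceptance of the terms, plus the record to keep as evidence of it.
// Versioning the terms is an assumption of this example, not something the guide states.
const CURRENT_TERMS = { version: '2024-01', url: 'https://example.com/terms' }; // constructed values

// Accept only an explicit checkbox value. A missing field, an arbitrary string, or a
// client that skipped the form entirely must not count as agreement.
function checkboxTicked(value) {
  return value === true || value === 'on' || value === 'true';
}

// Returns { ok: true, record } when the order may proceed, else { ok: false, reason }.
function validateTermsAcceptance(submission, terms = CURRENT_TERMS, now = new Date()) {
  if (!checkboxTicked(submission.termsAccepted)) {
    return { ok: false, reason: 'terms checkbox not ticked' };
  }
  // The version the customer saw must be the version in force; otherwise re-present the terms.
  if (submission.termsVersion !== terms.version) {
    return { ok: false, reason: `terms version ${submission.termsVersion} is not current` };
  }
  // Retain this alongside the order: it is the evidence that agreement was affirmative.
  return {
    ok: true,
    record: {
      orderId: submission.orderId,
      termsVersion: terms.version,
      termsUrl: terms.url,
      acceptedAt: now.toISOString(),
    },
  };
}
```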
ADA Website Accessibility
The Americans with Disabilities Act (ADA) requires businesses to provide equal access to people with disabilities. Courts and the Department of Justice have consistently applied this requirement to websites, meaning your online store must be reasonably accessible to people who use screen readers, keyboard navigation, and other assistive technologies.
Why This Matters
ADA website accessibility lawsuits against small businesses have increased significantly in recent years. Plaintiffs’ attorneys file these cases in volume, and the cost of defending one far exceeds the cost of making your site accessible in the first place. Retail, hospitality, and food service businesses are the most frequently targeted.
What Accessibility Requires
The Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA is the standard most courts and regulators reference. Key requirements include:
- All images have descriptive alt text
- Videos have captions
- The site is fully navigable by keyboard without a mouse
- Text has sufficient color contrast against its background
- Forms have clearly labeled fields
- Error messages are descriptive and helpful
- The site works with screen reader software
Tools like the WAVE Web Accessibility Evaluation Tool (wave.webaim.org) and Google’s Lighthouse auditor can scan your site for free and identify specific issues to fix. Many website platforms including Squarespace, Wix, and Shopify have built-in accessibility features, but they do not guarantee full compliance on their own.
Overlay tools that claim to make your site ADA compliant with a single script are widely criticized by accessibility experts and have not reliably protected businesses from lawsuits. Genuine accessibility requires fixing the underlying issues in your site’s code and content.
FTC Disclosure Requirements
The Federal Trade Commission (FTC) requires clear disclosure whenever there is a material connection between someone endorsing a product and the brand behind it. This applies to paid partnerships, affiliate relationships, sponsored content, free products given in exchange for reviews, and any other arrangement where compensation influences what someone says about your business.
What Requires Disclosure
- Affiliate links on your website or in your content (you earn a commission when someone clicks and buys)
- Sponsored blog posts or social media content you pay for
- Products or services you give to influencers or reviewers in exchange for coverage
- Reviews written by employees, friends, or family without disclosure
- Endorsements from anyone with a financial relationship to your business
How to Disclose Correctly
Disclosures must be clear, conspicuous, and placed where people will see them before engaging with the content. Burying a disclosure at the bottom of a long page or hiding it in a sea of hashtags does not satisfy the FTC’s requirements. Acceptable disclosure language includes “Ad,” “Sponsored,” “Paid partnership with [brand],” or “I received this product for free in exchange for my honest review.”
If you run an affiliate program or pay influencers to promote your products, you are responsible for ensuring they disclose properly. The FTC can hold brands accountable for the disclosures of the influencers they work with.
CAN-SPAM and Email Marketing
The CAN-SPAM Act governs commercial email marketing in the United States. If you send promotional emails to customers or leads, you must follow these rules:
- Do not use deceptive subject lines or sender information
- Identify the message clearly as an advertisement
- Include your physical mailing address in every email
- Provide a clear and easy way to unsubscribe
- Honor unsubscribe requests within 10 business days
Email marketing platforms like Mailchimp, Klaviyo, and ConvertKit build most of these requirements into their templates automatically. Still, review your emails to make sure your subject lines are accurate and your unsubscribe link is clearly visible.
Cookie Consent
If your website serves visitors from the European Union, California, or several other jurisdictions with cookie laws, you may need to obtain consent before placing non-essential cookies (tracking, advertising, and analytics cookies) on visitors’ devices. A cookie consent banner that allows visitors to accept or decline cookie categories is the standard implementation.
For businesses that operate exclusively within the United States and do not actively target EU visitors, cookie consent requirements are less stringent. However, California’s CCPA gives residents the right to opt out of the sale of their personal data, which can include certain types of tracking. A “Do Not Sell My Personal Information” link in your footer is required if your business meets CCPA thresholds.
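A consent banner is only meaningful if the tracking scripts it governs stay inert until the visitor grants their category. The example below is added here and is not code from this guide or from any consent product; the policy version number, the two optional categories and the stored cookie format are constructed for the example.

```javascript
// Added example (not from the guide): consent-gated loading of non-essential scripts.
// Decision logic is kept separate from the DOM so it can be tested without a browser.
const POLICY_VERSION = 3; // constructed; bump when categories or vendors change so consent is re-asked

// Categories a visitor may decline; 'necessary' is always allowed and never asked about.
const OPTIONAL = ['analytics', 'advertising'];

// Parse a stored consent value such as "v=3;analytics=1;advertising=0".
// Returns null when absent, malformed, or recorded under an older policy version.
function parseConsent(raw) {
  if (!raw) return null;
  const fields = Object.fromEntries(raw.split(';').map((p) => p.split('=')));
  if (Number(fields.v) !== POLICY_VERSION) return null;
  const granted = {};
  for (const c of OPTIONAL) {
    if (fields[c] !== '0' && fields[c] !== '1') return null;
    granted[c] = fields[c] === '1';
  }
  return granted;
}

// Serialize the visitor's choices. Anything not explicitly true is stored as declined,
// so a banner dismissed without a choice grants nothing.
function serializeConsent(choices) {
  const parts = [`v=${POLICY_VERSION}`];
  for (const c of OPTIONAL) parts.push(`${c}=${choices[c] === true ? 1 : 0}`);
  return parts.join(';');
}

// Decide which scripts may run; each script carries the category it belongs to.
function allowedScripts(scripts, consent) {
  return scripts.filter((s) =>
    s.category === 'necessary' || (consent !== null && consent[s.category] === true));
}

// Browser side: tags ship inert as <script type="text/plain" data-category="analytics">
// and are only turned into real script elements once their category is granted.
function activateScripts(doc, consent) {
  const pending = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const ok = allowedScripts(pending.map((el) => ({ category: el.dataset.category, el })), consent);
  for (const { el } of ok) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return ok.length;
}
```

In the browser, call `activateScripts(document, parseConsent(storedValue))` on page load and again after the banner writes a new value with `serializeConsent`.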
Common Ecommerce Compliance Mistakes
- Copying another company’s privacy policy. Privacy policies must reflect your actual data practices. Copying one that does not match what you actually collect and do creates legal exposure rather than protection.
- Not updating your privacy policy when your practices change. Adding a new analytics tool, third-party integration, or email platform requires updating your policy to reflect the new data flows.
- Assuming your website platform handles all compliance automatically. Shopify, WordPress, and similar platforms provide tools, but compliance is ultimately your responsibility.
- Posting terms of service without requiring agreement. Terms must be actively accepted to be enforceable. Use a checkbox at checkout and during account creation.
- Ignoring accessibility until you receive a demand letter. Fixing accessibility issues proactively costs far less than responding to litigation.
Where to Go Next
The Federal Law section covers FTC disclosure requirements, CAN-SPAM, COPPA, and ADA obligations in detail. For multi-state sales tax compliance, see the Taxes 101 guide, which covers economic nexus and when online sellers must collect sales tax across state lines. If you process card payments on your site, the Accepting Payments guide covers PCI compliance requirements that apply alongside these other obligations.