eCommerce Compliance: 5 Key Requirements and How to Comply
Learn about the 5 key compliance requirements most eCommerce businesses must know, and understand the PACT act regulating e-sales of nicotine products.
October 30, 2023

What is eCommerce Compliance?

Millions of online shoppers around the world share their private data with eCommerce websites in return for a customized and streamlined consumer experience. It is up to the merchants to guard that information and make sure it is not misused.

Unfortunately, high-profile data breaches are a common occurrence, and consumers are demanding tighter protection of personal data. Increasingly strict regulations control the collection, storage, and use of personal data. To succeed, software and SaaS companies must constantly update their best practices to protect their customers and stay compliant with regulatory and industry standards.

In this article, you will learn:

  • Which 5 compliance requirements apply to most eCommerce businesses
  • What the Prevent All Cigarette Trafficking (PACT) Act requires of retailers

Which 5 Compliance Requirements are Applicable to Most eCommerce Businesses?

1. Privacy Policy

Consumers have the right to know what dealers do with the information they gather. Consequently, the law requires eCommerce providers to disclose their privacy policies and data processing activities to the public. The consequences of failing to create a privacy policy can include regulatory fines, mailing list invalidation, litigation, and damage to reputation.

How to comply

Under most regulatory frameworks, privacy policies and related documents (see below) should be regularly updated and clearly accessible on your website. 

In the USA, a privacy policy should include, at a minimum, what information you collect through your eCommerce store, which information you intend to collect in the future, how you collect, store and share personal data, how you use that data, now and in the future, and which third parties receive your customer’s personal data.

2. Cookie Management

Cookies are small scripts sent by web servers and stored on computer browsers for a variety of reasons, including analytics, integration with social networks, remarketing advertisements, maintaining user sign-in and preferences, and enhancing the user experience. 

How to comply

You must have a valid cookie policy and a cookie management solution that allows users to opt out of cookies if they so desire. Visitors from the European Union have the legal right to be informed as to how and why you make use of cookies. Many third-party suppliers, such as Google, Facebook, Apple, and Amazon, also require their clients (advertisers, for example) to adopt cookie policies.

3. Terms and Conditions 

Terms and conditions formalize the relationship between a provider and a user, a merchant and a client. They set forth the manner in which the client must be treated and the manner in which a client may use a service and its corollaries. The document is legally binding, and states that the use of a site serves as a de facto agreement by the user to the terms.

Terms and conditions not only protect the client; they protect the supplier, as well. For the client, they determine user rights, cancellation policies, and so forth; for the supplier, they are invaluable protection against potential liability.

How to comply

eCommerce websites must have terms of service in place, which should be reviewed by legal counsel. Misuse of a product can sometimes cause personal, financial, or even physical harm, and responsibilities must be legally defined to minimize risk and liability, while providing reasonable protection for the buyer.

As privacy laws around the world become stricter, it is important to require buyers to tick a box in order to explicitly agree to the terms of service, and not merely assume they agree to the terms by browsing the site (known as a browsewrap agreement).

Terms and conditions should cover, at a minimum:

  • The rules shoppers should follow when purchasing from the eCommerce site
  • Pricing and payment terms, including legally required disclosures on consumer rights such as cancellation and withdrawal
  • User/client behavior and grounds for dismissal or withdrawal of services
  • Limitation of liability and protection of intellectual property or trademarks
  • Disclosure of affiliation and marketing programs

4. Valid Records on Customer Consent

The European Union’s General Data Protection Regulation (GDPR) requires suppliers to maintain valid records of consent for processing the personal data of their clients. Consent without a valid recording mechanism renders the consent invalid.

How to comply

When collecting personal data through email or newsletter forms, subscriptions, and so on, the law requires consent to process this data if your clients are citizens of the European Union. Cookies are currently not governed by GDPR; they are governed by the EU’s ePrivacy Directive (2002/58/EC, amended by 2009/136/EC).

5. Records of Processing Activities

To comply with European law, the GDPR requires entities, eCommerce entities in particular, to keep valid records of the data they process for EU-based clients.

How to comply

Entities with 250 or more employees that collect sensitive and/or personal data, whose regular processing activities could impinge upon the rights or freedom of EU citizens, must maintain records of processing activities.

What is the Prevent All Cigarette Trafficking (PACT) Act?

The US Congress added restrictions on shipping vape products to its 2021 omnibus spending bill, which also provides relief for the coronavirus pandemic. The “Preventing Online Sales of E-Cigarettes to Children Act” requires the U.S. Postal Service to issue, within 120 days, regulations preventing mail delivery of products containing nicotine or cannabis. It also requires those transporting nicotine or cannabis vaping products to adhere to the Prevent All Cigarette Trafficking (PACT) Act, a part of the Jenkins Act.

The legislation applies even to e-liquids and devices that contain no nicotine, only CBD or THC oil. Devices are those that deliver, through an aerosolized solution, nicotine, flavor, “or any other substance to the user.”

Under current legislation, retailers must:

  • Register with the office of the U.S. Attorney General, with the federal government, and with tobacco tax administrators in any state that requires it.
  • Verify customer age using publicly available datasets.
  • Use shipping services that require a signature by an adult upon delivery.
  • Collect local/state taxes, and add tax stamps to products.
  • In states that have a tobacco tax administrator, send a list of tobacco transactions including names, addresses, product names and quantities.
  • Keep a record for at least five years of any case of “delivery interrupted because the carrier or service determines or has reason to believe that the person ordering the delivery is in violation” of the PACT regulation.

Sellers who are in violation may face fines up to $10,000 per violation, and up to three years in prison.

eCommerce and PACT Act Compliance with BlueCheck

At BlueCheck, we provide the best identity verification infrastructure to grow your business. We move faster to build solutions tailored to the needs of our customers, including PACT Act and eCommerce compliant offerings. Schedule a call with a BlueCheck Solutions Advisor today to learn more.