Let’s be honest: legal compliance isn’t sexy. It doesn’t boost your CTR, it won’t win a design award, and it definitely won’t be the slide your CMO shows off in a pitch deck. But you know what it will do? Save your business from lawsuits, market bans, and fines that run into the millions and eat your margin alive.
If you’re doing business in Europe—or even just selling to EU customers—your website is not just a marketing tool. It’s a legal entity. One that’s bound by some of the strictest digital regulations in the world. And yes, that includes your cookie banners, your checkout flow, and even whether your “Buy Now” button is legally binding.
Many companies think compliance is something to figure out “later.” But when “later” means your site gets reported to a national watchdog, or worse, targeted in a cross-border investigation, that ignorance becomes very expensive, very fast. Under GDPR alone, the ceiling is €20 million or 4% of global annual turnover, whichever is higher, and consumer-protection breaches can get you ordered to stop selling in a major market altogether.
This guide is here to help you avoid that fate. In this first part, we’ll walk through the laws that apply across the entire EU—foundational rules like GDPR, the E-Commerce Directive, and the fast-approaching Accessibility Act deadline. In Part 2, we’ll dig into the national specifics that can quietly wreck your launch or expose you to legal action. Think Germany’s notorious Impressum, Italy’s disclosure quirks, and Denmark’s cookie consent precision. If you're serious about selling in Europe, you’ll need both.
Let’s clear something up: GDPR isn’t just a checkbox on your privacy policy page. It’s the law that underpins every form, every tracking script, and every data point you collect. And it’s not going anywhere.
The General Data Protection Regulation (GDPR) applies to any business that processes personal data of people inside the EU—even if your company is based outside it. So if your website collects emails, tracks user behavior, or lets customers make a purchase from France, you’re in scope.
Here’s the core deal: GDPR gives individuals control over their personal data. That includes the right to know what data is collected, how it’s used, and with whom it’s shared. Users must also be able to access it, correct it, request deletion, or take it with them. And all of that must be explained clearly and up front, typically through a Privacy Policy that’s not buried in legal jargon.
But GDPR doesn’t stop at transparency. It demands lawful processing—which often boils down to consent. Not vague “by using this site you agree” statements, but freely given, informed, and specific consent. This is where most websites screw up. A pre-checked box? Not valid. A cookie banner that says “by continuing, you accept cookies” without an actual option to reject? Also not valid.
This leads us into the murky world of cookies.
The consent requirement for cookies actually comes from Article 5(3) of the ePrivacy Directive, with “consent” measured against the GDPR standard: any cookie or similar identifier that isn’t strictly necessary requires prior consent. That means analytics, ads, remarketing, even social share buttons that set cookies all need a clear opt-in before they are set. “Strictly necessary” is narrow: cookies needed to deliver something the user explicitly asked for, like keeping items in a shopping cart or holding a login session. A cookie being useful to you does not make it essential to the user.
Design matters here. Your cookie banner needs to do more than notify: it must offer an easy way to accept or reject non-essential cookies, with “reject” as visible and as quick as “accept” (one click each, not accept up front and reject buried behind a settings screen). Regulators such as France’s CNIL and the German data protection authorities have fined companies over misleading cookie prompts and for firing trackers before consent was given. Consent must also be as easy to withdraw as it was to give, and you should keep a record of what was consented to, under which policy version, and when.
In short: if your cookie banner doesn’t respect user choice or if tracking kicks in before consent is granted, you're legally exposed.
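The gating logic described above, as an added example written for this article (it is not code from the original page or from any consent-management vendor). It assumes a hypothetical markup convention where third-party tags are shipped with `type="text/plain"` and a `data-consent` category so the browser parses them without executing them, and uses made-up `example.invalid` script URLs. Only “necessary” tags run before a decision; refusal, a stale policy version, or an unknown category all fail closed.

```javascript
// Added example for this article (not the page's or any vendor's code): a
// consent gate that keeps non-essential trackers from executing until the
// visitor explicitly opts in. Assumption (hypothetical markup): third-party
// tags are shipped as
//   <script type="text/plain" data-consent="analytics" src="https://example.invalid/analytics.js"></script>
// so the browser parses them but does not run them. Only "necessary" tags may
// run before a decision is recorded. Closing the banner, scrolling or
// "continuing to browse" is never treated as consent.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Starting state: no decision yet, every non-essential category refused.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false, timestamp: null, policyVersion: null };
}

// Build a record from an explicit banner action. Anything the visitor did not
// tick is refused; there is no pre-checked default that could leak through.
function recordConsent(choice, policyVersion, now = Date.now()) {
  if (!choice || typeof choice !== "object") {
    throw new TypeError("consent requires an explicit choice object");
  }
  return {
    decided: true,
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    timestamp: now,
    policyVersion,
  };
}

// Withdrawal has to be as easy as granting: one call clears every category
// and records when the change happened so it is evidenced.
function withdrawConsent(consent, now = Date.now()) {
  return { ...consent, decided: true, analytics: false, marketing: false, timestamp: now };
}

// A stored record counts only if it was an explicit decision taken under the
// cookie policy version now in force; otherwise fall back to "nothing granted"
// and ask again.
function loadConsent(stored, currentPolicyVersion) {
  if (!stored || stored.decided !== true || stored.policyVersion !== currentPolicyVersion) {
    return defaultConsent();
  }
  return stored;
}

// Decide which tags may execute. `tags` is a list of { src, category, ... }.
// A missing or unknown category fails closed, so a mislabelled tag stays blocked.
function allowedTags(tags, consent) {
  return tags.filter((tag) => {
    if (tag.category === "necessary") return true;
    if (!CATEGORIES.includes(tag.category)) return false;
    return consent.decided === true && consent[tag.category] === true;
  });
}

// Browser glue: swap each permitted <script type="text/plain"> for a live one.
// A fresh element is required; changing `type` on the parsed node does not run it.
function activateDomTags(doc, consent) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = nodes.map((n) => ({ src: n.getAttribute("src"), category: n.dataset.consent, node: n }));
  const activated = [];
  for (const tag of allowedTags(descriptors, consent)) {
    const live = doc.createElement("script");
    if (tag.src) {
      live.src = tag.src;
    } else {
      live.textContent = tag.node.textContent; // inline snippet, e.g. a pixel loader
    }
    tag.node.replaceWith(live);
    activated.push(tag.src || "(inline)");
  }
  return activated;
}

// Typical wiring on page load (browser only): read the stored record, run the
// permitted tags, and keep the banner up until `decided` is true.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const POLICY_VERSION = "2025-01"; // bump whenever the cookie policy changes
  const stored = JSON.parse(localStorage.getItem("cookie-consent") || "null");
  const consent = loadConsent(stored, POLICY_VERSION);
  activateDomTags(document, consent);
}
```

The banner itself is ordinary HTML: two buttons of the same size and colour, one calling `recordConsent({analytics: true, marketing: true}, POLICY_VERSION)` and one calling `recordConsent({}, POLICY_VERSION)`, with the result written to storage and passed to `activateDomTags`. Bumping `POLICY_VERSION` forces a fresh decision from everyone, which is what you want when you add a new tracker.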
Think of the E-Commerce Directive as the legal blueprint for any business website operating in the EU. It’s not just about slapping a logo and an email address on your contact page—it’s about clearly identifying who you are, what you offer, and what rights your users have.
First up: identity. If your site sells goods or services online, you’re legally required to disclose detailed information about your business. That includes your company name, geographic address, a direct email address (not just a form), any trade or business registration number, and if applicable, your VAT identification number. This isn’t optional. According to Article 5 of the directive, this information must be “easily, directly and permanently accessible”—which is why you often see an “Impressum” or legal notice page on EU websites.
But here’s where a lot of businesses miss the mark: providing only general contact info isn’t enough. You need to disclose your full legal identity. That means the registered company name, not just the brand name. It means your official physical address—not a PO box. And if you’re regulated (like in finance or healthcare), you also need to name the competent authority overseeing your sector.
The directive goes further. Articles 10 and 11 set the rules for how contracts are formed online. Before the order is placed you must explain the technical steps that lead to the contract, whether the concluded contract will be stored and remain accessible, and give users an effective way to identify and correct input errors (that is the order summary screen). Once the order is placed you must acknowledge receipt electronically without undue delay. The Consumer Rights Directive adds a separate duty to confirm the contract on a durable medium, usually email.
Electronic contracts? Covered. Article 9 requires Member States to allow contracts to be concluded electronically and not to deny them legal effect simply because they were made that way. Electronic signatures themselves are governed separately by the eIDAS Regulation, which gives a qualified electronic signature the same legal effect as a handwritten one.
And then there’s the matter of commercial communication. If you’re sending marketing emails or placing banner ads, the directive requires that these be clearly marked as such—and that promotional offers like discounts or contests come with transparent terms.
In short, the E-Commerce Directive is what makes a business website legally recognizable and operational across the EU. If you skip these basics, you're not just being sloppy—you're potentially in breach of foundational EU law.
If you’re selling to consumers in the EU, the Consumer Rights Directive sets the ground rules. And no—it doesn’t matter if you’re a one-person Shopify store or a multinational brand. If you target EU customers, these obligations apply.
The most famous one? The 14-day cooling-off period. Every consumer who buys online has the right to withdraw from the purchase within 14 days, no questions asked. For goods the clock starts on the day of delivery; for services and digital content it starts on the day the contract is concluded. Crucially, you must tell customers about this right before the sale, and if you don’t, the withdrawal period is extended by up to 12 months. Burying it in your terms and conditions won’t cut it. There are exceptions (goods made to the customer’s specification, perishable goods, sealed hygiene products that have been unsealed, digital content once download or streaming has started with the customer’s express consent), but you have to say so before the customer buys.
And when a customer withdraws? You have to refund every payment received, including the standard delivery charge, without undue delay and no later than 14 days after you are told about the withdrawal. You may withhold the refund until you have the goods back or the customer shows proof of posting, whichever comes first. The customer normally carries the direct cost of sending the goods back, but only if you said so up front. What you can’t do is invent “restocking fees”: the only deduction allowed is for a loss in value caused by the customer handling the goods beyond what was needed to check them.
Then there’s what must happen before the purchase: clear contract info. You’re required to present a detailed summary of the total cost (including VAT and delivery), product features, payment terms, contract duration (if relevant), and your complaint-handling process. All of this needs to be visible before the user clicks “Buy.”
Even the design of that final button is regulated. Article 8(2) of the Consumer Rights Directive requires that the order button be labelled with an unambiguous statement that placing the order carries an obligation to pay. That’s why many EU sites use labels like “Order with obligation to pay” or their local-language equivalents. If the button is ambiguous (just “Order” or “Continue”), the Directive says the consumer is not bound by the contract or order.
Oh, and don’t forget about order confirmation. Once a user completes a purchase, Article 8(7) obliges you to confirm the contract on a durable medium (usually email) within a reasonable time, and at the latest when the goods are delivered or the service begins, repeating all the key contract information. Skipping this step is a breach of the Directive that national consumer authorities can enforce.
Miss these details, and you're not just risking returns—you’re violating laws that protect buyers across the EU. And regulators are quick to crack down on those who make purchasing intentionally unclear or deceptive.
Here’s a ticking clock too many businesses are ignoring: by June 28, 2025, most websites selling goods or services in the EU will be legally required to comply with the European Accessibility Act (EAA). This isn’t a “nice-to-have.” It’s mandatory, and it’s about making sure digital content is usable by people with disabilities—including those using screen readers, voice commands, or other assistive tech.
Who’s on the hook? In short: most of the private sector. E-commerce shops, banking platforms, ticketing systems, e-books, mobile apps, and any digital interface tied to a product or service must meet accessibility requirements. Even third-party vendors selling through marketplaces may fall under this umbrella. The one notable carve-out: microenterprises providing services (fewer than 10 staff and an annual turnover or balance sheet under €2 million) are exempt from the service obligations.
At the heart of it all are the Web Content Accessibility Guidelines (WCAG). The harmonised European standard the EAA points to, EN 301 549, incorporates WCAG 2.1 at Level AA. These are the practical criteria that define whether your site is actually usable by someone with impaired vision, hearing, mobility, or cognitive function. Things like keyboard navigation, contrast ratios, screen reader compatibility, and captioning aren’t optional anymore.
But don’t just take it from the law—take it from the marketing perspective too. We covered this shift in How the European Accessibility Act Will Impact Marketing, where we break down why accessibility isn’t just legal risk mitigation—it’s smart business. An accessible website means a larger market, better SEO, improved user experience for everyone, and a brand that’s seen as inclusive rather than reactive.
If you’re segmenting your online store by country and restricting checkout, redirecting visitors, or refusing orders based on location, read this twice. The Geo-Blocking Regulation makes it illegal to treat EU customers differently based purely on their nationality, place of residence, or place of establishment, whether you detect that from an IP address, a delivery address, or the country that issued their payment card.
This law was introduced to crack down on unjustified digital borders. For years, consumers in one EU country were blocked from accessing the same offers, products, or services available to their neighbors. That practice is now banned—unless you have a very specific, legally valid reason.
Here’s what you can’t do anymore: block or limit access to your site, or automatically redirect visitors to a country-specific version, based on where they come from, unless they explicitly agree to the redirect and the version they originally asked for stays reachable; refuse an order, or apply different prices or terms, when a customer wants goods delivered to a country you already serve or collected from you, wants an electronically supplied service like hosting or cloud storage, or wants a service provided at your premises such as a hotel stay or car rental; and refuse a payment method you otherwise accept, or apply different payment conditions, because of where the card or account was issued. Two caveats: services whose main feature is access to copyright-protected content (streaming, e-books, games) are outside the regulation, and it does not force one price across the EU. Different national sites may carry different terms, as long as every EU customer can access and buy from whichever one they choose.
Instead, you’re required to provide the same access and conditions to all EU users, regardless of where they’re browsing from. If you offer delivery to one EU country, users from another should still be able to purchase and arrange pickup or delivery independently, even if you don’t ship there directly.
The regulation doesn’t force you to offer cross-border delivery everywhere. But you must let customers access the site, see the correct prices, and place an order if they’re willing to handle shipping themselves.
A good rule of thumb? If your site targets the EU, you need to treat EU users as a unified market when it comes to online access and sales conditions. Anything less, and you could be violating the principle of the digital single market.
Bottom line: territorial restrictions and discriminatory pricing are no longer just bad UX—they’re against the law.
If your website hosts content uploaded by users—reviews, listings, comments, profiles—you’re likely affected by the Digital Services Act (DSA). This sweeping regulation came into full force in early 2024 and is rewriting the rules for digital platforms across the EU.
At its core, the DSA targets online intermediaries, especially platforms and marketplaces. If your site enables third-party sellers, facilitates user-generated content, or connects buyers and providers in any structured way, you’re expected to step up your moderation game.
One of the biggest mandates? Transparency. The DSA requires clear, plain-language terms of service that outline what is and isn’t allowed on your platform. These rules can’t be vague or buried in fine print—they must be front and center for users to see before participating.
Then there’s the issue of content moderation. You’re now legally required to provide users with accessible reporting tools to flag illegal content, misleading listings, or abuse. And it’s not enough to just collect reports—you must act on them transparently, document your moderation decisions, and inform users of the outcomes.
For marketplaces in particular, there’s another major requirement: seller traceability. You need to collect, verify, and store key business details about third-party sellers using your platform. Think legal names, business addresses, VAT numbers, and contact details. If a shady vendor starts scamming customers through your site, the DSA says it’s your job to know who they are and help authorities reach them.
Larger platforms (those with over 45 million monthly active EU users) face even stricter rules, including independent audits, risk assessments, and algorithmic transparency. Micro and small enterprises are exempt from the additional obligations placed on online platforms and marketplaces, including the seller-traceability rules, but the baseline duties (clear terms, a notice-and-action channel, a statement of reasons for moderation decisions) apply to every hosting service regardless of size.
If your website plays pricing games—like tacking on extra charges late in the process or hiding taxes until the final click—you’re setting yourself up for legal trouble. Under the Consumer Rights Directive and the Price Indication Directive, EU law is crystal clear: prices must be honest, visible, and complete—before the customer hits “Buy.”
That means the price shown on a product or service page must include all taxes—especially VAT—and any other unavoidable fees. “Excl. VAT” price tags are not acceptable for B2C websites targeting EU consumers. If you’re selling to end users, you show the final price, full stop.
The same goes for delivery charges. If shipping costs vary depending on the location or method, you must either list all possible fees clearly before the checkout or provide a cost calculator that shows the total before the order is submitted. Surprising users with added costs after they’ve already filled in their info isn’t just annoying—it’s illegal.
One more pitfall? Drip pricing. That’s when you show a low base price and then slowly add extra fees—processing, handling, whatever—along the checkout flow. This practice has been called out by multiple national regulators as a violation of consumer protection law because it misleads users about the true cost.
Where and how you show prices matters, too. They must be clearly associated with the product and easy to read—no fine print footnotes or hidden toggles. According to the European Commission, transparency isn’t just about the numbers—it’s about layout, visibility, and clarity of presentation.
Finally, keep in mind that if you operate in multiple EU countries, you’re responsible for applying the correct VAT rates for each jurisdiction. That’s a logistical headache, yes—but it’s non-negotiable.
If your website uses pressure tactics, manipulative UX, or selective disclosure to nudge users toward buying—this one’s for you. The Unfair Commercial Practices Directive (UCPD) sets the baseline for what’s considered honest digital marketing across the EU. And it's not just about blatant lies—it also covers what you fail to say.
Let’s start with misleading omissions. You’re legally required to provide all the information a typical user would need to make an informed decision. If you leave out key conditions (like limited stock availability, recurring billing, or exclusion clauses), you could be in breach—even if the rest of your claims are technically true.
Next: urgency manipulation. Creating fake scarcity—like saying “Only 1 left!” when there’s actually a warehouse full—is explicitly banned. So are countdown timers for discounts that automatically restart when they hit zero. If it’s designed to pressure the user into a hasty decision, it’s fair game for enforcement.
And yes, that includes so-called dark patterns—a term used for design strategies that trick users into actions they might not take if fully informed. Think hidden unsubscribe links, sneaky add-ons at checkout, or pre-checked consent boxes. These practices are being systematically targeted by national consumer protection authorities and were recently addressed again under the Omnibus Directive, which strengthens enforcement powers and tightens rules for online platforms.
So, what are you legally expected to disclose? Article 7(4) of the UCPD spells out the material information for any invitation to purchase: the main characteristics of the product; your identity and geographic address, and that of any trader you act for; the price inclusive of taxes, or, where it can’t reasonably be calculated in advance, how it will be calculated, plus any delivery or postal charges or the fact that such charges may apply; the arrangements for payment, delivery and performance where they differ from what a diligent trader would be expected to offer; and the existence of any right of withdrawal or cancellation.
It’s not enough to be technically accurate—you must be comprehensively transparent. Anything less and you risk being classified as unfair, misleading, or aggressive in your commercial practices.