
Opening an online store: legal requirements to keep in mind

Published by Incomedia in Management & Law · 3 October 2019
Just like brick-and-mortar stores, online stores are required to follow certain rules. What do you need to do to ensure that your virtual store follows the law?

We discussed this with Taxmen, a London-based company that's a one-stop shop for legal and financial services for online stores around the world.

The 5 most important legal and financial aspects for an online store to follow the law

Before launching an online store, you should understand the many legal obligations that Italian vendors are subject to. These also happen to be laws that apply on the European level.

1. Right to return

Unlike with traditional, off-line stores, online stores in Europe must grant clients the right to cancel an online purchase agreement, even without justified reasons, within fourteen days of receiving the products.

Basically, consumers have the option of returning products and receiving a refund of the initial purchase price and original shipping fees, without needing to provide any justification. In Italy, this is set down by the Consumer Code, which follows EU norms precisely.

As you can guess, this measure is based on the fact that distance selling doesn't allow the client to see the products in person.

The rate of returns is generally very high in the e-commerce sector, especially for fashion sales: in fact, clients often purchase two or three different sizes of the same product, then only keep the size that fits.

Your online store must explicitly inform site visitors about the terms and conditions of the right to return goods.
If you neglect to do so, the law automatically extends the return period to twelve months from the date on which the client receives the products. Furthermore, the online store must include a means for clients to notify the seller of the return, by providing a specific form for that purpose, or indicating the appropriate e-mail address.

The vendor is then obligated to issue the refund within fourteen days of being informed of the client's decision to return the product. The store must issue the refund through the same means of payment which the client used to make the purchase (unless otherwise agreed upon, as long as the client does not incur any additional costs in receiving the refund).

The Consumer Code states that “The consumer is solely responsible for the depreciation of goods resulting from the handling of said goods other than what is necessary to establish their nature, features, and functioning” (art. 57).
In this view, most stores exclude the right of return - or at least, reduce the amount to be refunded - if the client has removed the labels or tags from an article of clothing, or damaged or stained the product while trying it on.
Furthermore, the client must give the products to a courier for return service within fourteen days of the date on which they informed the vendor of the return.

2. Legal warranty for defective products

Just like traditional, off-line stores, online stores must guarantee the purchase of products that are free of defects, that work correctly, and furthermore, which serve the purpose stated by the vendor or for which products of the kind are normally intended.

If the products are defective, the consumer has the right to request a replacement product, for the defect to be repaired, or if this is not possible, for a refund of the purchase price.

The legal warranty for defective products expires after two years from the date on which the client received the defective product and the client must make the warranty claim within two months of discovering the problem. The client does not need to file a claim if the vendor was aware of the problem or knowingly concealed it.

Any civil suit for claims arising from defects, where these defects were not knowingly concealed by the vendor, must be filed within a period of twenty-six months of the receipt of the goods; however, should a vendor sue a client for payment of the purchase price, the client may contest that the product is defective, as long as the client reported the defect within two months of discovering it and before two years elapsed from the date of receipt of the product.

In fact, the vendor is not permitted to insert general terms of sale that derogate from the regulations of the Consumer Code to the detriment of the consumer. Any contractual clauses that exclude/limit the consumer's rights or protections with regards to the vendor's total or partial breach of contractual services are void.

In the case of defective products, the client may demand that the vendor repairs or replaces the product (in both cases, free of charge) as long as the requested remedy is not objectively impossible or excessively onerous.
If repairing or replacing the product is impossible or excessively onerous, or if the vendor does not do so within a reasonable time frame, the client may demand an appropriate price reduction, or alternatively, the full termination of the contract.

The vendor has the obligation to inform clients of their rights in advance.

3. GDPR, protection of personal information, and Cookies

On May 25, 2018, the General Data Protection Regulation (2016/679), also known under the acronym “GDPR”, entered into force in Europe.

The main changes to privacy laws introduced by the GDPR include:
  • increased obligations of disclosure for e-commerce websites: sites must now provide users with more information, including: the defined data retention period (if this is not possible, then the criteria used to determine such a period, at a minimum), the users' right to “be forgotten”, the right to demand a restriction of processing, to file a claim with the Privacy Authority, the right to data portability, and the right to receive more information;
  • stricter consent: the GDPR strengthens the requirements for user consent to be considered valid; consent to data processing must be preventative, explicit, and unambiguous;
  • the right “to be forgotten”: in accordance with the jurisprudence of the European Court of Justice, the GDPR establishes the user's right to have their personal data erased or to obtain a restriction of the processing of that data (under specific conditions);
  • notification of a security breach: it is now mandatory for breaches of personal data to be reported to the Privacy Authority when that data breach could “constitute a risk to the rights and freedoms of natural persons”;
  • Data Protection Officer and Data Privacy Impact Assessment: in certain cases, it is now mandatory to nominate a Data Protection Officer and/or to complete a Data Privacy Impact Assessment;
  • administrative sanctions: companies are now subject to stricter administrative sanctions for breaching privacy laws; these sanctions are commensurate with the company's business volume.

With regard to cookies, different types of cookies exist which generally allow websites to collect information about users’ visits and purchases, mostly for reasons related to publicity – these cookies are known as “profiling cookies” – and may potentially have negative consequences for the protection of the users’ privacy rights.

European regulations are strict when it comes to the use of profiling cookies, requiring websites to inform users in advance about the presence of such cookies, through the use of a banner created for that purpose, and allowing users to disable these cookies.

Upon first accessing the website, the banner must appear on the user's screen before profiling cookies may begin to collect browsing information. As specified on the Privacy Authority's website, this banner must indicate:
  • that the site uses profiling cookies in order to offer online advertising that is adapted to the preferences displayed by the user while browsing the web;
  • that the site also enables the use of “third party” cookies (where applicable);
  • a link to the full privacy policy, which provides information about the use of technical cookies and analytics, as well as the option to choose which specific cookies to authorize;
  • that the full policy page includes the option of denying consent for the installation of any and all cookies;
  • that continuing to navigate the website by accessing another area of the site or clicking another element (for example, an image or a link), constitutes consent to the use of cookies. The cookie policy area must inform users of each installed cookie, and the option of disabling each of the cookies, regardless of the type of cookie (analytical, technical, profiling).

The banner must link to the website's full privacy policy, which must be present within the website, and which must specifically, as well as analytically, describe the characteristics and purposes of the cookies installed on the site, and allow the user to select/de-select individual cookies.

After viewing the banner, the user can:
  • explicitly accept the banner's contents by clicking on the “OK” button (or “I understand,” “Accept,” etc.); or
  • tacitly accept by continuing to browse; or
  • access the full policy (by clicking on the link in the banner); or
  • interrupt their navigation of the website.

The European legislation on cookies will be subject to further modifications following the likely introduction of ad hoc EU regulations.

4. VAT

Distance selling is subject to special VAT rules.

Online sales of goods to consumers are not subject to obligations to provide tax certifications through an invoice, receipt, or proof of purchase, as generally apply to Italian companies. Nor is the issue of an invoice mandatory – if the client does not request one upon making the purchase – for the sales of goods by correspondence (art. 22 of Italian Presidential Decree 633/1972).

The special VAT rules for distance selling also concern sales made to consumers who are residents of other European member states.

For sales by correspondence to EU consumers, in accordance with current European laws, VAT is applied in the EU member state from which the products are dispatched, unless the vendor:
  • exceeds the expected annual e-commerce business volume of the EU member state in which the products will be received (from 35,000 to 100,000 Euro, depending on the state); or
  • chooses to apply VAT in the EU member state in which the product will be delivered.

For products subject to excise duties (like wine, beer, etc.) VAT always applies within the destination EU state, from the first sale made.

Occasionally, over the course of a calendar year, a business will reach a given turnover threshold within another EU member state, in which case it must immediately begin to apply VAT for that state, instead of applying Italian VAT, for the remainder of that calendar year and for the entirety of the next calendar year.

Of course, the current system is rather onerous, since it requires businesses to constantly monitor their online sales to consumers in each EU member state, and obliges them to identify themselves in several EU states for VAT purposes if they exceed those thresholds.

For this reason, an EU e-commerce VAT reform will come into effect on January 1, 2021: for vendors who conduct at least 10,000 Euros in intra-EU sales during a calendar year, VAT for e-commerce sales will apply directly in the EU state in which the products will be delivered, eliminating current protection thresholds.

Italian vendors will no longer need to identify themselves to other EU jurisdictions for EU purposes: they may choose to use the simplified MOSS procedure, which has been in force for direct electronic sales since 2015, in order to declare and pay VAT for cross-border sales.

5. Environmental contributions

Many European countries require foreign vendors introducing packaging into their territory to pay an environmental fee, similar to the Italian CONAI, for the disposal of that packaging.

In many EU states, this obligation applies regardless of the volume of the packaging put onto the market.
In these cases, companies must register with the relevant entity within the foreign state (for example, Ecoemballages in France, Ecoembes in Spain, and so on), to make periodic declarations as well as pay the relevant fees.

It is important to comply with these obligations, especially considering that for e-commerce businesses registered for VAT purposes in one EU state for distance selling, local authorities in other countries are made aware of the sales volumes generated in their countries as declared by the Italian authorities.

Thank you, Taxmen, for clearing up the rules that online stores and the vendors who use these platforms must follow.
Want to build your own online store but don't know where to start? Try WebSite X5!
