# E-Commerce — Compliance
OWNER: aimee (scoping)
ALSO_USED_BY: anna (spec), urszula, maxim (backend), faye (PM Alfa), sytske (PM Bravo)
LAST_VERIFIED: 2026-03-26
## Overview
EU e-commerce compliance is non-negotiable. GE builds GDPR compliance into the architecture, not as an afterthought. This page covers every regulatory requirement that affects scoping and implementation. Aimee must walk through these with the client — several items require client-side action (privacy policy text, cookie policy, terms & conditions).
## GDPR (General Data Protection Regulation)
### Data Collection & Consent
SCOPE_ITEM: Cookie consent management
INCLUDES: Cookie banner on first visit, granular consent (necessary, analytics, marketing), consent storage, respect "reject all", load scripts only after consent
OPTIONAL: Cookie consent platform integration (Cookiebot, CookieYes), consent history/audit log
COMPLIANCE: Necessary cookies (session, cart) do not need consent. Analytics and marketing do. Pre-checked boxes are illegal. "Cookie wall" (block access without consent) is illegal in NL.
ESTIMATE_COMPLEXITY: normal

SCOPE_ITEM: Privacy policy page
INCLUDES: Dedicated /privacy page, what data is collected, why, legal basis, retention periods, third parties, data subject rights, DPO contact
COMPLIANCE: Must be written in plain language. Must be accessible from every page (footer). Client provides content — GE provides template and technical data processing details.
ESTIMATE_COMPLEXITY: simple (template provided)

SCOPE_ITEM: Marketing consent
INCLUDES: Explicit opt-in checkbox (never pre-checked) for newsletter/marketing emails, separate from terms acceptance, double opt-in flow (confirmation email), easy unsubscribe in every email
COMPLIANCE: GDPR Article 7 + ePrivacy Directive. Consent must be freely given, specific, informed, unambiguous.
ESTIMATE_COMPLEXITY: simple
### Data Subject Rights
SCOPE_ITEM: Right to access (Article 15)
INCLUDES: "View my data" in account settings, display all personal data stored
COMPLIANCE: Must respond within 30 days. Free of charge.
ESTIMATE_COMPLEXITY: simple

SCOPE_ITEM: Right to portability (Article 20)
INCLUDES: "Download my data" button, export as JSON and/or CSV, includes orders, profile, reviews, addresses
COMPLIANCE: Machine-readable format. Must provide within 30 days.
ESTIMATE_COMPLEXITY: normal

SCOPE_ITEM: Right to erasure (Article 17)
INCLUDES: "Delete my account" flow, confirmation dialog, 30-day soft-delete grace period, hard delete after grace period, anonymize financial records (keep amounts, remove PII)
COMPLIANCE: Cannot refuse unless overriding legal basis exists. Tax records (7 years NL law) override for financial data — anonymize name/address on invoices but keep amounts and VAT.
ESTIMATE_COMPLEXITY: normal
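Worked example of the erasure flow above, added here as illustration and not GE project code: schedule, cancel inside the grace period, and a nightly purge that hard-deletes due accounts and anonymises their invoices while keeping amounts and VAT. The dict-shaped records, field names and `status` values are assumptions; the 30-day grace period and the keep/remove rule come from the scope item. Sample data is constructed.

```python
"""Added example (not GE project code): account erasure with a 30-day
soft-delete grace period and invoice anonymisation for the 7-year NL tax
retention. Record shapes and field names are assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=30)
ANONYMISED = "[deleted customer]"

# Invoice fields that identify the customer. Everything else (invoice number,
# date, net, VAT, gross) stays because tax law requires it.
INVOICE_PII_FIELDS = ("customer_name", "billing_address", "email")


def request_deletion(account: dict, now: datetime) -> dict:
    """User confirmed 'Delete my account': schedule it, do not delete yet."""
    account["status"] = "pending_deletion"
    account["deletion_requested_at"] = now
    account["hard_delete_after"] = now + GRACE_PERIOD
    return account


def cancel_deletion(account: dict) -> dict:
    """User changed their mind inside the grace period."""
    if account.get("status") != "pending_deletion":
        raise ValueError("no pending deletion to cancel")
    account["status"] = "active"
    account.pop("deletion_requested_at", None)
    account.pop("hard_delete_after", None)
    return account


def anonymise_invoice(invoice: dict) -> dict:
    """Copy with PII replaced and the customer link cut; amounts, VAT,
    invoice number and date are untouched."""
    out = dict(invoice)
    for field in INVOICE_PII_FIELDS:
        if field in out:
            out[field] = ANONYMISED
    out["customer_id"] = None
    return out


def purge(accounts: list[dict], invoices: list[dict],
          now: datetime) -> tuple[list[dict], list[dict]]:
    """Nightly job: hard-delete every account whose grace period has
    elapsed and anonymise the invoices that pointed at it.
    Returns (remaining_accounts, invoices_after_anonymisation)."""
    due = {a["id"] for a in accounts
           if a.get("status") == "pending_deletion"
           and a["hard_delete_after"] <= now}
    remaining = [a for a in accounts if a["id"] not in due]
    invoices_out = [anonymise_invoice(inv) if inv.get("customer_id") in due else inv
                    for inv in invoices]
    return remaining, invoices_out


if __name__ == "__main__":
    # Constructed sample: one account, one invoice, purge run on day 30.
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    acc = request_deletion({"id": 7, "status": "active"}, t0)
    inv = [{"invoice_no": "INV-1", "issued_at": "2025-12-01", "net": "100.00",
            "vat": "21.00", "gross": "121.00", "customer_id": 7,
            "customer_name": "Jan Jansen", "billing_address": "Straat 1, Amsterdam",
            "email": "jan@example.com"}]
    print(purge([acc], inv, t0 + timedelta(days=30)))
```

The purge must also run the same anonymisation against any ERP or backup copy of the invoice, otherwise the PII survives outside the shop database.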
SCOPE_ITEM: Right to rectification (Article 16)
INCLUDES: User can edit all personal data in profile settings
COMPLIANCE: Changes must be reflected across all systems (if ERP synced, update there too).
ESTIMATE_COMPLEXITY: simple

SCOPE_ITEM: Consent audit log
INCLUDES: Record every consent event (marketing opt-in, cookie consent, terms acceptance) with timestamp, IP address, user agent, consent text version
COMPLIANCE: Must be able to prove consent was given if challenged. Store indefinitely (or until account deleted).
ESTIMATE_COMPLEXITY: simple
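Added example (not GE project code) serving both the cookie consent item under Data Collection & Consent and the consent audit log above: an append-only, hash-chained consent log, the "which script categories may load" decision derived from it (no recorded choice or "reject all" means necessary only), and the "must re-accept changed terms" check. Event field names, the `kind` values and the hash chaining are assumptions; sample data is constructed.

```python
"""Added example (not GE project code): consent audit log with derived
decisions for cookie script loading and terms re-acceptance."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

NECESSARY = "necessary"                       # session, cart: never needs consent
OPTIONAL_CATEGORIES = ("analytics", "marketing")
KINDS = ("cookies", "marketing", "terms")    # assumed event kinds


def _digest(prev_hash: str, event: dict) -> str:
    body = {k: v for k, v in event.items() if k != "hash"}
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class ConsentLog:
    """Append-only. Each event keeps the evidence needed to prove consent
    later (who, which text version, when, from where) and is hash-chained
    to the previous event so silent edits or deletions are detectable."""

    def __init__(self) -> None:
        self._events: list[dict] = []

    def record(self, subject_id: str, kind: str, granted, text_version: str,
               ip: str, user_agent: str, at: datetime | None = None) -> dict:
        if kind not in KINDS:
            raise ValueError(f"unknown consent kind: {kind}")
        event = {
            "subject_id": subject_id, "kind": kind, "granted": granted,
            "text_version": text_version, "ip": ip, "user_agent": user_agent,
            "at": (at or datetime.now(timezone.utc)).isoformat(),
        }
        prev = self._events[-1]["hash"] if self._events else ""
        event["hash"] = _digest(prev, event)
        self._events.append(event)
        return event

    def latest(self, subject_id: str, kind: str) -> dict | None:
        for event in reversed(self._events):
            if event["subject_id"] == subject_id and event["kind"] == kind:
                return event
        return None

    def verify_chain(self) -> bool:
        """Recompute every hash; False means the log was altered."""
        prev = ""
        for event in self._events:
            if event["hash"] != _digest(prev, event):
                return False
            prev = event["hash"]
        return True


def allowed_categories(log: ConsentLog, subject_id: str) -> set[str]:
    """Script categories that may be loaded for this visitor. No recorded
    choice, or 'reject all', yields necessary only."""
    allowed = {NECESSARY}
    event = log.latest(subject_id, "cookies")
    if event:
        allowed |= {c for c in OPTIONAL_CATEGORIES if event["granted"].get(c) is True}
    return allowed


def needs_reacceptance(log: ConsentLog, subject_id: str, current_terms_version: str) -> bool:
    """Returning customers must re-accept when the terms text changed."""
    event = log.latest(subject_id, "terms")
    return (event is None or event["granted"] is not True
            or event["text_version"] != current_terms_version)
```

Store `text_version` as an identifier of the exact banner or terms text shown; the text itself must be archived alongside, or the log proves a click but not what was consented to.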
### Data Processing
SCOPE_ITEM: Data minimization
INCLUDES: Only collect data necessary for the purpose (e.g., phone only if required for delivery), clear purpose for each field
COMPLIANCE: GDPR Article 5(1)(c) — data must be adequate, relevant, and limited to what is necessary.
ESTIMATE_COMPLEXITY: simple (design principle, not a feature)

SCOPE_ITEM: Data retention policy
INCLUDES: Defined retention periods per data type, automated cleanup for expired data
COMPLIANCE: Personal data — delete when purpose is fulfilled. Order data — 7 years (NL tax law). Marketing consent — until withdrawn. Logs — 90 days max.
ESTIMATE_COMPLEXITY: normal
## EU Consumer Rights
### 14-Day Withdrawal Right
SCOPE_ITEM: Withdrawal information
INCLUDES: Clear withdrawal instructions on product pages and in order confirmation email, model withdrawal form (EU standard), withdrawal period displayed (14 days from delivery)
COMPLIANCE: If not informed about withdrawal right, the period extends to 12 months. Include standard EU withdrawal form.
ESTIMATE_COMPLEXITY: simple

SCOPE_ITEM: Withdrawal button (mandatory from June 2026)
INCLUDES: "Withdraw from the contract here" button on customer order page, confirmation step ("Confirm withdrawal here"), available during entire 14-day period, auto-initiate return/refund flow
COMPLIANCE: EU Directive 2023/2673 — effective 19 June 2026. Two-click maximum to complete withdrawal. Must be clearly visible, not hidden.
ESTIMATE_COMPLEXITY: normal

CHECK: Withdrawal exemptions (cannot be withdrawn)
IF: perishable goods → exempt (inform customer)
IF: sealed goods opened by consumer (hygiene) → exempt
IF: custom/personalized products → exempt
IF: digital content delivery started with consent → exempt (must get explicit consent + acknowledgment of waiving withdrawal right)
IF: sealed audio/video/software opened → exempt
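Added example (not GE project code) of the deadline and exemption logic behind the withdrawal button and the exemption check above. The `category` values and item fields are assumptions. One reading of "extends to 12 months" is made explicit: the period is taken to end 12 months after the original 14-day period would have ended, which is how Consumer Rights Directive Article 10 phrases it; confirm with legal before shipping.

```python
"""Added example (not GE project code): withdrawal deadline and exemption
check for the 14-day right. Category names are assumptions."""
from __future__ import annotations

from datetime import date, timedelta

WITHDRAWAL_DAYS = 14

# category -> (exemption text, predicate on the order line). Sealed goods are
# only exempt once opened; digital content only with consent AND waiver.
EXEMPTIONS = {
    "perishable": ("perishable goods", lambda item: True),
    "sealed_hygiene": ("sealed hygiene goods opened by the consumer",
                       lambda item: item.get("opened", False)),
    "personalised": ("custom/personalised product", lambda item: True),
    "sealed_media": ("sealed audio/video/software opened",
                     lambda item: item.get("opened", False)),
    "digital": ("digital content whose delivery started with consent",
                lambda item: item.get("consent_to_start") is True
                and item.get("acknowledged_waiver") is True),
}


def _plus_one_year(d: date) -> date:
    try:
        return d.replace(year=d.year + 1)
    except ValueError:                     # 29 February
        return d.replace(year=d.year + 1, day=28)


def withdrawal_deadline(delivered_on: date, informed: bool) -> date:
    """Last day on which the consumer may withdraw. Not informed: 12 months
    after the initial 14-day period would have ended (assumed reading)."""
    end = delivered_on + timedelta(days=WITHDRAWAL_DAYS)
    return end if informed else _plus_one_year(end)


def exempt_reason(item: dict) -> str | None:
    """Why this order line cannot be withdrawn, or None if it can."""
    entry = EXEMPTIONS.get(item.get("category", ""))
    if entry is None:
        return None
    text, applies = entry
    return text if applies(item) else None


def can_withdraw(item: dict, delivered_on: date, informed: bool,
                 today: date) -> tuple[bool, str]:
    """Decision shown next to the withdrawal button for one order line."""
    reason = exempt_reason(item)
    if reason:
        return False, f"exempt: {reason}"
    deadline = withdrawal_deadline(delivered_on, informed)
    if today > deadline:
        return False, f"period ended on {deadline.isoformat()}"
    return True, f"allowed until {deadline.isoformat()}"
```

Note that an exemption for digital content only holds when both the consent and the waiver acknowledgment were captured; record them in the consent audit log, not only on the order.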
### Price Display
SCOPE_ITEM: VAT-inclusive pricing
INCLUDES: All displayed prices include VAT, VAT amount shown separately at checkout, if B2B option exists show net + VAT toggle
COMPLIANCE: EU Price Indication Directive — prices displayed to consumers MUST include all taxes. Showing net prices and adding VAT at checkout is illegal for B2C.
ESTIMATE_COMPLEXITY: simple

SCOPE_ITEM: Previous price (Omnibus Directive)
INCLUDES: When showing a "was" price / strikethrough, the reference price MUST be the lowest price in the previous 30 days, not the original RRP or any arbitrary higher price
COMPLIANCE: EU Omnibus Directive (2019/2161) — specifically targets fake discounts. Fine up to 4% of annual turnover.
ESTIMATE_COMPLEXITY: simple

SCOPE_ITEM: Total price transparency
INCLUDES: Shipping costs shown before checkout completion (ideally on product page or cart), no hidden fees at final step, "Order with obligation to pay" button text
COMPLIANCE: EU Consumer Rights Directive — all costs must be disclosed before the consumer commits. The order button must clearly indicate payment obligation.
ESTIMATE_COMPLEXITY: simple
## European Accessibility Act (EAA)
SCOPE_ITEM: WCAG 2.1 AA compliance
INCLUDES: Semantic HTML, keyboard navigation, screen reader compatibility, sufficient color contrast (4.5:1 for text), focus indicators, form labels, alt text on images, error identification
COMPLIANCE: EAA (Directive 2019/882) — in force since June 28, 2025. Applies to all e-commerce services. Must meet WCAG 2.1 Level AA and EN 301 549. Fines vary by country: up to EUR 1M (Spain), EUR 500K (Germany), EUR 300K (France).
ESTIMATE_COMPLEXITY: normal (if built correctly from start; complex if retrofitting)

SCOPE_ITEM: Accessibility statement
INCLUDES: Public /accessibility page, compliance status, known limitations, contact for accessibility issues, enforcement authority reference
COMPLIANCE: Required by EAA. Must be kept up to date.
ESTIMATE_COMPLEXITY: simple

CHECK: EAA exemption
IF: client is microenterprise (<10 employees AND <EUR 2M revenue) → exempt from EAA
IF: client is above thresholds → full compliance mandatory
THEN: even if exempt, build accessible anyway (best practice, future-proofing)
### Accessibility Implementation Checklist
- [ ] CHECK: All interactive elements reachable via keyboard (Tab, Enter, Escape)
- [ ] CHECK: Focus order follows visual layout
- [ ] CHECK: Color is not the only means of conveying information
- [ ] CHECK: Text contrast ratio meets 4.5:1 (normal text) and 3:1 (large text)
- [ ] CHECK: All images have descriptive alt text
- [ ] CHECK: Form inputs have associated labels
- [ ] CHECK: Error messages identify the field and describe the error
- [ ] CHECK: Page has proper heading hierarchy (h1 > h2 > h3)
- [ ] CHECK: Skip navigation link present
- [ ] CHECK: ARIA labels on custom components (dropdowns, modals, tabs)
- [ ] CHECK: Checkout works fully with screen reader
- [ ] CHECK: No content flashes more than 3 times per second
- [ ] CHECK: Touch targets minimum 44x44px on mobile
## Payment Regulations
SCOPE_ITEM: PSD2 / Strong Customer Authentication
INCLUDES: SCA on card payments (3D Secure 2.0), handled by Mollie/Stripe automatically
COMPLIANCE: All electronic payments in EEA require SCA (two-factor). Payment provider handles implementation.
ESTIMATE_COMPLEXITY: simple (handled by provider)
STACK_REF: wiki/docs/archetypes/e-commerce/payments.md

SCOPE_ITEM: PCI DSS compliance
INCLUDES: Use hosted checkout (Mollie/Stripe) to avoid handling card data, no card numbers stored in our database, no card numbers in logs
COMPLIANCE: PCI DSS Level 1 via payment provider. Our responsibility: never handle or log raw card data.
ESTIMATE_COMPLEXITY: simple (by not handling cards)
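Added example (not GE project code) for the "no card numbers in logs" line: a `logging.Filter` that masks anything that looks like a PAN before it is formatted. Detection is a run of 13 to 19 digits, separators allowed, that passes the Luhn check; runs that fail Luhn, such as a 16-digit order id, are left alone. The log lines and the order id are constructed; 4111 1111 1111 1111 is a widely published test card number, not a real one.

```python
"""Added example (not GE project code): PAN-masking logging filter."""
import logging
import re

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four; that is all support ever needs to see."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw                           # order ids, timestamps etc. stay
    return _CANDIDATE.sub(_replace, text)


class PanRedactingFilter(logging.Filter):
    """Attach to every logger (or handler) that could see checkout data."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # format args first, then mask
        record.args = ()
        return True


class _Capture(logging.Handler):
    """Collects formatted lines so the example can show the result."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def logged_text(message: str, *args) -> str:
    """Log one message through the filter and return what would be written."""
    logger = logging.Logger("checkout-demo")  # standalone logger, not the root
    logger.addFilter(PanRedactingFilter())
    handler = _Capture()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.info(message, *args)
    return handler.lines[0]


if __name__ == "__main__":
    print(logged_text("card %s charged, order=%s", "4111 1111 1111 1111", "1234567890123456"))
```

This is a safety net, not the control: the control is never putting request bodies or provider payloads into log calls in the first place. A PAN glued to other digits without a separator will not be recognised, and Luhn has a 1-in-10 false-positive rate on arbitrary numbers, which is why masking (rather than dropping the line) is the right failure mode.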
## Age Verification
SCOPE_ITEM: Age-gated products
INCLUDES: Age verification gate before product access (alcohol, tobacco, adult content), age confirmation checkbox at checkout
OPTIONAL: iDIN age verification (Netherlands, bank-based, reliable), ID upload verification
COMPLIANCE: NL alcohol law — must verify 18+. Self-declaration (checkbox) is the minimum; iDIN is the gold standard.
ESTIMATE_COMPLEXITY: simple (checkbox) to normal (iDIN)

CHECK: Client sells age-restricted products?
IF: alcohol → age gate mandatory (NL: 18+)
IF: tobacco/vapes → age gate + additional restrictions (advertising limits)
IF: none → skip this section
## Terms & Conditions
SCOPE_ITEM: Terms & conditions page
INCLUDES: Dedicated /terms page, linked from checkout (required checkbox), linked from footer
COMPLIANCE: Client provides legal text. GE provides template structure. Must cover: identity of seller, product descriptions, price, payment methods, delivery, withdrawal right, complaints procedure, dispute resolution.
ESTIMATE_COMPLEXITY: simple (template provided)

SCOPE_ITEM: Terms acceptance tracking
INCLUDES: Checkbox at checkout (not pre-checked), record which version of terms was accepted, timestamp of acceptance
COMPLIANCE: If terms change, returning customers must re-accept.
ESTIMATE_COMPLEXITY: simple
## EU VAT Reference Table (2026)
| Country | Standard Rate | Reduced Rate |
|---|---|---|
| Netherlands | 21% | 9% |
| Germany | 19% | 7% |
| France | 20% | 5.5% |
| Belgium | 21% | 6% |
| Spain | 21% | 10% |
| Italy | 22% | 10% |
| Austria | 20% | 10% |
| Ireland | 23% | 9% |
| Luxembourg | 17% | 8% |
| Portugal | 23% | 6% |
Reduced rates apply to: food, books, certain medical products, certain transport. Rates change — store in config, not hardcoded.
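Added example (not GE project code) of the "store in config, not hardcoded" rule together with the VAT-inclusive pricing item under Price Display: the table above as the shape the config would hold (a constructed sample, loaded from config in production), gross-from-net for display, and the net/VAT split shown at checkout. An unconfigured country raises instead of silently applying 0%, because a 0% fallback is exactly the "net price to a consumer" case the Price Indication Directive forbids. Function names and the `standard`/`reduced` keys are assumptions.

```python
"""Added example (not GE project code): VAT rates from config and the
gross/net price operations a B2C shop needs."""
from __future__ import annotations

from decimal import Decimal, ROUND_HALF_UP

# Constructed sample of the config payload; production reads this from
# config so a rate change is a config change, not a deploy.
VAT_RATES: dict[str, dict[str, str]] = {
    "NL": {"standard": "21", "reduced": "9"},
    "DE": {"standard": "19", "reduced": "7"},
    "FR": {"standard": "20", "reduced": "5.5"},
    "BE": {"standard": "21", "reduced": "6"},
    "ES": {"standard": "21", "reduced": "10"},
    "IT": {"standard": "22", "reduced": "10"},
    "AT": {"standard": "20", "reduced": "10"},
    "IE": {"standard": "23", "reduced": "9"},
    "LU": {"standard": "17", "reduced": "8"},
    "PT": {"standard": "23", "reduced": "6"},
}
CENT = Decimal("0.01")


def round_cents(amount: Decimal) -> Decimal:
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def vat_rate(country: str, category: str = "standard") -> Decimal:
    """Rate as a fraction (Decimal('0.21')). Missing config raises; a
    silent 0% would show consumers a net price, which is the illegal case."""
    try:
        return Decimal(VAT_RATES[country][category]) / Decimal(100)
    except KeyError as exc:
        raise ValueError(f"no VAT rate configured for {country}/{category}") from exc


def gross_from_net(net: Decimal, rate: Decimal) -> Decimal:
    """Consumer-facing price: always VAT-inclusive."""
    return round_cents(net * (1 + rate))


def split_gross(gross: Decimal, rate: Decimal) -> tuple[Decimal, Decimal]:
    """(net, vat) for a VAT-inclusive price. VAT is the remainder so the
    two parts always add up to the gross the customer saw."""
    net = round_cents(gross / (1 + rate))
    return net, gross - net


def price_display(net: Decimal, country: str, category: str = "standard",
                  b2b: bool = False) -> dict:
    """What the product page shows; the B2B toggle adds the net breakdown."""
    rate = vat_rate(country, category)
    gross = gross_from_net(net, rate)
    shown = {"price": gross, "vat_included": True}
    if b2b:
        shown.update({"net": round_cents(net), "vat": gross - round_cents(net),
                      "rate_pct": Decimal(VAT_RATES[country][category])})
    return shown


if __name__ == "__main__":
    print(price_display(Decimal("100.00"), "NL"))
    print(price_display(Decimal("100.00"), "NL", b2b=True))
    print(split_gross(Decimal("10.70"), vat_rate("DE", "reduced")))
```

Storing catalogue prices as gross keeps the displayed price stable when a rate changes; the split is then recomputed at checkout from the rate in effect on the order date.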
## Anti-Patterns
ANTI_PATTERN: Cookie banner with "Accept all" prominent and "Reject" hidden
FIX: Equal prominence for accept and reject buttons. Dutch DPA (AP) actively enforces this.

ANTI_PATTERN: Pre-checked marketing consent checkbox
FIX: Always unchecked by default. Pre-checked consent is invalid under GDPR.

ANTI_PATTERN: No withdrawal information in order confirmation email
FIX: Every order confirmation must include withdrawal instructions and standard form.

ANTI_PATTERN: Showing "50% OFF — was EUR 100, now EUR 50" when the 30-day lowest was EUR 60
FIX: Omnibus Directive — reference price must be the lowest in previous 30 days (EUR 60).

ANTI_PATTERN: Adding accessibility after launch
FIX: Build accessible from day one. Retrofitting is 3-5x more expensive.
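Added example (not GE project code) serving the Omnibus "previous price" item under Price Display and the EUR 100 / EUR 60 / EUR 50 anti-pattern above: compute the reference price as the lowest price in effect during the 30 days before the reduction started, and build the discount label from it. The price history shape, `(effective_from, price)` pairs where a price stays in effect until the next entry, is an assumption; the sample history is constructed to reproduce the anti-pattern. Products with less than 30 days of history simply get a shorter window, and a product with no history before the promotion gets no "was" price at all.

```python
"""Added example (not GE project code): Omnibus reference price."""
from __future__ import annotations

from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP

WINDOW_DAYS = 30


def price_on(history: list[tuple[date, Decimal]], day: date) -> Decimal | None:
    """Price in effect on `day`, or None if the product did not exist yet."""
    current = None
    for effective_from, price in sorted(history):
        if effective_from <= day:
            current = price
        else:
            break
    return current


def reference_price(history: list[tuple[date, Decimal]],
                    promo_start: date) -> Decimal | None:
    """Lowest price in effect during the 30 days before the reduction began.
    The window is anchored on promo_start, not today, so a running promotion
    never lowers its own reference price."""
    days = (promo_start - timedelta(days=n) for n in range(1, WINDOW_DAYS + 1))
    prices = [p for p in (price_on(history, d) for d in days) if p is not None]
    return min(prices) if prices else None


def discount_label(history: list[tuple[date, Decimal]], promo_start: date,
                   promo_price: Decimal) -> str:
    """Label for the product page. No valid reference, or a promo price
    that is not below it, means no strikethrough and no percentage."""
    ref = reference_price(history, promo_start)
    if ref is None or promo_price >= ref:
        return f"EUR {promo_price:.2f}"
    pct = ((ref - promo_price) * 100 / ref).quantize(Decimal("1"), rounding=ROUND_HALF_UP)
    return f"was EUR {ref:.2f}, now EUR {promo_price:.2f} ({pct}% off)"


if __name__ == "__main__":
    # Constructed history: RRP 100 since January, cut to 60 on 1 March,
    # promotion to 50 starting 20 March. Reference must be 60, not 100.
    history = [(date(2026, 1, 1), Decimal("100")), (date(2026, 3, 1), Decimal("60"))]
    print(discount_label(history, date(2026, 3, 20), Decimal("50")))
```

The label text is a placeholder; the point is that the RRP never appears as the reference once a lower price has been charged within the window.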
## Cross-References
READ_ALSO: wiki/docs/archetypes/e-commerce/authentication.md
READ_ALSO: wiki/docs/archetypes/e-commerce/payments.md
READ_ALSO: wiki/docs/archetypes/e-commerce/cart-checkout.md
READ_ALSO: wiki/docs/archetypes/e-commerce/order-management.md
READ_ALSO: wiki/docs/archetypes/e-commerce/checklist.md
READ_ALSO: wiki/docs/company/compliance/overview.md