We thought it would be useful to run through the things you need to consider for your online store to ensure that you're legally compliant. As the merchant, compliance is your responsibility, so we would advise that you seek professional legal guidance based on your specific business needs and circumstances.
Shopify Specific Considerations
Please familiarise yourself with Shopify's Acceptable Use Policy in order to understand what the platform does and does not allow.
Shopify provides the framework for compliance, but ultimately it is the merchant's responsibility to ensure that their site is compliant.
Within Settings > Policies, Shopify provides templates for the following:
- Terms of Service
- Privacy Policy
- Return & Refund Policy
- Shipping Policy
These templates are not legal advice; you are responsible for ensuring their accuracy and for complying with the laws that apply to you.
Theme licenses
A Shopify theme licence covers one specific store and is purchased from the official Shopify Theme Store, granting rights to support and updates. You will need a separate licence for each store.
Font licenses
Shopify has its own suite of fonts that are licensed for use on your store. If you are using a custom font, it is your responsibility to ensure that you hold a licence which allows the font to be used commercially on a website (web-font licences are often sold separately from desktop licences).
Image licenses
As the store owner, it is your responsibility to ensure that any images you use on your store are appropriately licensed. In particular, be wary of using someone else's product images, as this can lead to copyright infringement and legal consequences.
Even if you are using licensed images from an online stock media provider such as iStock or Adobe Stock, always check the terms for commercial use and modification rights, and keep a record of the licence for each image.
Selling Alcohol
In order to sell alcohol online in England and Wales (under the Licensing Act 2003; Scotland and Northern Ireland have their own licensing regimes) you must have:
- Premises licence - obtained from your local council, this authorises you to sell alcohol from a specific location, even if you don't have a physical shop
- Personal licence - obtained from your local council after passing an approved training exam, required for whoever supervises alcohol sales. A personal licence holder must generally act as the Designated Premises Supervisor (DPS) for the licensed premises. Depending on your fulfilment setup (e.g., warehouse, third-party logistics), your licensing authority can advise on how to appoint the DPS correctly.
- Age verification - under the Licensing Act 2003 you must ensure alcohol isn't sold to anyone under the age of 18. It is recommended to have a Challenge 25 policy displayed on the site and some form of age verification at checkout.
- Delivery and courier requirements - ensure that you use a courier who accepts alcohol and agrees to carry out an ID check on delivery
- Show policies on site - make sure you display your licence details and age restriction notice, and outline your returns and delivery policies.
Shipping and taxes
Shopify helps you set up tax settings to charge the correct rates, but it is your responsibility to ensure that you file and remit the collected VAT to HMRC or the relevant EU authority.
We would recommend to consult with an accountant or tax specialist who understands the compliance rules and regulations for e-commerce businesses.
VAT
The current threshold to register for VAT in the UK is taxable turnover in excess of £90,000 in any rolling 12-month period. If VAT-registered, you must charge the appropriate UK VAT rate on all sales shipped within the UK, including to Northern Ireland.
Selling to the EU:
- Sales of goods shipped from Great Britain to the EU are exports and are zero-rated for UK VAT at the point of sale (goods moving from Northern Ireland to the EU follow different rules).
- For consignments valued at €150 or less, you can register for the Import One-Stop Shop (IOSS) scheme, normally through an EU-established intermediary, to collect the customer's local EU VAT at checkout and remit it yourself, which avoids the customer being charged on delivery.
- For consignments over €150, the customer is typically responsible for paying import VAT and duties upon delivery, unless you choose to handle these costs upfront via Delivered Duty Paid (DDP) shipping.
- The EU-wide €10,000 distance selling threshold applies to goods dispatched from within the EU (for example, stock held in an EU fulfilment warehouse); above it you must register for VAT in each customer's country or use the One-Stop Shop (OSS) scheme. Goods shipped from Great Britain are imports and are covered by the IOSS and DDP points above, not by this threshold.
Selling Internationally (Outside UK/EU):
Sales to customers outside the UK and EU are zero-rated for UK VAT purposes, but the customer may have to pay local import duties and taxes upon delivery.
- Digital products: for digital services sold to consumers in the EU there is no threshold; VAT is charged at the rate of the customer's country. UK sellers can use the Non-Union OSS scheme to report this through a single EU registration rather than registering in each member state.
Duties and Import taxes
If you ship internationally, your customers might be charged additional duties and import taxes when they receive their shipments. Shopify can collect duties and import taxes at checkout if your store meets its requirements for that feature.
Plagiarism and Copyright
Copyright protects content (text, images, code).
Trademark protects brand identifiers (name/logo).
There is using other brands' websites, design and content as inspiration, and then there is blatant copying!
Be sure to write your own original content, and if you are quoting someone else's, cite it appropriately.
As well as copy and images, be aware that copying source code or scripts from other websites is also infringement: theme and app code is licensed, not free to lift.
There are useful online plagiarism checker tools such as Grammarly.
Copyright protection is automatic; however, including a copyright notice in the footer of every page is good practice and acts as a reminder to visitors.
Data Protection
You, the merchant, determine why and how customer data is processed, which makes you the data controller. Shopify acts as your data processor for store operations. This means it is you who must ensure lawful processing of personal data and who is responsible for compliance, not Shopify.
Since Brexit there has been some confusion over GDPR (General Data Protection Regulation). The EU GDPR no longer applies directly in the UK; the UK Government retained it in domestic law as the "UK GDPR", removing references to the EU and adapting the text to UK requirements.
The UK GDPR works alongside the Data Protection Act 2018 to protect individuals' personal data.
Lawful basis for processing
You must identify a lawful basis before collecting personal data; the common ones for a store are:
| Data use | Typical lawful basis |
|---|---|
| Order processing | Contract necessity |
| Marketing emails | Consent (opt-in) |
| Fraud prevention | Legitimate interest |
| Tax / accounting | Legal obligation |
Key point: You cannot pre-check marketing consent boxes. Customers must actively opt in.
Privacy Notice / Policy
Your store must have an accurate, accessible Privacy Policy explaining:
- What data you collect
- Why you collect it
- How long you store it
- Who you share it with (e.g., Shopify, shipping carriers, payment gateways)
- Customer rights (access, deletion, portability, etc.)
- How customers can contact you about privacy
As mentioned earlier, Shopify provides a template, but it is your responsibility to tailor it for your circumstances.
Cookie & Tracking Consent
If you use tracking, analytics or marketing cookies (e.g., Facebook Pixel, Google Analytics):
- You must ask for consent before placing non-essential cookies.
- A proper cookie banner with conditional loading is required, not just a notice: the tracking scripts must not run until the visitor has opted in.
- Consent must be granular (e.g., separate choices for marketing and analytics), and no category may be pre-ticked.
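To make the "conditional loading" point concrete, here is a small consent gate written for this page as an added example (it is not Shopify's code or any vendor's library). The category names, tag ids, storage key and the placeholder measurement id are assumptions; the storage object and the script loader are passed in so the gating logic runs under Node as well as in a browser.

```javascript
// Granular, consent-gated loading of non-essential tags (added example, not Shopify's
// or any vendor's code). Category names, tag ids and the storage key are assumptions;
// the script URLs are the public loader URLs with a placeholder measurement id.

const CATEGORIES = ["analytics", "marketing"];
const STORAGE_KEY = "cookie_consent"; // assumed key name

// Each non-essential script belongs to exactly one consent category.
const TAGS = [
  { id: "ga4", category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX" },
  { id: "meta-pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Parse a stored consent record defensively: anything missing, malformed or not
// explicitly `true` is treated as "no consent" for that category.
function parseConsent(raw) {
  let parsed = null;
  if (typeof raw === "string") {
    try { parsed = JSON.parse(raw); } catch (e) { parsed = null; }
  }
  const consent = {};
  for (const c of CATEGORIES) {
    consent[c] = !!(parsed && typeof parsed === "object" && parsed[c] === true);
  }
  return consent;
}

// The tags permitted under a given consent record.
function tagsToLoad(consent, tags = TAGS) {
  return tags.filter((t) => consent[t.category] === true);
}

// storage: anything with getItem/setItem (window.localStorage in the browser).
// loader(tag): injects the script; passed in so the gate can run without a DOM.
function createConsentManager(storage, loader, tags = TAGS) {
  const loaded = new Set();

  function applyConsent(consent) {
    for (const tag of tagsToLoad(consent, tags)) {
      if (!loaded.has(tag.id)) {   // never inject the same vendor script twice
        loader(tag);
        loaded.add(tag.id);
      }
    }
  }

  return {
    // Current consent; a visitor who has never answered the banner has none.
    current() {
      return parseConsent(storage.getItem(STORAGE_KEY));
    },
    // Called when the visitor submits the banner. Every category defaults to false:
    // a missing or pre-ticked value never counts as an opt-in.
    record(choice) {
      const consent = {};
      for (const c of CATEGORIES) consent[c] = !!choice && choice[c] === true;
      storage.setItem(STORAGE_KEY, JSON.stringify({ ...consent, recordedAt: new Date().toISOString() }));
      applyConsent(consent);
      return consent;
    },
    // Run on every page load: loads only previously consented tags, nothing otherwise.
    init() {
      const consent = this.current();
      applyConsent(consent);
      return consent;
    },
    loadedTagIds() {
      return [...loaded];
    },
  };
}

// Browser-side loader (only meaningful where `document` exists).
function domScriptLoader(tag) {
  const s = document.createElement("script");
  s.async = true;
  s.src = tag.src;
  s.dataset.consentCategory = tag.category;
  document.head.appendChild(s);
}

// In-memory stand-in for localStorage, used for the demonstration below.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Demonstration: a first visit loads nothing; consenting to analytics only loads GA4;
// a later page load reads the stored record and again loads only GA4.
function demo() {
  const storage = memoryStorage();
  const calls = [];                                   // ids of scripts that were injected
  const first = createConsentManager(storage, (t) => calls.push(t.id));
  first.init();                                       // nothing stored -> nothing loaded
  first.record({ analytics: true, marketing: false });
  const second = createConsentManager(storage, (t) => calls.push(t.id));
  second.init();                                      // returning visit, same consent
  return { calls, consent: second.current() };
}
```

In the browser you would call `createConsentManager(window.localStorage, domScriptLoader).init()` on every page and `record(...)` from the banner's submit handler. Two caveats: withdrawing consent later stops future loads but cannot unload a script that has already run, so a withdrawal should also expire that vendor's cookies or reload the page; and this gate only covers scripts you add to the theme yourself, so still work through Shopify's own Customer Privacy settings for the tags Shopify manages.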
Data Processing Agreements (DPAs)
Shopify provides a Data Processing Addendum that already includes:
- Standard Contractual Clauses for international transfers
- Processor obligations
You don't need to write your own DPA with Shopify, but you should keep a copy for your records.
International Data Transfers
Shopify stores data mainly in Canada and the U.S. Both transfers are lawful under:
- The UK's adequacy regulations for Canada (commercial organisations)
- Standard Contractual Clauses with the UK Addendum (for U.S. services)
Your Privacy Policy should state that customer data is transferred outside the UK and name the safeguard relied on.
Data Retention
You should define and document how long you retain customer data, and why. Retention is not the same for every category: marketing data should go once consent is withdrawn, whereas order records must be kept for tax purposes (HMRC requires VAT records to be kept for at least 6 years).
Responding to Data Rights Requests
Customers have rights, including:
- Access (what data do you have)
- Rectification (correct inaccurate data)
- Deletion (unless you must keep it for tax or another legal reason)
- Objection to marketing
- Data portability (provide data in a structured format)
Shopify provides admin tools to help with these, but the one-month response deadline is yours to meet.
If You Use Apps, they must be GDPR compliant
Every app that accesses customer data is an additional data processor, so it is your responsibility to ensure that they are reputable and compliant, and to know what data each one receives. Good practice is to delete any apps you no longer use, which also removes their access to your store.
Security
You must be able to demonstrate appropriate security measures (UK GDPR Article 32), such as:
- Using strong, unique admin passwords plus two-factor authentication for every account
- Restricting staff accounts to the permissions each role actually needs, and removing accounts when staff leave
- Sharing order data with fulfilment partners only over secure channels (an app or API integration rather than emailed spreadsheets)
Within Settings on your Shopify store there is a section for Customer Privacy; this provides a framework of settings for you to work through to help ensure you are compliant.
Consumer Rights
The following need to be adhered to when selling online:
- Consumer Rights Act 2015
- Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (distance selling)
- Digital Markets, Competition and Consumers Act (DMCCA) 2024
To ensure compliance for your Shopify store, consider:
- Clear product descriptions and pricing - UK law requires customers to know what they're buying and who from, including the total price with delivery before they commit
- Don't falsify testimonials or reviews - this is a form of false advertising and is now expressly banned under the DMCCA 2024
- Returns & Refunds Policy - for most online purchases consumers have the right to a 14-day cooling-off period (with exceptions such as personalised or perishable goods)
- Delivery Policy
- Clear terms and conditions
- Comply with trading standards - don't make claims such as 'limited stock' unless they are true and can be proved. Also be careful with terminology such as 'eco-friendly'; green claims must be substantiated (see the CMA's Green Claims Code)
- Data Protection and Privacy Policies
- Payment and Security - Shopify Payments and Shopify's hosted checkout are PCI DSS compliant, so card details never pass through your own code; keep it that way by never collecting card numbers through forms, chat or email. Be transparent about recurring billing if offering subscriptions.