None of us are in business to manage all the legal requirements we are faced with, and online businesses seem to have more than their fair share of obligations. From GDPR to the ADA, you need to make sure your business and its online applications are accessible, user-friendly, and secured well enough to meet the latest state, federal, and international regulations.

Disclaimer: So, first things first: I am not a lawyer, so you shouldn’t take this as legal advice from a professional by any means. I’d suggest getting in touch with an actual lawyer for that. I am, however, a website designer, so I have picked up a couple of things over the years about website best practices, which I’ll share here with you. Further, every single country differs in its legal requirements. What I’m sharing here today is what I’ve learned about what Americans need to do site-wise, as the vast majority of people reading this blog are from the US.

GDPR and the California Consumer Privacy Act

According to the TCPA litigator database, General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. That includes most of the world, even small US based sites that don’t typically do business in Europe, but who might get European visitors to their website.

In late June 2018, California passed a consumer privacy act, AB 375, that could have more repercussions on U.S. companies than the European Union’s General Data Protection Regulation (GDPR), which went into effect that spring (May 25, 2018). The California law went into effect on January 1, 2020, but enforcement began on July 1, 2020. AB 375 allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that buy, sell, or share personal data on at least 50,000 consumers, households, or devices a year, or that derive at least half of their revenue from selling personal data, also fall under the law. Companies don’t have to be based in California or have a physical presence there to fall under the law. They don’t even have to be based in the United States. You can see complete details about the law here.

If you have a WordPress website, I suggest you look at the plugin called Cookie Notice for GDPR and CCPA. This plugin lets you inform users that your site uses cookies and helps you comply with the EU cookie consent rules and CCPA. One caveat: for EU visitors a banner that merely informs is not enough. Non-essential cookies (analytics, advertising) must not be set until the visitor has actually consented, so check that your analytics and ad scripts are wired to the plugin’s consent state rather than loading unconditionally.

Privacy Policy and Terms & Conditions

California passed the first state law back in 2003 requiring commercial websites on the World Wide Web and online services to include a privacy policy on their website. For most websites today, you must include an easily accessible privacy policy.

While you can certainly pay an attorney to draft one for you, my recommendation is that you start with a free online generator such as the one at Termly.io. You should carefully read what the site generates for you, add in your own information, and then have it reviewed by your lawyer to make sure it protects you.

This site also has a terms and conditions generator, a disclaimer generator, and a returns generator.

CAN-SPAM Act

Do you use email in your business? The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law.

Complete information about the CAN-SPAM act can be found on the FTC website.

Copyrighted Content and Image Licenses

Images are key to attracting visitors to your website and keeping them engaged. As the owner of the website, you are legally obligated to make sure you have the right to use every image on your site. This is your responsibility, not your web designer’s, so make sure you know where each image came from and under what licence you are using it.

The best way to get images for your website is, of course, to photograph them yourself (or hire someone to photograph your products for you). Often, however, that is not feasible, and you must use stock photos. Never just copy an image off the internet. Instead, use a stock photo site where you pay for the images and receive a licence. For example, here is my affiliate link to Shutterstock.

An alternative to purchased stock photos is to use a site whose images are released under Creative Commons or a similar free-use licence. Sites such as Pixabay and Pexels are ideal for obtaining free images that can be used on your site without attribution, but read each site’s licence terms, since they change and some uses (for example, selling the image itself) are still excluded.

ADA Accessibility

The Americans with Disabilities Act (ADA), when it was first established as law 30 years ago, did not include the term “website” in its list of Public Accommodations under Title III. That list refers to physical places such as stores, hotels, and offices.

When it comes to ADA website compliance, there are no clear rules. That doesn’t let businesses off the hook, though; they still must provide an accessible website that accommodates users with disabilities. The California Consumer Privacy Act (CCPA) regulations also require that your privacy policy be reasonably accessible to consumers with disabilities, starting July 1, 2020. Because of Covid and many students being required to take classes online, there has been a rash of lawsuits filed recently over websites not being ADA compliant, especially educational sites. So, what’s the best way to build an ADA-compliant website if there isn’t a clear definition of what that means?

Improving the accessibility of your company’s website for individuals who are visually impaired, hearing impaired, or who must navigate by voice can be done in multiple ways, including some that are not immediately obvious. One suggestion is to make your site adhere to the Web Content Accessibility Guidelines (WCAG), published by the Web Accessibility Initiative of the World Wide Web Consortium (W3C). Under Section 508, federal agencies (and the technology they procure) must conform to WCAG 2.0 Level AA. Private businesses are not required by law to comply with any specific standard like WCAG, but WCAG Level AA is the benchmark courts and plaintiffs’ lawyers reach for, so meeting it is the most practical way to avoid predatory lawsuits.

Here is a WordPress plugin called WP Accessibility Helper. This plugin does not “fix” your website or make it comply with ADA guidelines; rather, it identifies areas where you can improve, such as adding alt attributes to images and making sure that the contrast between text and its background is high enough that a person who is visually impaired can read it. Since this plugin only evaluates your website without actually making changes to it, you might also consider a tool like the WAVE browser extension. The WAVE extensions for Chrome and Firefox let you evaluate web content for accessibility issues directly within the browser.
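The two checks just mentioned, text contrast and image alt text, are the ones you can verify yourself before a plugin or lawyer does. Here is an added example (written for this page; it is not code from WP Accessibility Helper, WAVE, or the original post) that implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and runs a simple alt-text audit. The list of image entries at the bottom is constructed sample data, not output from any real site, and the `decorative` flag is a hypothetical marker standing in for however your theme tags purely decorative images.

```javascript
// Added example, not from the original post: a WCAG 2.1 contrast-ratio
// calculator plus an alt-text audit over a constructed list of <img> entries.
// Formulas follow the WCAG 2.1 definitions of "relative luminance" and
// "contrast ratio".

// Expand one 8-bit sRGB channel to linear light.
function linearize(channel8) {
  const c = channel8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Parse "#rgb" or "#rrggbb" into [r, g, b] in 0..255. Throws on anything else.
function parseHex(hex) {
  const m = /^#?([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`not a hex colour: ${hex}`);
  let h = m[1];
  if (h.length === 3) h = h.split('').map((ch) => ch + ch).join('');
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// Relative luminance L = 0.2126 R + 0.7152 G + 0.0722 B on linearized channels.
function relativeLuminance(hex) {
  const [r, g, b] = parseHex(hex).map(linearize);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21.
function contrastRatio(fgHex, bgHex) {
  const l1 = relativeLuminance(fgHex);
  const l2 = relativeLuminance(bgHex);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG 2.1 success criterion 1.4.3 (Level AA): at least 4.5:1 for normal
// text and 3:1 for large text (18pt and up, or 14pt bold and up).
function meetsAA(fgHex, bgHex, { largeText = false } = {}) {
  return contrastRatio(fgHex, bgHex) >= (largeText ? 3 : 4.5);
}

// Audit a list of image descriptors. A missing alt attribute is always a
// defect; alt="" is acceptable only when the image is marked decorative.
// Each entry is { src, alt (string or undefined), decorative (boolean) };
// the "decorative" flag is a hypothetical marker for this demo.
function auditImages(images) {
  const findings = [];
  for (const img of images) {
    if (img.alt === undefined) {
      findings.push({ src: img.src, issue: 'missing alt attribute' });
    } else if (img.alt.trim() === '' && !img.decorative) {
      findings.push({ src: img.src, issue: 'empty alt on non-decorative image' });
    }
  }
  return findings;
}

// Constructed sample data for the demo (not taken from any real site).
const SAMPLE_IMAGES = [
  { src: '/img/hero.jpg', alt: 'Storefront at dusk', decorative: false },
  { src: '/img/divider.png', alt: '', decorative: true },
  { src: '/img/product-42.jpg', alt: '', decorative: false },
  { src: '/img/logo.svg', alt: undefined, decorative: false },
];

function runDemo() {
  // #777 on white is the classic near miss: about 4.48:1, which fails AA
  // for body text but passes for large text. #595959 on white passes both.
  const pairs = [['#777777', '#ffffff'], ['#595959', '#ffffff'], ['#000000', '#ffffff']];
  for (const [fg, bg] of pairs) {
    console.log(`${fg} on ${bg}: ${contrastRatio(fg, bg).toFixed(2)}:1  AA=${meetsAA(fg, bg)}`);
  }
  console.log(auditImages(SAMPLE_IMAGES));
}

runDemo();
```

Run it with `node` to see the three contrast ratios and the two findings. The useful lesson is in the first pair: a mid-grey like #777 on white looks readable to a sighted designer yet falls just short of the 4.5:1 AA threshold, which is exactly the kind of defect WAVE flags and a lawsuit cites.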

It is not difficult for a sighted person to imagine how being blind or visually impaired could make using a computer difficult. Just close your eyes and you will instantly experience that even processing text is impossible – or impossible without additional software at least. Now a range of software is available that can help to make using a computer an easier, more enjoyable and more productive experience for blind or visually impaired users. This article identifies several free screen readers for you to test your site.

Tax Collection

If you have an ecommerce website, you must adhere to even more laws and regulations, not the least of which is tax collection. The basic rule for collecting sales tax from online sales is: If your business has a physical presence, or “nexus”, in a state, you must collect applicable sales taxes from online customers in that state. If you do not have a physical presence, you generally do not have to collect sales tax for online sales.

However, in its decision in South Dakota v. Wayfair Inc., the Supreme Court effectively stated that individual states can require online sellers to collect state sales tax on their sales. This extended the definition of nexus to include:

  • Economic nexus: Seller meets a set level of sales transactions or gross receipts activity within a state. No physical presence is required.
  • Marketplace nexus: Marketplace facilitators may be required to collect and remit sales tax instead of the individual seller.
  • Affiliate nexus: Remote retailer holds substantial interest in, or is owned by, an in-state retailer that sells the same or similar line of products under the same or similar name.
  • Click-through nexus: Seller meets sales threshold in a state from the activities of an in-state referral agent.

Some of the things that can create nexus in a state include: affiliate relationships, trade show exhibiting, commissions to resellers, investor or board meetings, marketing and web advertising, drop shipments, hosted data centers, field sales or service staff, licenses, inventory or warehouses, and just about any other kind of economic activity. As of this writing, there are only 5 states (Alaska, Oregon, Montana, Missouri, and Florida) that do not recognize economic nexus. Every other state has its own remote-selling threshold for tax obligation. For example, in Colorado you must collect tax once your sales into the state exceed $100,000. In Hawaii, it is either $100,000 or 200 transactions, and in Tennessee the threshold is $500,000.

To further complicate things, different products and services are exempt in different states. Tree trimming in California is taxable if lights are included, but exempt for labor only. Takeout in Colorado is taxable for straws and cup lids, but cups are exempt. Donuts in Texas are taxable for 5 or fewer, but exempt for 6 or more. Snow removal is taxable in Ohio but exempt in Illinois. Bagels in New York are taxable if sliced, but exempt if whole. Snickers candy bars are taxable in Indiana, but KitKat and Twix are exempt.

According to the Colorado Department of Revenue, if your business will be selling, renting, or leasing tangible personal property, you must obtain a sales tax license and file sales tax returns. You are required to do this in every state where you have nexus, unless you are exempt. Colorado exempts groceries, prescription drugs, and certain medical devices from the general sales tax. Services in Colorado are generally not taxable. Delivery and freight charges are generally exempt from Colorado sales tax so long as they are both separable from the purchase and separately stated on the customer invoice. Purchases by public schools are exempt from sales tax. Purchases by private schools are not exempt unless the private school is a charitable organization. When you sell wholesale, you do not charge sales tax on the order (the retailer will tax the customer for each item at the time of purchase and remit that to the state as sales tax on that item). See all exemptions and tax rates here: https://www.salestaxhandbook.com/local-salestax-map

In all, there are over 1,800 different rules. How is a small business ever supposed to comply with the tax regulations?

My suggestion (remember, I am not a lawyer!): Always collect sales tax where you have physical nexus. If you are using WooCommerce, it’s enticing to enable its automated tax calculations. You will still have to file and pay the taxes if you exceed a state’s threshold, but at least you won’t have to try to figure out the rates yourself! The problem is that this feature requires you to install Jetpack, a plugin known to cause update and speed problems on your website. Better yet, Avalara has a sales tax calculator you can use for free. They also provide a WooCommerce automated sales tax integration that includes filing your returns. When it’s time to file, you reconcile a single worksheet and pay one amount for your total tax liability, and Avalara then works with state and local governments to file and pay on your behalf. If you are selling a lot across state lines, this kind of service is what you need.

Other Regulations and Guidelines

Of course, there are a ton of other things you must be concerned with as a website owner, such as a TLS certificate (what most people still call an SSL certificate) so that every page, and especially every form that collects personal information, is served over HTTPS; disclosure of affiliate links; digital signatures; and more. Keep in mind that HTTPS only protects data in transit: it does nothing for customer data sitting in your database or backups, which is what a breach notification law will ask about. One could write an entire book on this subject, and the number of laws you must follow will only continue to grow.

In addition to retaining a good lawyer, my recommendation is to look into cyber liability insurance. Just because you are a small business does not mean you won’t get hacked. Sure, attackers like to take down governments and big companies, but most attacks on websites come from automated scanners and bots that probe every site they can reach, and those bots don’t distinguish between large sites and small ones. You will likely get hacked at some point, even if you keep all your software up to date and use a security plugin. To be extra safe, take out a cyber insurance policy.

Cyber insurance generally covers your business’ liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver’s license numbers, health records, and email addresses. If you’re facing a data disaster, insurance won’t come to your rescue if you’re not in compliance. Without digital compliance, you’re putting your customers at risk and holding your business liable to long lawsuits, hefty fines, and even bankruptcy or closure.

When it comes to building your brand, there’s no question that creating your own website gives you more control of your brand image. But now you know why many businesses opt for selling through marketplaces like Ebay, Amazon, Etsy, Walmart, Overstock etc. rather than selling on their own website.