Ecommerce Regulations You Need to Know

When starting a small business ecommerce site, retail is one type of business that many people lean toward. While it may seem that the requirements for conducting retail business online are easier than those for a brick-and-mortar store, it's important to know that you still have rules, regulations and standards to comply with.

In the United States, the Federal Trade Commission (FTC) is the primary agency that regulates ecommerce activities. This includes regulations for a number of ecommerce activities such as commercial email, online advertising and consumer privacy. Another organization that ecommerce site owners should become familiar with is the PCI (Payment Card Industry) Security Standards Council. This organization provides security standards and regulations for handling and storing your customer’s financial data.

Some of the important regulations you will need to learn about before starting your online retail business include protecting consumer privacy, handling customer data, collecting taxes and complying with online advertising regulations. In this ecommerce regulations guide we discuss these four issues and provide details that every ecommerce site owner should know to comply with federal laws in the U.S.

Protecting Your Customer's Privacy Online
Online privacy is a big issue as many ecommerce sites collect and retain personal information about customers. Some of the personal data you will likely obtain would include a customer's name, address, email address, and possibly their credit card and other types of financial information. As the ecommerce site owner it is your responsibility to ensure this personally identifiable information is protected, and that when you collect such data you comply with federal and state privacy laws.

Ecommerce site owners should provide a privacy policy and post it on the ecommerce website. This policy should clearly identify what kinds of personal information you will collect from users visiting your website, who you will share the information you collect with, and how you will use and store that information.

Most small business ecommerce site owners approach a privacy policy like any other business requirement. You could have a lawyer draft a privacy policy document for your business, or secure a trusted service provider to manage and host your privacy policy. Once you have a privacy policy in place, be sure to remain in compliance with it -- if not, your business can face costly legal fees. For more tips on creating a privacy policy, see Ecommerce Content: Writing a Good Privacy Policy.

Online Advertising Compliance
Ecommerce site owners must know about the applicable laws for online advertising. Like traditional advertising for brick-and-mortar stores, online retailers must also comply with regulations when advertising online. The FTC regulations for advertising are designed to protect consumers and to prevent deceptive and unfair acts or practices.

One of the main forms of online advertising for a small business ecommerce owner is email. For this reason, ecommerce business owners need to become familiar with federal advertising laws to ensure the content of any emails is compliant, and also with the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) of 2003. This act establishes requirements that any business that engages in email marketing must follow.

Under the CAN-SPAM Act, hefty penalties can be levied against email marketers who violate the law -- each email sent that violates the act is subject to penalties of up to $16,000. Additionally, any commercial email message you send must include notice that the message is an advertisement, and it must also include opt-out information and your business postal address. To comply with this law you must also honor opt-out requests promptly. The FTC website defines the laws you need to know about email marketing.

How to Collect Taxes Online
When you shop at a store you pay tax on the purchase, and the Internet does not change this -- but there are differences.

Have you ever noticed that some ecommerce websites charge you tax when you make an online purchase, while others don't? The reason is that if a business has a physical presence in a state (e.g. a store or office), then it is required by law to collect state and local sales tax from customers. However, if the business doesn't have a "physical presence," then collecting tax on purchases is not required.

This dates back to a 1992 Supreme Court ruling that said states cannot require mail-order businesses, and, by extension, online retailers to collect sales tax unless they have a physical presence in the state.

For ecommerce site owners, the one thing you will have to research is how your state classifies a physical presence. In legal terms, this is called a "nexus," and each state defines nexus differently.

Navigating sales tax laws can be difficult. To ensure you are in compliance with tax laws, it's always best to contact your state's revenue agency to ensure you have the correct information on taxation before starting your ecommerce venture.

How to Handle Customer Financial Data
PCI compliance is a term familiar to many people researching ecommerce regulations. As an ecommerce site owner, one of the standards you will need to know about is the PCI DSS standard, which is short for Payment Card Industry (PCI) Data Security Standard (DSS). All organizations, including online retailers, must follow this standard when storing, processing and transmitting credit card data.

The PCI Security Standards Council is the organization -- founded by a number of financial institutions including JCB International, MasterCard and Visa -- that is responsible for the development and implementation of security standards for account data protection. Through its PCI Security Standards, the organization seeks to enhance payment account data security.

There are a number of security controls in this standard, such as using a firewall between a wireless network and the cardholder data environment, making use of the latest security and authentication measures, and using a network intrusion detection system. The PCI DSS standard, as of September 2009 (DSS v 1.2), includes the following 12 requirements for best security practices:

To achieve PCI compliance, an online retailer must meet all PCI DSS requirements. The PCI DSS standard is broken down into six milestones, with a number of requirements to be fulfilled at each stage. The PCI Security Standards Council website offers this PDF, which is designed to help merchants better understand the requirements. It is probably the best online resource for beginning to understand what compliance entails.

There's no question that meeting PCI compliance is a challenge for small business ecommerce site owners -- and being certified as PCI-compliant is a time-consuming process. One way that a small business can meet the standard is to outsource PCI compliance to a third party that has the experience and payment systems to ensure your business meets PCI requirements.
