E-commerce businesses are easy targets for lawsuits. Unlike traditional brick-and-mortar businesses, everything e-commerce businesses do is online for billions of people to see with the click of a button. So, the massive uptick in e-commerce litigation in recent years should not surprise anybody.
Despite these increased risks for e-commerce businesses, many make massive mistakes in the startup phase when cash is tight, then fail to correct those mistakes later. Today, I want to talk about five of the biggest and most common e-commerce mistakes, and how to fix them.
#1 No privacy policy, or a bad privacy policy
I’ve been doing privacy law work since 2016. Years before that, California did what it does best and required any person who operates a website anywhere to have a privacy policy if the website obtains personal information from California residents. By 2016, most bigger businesses had them.
I sometimes check websites I visit, just for fun, to see whether they have privacy policies. Most do, but many don’t. Even some e-commerce businesses neglect to get one. This is a bad idea!
Even putting aside California’s decades-old requirement, a host of new laws like the California Consumer Privacy Act and the European Union’s General Data Protection Regulation essentially mandate it. Even for businesses that aren’t subject to CCPA or GDPR (and the list of these businesses decreases by the year), it’s a huge risk not having a policy that discloses what information is collected and how it is used and disclosed. E-commerce businesses that don’t have an online privacy policy are in the crosshairs of crafty plaintiffs’ attorneys and even government regulators.
On the other hand, I can’t tell you how many times I’ve seen privacy policies ripped from Google or a competitor’s website with virtually no customization. This is usually worse than just no privacy policy at all. For example, if a business copies a competitor’s privacy policy that says the competitor does not sell information to third parties, and that business in fact sells information to third parties, that business is in for a world of pain.
How does a company solve this problem? Easy. By getting a real privacy policy. Every e-commerce business is different, and each privacy policy should be different. For massive companies, compliance with GDPR and/or CCPA’s requirements will probably be expensive. But that doesn’t need to be the case for smaller e-commerce businesses, and privacy attorneys often put these together on a reasonable budget, depending mostly on the size and nature of an e-commerce business.
#2 Bad e-commerce terms
Next time you buy something online, scroll to the bottom of the page and look at the different types of policies the e-commerce vendor has posted. Chances are you’ll see at least one of the following: terms of use, terms of service, terms and conditions, refund/purchase terms, etc. Different e-commerce businesses may need different sets of terms. And like with privacy policies, it’s easy to botch them.
One thing e-commerce businesses routinely mess up is shipping terms. For example, they may say they ship anywhere in the United States, but do they ship outside the continental U.S.? What about Guam? What about APO/FPO?
Another area where it’s easy to land in hot water is on your terms governing refunds and exchanges. I’ve worked with many businesses that go the extra mile and think through dozens of possible contingencies about how they will accept and process refunds or exchanges. But I’ve also seen many policies that do not reflect the actual practices of the e-commerce vendor posting them. Posting refund and exchange policies and then not abiding by those policies is an easy way to get sued or get a state’s attorney general on your case.
I could give endless examples of problems with website terms here, but I think you get the picture. Just as is true with privacy policies, websites need well-crafted terms that reflect their actual business practices. Doing this correctly need not cost you an arm and a leg and it’s absolutely worth the investment on the front end, to save yourself from a lawsuit on the back end.
#3 No cyber liability coverage
When I started practicing privacy law, a big part of my practice was data breach response work. Back then, there were still a dozen or so states that didn’t have breach response laws. But today, every single state has a law on its books and these laws are often very different from one another. This means that a company that is a victim of a data breach might have to comply with the laws of 50 different jurisdictions, not to mention possible international data laws.
A breach, which may include something as innocuous as losing an unprotected laptop containing personal information, may result in a company having to hire legal counsel and forensic experts, work with law enforcement, and provide notification and certain legally mandated services (which vary by state) to all affected persons. If the information is protected health information, things get even more complicated. All this is incredibly expensive and time consuming.
Imagine, for example, an e-commerce business that collects personal information from 10,000 customers. Let’s just assume the personal information at issue is social security numbers. If that business gets hacked and the hacker gets its hands on all 10,000 customers’ social security numbers, that business may need to provide notice to all 10,000 people. This would require it to track them down, compose a template letter (usually through counsel), send mass mailings, arrange for a call center to be established, provide notice to certain regulators in states where such notice is required, interface with regulators who have questions, and provide other state-mandated services.
In the more than two dozen data breaches on which I have worked, I cannot recall a single one that was “cheap” to the affected business. Larger breaches can be so expensive that a business could become insolvent. To deal with this problem, insurers began issuing cyber liability coverage. Today, cyber coverage is widely available and e-commerce businesses can find insurers offering coverages and deductibles that make sense for their particular line of business. But in 2023, not having cyber liability coverage can be like playing Russian Roulette.
#4 Advertising mishaps
When I started practicing law, I did a lot of intellectual property and commercial litigation, including false advertising matters. Though I’ve since given up litigation to focus on contract law, regulatory law, and counseling, I still routinely deal with advertising concerns in the e-commerce space and adjacent industries. Some of the bigger advertising mishaps I see today are: (1) running afoul of social media advertising policies, (2) not complying with the Federal Trade Commission’s (FTC) complex endorsement guidelines, (3) advertisements likely to upset the FDA (which I see when working in the healthcare, nutrition, and cannabis/CBD industries), and (4) straight-up false advertising.
I could write endless posts about each of these topics and ways I’ve seen companies drop the ball, but I’ll just highlight a few of the following pain points I see time and time again:
#5 ADA and TCPA
In the last few years, there’s been a massive uptick in Americans with Disabilities Act (ADA) and Telephone Consumer Protection Act (TCPA) litigation affecting e-commerce websites. For a description of the ADA cases, see the below by my colleague and our firm’s litigation department chair, Jihee Ahn:
[T]here is a growing trend of federal class action lawsuits claiming those websites and point-of-sale terminals violate Title III of the Americans with Disabilities Act (the “ADA”). The ADA requires all businesses to remove any obstacle that interferes with a disabled person’s ability to access their products or services online. If a claim is successful, the defendant can be required to pay the plaintiff’s attorneys’ fees and costs, and incur the cost of redesigning its website or point-of-sale system to comply. California also has its own, supplementary set of statutory law – the Unruh Civil Rights Act (“UCRA”), which mirrors the ADA but additionally opens the door to statutory damages.
These lawsuits have typically been brought by groups of visually impaired consumers who claim that a certain website fails to accommodate their disability . . . .
I remember first hearing about website accessibility cases years ago. Now it seems like one gets filed every five minutes, and certain attorneys have developed entire practice areas dedicated to just that. These cases can be expensive to litigate, as they are often filed as class action lawsuits.
Turning to TCPA, here’s a description from my colleague, Hilary Bricken:
Passed by Congress in 1991, the TCPA is a strict liability statute designed to fight incessant “robocalls” and aggressive/abusive telemarketers that plague unconsenting consumers.
. . .
The TCPA is terrifying because of the statutory damages in play, which are uncapped: it prescribes a penalty ranging from $500 to $1,500 for each text, call, or fax made in violation of the statute (think about that the next time your marketing team sends out 1,000 text messages to your customer list). It’s not unusual for larger companies to be hit with verdicts in the millions of dollars in recent years. The TCPA is also scary because it has a fairly robust four-year statute of limitations.
There are companies that assist businesses that want to engage in SMS marketing. Some of them are pretty good from a TCPA compliance point of view. But many are not, and far too many SMS marketing companies expressly disclaim liability for TCPA violations (which is why it is so critical to read those terms).
Fending off complex class action lawsuits can easily cost six or seven figures, and that’s not even counting the settlement payment or judgment. Complying with these laws need not be expensive, and doing so is a great investment. And trust me when I say that you will be better off spending a little money at the beginning than paying to defend against a class action later.