What should I do when setting up a webshop?

You should first decide whether you will develop your own system or opt for an existing web shop provider, in which case the website will be developed externally. There are 2 types of online stores:

1. Hosted — the store software runs on a server provided and maintained by the same company, with monthly payments;
2. Self-hosted — you pick and pay for the server, and download, install, and maintain the e-Commerce software yourself.

Choosing and registering your domain name is your very next step towards setting up your online business. Additionally, it is important to provide full and transparent information to your visitors (through your ‘Contacts’ section, in your disclaimer, and when explaining the use of Cookies).

Also make sure that you do not apply any conditions (for instance, refusing to offer a service or deliver your product) which discriminate on the grounds of the residence/nationality of your customers. You can only do this if you can justify it on the basis of objective criteria.

Finally, there are several key technical aspects to take into account when setting up an eCommerce website. You should also think about having a security plan, how to set up automatic backups, which shipping software will be used, and how you will deal with the payment gateway.

Register your website’s domain name

A Domain Name is a name you use to refer to your website. It is a translation into an identifiable name of a series of numbers known as your IP (Internet Protocol) address. Anyone can register a domain name, individuals as well as companies.

Your choice of domain name is important. The domain name you use for your website can make a very great difference to whether people visit your website, come back to your site or can find you using a search engine. The name should be easy to remember and easy to associate with either the name of your company, its trading name or the product.

It is important to decide what Top Level Domain (TLD) name suits you (what comes after the dot). The choices are:

•    A generic TLD (gTLD). These generally have three or more characters like .com, .org, .net etc. The gTLD is often linked to the type/purpose of your activity (.com for a commercial enterprise, .edu for universities).
•    A two-letter geographic TLD linked to a country or territory (ccTLD), such as .be, .de, .fl, etc. or .eu; only companies and individuals in European Union Member States can register the .eu TLD. Some Member States impose similar requirements. You can verify a country’s requirements for registering its TLD by selecting it in the country filter.
•    You must choose your generic extension from the ones allowed by the controlling body, ICANN (Internet Corporation for Assigned Names and Numbers). See the list of all valid top-level domains.

Steps to take:

1. Choose a domain name that is short, easy to spell and easy to remember;
2. Check whether someone else has already registered it (domain names operate on the first come, first served principle). You can verify this via any accredited registrar and register your domain name via the registration agent you select;
3. Pay a registration fee (the cost varies depending on which type of TLD you choose) to obtain a license. The license is renewable.

In order to protect your brand online, consider registering variations of your main domain name (e.g. registering .com even if you plan to use .eu). This will help avoid any copycat sites or confusion for your customers. There is no restriction on the number of domain names that you can register. If a customer types in your .com address by mistake, they can automatically be redirected to .eu without even noticing.   

Sources:

•    Internet Corporation for Assigned Names and Numbers (ICANN), available at https://www.icann.org/
•    101 domain.com (2014), “Domain Registration Rules”, available at https://www.101domain.com/rules.htm
•    European Commission (2012), Online services, including e-commerce, in the Single market, p 69-70

The advantage of choosing .eu is that customers will immediately understand that you are not focusing on a single country. The .eu TLD can overcome any misconceptions, and it is useful if you plan to expand into other countries.

You cannot register a domain name for less than one year. Make sure you renew the domain name before it expires, or you may lose it to somebody else. Registering through a registrar gives you the certainty that you are registered as the owner, and are the administrative and technical contact.

Provide general contact information

As an online trader, there is certain information that you must provide for customers in order to comply with the law. Customers must be able to find this information on your website at all times:

•    Your identity, such as your trading name;
•    Physical and e-mail address and telephone number, enabling your customers to contact you rapidly, and if different, the address of establishment;
•    Your legal status, legal form and, if you are registered in a trade or similar public register, the name of the public register for your activity and your registration number (plus your professional title and Member State in which it was granted if the activity is a regulated professional one);
•    VAT identification number, if the activity is subject to VAT (find more information);
•    Details of any supervisory authority if your activity is subject to an authorization scheme.

This information is most often to be found in a ‘Contact’ section on your website. There is additional information on the sales transaction that you must provide to the customer during the ordering process.

Note that if you are subject to professional qualifications, you must make sure you comply with the requirements of your country and/or the country in which you want to provide services. You should also provide all the information about this to your customers (e.g. the reference details of your insurance or applicable financial guarantees, and a reference to the rules governing your profession and how to access them). Contact your Point of Single Contact, and also visit the Your Europe website for more information should you want to offer and provide your professional services abroad.

Sources:

•    E-Commerce Directive (2000/31/EC), Article 5;
•    Services Directive (2006/123/EC);
•    European Commission (2012), Online services, including e-commerce, in the Single market, p 12

You must be “easily, directly and permanently accessible”. Forms of direct communication other than an e-mail address must be provided (in case your visitor does not have access to the Internet).

Integrate a disclaimer on your website

A disclaimer is a legal notice that sets out the liability of your website. The disclaimer is for general information purposes. It may also include (a reference to) the ‘General terms and conditions’ of using your website.

The disclaimer is usually displayed on every page of your website (for example in the footer of each page via a hyperlink).  It is also common practice to ask the user to read the disclaimer when using your services and to display the full text clearly.

In general, the disclaimer should include elements such as:

•    Copyright notice
•    Data protection and privacy compliance
•    The use of cookies
•    Information provided on the website

To find out more on “What is a Disclaimer and why should you have it on your website?”, please visit:  https://www.websitepolicies.com/blog/what-is-disclaimer.

The disclaimer needs to be clearly communicated.

Ask permission to use Cookies

Cookies are hidden information exchanged with the visitor to your website. They are stored in a text file on your visitor’s hard drive the moment he or she lands on your web page.

There are different types of cookie:

•    Session Cookies: these enable you to keep track of your visitors’ activities on your website, and to recognize them when they move from page to page within your website. Session Cookies are commonly used when you provide a shopping basket feature. (Without session cookies, your visitor’s shopping basket will always be empty each time your visitor opens a new page.) In this case, they meet the criterion of being ‘strictly necessary for the delivery of a service requested by the user’. That means you do not need the site visitor’s consent to use these cookies. They then expire at the end of your visitor’s browser session.
•    Persistent, permanent or stored Cookies: these are not deleted when the browser is closed. They help remember your visitor’s information and settings, such as language preference and permanent log in, when they visit your website in the future. They are also used to provide information about the number of visitors, the average time spent on a particular page and the performance of your website in general.
•    Cookie profiling: this is the name given to the use of persistent Cookies to create profiles and track your visitor’s overall activity online. Information from cookie profiling can be sold to third parties and used for targeted advertising or for other kinds of (commercial and non-commercial) application.

Different Member States have different rules on providing information about how you are using Cookies or similar tracking devices and on asking for the site visitor’s consent. You might have to adopt the opt-in approach, that is, asking your visitors to consent explicitly to the use of cookies; otherwise, you can use the opt-out approach. In this case, consent is ‘implied’ – you publish the information about cookies and give consumers the right to refuse them (e.g. either by a simple click or by advising them that they can prevent the use of Cookies by changing their browser settings). You can find the most common approach for all EU Member States by using the country filter.

Sources:

•    Directive on privacy and electronic communications (2002/58/EC)
•    Chris Ingram (2011), “Focus on Europe: amendments to the E-Privacy Directive - will the "cookie" crumble?”, available at http://www.ashurst.com/publication-item.aspx?id_Content=5665, IP/IT newsletter, January 2011
•    All About Cookies.org, available at http://www.allaboutcookies.org
•    Field Fisher Waterhouse (2014), “Cookies ‘consent rule: EEA implementation”, available at http://www.fieldfisher.com/pdf/Cookie%20Consent%20March%2014.pdf
•    European Commission (2012), Online services, including e-commerce, in the Single market, p 56

Storing information, or gaining access to information already stored, is only allowed on the condition that the visitor has given his or her consent and has been provided with clear and comprehensive information of the purpose of the intended operation(s).
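
The rules in this section can be enforced on the server before any cookie is sent. The sketch below is an added example, not part of the original guidance: the cookie inventory, the cookie names and every function name are hypothetical, and the two consent approaches are modelled only as far as the text above describes them.

```javascript
// Added example, not from the original page. All names are hypothetical.

// Consent approaches as described above.
const OPT_IN = "explicit";  // visitor must agree before cookies are stored
const OPT_OUT = "implied";  // information published, visitor may refuse

// Constructed cookie inventory for a sample shop, one entry per cookie type.
const INVENTORY = [
  { name: "basket", type: "session", strictlyNecessary: true },
  { name: "lang", type: "persistent", maxAgeDays: 180 },
  { name: "ad_profile", type: "profiling", maxAgeDays: 365 },
];

// choice: "accepted", "refused" or null (visitor has not answered yet).
function mayStore(cookie, approach, choice, noticeShown) {
  // Session cookies strictly necessary for a requested service need no consent.
  if (cookie.type === "session" && cookie.strictlyNecessary) return true;
  // Everything else requires clear information first, under either approach.
  if (!noticeShown) return false;
  if (approach === OPT_IN) return choice === "accepted";
  if (approach === OPT_OUT) return choice !== "refused";
  return false; // unknown approach: fail closed
}

// Build one Set-Cookie header value. The value is URL-encoded so it cannot
// smuggle in extra attributes; Secure, HttpOnly and SameSite are defaults
// chosen for this example.
function setCookieHeader(cookie, value) {
  const parts = [`${cookie.name}=${encodeURIComponent(value)}`, "Path=/",
    "Secure", "HttpOnly", "SameSite=Lax"];
  // No Max-Age on a session cookie: it expires with the browser session.
  if (cookie.type !== "session") {
    parts.push(`Max-Age=${cookie.maxAgeDays * 24 * 60 * 60}`);
  }
  return parts.join("; ");
}

// Header that deletes a cookie stored before the visitor refused.
function expireHeader(cookie) {
  return `${cookie.name}=; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=0`;
}

// Decide every cookie header for one response.
function responseCookies(approach, choice, noticeShown, values) {
  const headers = [];
  for (const cookie of INVENTORY) {
    if (mayStore(cookie, approach, choice, noticeShown)) {
      if (values[cookie.name] !== undefined) {
        headers.push(setCookieHeader(cookie, values[cookie.name]));
      }
    } else if (choice === "refused") {
      headers.push(expireHeader(cookie));
    }
  }
  return headers;
}

// Constructed sample values for a first visit with no answer yet.
const sample = { basket: "sku-1,sku-2", lang: "nl", ad_profile: "seg42" };
console.log(responseCookies(OPT_IN, null, true, sample));
console.log(responseCookies(OPT_OUT, "refused", true, sample));
```

Under the opt-in approach an unanswered visitor receives only the basket cookie; after a refusal the non-essential cookies are actively expired rather than merely no longer set.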

Comply with the GDPR

The General Data Protection Regulation (Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)) has recently entered into force. It provides for some new obligations on certain businesses, in particular those processing data. The Commission has given advice to enterprises on what to do in order to comply with the GDPR when setting up a business (see “Seven steps to get ready for the GDPR”, which can be downloaded at the following link), and has also issued guidance on further aspects.

Comply with the ODR Regulation

The Online Dispute Resolution (ODR) Platform is provided by the European Commission to help you resolve disputes with your online customers without going to court. It can be used for any contractual dispute arising from online purchases of goods or services where the trader and consumer are both based in the EU or Norway, Iceland, and Liechtenstein.

If you trade online in the EU, Norway, Iceland or Liechtenstein, you have the following obligations in relation to the ODR platform:

•    You have to provide a link from your website to the Online Dispute Resolution platform.
•    This link has to be visible and easily accessible on the website.
•    If you are legally obliged to use any particular dispute resolution body or if you are committed (for example contractually or by virtue of membership of a particular trade organization) to using one, you must state this on your website and name the body concerned.

These obligations APPLY TO ALL ONLINE TRADERS whether they intend to use the ODR platform or not.

Sources:

•    Regulation (EU) No 524/2013 on online dispute resolution for consumer disputes.
•    Trader information page, traders obligations
•    Online Dispute Resolution Platform

Comply with EU non-discrimination requirements

When you sell goods or offer services, you cannot offer less favourable terms or deny access to them solely on the grounds that a customer originates from or lives in another country. These practices are referred to as geo-blocking and are targeted by a new Regulation that entered into force in March 2018 (Regulation (EU) 2018/302) and applies from December 2018. The Regulation covers online and offline sales of tangible goods (e.g. clothing, footwear and accessories) as well as certain online digital services (cloud services, data warehousing, website hosting). For more information on the new regulation, please consult the following document and page.

The different treatment of different customers is only allowed if you can justify it on the basis of objective criteria e.g. additional costs incurred because of the distance involved. The absence of sufficient intellectual property rights in a particular territory is another possible reason. You might need to comply with additional administrative procedures to offer your service across borders. Such additional costs might justify, for example, higher prices to a client abroad.

If you are wondering whether you are applying discriminatory conditions to your customers, ask the Point of Single Contact of the country where you want to provide your services.  

Sources:

•    Services Directive (2006/123/EC), Article 20(2)
•    Your Europe, Providing services abroad (including information on cross-border VAT)
•    REGULATION (EU) 2018/302 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 28 February 2018 on addressing unjustified geo-blocking and other forms of discrimination based on customers' nationality, place of residence or place of establishment within the internal market and amending Regulations (EC) No 2006/2004 and (EU) 2017/2394 and Directive 2009/22/EC.

Top Level Domain Name and consent on the use of cookies, by country

Austria
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Unclear
Currently, the TKG (Telecommunications Act) does not expressly address the conditions for the use of cookies, neither does it state expressly whether the use of browser settings
There is therefore no clear guidance on compliance. Read more on Telecommunication Act (section 96.3)

Belgium
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means), provided it is "freely given, unambiguous, specific and informed".
Read more: Section 129 of the Belgian Electronic Communications Act (NL)

Bulgaria
Top Level Domain Name: In order to use that country’s Top Level Domain Name, the company or physical person has to reside or belong to a country of the European Union.
Consent on the use of cookies: Implied
You must provide “clear and comprehensive information” about the use of cookies and give individuals “the opportunity to refuse” those cookies.

Croatia
Top Level Domain Name: In order to use that country’s Top Level Domain Name, you must:
•    Provide ONE of the following: EU tax ID number, Croatian company OIB number or local Personal ID (OIB number).
Personal registrations are limited to one domain. A Croatian company can register up to 10 domains.
Consent on the use of cookies: Explicit
You must ask your visitors to consent explicitly to the use of cookies (‘strict opt-in approach’).

Cyprus
Top Level Domain Name: In order to use that country’s Top Level Domain Name, you must:
•    Companies: Copy of certificate from Cyprus Registrar of Companies proving your rights to the domain. Include trademark from Cyprus Registrar of Trademarks if applicable. Local address, phone required;
•    Individuals: copy of Cyprus Identification card, local address, phone.
Consent on the use of cookies: Explicit
You must ask your visitors to consent explicitly to the use of cookies (‘strict opt-in approach’).

Czech Republic
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Denmark
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You must provide information on the use of cookies, including potential use of third party cookies in the notice. You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means). Follow the guidelines provided by The Danish Business Authority (in English).

Estonia
Top Level Domain Name: In order to use that country’s Top Level Domain Name, an administrative contact with an Estonian personal identification code is required.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Finland
Top Level Domain Name: In order to use that country’s Top Level Domain Name, you must:
•    Provide copy of document from Finnish Trade Registry along with address, phone, contact person of company.
Private persons can register with Finnish identity number and home address.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

France
Top Level Domain Name: In order to use that country’s Top Level Domain Name, the company or physical person has to reside or belong to a country of the European Union or Switzerland, Norway, Iceland or Liechtenstein.
Consent on the use of cookies: Implied
Permanent cookies do not need prior consent (clear information must be provided and ready access to an opt-out mechanism).
However, you must ask your visitors to consent explicitly to the use of tracking cookies.
Guidance on the French law can be found on the CNIL website.

Germany
Top Level Domain Name: In order to use that country’s Top Level Domain Name, the contact person must have a valid street address and phone number within Germany.
Consent on the use of cookies: Explicit (for personal data)
The current rules impose an opt-in for cookies collecting personal information, but accept an opt-out approach for all other types of cookies.

Greece
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Hungary
Top Level Domain Name: In order to use that country’s Top Level Domain Name, you must:
•    Provide AT-ID number of company of European Union country and a contact person in Hungary;
•    Be able to communicate in Hungarian.
If individual, you must provide personal ID number from any EU country and contact person in Hungary.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Ireland
Top Level Domain Name: In order to use that country’s Top Level Domain Name, as a foreign company, you can register if you are currently doing business in Ireland or have a trademark.
Consent on the use of cookies: Unclear
There is no official guidance on how information is to be provided or consent is to be given (although it ‘should be as user-friendly as possible’).

Italy
Top Level Domain Name: In order to use that country’s Top Level Domain Name, the company or physical person has to reside or belong to a country of the European Union.
Consent on the use of cookies: Implied
Users are expected to be informed in advance of the use of cookies - and to have given their consent, unless the cookies are necessary to perform a user-requested service or are session cookies.
Read more in FAQ on the Garante per la protezione dei dati personali website.

Latvia
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Explicit
You must ask your visitors to consent explicitly to the use of cookies (for personal data).

Lithuania
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Explicit
You must ask your visitors to consent explicitly to the use of cookies (‘strict opt-in approach’).

Luxembourg
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Malta
Top Level Domain Name: In order to use that country’s Top Level Domain Name, you must be able to demonstrate the right to use the proposed domain as a Full Trade Mark or Trade or Business Name.
Consent on the use of cookies: Implied
In the regulations (Legal Notice 239 of 2011), there is no mandatory guidance on how consent is to be given.

Netherlands
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Explicit
You must ask your visitors to consent explicitly to the use of cookies (‘strict opt-in approach’).

Poland
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Portugal
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Explicit
Users are expected to be informed in advance of the use of cookies - and to have given their consent, unless the cookies are necessary to perform a user-requested service.

Romania
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Slovakia
Top Level Domain Name: In order to use that country’s Top Level Domain Name, you must:
•    Companies: Provide copy of company registration document in Republic of Slovakia;
•    Individuals: Copy of ID from Republic of Slovakia.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Slovenia
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).

Spain
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means), although the guidelines (Spanish only) indicate a preference for an opt-in approach.

Sweden
Top Level Domain Name: There is no requirement to use that country’s Top Level Domain Name.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means).
Read more in FAQ of the Post and Telecom Authority (PTS), responsible for the legislation

United Kingdom
Top Level Domain Name: In order to use that country’s Top Level Domain Name, an Administrative contact in the United Kingdom must be provided.
Consent on the use of cookies: Implied
You are allowed to rely on "implied" consent (for example, through appropriate browser/application settings or other means). Follow the Information Commissioner’s Office (ICO) guidelines.