Online retailers are subject to extensive mandatory disclosure obligations under EU consumer protection law and the German Civil Code (BGB). Before a consumer places an order, the retailer must clearly and prominently disclose: the main characteristics of the product or service, the total price including all applicable taxes and charges, delivery costs and estimated delivery times, payment terms, the identity and contact details of the retailer, and the right of withdrawal. Failure to provide this information correctly can invalidate the purchase contract and expose the retailer to cease-and-desist letters.
Consumers purchasing goods or digital services from an online retailer have a 14-day right of withdrawal (Widerrufsrecht) without stating any reason. The 14-day period begins when the consumer receives the goods (not when the order is placed). The retailer must provide a compliant withdrawal notice and a model withdrawal form before the order is confirmed. If the withdrawal notice is defective or missing, the withdrawal period extends to 12 months and 14 days. Certain goods are exempt from the right of withdrawal (e.g., perishables, sealed audio recordings once opened).
Online marketplaces (such as Amazon, eBay, Etsy, and similar platforms) and operators of their own multi-seller platforms are subject to additional legal obligations. The Digital Services Act (DSA) and the EU Platform-to-Business Regulation impose transparency requirements and complaint mechanisms on platform operators. Sellers on third-party marketplaces must comply with the marketplace's own policies in addition to applicable consumer protection law. Marketplace operators must have clear terms of service and provide traders with clear, transparent conditions and an internal complaints mechanism.
E-commerce pricing is subject to specific legal requirements. Since 2022, price reduction advertising requires disclosure of the lowest price charged in the preceding 30 days as the reference price (implementing the Omnibus Directive). Payment surcharges for specific payment methods are generally prohibited for consumer transactions. Automatic subscription renewals must be clearly communicated and easy to cancel. Subscription traps — arrangements that obscure the ongoing cost commitment — are subject to specific disclosure obligations and are a frequent target of cease-and-desist enforcement.
Yes. Under German law (Telemediengesetz / Digitale-Dienste-Gesetz), any commercial website must have a readily accessible imprint (Impressum) containing: the full legal name and address of the operator, a means of rapid electronic contact (email address), and other information depending on the legal form of the operator (e.g., commercial register entry, managing director name for a GmbH). Defective or missing imprints are a common target of cease-and-desist letters by competitors and warning organizations.
The right of withdrawal for digital content delivered electronically (downloads, streaming, software) can be excluded — but only if the consumer has expressly consented to delivery beginning before the withdrawal period expires, and has acknowledged that their right of withdrawal is thereby lost. This requires specific language in the checkout process and an active confirmation from the consumer. Without this procedure, the right of withdrawal cannot be excluded even for digital products.
A non-compliant online shop is at serious risk of cease-and-desist letters from competitors, consumer protection organizations, and qualified entities. Cease-and-desist letters can require the signing of a declaration of omission and claim significant legal costs. In addition, missing or defective withdrawal notices extend the consumer's withdrawal period, creating the risk of returns long after the sale. Regulatory investigations by consumer protection authorities are also possible for systematic violations.
Yes. The GDPR requires every website that processes personal data — which includes virtually all commercial websites — to have a compliant privacy notice. This must explain: what personal data is collected, for what purposes, on what legal basis, how long it is retained, and the rights of data subjects. A missing or defective privacy notice is a GDPR violation and is increasingly the subject of cease-and-desist actions. The privacy notice must be kept up to date as tools and processing activities change.
Your imprint must include the name and address of the provider, a quick electronic contact option (e.g., email), the authorized representative for legal entities, the register and registration number for registered companies, and the VAT identification number for VAT-registered businesses. The imprint must be easily recognizable, directly accessible, and constantly available – even on mobile.
