E-commerce Legal Compliance Checklist

Privacy and Data Protection

    Compare the live policy against CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA requirements. Flag missing disclosures: categories of personal info collected, retention periods, sub-processors, opt-out rights. New laws take effect annually — last year's compliant policy is often this year's gap.

    Open the site in a fresh EU/UK IP and confirm OneTrust, Cookiebot, Termly, or whatever CMP is in use blocks Klaviyo, Meta Pixel, and TikTok Pixel until consent. The most common gap is the Meta Pixel firing pre-consent in the theme header.
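A live check from a fresh EU/UK IP is the authoritative test, but the defect the item describes usually lives in the theme template itself. Below is an added example (not from Manifestly or from any CMP vendor) that statically scans a theme header for Meta Pixel, TikTok Pixel, and Klaviyo tags and reports which ones would execute before consent. It assumes the common CMP convention that a held script carries a non-executable `type="text/plain"` plus a category marker (`data-cookieconsent` for Cookiebot, an `optanon-category-*` class for OneTrust); other CMPs use different markers, and the sample HTML, pixel IDs, and hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Signatures of the tags the checklist names. Patterns match either the loader URL or the
# inline bootstrap call so both pasted snippets and <script src> loaders are caught.
TRACKER_PATTERNS = {
    "Meta Pixel": re.compile(r"connect\.facebook\.net|\bfbq\s*\("),
    "TikTok Pixel": re.compile(r"analytics\.tiktok\.com|\bttq\.(?:load|page|track)\s*\("),
    "Klaviyo": re.compile(r"static\.klaviyo\.com|klaviyo\.js"),
}

# A script with one of these type values (or no type at all) executes on page load.
EXECUTABLE_TYPES = {"", "text/javascript", "application/javascript", "module"}


class _ScriptCollector(HTMLParser):
    """Collects every <script> element as (attributes, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = [{k.lower(): (v or "") for k, v in attrs}, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def classify_script(attrs, body):
    """Return (tracker name, status) for a known tracker, or None for any other script.

    status is 'gated' (held by the CMP), 'ungated' (no consent handling at all), or
    'ungated-misconfigured' (a CMP category marker is present but the type is still executable,
    so the browser runs it anyway). Assumption: the Cookiebot and OneTrust marker conventions.
    """
    blob = attrs.get("src", "") + "\n" + body
    for name, pattern in TRACKER_PATTERNS.items():
        if pattern.search(blob):
            break
    else:
        return None
    executable = attrs.get("type", "").strip().lower() in EXECUTABLE_TYPES
    has_cmp_marker = "data-cookieconsent" in attrs or "optanon-category-" in attrs.get("class", "")
    if not executable:
        return (name, "gated")
    return (name, "ungated-misconfigured" if has_cmp_marker else "ungated")


def audit_theme_header(html):
    """All known trackers in document order with their consent status."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = [classify_script(attrs, body) for attrs, body in parser.scripts]
    return [f for f in findings if f is not None]


def ungated_trackers(html):
    """Sorted names of trackers that would fire before consent."""
    return sorted(name for name, status in audit_theme_header(html) if status != "gated")


# Constructed theme header (placeholder IDs) showing the three cases the audit distinguishes.
SAMPLE_THEME_HEADER = """
<head>
  <script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="PLACEHOLDER-CBID"></script>
  <!-- Meta Pixel pasted straight into theme.liquid: runs on load, before any consent -->
  <script>
    !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?n.callMethod.apply(n,arguments):n.queue.push(arguments)};
    t=b.createElement(e);t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
    fbq('init', 'PLACEHOLDER_PIXEL_ID'); fbq('track', 'PageView');
  </script>
  <!-- TikTok Pixel correctly held by the CMP: non-executable type plus a consent category -->
  <script type="text/plain" data-cookieconsent="marketing">
    !function (w, d, t) { w.TiktokAnalyticsObject=t; var ttq=w[t]=w[t]||[]; ttq.load('PLACEHOLDER_TT_ID'); ttq.page(); }(window, document, 'ttq');
  </script>
  <!-- Klaviyo tagged with a consent category but the type left executable: it still runs -->
  <script class="optanon-category-C0004" src="https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=PLACEHOLDER"></script>
</head>
"""

if __name__ == "__main__":
    for name, status in audit_theme_header(SAMPLE_THEME_HEADER):
        print(f"{name:13s} {status}")
```

Run it against the exported theme.liquid and any header-injected snippets from a theme-customizer; the scan is a pre-deployment gate, and the fresh-IP browser check remains the confirmation that the CMP actually holds the tag at runtime.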

    Submit a test DSAR through the website form and time the response. CCPA gives 45 days; GDPR gives 30. Confirm the export pulls Klaviyo, Recharge, Gorgias, and Shopify customer records — not just the Shopify customer object.

    Reconcile the published sub-processor list with the actual stack (Klaviyo, Yotpo, Postscript, Gorgias, Recharge, Shopify, third-party 3PL). A new vendor onboarded mid-quarter is the typical miss. GDPR requires advance notice of sub-processor changes.

    Have counsel review the redline, then publish to the storefront and any mobile app. Update the 'Last updated' date in the footer and notify subscribers if changes are material under the policy's own change-notice clause.

Consumer Protection and FTC Disclosures

    Pull the last quarter's posts from GRIN, Aspire, or Refersion and check each for #ad, 'paid partnership', or 'sponsored' tags per FTC Endorsement Guides. Story-only mentions and unboxing TikToks are the usual misses. The brand — not the influencer — is the FTC target.

    Confirm Recharge or Smartrr offers one-click online cancellation matching how customers signed up — California and New York require parity. Retention offers are allowed but cannot block the cancel path. Time the flow end-to-end; anything over 90 seconds is a compliance and CX risk under the FTC's pending Negative Option Rule.

    Pull every 'clinically proven', 'FDA approved', '#1', and percentage claim from PDPs, A+ content, and ad creative. Match each to a citation in the substantiation file. 'FDA approved' is rarely accurate for supplements or cosmetics — a common failure mode that draws warning letters.

    Walk an order from PDP to confirmation and verify shipping, taxes, and any handling or processing fees appear before the customer commits. FTC and several state AGs have moved against 'drip pricing' and surprise fees in 2023-2024.

    Initiate a return through Loop or AfterShip Returns and verify the customer experience matches the published policy on window, restocking fees, and refund vs. store credit. Misalignment between the policy page and Gorgias macros is the typical defect.

Payment Processing and PCI Scope

    Shopify Payments and Stripe Checkout typically scope merchants to SAQ A. Custom card fields or Stripe Elements push to SAQ A-EP. Confirm with the processor's compliance portal — adding a custom checkout extension can silently change scope.

    Pull the last 90 days of disputes from Stripe or Shopify Payments. Win rates below 25% suggest the evidence template is weak — add proof of delivery, AVS match, and Gorgias conversation history. Watch the dispute rate against the 0.75% threshold that triggers Visa monitoring programs.

    Shopify auto-renews the storefront cert, but custom subdomains for landing pages, status pages, and apps often miss auto-renewal. An expired cert on the checkout subdomain is revenue-fatal — add monitoring in UptimeRobot or Better Stack.
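Hosted monitors cover the storefront, but the subdomains this item calls out are the ones nobody registered anywhere. The following added example (not from Manifestly, Shopify, or any monitoring vendor) is a stand-alone expiry check that pulls each host's certificate over a verified TLS handshake and classifies it as ok, expiring, or expired against a warning window. It uses only the standard library; the hostnames, `notAfter` dates, and the 14-day warning window are constructed assumptions, and `demo_audit` swaps the network fetch for those constructed values so the logic can be exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone


def days_until_expiry(not_after, now=None):
    """Days remaining on a certificate given the 'notAfter' string from ssl.getpeercert().

    OpenSSL formats it like 'Jun  1 12:00:00 2025 GMT'; ssl.cert_time_to_seconds parses
    exactly that layout. Negative values mean the certificate has already expired.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(days, warn_days=14):
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the leaf certificate's notAfter string.

    Verification is kept on deliberately: with CERT_NONE getpeercert() returns an empty dict,
    so there would be nothing to read. An already-expired or mis-issued certificate therefore
    fails the handshake and is reported by audit_hosts as an error, which is itself a finding.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit_hosts(hosts, warn_days=14, fetch=fetch_not_after, now=None):
    """Map each host to (status, days remaining) or ('error', reason)."""
    results = {}
    for host in hosts:
        try:
            days = days_until_expiry(fetch(host), now)
            results[host] = (classify(days, warn_days), round(days, 1))
        except OSError as exc:  # ssl.SSLError is an OSError: DNS, refused, and handshake failures
            results[host] = ("error", str(exc))
    return results


# Constructed fixture: a fixed clock and fake notAfter values instead of live certificates.
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
FAKE_CERTS = {
    "shop.example.com": "Sep  1 00:00:00 2025 GMT",     # 92 days out
    "status.example.com": "Jun  5 00:00:00 2025 GMT",   # 4 days out: inside the warning window
    "landing.example.com": "May 20 00:00:00 2025 GMT",  # lapsed 12 days ago
}


def demo_audit():
    """Runs the audit against the constructed fixture; checkout.example.com simulates a dead host."""
    def fake_fetch(host, port=443, timeout=5.0):
        if host not in FAKE_CERTS:
            raise OSError("connection refused")
        return FAKE_CERTS[host]
    return audit_hosts(list(FAKE_CERTS) + ["checkout.example.com"], fetch=fake_fetch, now=FIXED_NOW)


if __name__ == "__main__":
    # Replace the fixture with the real subdomain inventory to run it live:
    # audit_hosts(["shop.example.com", "status.example.com"])
    for host, result in demo_audit().items():
        print(f"{host:22s} {result}")
```

Feed it the full subdomain inventory (landing pages, status page, headless apps) from a scheduled job so that a host missing from the hosted monitor still gets checked, and treat any `error` row as a page, not a retry.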

    PSD2 Strong Customer Authentication is enforced in the EEA and UK. Confirm Stripe Radar or Shopify Payments triggers 3DS challenges on EU cards. Disabled 3DS shows up as a spike in EU declines or a chargeback liability shift back to the merchant.

    Confirm Recharge and Stripe Customer use account updater services to refresh expired cards. Also verify the customer-facing flow to update or remove a saved card meets the FTC's 'simple cancellation' parity standard for stored credentials.

Intellectual Property and Brand Enforcement

    Brand Registry requires an active registered or pending trademark in each marketplace country. Confirm USPTO and EUIPO statuses and re-upload trademark certificates if registry status shows 'verification needed'. Without it, Project Zero, Transparency, and A+ content access are gone.

    Use Helium 10 Alerts or Sellerise to pull the offer history on every owned ASIN. Flag any third-party seller on the Buy Box or sharing the listing. Test buy a unit to verify counterfeit vs. diverted authentic — the response paths are different (test buy + brand registry report vs. authorized-reseller cease-and-desist).

    Pull the last 30 days of MAP monitoring data from Trackstreet or MarketTrack. Send a first-notice letter for first violations and de-authorize repeat offenders. Unenforced MAP collapses to a price floor competitors race below — Buy Box drops follow within weeks.

    Audit Shutterstock, Adobe Stock, Epidemic Sound, and Artlist licenses against current usage. TikTok and Reels music is a frequent trap — a commercial license for organic posts does not cover paid ads. Photographer model releases must cover ad use, not just organic.

    Confirm the DMCA agent registration with the U.S. Copyright Office is current — it expires every three years. Document the takedown response SLA and route inbound IP complaints to a single inbox so deadlines are not missed.

Sales Tax and Multi-State Nexus

    Pull rolling 12-month gross sales and transaction counts per state from Shopify, Amazon, and other DTC channels. Compare against each state's threshold (commonly $100K or 200 transactions, but California and Texas use $500K). Marketplace-facilitator sales count toward thresholds in some states even though the marketplace remits.

    Verify Amazon, Walmart, eBay, and Etsy are collecting and remitting in every state where they operate as a marketplace facilitator. Missouri was the last holdout and is now in. Cross-check against the Avalara or TaxJar marketplace coverage matrix.

    Pull 1099-K from Stripe, Shopify Payments, PayPal, Amazon, and Etsy. The IRS threshold has been moving — confirm the current year's threshold and reconcile gross amounts against QuickBooks or NetSuite. Marketplace 1099-K reports gross before refunds and fees, so the books will not match dollar-for-dollar.

    In Avalara, TaxJar, or Anrok, confirm registered states match the live calculation list, product taxability codes match the catalog, and AutoFile is funded. Common defect: a new state was registered but never enabled in the tax tool, so collection lags registration.

    Sample 10 recent orders and confirm the order confirmation, packing slip, and downloadable invoice show tax separately. EU/UK B2B orders need VAT-compliant invoices with the seller's VAT ID and the customer's VAT ID where provided.

    File for a sales tax permit in each state whose threshold was crossed during this period — most states require registration before collecting. Then enable collection in Shopify and the tax automation tool, and backdate any remittance owed since the threshold-crossing date. Voluntary disclosure agreements limit lookback when liability has accumulated.
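The first and last items of this section (the rolling 12-month threshold comparison, and backdating remittance to the threshold-crossing date) are the same computation. Below is an added example (not from Manifestly, Avalara, TaxJar, or Anrok) that takes an order export, keeps the rolling window, totals sales and transactions per state, and reports whether and on which date each state's threshold was crossed. The threshold table uses only the figures the checklist cites (the common $100K/200-transaction rule and $500K for California and Texas) and every entry is a placeholder to verify against the state; whether marketplace-facilitated sales count is passed in as a flag because that varies by state. The order history is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed threshold table using the checklist's figures. Thresholds change and differ by
# state; every entry is a placeholder to verify against the state's current rule.
THRESHOLDS = {
    "DEFAULT": {"sales": 100_000, "transactions": 200},
    "CA": {"sales": 500_000, "transactions": None},  # sales-only threshold
    "TX": {"sales": 500_000, "transactions": None},
}


def nexus_report(orders, as_of, count_marketplace, thresholds=THRESHOLDS, window_days=365):
    """Economic-nexus check over a rolling window ending on as_of.

    orders: dicts with 'date', 'state', 'amount', 'marketplace_facilitated'.
    count_marketplace: whether marketplace-facilitated sales count toward the threshold.
    Returns per state: sales, transaction count, whether the threshold was crossed, and the
    date of the order that crossed it (the date from which remittance is backdated).
    """
    start = as_of - timedelta(days=window_days - 1)
    by_state = defaultdict(list)
    for o in orders:
        in_window = start <= o["date"] <= as_of
        counted = count_marketplace or not o["marketplace_facilitated"]
        if in_window and counted:
            by_state[o["state"]].append(o)

    report = {}
    for state, state_orders in by_state.items():
        rule = thresholds.get(state, thresholds["DEFAULT"])
        sales, tx, crossed_on = 0.0, 0, None
        for o in sorted(state_orders, key=lambda o: o["date"]):
            sales += o["amount"]
            tx += 1
            hit_sales = sales >= rule["sales"]
            hit_tx = rule["transactions"] is not None and tx >= rule["transactions"]
            if crossed_on is None and (hit_sales or hit_tx):
                crossed_on = o["date"]
        report[state] = {
            "sales": round(sales, 2),
            "transactions": tx,
            "crossed": crossed_on is not None,
            "crossed_on": crossed_on,
        }
    return report


# Constructed order history (not real data). The window runs 2024-07-01 .. 2025-06-30.
AS_OF = date(2025, 6, 30)
_WINDOW_START = AS_OF - timedelta(days=364)


def _orders(state, n, amount, marketplace, first_day, step=1):
    return [
        {"date": _WINDOW_START + timedelta(days=first_day + i * step), "state": state,
         "amount": amount, "marketplace_facilitated": marketplace}
        for i in range(n)
    ]


def demo_orders():
    return (
        _orders("CA", 300, 1_200.0, False, 0)              # $360K in 300 tx: under CA's $500K
        + _orders("TX", 5, 110_000.0, False, 0, step=30)   # $550K: crosses on the 5th order
        + [{"date": date(2024, 6, 15), "state": "TX", "amount": 100_000.0,
            "marketplace_facilitated": False}]             # older than the window: ignored
        + _orders("WA", 150, 700.0, False, 0, step=2)      # $105K in 150 tx: crosses on sales
        + _orders("NJ", 180, 50.0, True, 0)                # marketplace-facilitated orders
        + _orders("NJ", 30, 50.0, False, 180)              # direct orders
    )


if __name__ == "__main__":
    for flag in (True, False):
        print(f"marketplace sales counted: {flag}")
        for state, row in sorted(nexus_report(demo_orders(), AS_OF, flag).items()):
            print(f"  {state} {row}")
```

Run it both ways and compare the two reports: a state that crosses only when marketplace sales are counted needs the state-specific rule confirmed before registering, and `crossed_on` is the date to hand to the tax tool and to the voluntary disclosure calculation.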

Use this template in Manifestly
