COVID-19 has forced many businesses that were otherwise content to ply their merchandise through more traditional forms of retail to jump on the online retail bandwagon and offer their products online, thereby ensuring business continuity and meeting customer demand.

In this rush to set up online retail platforms, it is, however, crucial for business owners to understand their legal obligations towards consumers, which are amplified in the case of online retail.

The contract of sale is essentially the execution of two basic obligations on the part of the seller, namely to deliver the object of the sale and to ensure that the product is of the agreed-upon quality, and of the obligation on the part of the buyer to pay the price agreed upon. This is quite straightforward in ordinary over-the-counter transactions; however, in the case of online retail there are several implications which must be taken into consideration and addressed. For instance, how will delivery be effected? Within which time-frames? What should a customer do if he is not satisfied with a product? Within which period must a product be returned? How can a product be returned, and at whose cost? These are a few of the issues which traders must address when selling products online, along with other legal obligations arising in terms of the Consumer Rights Regulations, which specifically regulate distance selling and off-premises contracts. The most effective and common way for a business to meet such legal obligations is through Terms and Conditions which are to be prominently displayed on the business’ website. Customers should also be required to confirm their agreement to the Terms and Conditions and should be provided with a link to them when asked to confirm their agreement.

What should I include in our Terms and Conditions?

The following should be considered when setting up your online retail service and outlined in the Terms and Conditions:

  • Areas within which deliveries will be effected and any delivery restrictions
  • Time-frames for deliveries
  • Any age restrictions which apply; for example, certain products, such as alcoholic beverages, cannot be sold to persons below the age of 17.
  • Product Descriptions
  • Applicable warranties
  • Prices and how these can vary
  • Any other applicable charges, e.g. delivery charges
  • How payment will be processed. The trader is required to ensure that when placing his order, the consumer explicitly acknowledges that an order implies an obligation to pay.
  • Cancellation/Returns Policy
  • Refunds Policy
  • Complaint Handling Policy

Consumers are to be provided with clear information on the identity of the trader, such as the trading name of the business, and all relevant contact details such as the business address, telephone number, and email address.

Am I bound to accept returns?

Yes, in most cases.  Some exceptions include personalised merchandise, perishable goods, and goods which are sealed due to health protection or hygiene reasons if such goods are unsealed after delivery.  Any such exceptions must be clearly stated in the Terms and Conditions.

Your business is required to have a returns policy outlining the time limits and procedures for customers to exercise their right to return a product, and the applicable costs for returning the goods, if any. The law grants consumers a period of fourteen (14) days to exercise their right to withdraw from a sale concluded online.

What about Data Protection?

Data Protection takes on a different dimension in the context of online shopping.  The majority of company websites which do not include an online shopping facility are informative in nature and do not involve the processing of personal data.  Online shopping will invariably involve the processing of customer data, including name, surname, address, email address and possibly credit card details, and such processing must comply with the General Data Protection Regulation (GDPR)[1] and the Data Protection Act[2].  One requirement arising from such legislation is that customers as data subjects must be informed what data is being collected from them when they make use of your online services, and for what purpose.  This is most commonly addressed through a Privacy Policy which is uploaded on the website.  Security of data is a major issue in online trading, and you must ensure that the proper technical and organisational measures are in place to safeguard the integrity, availability and confidentiality of personal data. You must also have a retention policy in place regulating how long such data is to be retained.

Another important privacy aspect is the use of cookies. Visitors to your website must be given adequate information regarding the use of cookies and should also be given the option to choose which cookies to accept. This is commonly addressed through cookie banners which appear when a visitor first accesses the website. Some cookies are necessary, others relate to the website’s performance, and others track user behaviour. Explicit consent would be required for cookies which track user behaviour, and any consent boxes in relation to such cookies cannot be pre-ticked.

Data protection principles also dictate that data is used for the specific purpose for which it was collected.  Of particular relevance in this respect is the issue of direct marketing.  Companies should not make use of personal data which was collected from customers availing themselves of their online services in order to send customers promotional material.  Should the company wish to send promotional material to customers who subscribe to their services, customers should be asked to provide their consent for such purpose when they first input their data.

While strengthening a business’ online presence is a positive move, meeting the business’ legal obligations should be a primary consideration in the process. Ensuring that your business has the proper policies in place and is fully compliant with its legal obligations will spare you the complexities, and the possible hefty fines, which could arise if such legal obligations are overlooked at this crucial stage of taking your business online.

If you require further information or assistance contact Dr. Rita Mifsud or Dr. Simon Galea Testaferrata or send us an email on

The information provided in this article does not, and is not intended to, constitute legal advice.  Any information is provided for general informational purposes only. 

[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] Chapter 586 of the Laws of Malta