Top 5 E-Commerce Mistakes, and How to Avoid Them

E-commerce businesses are easy targets for lawsuits. Unlike traditional brick-and-mortar businesses, everything e-commerce businesses do is online for billions of people to see with the click of a button. So, the massive uptick in e-commerce litigation in recent years should not surprise anybody.

Despite these increased risks for e-commerce businesses, many make massive mistakes in the startup phase when cash is tight, then fail to correct those mistakes later. Today, I want to talk about five of the biggest and most common e-commerce mistakes, and how to fix them.

#1 No privacy policy, or a bad privacy policy

I’ve been doing privacy law work since 2016. Years before that, California did what it does best and required any person who operates a website anywhere have a privacy policy if the website obtains personal information from California residents. By 2016, most bigger businesses had them,.

I sometimes check websites I visit, just for fun, to see whether they have privacy policies. Most do, but many don’t. Even some e-commerce businesses neglect to get one. This is a bad idea!

Even putting aside California’s decades old requirement, a host of new laws like the California Consumer Privacy Act and the  European Union’s General Data Protection Regulation essentially mandate it. Even for businesses that aren’t subject to CCPA or GDPR (and the list of these businesses decreases by the year), it’s a huge risk not having a policy that discloses what information is collected and how it is used and disclosed. E-commerce businesses that don’t have an online privacy policy are in the crosshairs of crafty plaintiffs’ attorneys and even government regulators.

On the other hand, I can’t tell you how many times I’ve seen privacy policies ripped from Google or a competitor’s website with virtually no customization. This is usually worse than just no privacy policy at all. For example, if a business copies a competitor’s privacy policy that says the competitor does not sell information to third parties, and that business in fact sells information to third parties, that business is in for a world of pain.

How does a company solve this problem? Easy. By getting a real privacy policy. Every e-commerce business is different, and  each privacy policy should be different. For massive companies, compliance with GDPR and/or CCPA’s requirements will probably be expensive. But that doesn’t need to be the case for smaller e-commerce businesses, and privacy attorneys often put these together on a reasonable budget, depending mostly on the size and nature of an e-commerce business.

#2 Bad e-commerce terms

Next time you buy something online, scroll to the bottom of the page and look at the different types of policies the e-commerce vendor has posted. Chances are you’ll see at least one of the following: terms of use, terms of service, terms and conditions, refund/purchase terms, etc. Different e-commerce businesses may need different sets of terms. And like with privacy policies, it’s easy to botch them.

One thing e-commerce businesses routinely mess up is shipping terms. For example, they may say they ship anywhere in the United States, but do they ship outside the continental U.S.? What about Guam? What about APO/FPO?

Another area where it’s easy to land in hot water is on your terms governing refunds and exchanges. I’ve worked with many businesses that go the extra mile and think through dozens of possible contingencies about how they will accept and process refunds or exchanges. But I’ve also seen many policies that do not reflect the actual practices of the e-commerce vendor posting them. Posting refund and exchange policies and then not abiding by those policies is an easy way to get sued or get a state’s attorney general on your case.

I could give endless examples of problems with website terms here, but I think you get the picture. Just as is true with privacy policies, websites need well-crafted terms that reflect their actual business practices. Doing this correctly need not cost you an arm and a leg and it’s absolutely worth the investment on the front end, to save yourself from a lawsuit on the back end.

#3 No cyber liability coverage

When I started practicing privacy law, a big part of my practice was data breach response work. Back then, there were still a dozen or so states that didn’t have breach response laws. But today, every single state has a law on its books and these laws are often very different from one another. This means that a company that is a victim of a data breach might have to comply with the laws of 50 different jurisdictions, not to mention possible international data laws.

A breach, which may include something as innocuous as losing an unprotected laptop containing personal information, may result in a company having to hire legal counsel and forensic experts, work with law enforcement, and provide notification and certain legally mandated services (which vary by state) to all affected persons. If the information is protected health information, things get even more complicated. All this is incredibly expensive and time consuming.

Imagine, for example, an e-commerce business that collects personal information from 10,000 customers. Let’s just assume the personal information at issue is social security numbers. If that business gets hacked and the hacker gets its hands on all 10,000 customers’ social security numbers, that business may need to provide notice to all 10,000 people. This would require it track them down, compose a template letter (usually through counsel), send mass mailings, arrange for a call center to be established, provide notice to certain regulators in states where such notice is required, interface with regulators who have questions, and provide other state-mandated services.

In the more than two dozen data breaches on which I have worked, I cannot recall a single one that was “cheap” to the affected business. Larger breaches can be so expensive that a business could become insolvent. To deal with this problem, insurers began issuing cyber liability coverage. Today, cyber coverage is widely available and e-commerce businesses can find insurers offering coverages and deductibles that make sense for their particular line of business. But in 2023, not having cyber liability coverage can be like playing Russian Roulette.

#4 Advertising mishaps

When I started practicing law, I did a lot of intellectual property and commercial litigation, including false advertising matters. Though I’ve since given up litigation to focus on contract law, regulatory law, and counseling, I still routinely deal with advertising concerns in the e-commerce space and adjacent industries. Some of the bigger advertising mishaps I see today are: (1) running afoul of social media advertising policies, (2) not complying with the Federal Trade Commission’s (FTC) complex endorsement guidelines, (3) advertisements likely to upset the FDA (which I see when working in the healthcare, nutrition, and cannabis/CBD industries), and (4) straight-up false advertising.

I could write endless posts about each of these topics and ways I’ve seen companies drop the ball, but I’ll just highlight a few of the following pain points I see time and time again:

  • Influencers and brand ambassadors are notorious for violating FTC endorsement guidelines and even social media advertisement policies. It’s usually the company (not the influencer) that pays the biggest price for these violations. And to the extent an influencer loses a social media account, a company could face even more liability (“Hey why didn’t you tell me not to say that?!?”). One way to address this is with a good written agreement with the influencer that lays out rules for social media posts and limits liability for the company.
  • Internal and external marketing teams often make claims that would give a company’s general counsel heartburn. Training programs and internal/external guidelines are absolutely key – especially for e-commerce companies in regulated industries.
  • A big part of my practice is reviewing websites for legal compliance, and I can’t tell you how many times something problematic or even false flown under the radar of the people who designed the website.
  • Websites that hide prices or tack on fees later in the shopping process upset their customers. Upset customers seldom return to buy again and they also are the ones who usually sue.

#5 ADA and TCPA

In the last few years, there’s been a massive uptick in Americans with Disabilities Act (ADA) and Telephone Consumer Protection Act (TCPA) litigation affecting e-commerce websites. For a description of the ADA cases, see the below by my colleague and our firm’s litigation department chair, Jihee Ahn:

[T]here is a growing trend of federal class action lawsuits claiming those websites and point-of-sale terminals violate Title III of the Americans with Disabilities Act (the “ADA”). The ADA requires all businesses to remove any obstacle that interferes with a disabled person’s ability to access their products or services online. If a claim is successful, the defendant can be required to pay the plaintiff’s attorneys’ fees and costs, and incur the cost of redesigning its website or point-of-sale system to comply. California also has its own, supplementary set of statutory law – the Unruh Civil Rights Act (“UCRA”), which mirrors the ADA but additionally opens the door to statutory damages.

These lawsuits have typically been brought by groups of visually impaired consumers who claim that a certain website fails to accommodate their disability . . . .

I remember first hearing about website accessibility cases years ago. Now it seems like one gets filed every five minutes, and certain attorneys have developed entire practice areas dedicated to just that. These cases can be expensive to litigate, as they are often filed as class action lawsuits.

Turning to TCPA, here’s a description from one of our previous posts:

Passed by Congress in 1991, the TCPA is a strict liability statute designed to fight incessant “robocalls” and aggressive/abusive telemarketers that plague unconsenting consumers.

. . .

The TCPA is terrifying because of the statutory damages in play, which are uncapped: it prescribes a penalty ranging from $500 to $1,500 for each text, call, or fax made in violation of the statute (think about that the next time your marketing team sends out 1,000 text messages to your customer list). It’s not unusual for larger companies to be hit with verdicts in the millions of dollars in recent years. The TCPA is also scary because it has a fairly robust four-year statute of limitations.

There are companies that assist businesses that want to engage in SMS marketing. Some of them are pretty good from a TCPA compliance point of view. But many are not, and far too many SMS marketing companies expressly disclaim liability for TCPA violations (which is why it is so critical to read those terms).

Fending off complex class action lawsuits can easily cost six or seven figures, and that’s not even countering the settlement payment or judgment. Complying with these laws need not be expensive, and doing so is a great investment. And trust me when I say that you will be better off spending a little money at the beginning than paying to defend against a class action later.

Read More

Business Basics