
Important legal considerations for your online business

August 4, 2020

Editor’s note. This guest post is from the Insights archive and some information may be out of date. 

You’ve come up with your online business idea and planned your product or service offering. Good work! Now it’s time to think about the laws that may affect you.

Despite the boom in online business over the last decade, many people still aren’t comfortable with buying goods or services online. The crucial reason is that consumers find it difficult to trust online businesses because of fears about privacy and security. Since the COVID-19 pandemic caused more people to operate from home, many online businesses rapidly saw an increase in sales. But trust is still a central issue.

Across the globe, regulators have stepped in to create trust by enacting various laws that protect consumers and regulate online businesses. We believe that building a good online business and brand means considering all the relevant legal aspects.

We asked three experts from Michalsons law firm to share the most important legal considerations for online businesses. Here’s what they had to say.

Types of online businesses

Understanding how you relate to your customers is the crucial first step in building your online business. Before you think about contracts, it’s essential to understand precisely what type of relationship you have and what responsibilities come with it.

A clear understanding of the relationship will help you focus on the laws, contracts, and general considerations that are relevant to your business.

There are various types of online businesses, each with different responsibilities.

  • An online store may sell physical goods. For instance, Plant Gardening Supplies* provides delivery of seedlings to gardeners at home. They deliver the seeds either through couriers from their physical store or directly from the supplier via dropshipping.
  • An online service might provide bespoke consulting services over the Internet. Leaf Gardening Consulting* is a business that provides bespoke gardening advice to its users over video conferencing software like Zoom.
  • An online platform may take the form of a marketplace, like Lotus Garden Planner*, which connects gardeners with landscapers.

*Not actual businesses. 

Legal terms

There is no all-purpose solution for legal terms, primarily because of how unique and intricate your relationships might be. That said, a few standard business models can benefit from the same general kinds of legal terms. You will need to get specific guidance on how to tweak those terms for your use.

The most common legal terms that online businesses use are:

  • Terms of use: the simple terms and conditions that cover people who visit your website before becoming your customer.
  • Terms of service: more complex terms that cover the legal relationship between you and your customer.
  • Orders: a separate document or web form that covers the specific commercial terms relating to a transaction, and that incorporates the terms of service by reference.

Acceptable use

Acceptable use policies are recommended for any online business that has a social component. This component could be a feature of your service (for example, where users can interact with each other), or a community group on a third-party social media platform. This policy describes the way that your customers are (and are not) allowed to engage with your service. It sets clear rules of engagement, preventing unwelcome content like hate speech or discrimination. Describing and enforcing these rules is an important legal consideration.


Privacy is the set of obligations that businesses have to protect personal data from unwanted observation or disruption, among other things. Online businesses should put the customer’s privacy front and centre and comply fully with the privacy laws (the GDPR in the EU and POPIA in South Africa). If South African online businesses trade internationally and process the data of EU-resident data subjects, they will have to comply with the GDPR as well as POPIA.

Privacy policy

Even the simplest online store collects a name, email address, and physical address to process an order. This collection includes personal data which the law requires you to protect and process lawfully. A privacy policy lets your customers know that you are protecting their personal data, and legitimises your online business. For example, see our privacy policy.

Cookie policy

Cookies are small text files that websites put on your device to track you. They’ve been around for a long time, but a recent high-profile law in Europe, in the form of the PECR or ePrivacy Regulation, regulates how they work. These laws oblige websites to get consent to put cookies on their customers’ machines. This is usually in the form of a pop-up or a notice letting visitors to your website know that cookies are being collected.

PAIA manual (Promotion of Access to Information Act)

South Africa’s access to information law defines how people can get information from your organisation. 

Data processing agreements

Data processing agreements are relevant because your organisation is not an island. You are often processing personal data together with other organisations. Data protection law generally requires a data controller to enter into a written agreement with their processors to regulate how they process personal data on their behalf. Precisely what that agreement contains depends on the relevant data protection law. POPIA requires that the processor follow the controller’s instructions and secure the personal data they process on their behalf against unauthorised access.


Security is another critical issue for online businesses. It’s essential to have the necessary safeguards in place to keep your systems and data free from danger, threat or harm. Here are a few dos and don’ts for password management, and how to prevent your website from being hacked.

Returns and Refunds

A returns policy is most necessary when you are an online store selling physical goods to consumers. The CPA and ECTA give consumers a variety of ways to return goods. A policy acknowledging these helps to build trust with your customers and avoids unnecessary arguments. 


Direct marketing includes email newsletters or SMS messages. Previously, a business could send direct marketing messages to prospects in South Africa, provided they gave the recipient the opportunity to opt out. Since POPIA has taken effect, this has changed.

Under POPIA, section 69(3), you may communicate via electronic means (emails, instant messaging) with customers if you:

  • obtain their details in the context of a sale of products or services; and
  • market your similar goods or services.

You can only market to your customers (under this provision) if you also meet the requirements in section 69(3)(c). In essence, this section says the client must be able to object:

  • when you collect their personal information; and
  • on each communication that you send to them.

Only once you’ve complied with all the requirements above can you market to a customer.

The opportunity to object means giving your customers the ability to refuse your marketing communication.

Would you like more practical advice for your business? Read our Tax primer for small businesses.

About the Authors

Associate David Luyt is a POPI professional, electronic signature expert, and online business aficionado.

Associate Kevin Hoole specialises in creative problem solving, information technology contracts and intellectual property law.

Candidate Attorney Nathan-Ross Adams is a creative thinker with commercial experience in the software and advertising industries.

