Is your website legal in the EU? An imprint, privacy & terms checklist

A practical checklist for a legally compliant EU business website: legal notice, privacy policy, cookie consent, terms, EAA accessibility, and consumer rights for online shops.

  • legal compliance
  • GDPR
  • EU regulations
  • website accessibility
  • ecommerce

Launching a business website in Europe is easy. Making it legal is where founders trip up — because "your website's legal pages" is really a stack of separate rules, some EU-wide, some country-specific. This checklist walks through the six things most European SMB sites need: a legal notice, a privacy policy, cookie consent, terms, accessibility, and consumer-rights basics for online shops. It is part of our guide on how to start an online business in Europe.

This is general information, not legal or tax advice — rules vary by country and change; confirm with a qualified professional before acting.

1. A legal notice / imprint (Impressum)

If you run a commercial website in the EU, you must be identifiable. This flows from Article 5 of the E-Commerce Directive (2000/31/EC), which requires providers to make certain information "easily, directly and permanently accessible" to users.

At minimum that usually means:

  • Your business or trading name and the legal form
  • A geographic address (a PO box is not enough)
  • Contact details allowing rapid communication — typically an email address, often a phone number
  • Trade or company register and registration number, where you have one
  • Your VAT identification number, where applicable

Every EU country has transposed this, but the intensity varies a lot. Germany and Austria are the strictest: Germany's Telemedia Act and Austria's E-Commerce Act require a dedicated, clearly labelled Impressum page, and missing or faulty imprints are a well-known source of warning letters (Abmahnungen). Other member states apply the same baseline more lightly. Practical rule: publish a clear "Legal notice" / "Impressum" page linked from every page, and if you sell into Germany or Austria, treat it as mandatory. Sources: E-Commerce Directive Art. 5 (EUR-Lex); German TMG §5.

2. A privacy policy

Any site that processes personal data — and that includes contact forms, analytics, and server logs holding IP addresses — needs a privacy policy under the GDPR. It should explain what data you collect, why, the legal basis, how long you keep it, who you share it with, and how visitors exercise their rights (access, deletion, objection).

This is the single most common gap on small business sites, and it is closely tied to your cookie setup. We cover the practical minimum in our companion post on GDPR for small websites. If you want a fast read on what your live site is actually doing, run it through our GDPR / cookie checker before you write a word.

3. Cookie consent done properly

Cookies (and similar tracking) are governed by the ePrivacy Directive — the so-called "cookie law" — working alongside the GDPR. The rule is stricter than most banners suggest:

  • Prior consent is required before non-essential cookies (analytics, ads, embeds) are set. A banner that drops tracking cookies on page load already fails.
  • Consent must be freely given, specific, informed and unambiguous — so "accept" and "reject" should be equally easy, with no pre-ticked boxes.
  • Strictly necessary cookies (session, security, load-balancing) do not need consent, but you should still explain them.
  • Visitors must be able to withdraw consent as easily as they gave it.

If your banner only has an "Accept" button, or loads Google Analytics before anyone clicks, that is a compliance problem, not a cosmetic one. Sources: ePrivacy Directive 2002/58/EC; GDPR consent standard (gdpr.eu; Your Europe).
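The "fails on page load" test above can be checked mechanically. This added example (not part of the original article or its checker tools) inspects a first response, received before any consent click, for cookies outside a strictly-necessary allow-list and for tracker embeds; the allow-list, the host list, the cookie names and the sample response are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Assumption: cookie names this site treats as strictly necessary (site-specific).
ESSENTIAL_COOKIES = {"sessionid", "csrftoken", "lb"}
# Assumption: hosts treated as analytics/tracking; extend for your own stack.
TRACKER_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Constructed sample: the response a first-time visitor gets, before touching the banner.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "visitor_id=v-42; Path=/; Max-Age=63072000",  # constructed tracking cookie
]
SAMPLE_HTML = (
    '<html><head>'
    '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
    '<script src="/static/app.js"></script>'
    '</head><body></body></html>'
)


class _EmbedCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> in the served HTML."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append(src)


def audit_first_load(set_cookie_headers, html):
    """Return (non_essential_cookies, tracker_embeds) present before consent."""
    bad_cookies = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header value
        bad_cookies += [name for name in jar if name not in ESSENTIAL_COOKIES]
    collector = _EmbedCollector()
    collector.feed(html)
    trackers = [src for src in collector.sources
                if urlparse(src, scheme="https").hostname in TRACKER_HOSTS]
    return sorted(bad_cookies), trackers


if __name__ == "__main__":
    print(audit_first_load(SAMPLE_HEADERS, SAMPLE_HTML))
```

This only sees server-set cookies and tags present in the served HTML; cookies written later by scripts need a browser-based check.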

4. Terms and conditions

Terms are not universally mandatory for a brochure site, but they are strongly advisable and effectively required once you transact. They set the contract between you and the visitor or customer: scope of service, payment, liability limits, intellectual property, and governing law. For any site taking payments, bookings, or sign-ups, terms are where you define what the customer is actually agreeing to — skipping them leaves the default statutory rules to fill the gap, rarely in your favour.

5. Accessibility — the European Accessibility Act

This is the newest item and the one most SMBs have missed. The European Accessibility Act (Directive 2019/882) has applied since 28 June 2025. It requires a defined set of digital products and services — including e-commerce, consumer banking, ticketing, and many websites and apps — to meet accessibility requirements (in practice, aligning with WCAG via the EN 301 549 standard).

Key details:

  • Services placed on the market from 28 June 2025 must comply now; services already running before that date generally have a transition period until 28 June 2030.
  • Microenterprises providing services — broadly under 10 staff and under €2 million turnover — are exempt from the service obligations, though this is a common misread, so check your national transposition.
  • It applies regardless of where your business is based, as long as you serve the EU market.

Because every member state sets its own penalties, the safe move is to test rather than assume. We break down what actually needs fixing in our guide to the European Accessibility Act, and you can scan your pages with the EAA accessibility checker. Sources: EAA Directive 2019/882 (EUR-Lex); AccessibleEU (European Commission).

6. Consumer-rights basics for online shops

If you sell to consumers online, the Consumer Rights Directive adds obligations on top of everything above:

  • The 14-day right of withdrawal: consumers can cancel a distance contract within 14 days — 14 days from delivery for goods, from the day the contract is concluded for services — with no reason and no penalty, subject to specific exceptions (e.g. custom-made goods).
  • Clear pre-contract information: total price, delivery costs, your identity and address, and how to exercise the withdrawal right must be given up front. If you fail to inform the consumer of the withdrawal right, the period extends by up to 12 months.
  • Refunds must be made within 14 days of a valid withdrawal, using the same payment method.
  • New for June 2026: an EU rule requires online sellers to add a clearly labelled, easy-to-find withdrawal button on their site — worth planning for now if you run a shop.

Sources: Consumer Rights Directive 2011/83/EU (EUR-Lex); Your Europe.

Where to start

If reading this made you slightly nervous, that is the right reaction — and it is fixable in an afternoon of planning plus some careful implementation. A sensible order: run the two checkers, write or update your privacy policy and legal notice, fix your cookie banner, then handle accessibility and (if you sell) the consumer-rights pieces.

If you would rather have it built in from the start, that is exactly what we do when we build websites — legal pages, a compliant consent setup, and accessibility baked into the design rather than bolted on later. Not sure which items apply to your business? Grab a free consultation and we will map it to your specific setup.