As the COVID-19 pandemic continues, retailers have been required to adapt quickly to ensure that their online marketplace is established, up-to-date and secure, not only in order to continue to sell their goods, but to keep their brand relevant and active as the economy remains in this uncertain period.

Online revenues have experienced significant growth since the outbreak of COVID-19, while retailers have had to build their online capabilities as well as increase capacity to service growing demand. The retail sector has been managing increased online volumes while some have needed to close for a period of time in order to ensure safe employee working conditions.

While cloud service providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform can allow for online retail stores to be set up and expanded quickly, the daunting shift to a focus on online commerce within a short space of time has been a source of considerable difficulty and expense particularly for small businesses who did not have an online retail option prior to the beginning of the COVID-19 crisis.

The purpose of this brief is to guide Irish retailers in relation to the three key documents which should be displayed on their websites – Terms and Conditions, a Privacy Policy, and a Cookie Policy.

Terms and Conditions

Retailers offering goods and services for sale must ensure that appropriate protection is in place for customers purchasing these goods and services from the retailer's online store. This is where Terms and Conditions come in – this document is used to set out the terms of sale and rights of customers before and after a sale has been concluded. At a minimum, Terms and Conditions must cover the following:

  • The retailer's name and address (and the address to which complaints may be sent);
  • The main characteristics of the goods or services being offered for sale;
  • The steps customers must follow in order to conclude their agreement with the retailer;
  • A description of how the customer can identify and correct errors before continuing an order;
  • Confirmation of whether a copy of the contract will be filed and whether the customer can access it;
  • The price of the goods (including taxes and delivery costs) and the manner in which payment is to be made;
  • The consumer right to receive an order confirmation and the manner in which this is to be provided to the consumer;
  • The consumer's right to cancel the contract within 14 days of receiving the product or signing up to the service, in addition to an explanation of how the consumer may exercise this right;
  • Provisions concerning non-delivery – a consumer who purchased a product from a retailer based in the EU is entitled to delivery within 30 days (unless a different time is agreed at the time of purchase), and if the product is not delivered to the consumer within this timeframe the consumer is entitled to either agree a new delivery date, or cancel the contract and receive a full refund;
  • How the retailer will deal with complaints;
  • The estimated cost of returning the goods if they cannot be returned by standard delivery;
  • Details and conditions of any after-sale customer assistance; and
  • Provisions dealing with when the contract with the customer may be terminated.

It is important that the retailer's website is clear with regard to the point at which a binding contract is being entered into and the Terms and Conditions are deemed accepted.

Privacy Policy

Retailers setting up an online presence for the first time must be aware that when customers purchase products or services through a website, personal data is collected from the customer in the form of first and last names, home addresses, email addresses, etc. Some retailers may also collect personal data for marketing purposes and in order to send out marketing emails to customers who purchase a good or service from the website. The collection and use of this personal data is restricted in accordance with the GDPR and Irish data privacy legislation, and care should be taken to ensure that the provisions contained in the legislation are followed when customers purchase products or services from the retailer's website. This means that the retailer will be held entirely responsible for the processing and use of personal data it collects from customers who use its website, and must be able to point to records showing that their use of individuals' personal data is and has been GDPR-compliant.

A Privacy Policy is therefore required in order to tell customers which personal data you will collect, the purposes it will be used for, and the manner in which it is used, while also serving to inform customers of their privacy rights and how they are protected under the law. A Privacy Policy must be clearly visible and easily accessible via a link present on every single page of the retailer's website.

A Privacy Policy should reflect the particular processing activities of each retailer and is therefore often drafted by data privacy solicitors. However, in general a Privacy Policy must include the following at a minimum:

  • The types of personal data the retailer collects via the website;
  • How this personal data is collected;
  • The purposes for which the data is collected;
  • The legal basis relied upon by the retailer in processing the personal data;
  • A list of any third parties to whom personal data may be transferred;
  • Whether personal data is being transferred outside the EU;
  • How the personal data is secured and how long it is stored for; and
  • The legal rights of customers in relation to their personal data.

One common issue that we see time and time again is the use of 'pre-ticked boxes', whereby the default position on the website is that the customer is automatically accepting that he or she is subscribing to receive marketing communications or to accept the terms of the Privacy Policy or Terms and Conditions when making a purchase, illustrated in the example below:


In this example, the customer would need to untick the 'Subscribe to our newsletter' box if he or she does not in fact wish to subscribe. This is unlawful under the GDPR as 'silence' does not constitute consent. Instead, customers will need to provide consent through a clear affirmative action, i.e. by actively ticking an opt-in box themselves. It is not enough to simply offer a customer an opt out, for example by checking a box saying you don't want to receive marketing emails. The customer has to opt in and agree to his or her personal data being used for this stated purpose.

Retailers can limit their exposure to liability under the GDPR by simply not collecting personal data which is unnecessary. If there is no value in requesting a customer to provide details of the company that he works for, for example, the GDPR is an incentive not to request these details in the first place.

Cookie Policy

Cookies are text files containing small amounts of information which are downloaded to a user's device when they visit a retailer's website. Cookies are then sent back to the retailer's website on each subsequent visit. Cookies are helpful in ensuring that customers can navigate the website efficiently by remembering their preferences and showing advertisements relevant to them and their interests.

Users of a website must consent to the use of cookies and the GDPR requires that this consent must be obtained by means of a clear, affirmative act and be freely given, specific, informed and unambiguous. As above, consent to the use of cookies is not valid where it is permitted by way of a pre-checked checkbox, which the user must deselect to refuse his or her consent. Similarly, banner pop-ups on websites stating that, for example, "by continuing to browse this site you consent to the use of cookies" are also insufficient.

From 5 October 2020, cookie banners placed on websites must contain a button either allowing users to reject cookies or allowing users to access cookie settings on the retailer's website. Cookie banners must be designed in such a way that they do not 'nudge' users into accepting cookies and an option to reject must have equal prominence in any banner or user interface.


In a post-COVID-19 economy, industry consensus is that it is likely that the shift in consumers' behaviour to a predominantly online platform will outlast the pandemic. Consumers have seen how online retail can be a credible alternative to brick-and-mortar stores, and this shift is likely to continue after this crisis is over as both retailers and brands build their online capacity and capability. Retailers that invest time to understand this sentiment and plan accordingly will survive and succeed in the difficult months ahead, as the retailers who emerge stronger will be those which adapt to the shifting consumer perspective.

It is therefore of critical importance for Irish retailers to understand the importance of consumer and data protection law. Failure to draft and display legally-compliant Terms and Conditions, Privacy Policies and Cookie Policies can lead to audits, investigations, complaints and enforcement proceedings which can not only slow down business considerably, but lead to significant fines and penalties.

Originally published by BSHM, October 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.