EU Legal Pages Every Shopify Store Needs: The Complete 2026 Checklist
Selling to EU customers without the right legal pages on your Shopify store is like driving without a licence — you might get away with it for a while, but the consequences catch up. EU e-commerce law requires six distinct legal pages across your store, and missing even one can trigger fines, competitor complaints, or a 12-month extension of your customers' return window. This guide covers every page you need, what each must contain, which countries enforce what, and the common mistakes that trip up Shopify merchants.
Privacy policy: GDPR Articles 13 and 14 set the bar
Every Shopify store collecting data from EU visitors — which includes all stores using analytics, email marketing, or payment processing — needs a privacy policy that meets GDPR standards. Articles 13 and 14 are specific about what must be included.
Your privacy policy must state the identity and contact details of the data controller, the purposes of processing with the legal basis for each (not just "legitimate interest" as a blanket claim), the categories of recipients who receive personal data, details of any transfers to countries outside the EU (including the safeguards in place), data retention periods, and every data subject right — access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. If you use automated decision-making or profiling, you must explain the logic, significance, and consequences.
A generic privacy policy copied from a US template will almost certainly fail this test. US-style policies rarely specify legal bases per processing purpose, don't mention EU supervisory authorities, and often omit data transfer mechanisms. Articles 12, 13, and 14 are among the top five most-cited violations in GDPR enforcement actions — transparency failures are what regulators look for first.
Terms of sale and the 14-day withdrawal right
EU consumer protection law, primarily the Consumer Rights Directive (2011/83/EU), requires you to provide comprehensive pre-contractual information before a customer completes a purchase. This typically lives in your terms of sale or general conditions.
Article 6(1) of the Directive mandates disclosure of: the main characteristics of the goods, your business identity and full contact details (name, address, email, phone), the total price including all taxes and charges, delivery costs, payment and delivery arrangements, and — critically — the customer's right to withdraw from the purchase within 14 calendar days without giving any reason.
This 14-day cooling-off period (Articles 9–16) is non-negotiable for distance sales. You must provide a model withdrawal form (from Annex I(B) of the Directive), explain who bears return shipping costs, and list any exceptions (personalised goods, sealed hygiene products opened after delivery, perishable items). The penalty for failing to inform customers about this right is severe: under Article 10, the withdrawal period extends to 12 months plus 14 days.
A new wrinkle arrived in late 2025: Directive (EU) 2023/2673 requires member states to implement a visible "withdrawal function" — essentially a button or mechanism — enabling consumers to exercise their cancellation right directly. The deadline for national implementation was December 19, 2025, though practical rollout varies by country.
You must also include a link to the EU Online Dispute Resolution (ODR) platform (ec.europa.eu/consumers/odr) in your terms of sale. This is a frequently missed requirement.
Impressum: mandatory in Germany, Austria, and beyond
Article 5 of the E-Commerce Directive (2000/31/EC) requires all online service providers to make certain business identification details easily accessible. Most EU countries have transposed this into national law, but enforcement intensity varies dramatically.
Germany is the strictest. The impressum requirement (now under § 5 DDG — the Digitale-Dienste-Gesetz, which replaced the Telemediengesetz on May 14, 2024) demands: full legal name, legal form, physical address, contact email plus an additional rapid communication method, commercial register number and court of registration, VAT ID, and managing director or authorised representative. It must be accessible within two clicks from any page. Fines reach €50,000, but the real threat is Germany's unique Abmahnung system — competitors and consumer protection organisations actively scan websites and send formal cease-and-desist letters. Legal costs per Abmahnung typically run €1,000–€5,000.
France requires "mentions légales" under the LCEN (Loi pour la Confiance dans l'Économie Numérique), with fines up to €75,000 for individuals and €375,000 for companies. Austria, Spain, Italy, and the Netherlands all have comparable requirements under their own national transpositions.
If your Shopify store targets any German-speaking market, update your impressum reference from the old "§ 5 TMG" to "§ 5 DDG" — or omit the statutory reference entirely, since citing a repealed law can itself trigger an Abmahnung.
Cookie policy: a separate page from your privacy policy
While your privacy policy covers how you handle personal data generally, the ePrivacy Directive (2002/58/EC, Article 5(3)) requires specific disclosure about cookies and similar technologies. Best practice — and a requirement in several member states — is a dedicated cookie policy page.
This page should list every cookie your site sets (including those from third-party apps like Google Analytics, Meta Pixel, and Shopify's own tracking), each cookie's purpose, its duration, and whether third parties can access the data. Your cookie consent banner should link to this page so users can review it before making a consent choice.
For detailed guidance on implementing cookie consent correctly on Shopify, including why the native banner isn't sufficient, see our EU cookie consent guide for Shopify.
Accessibility statement: the newest required page
Since June 28, 2025, the European Accessibility Act (Directive 2019/882) applies to e-commerce services. Among its requirements is a publicly available accessibility statement describing how your service meets accessibility standards, what limitations exist, and how users can report barriers.
Your accessibility statement should include: your conformance status relative to WCAG 2.1 AA (or EN 301 549), a description of accessibility features you've implemented, known limitations with planned remediation timelines, a contact mechanism for reporting accessibility issues, and the name of the relevant national enforcement authority.
France imposes a specific penalty of up to €25,000 per year for a missing accessibility statement alone. Germany requires naming the competent market surveillance authority. The statement must be in the local language of each market you serve.
Microenterprises (fewer than 10 employees and under €2 million annual turnover) are exempt from the EAA's service requirements, though this exemption applies only to services — not to products. For a deeper look at what the EAA requires, see our European Accessibility Act guide for online stores.
What this means for Shopify merchants
The most common legal page mistakes on Shopify stores follow a pattern. Merchants use US-style terms of service that omit withdrawal rights and ODR links. They copy a generic privacy policy that doesn't specify legal bases or data transfer mechanisms. They skip the impressum entirely, not realising it's mandatory if German customers can reach their store. They rely on Shopify's auto-generated privacy policy, which may not reflect the specific third-party apps and tracking tools installed on their store.
The EU Consumer Protection Cooperation (CPC) Network flagged Shopify web shops specifically in a 2021 enforcement action. Among the findings: missing company identification (listed as "on demand" rather than displayed), absent withdrawal rights information, and misleading delivery claims on dropshipping stores. Shopify subsequently updated its EU consumer protection documentation, but the responsibility for individual store compliance remains with merchants.
Here's your checklist of required pages:
- Privacy policy — GDPR Articles 13/14 compliant, specific to your data processing activities
- Terms of sale — Consumer Rights Directive compliant, with full withdrawal information and ODR link
- Impressum / legal notice — Required in Germany, Austria, France, Spain, Italy, Netherlands, and others
- Cookie policy — Dedicated page listing all cookies, purposes, and durations
- Accessibility statement — Required under the EAA since June 2025
- Withdrawal policy — Can be part of terms of sale, but must include the model withdrawal form
Conclusion: legal pages are your compliance foundation
Every other EU compliance obligation — GPSR product safety data, cookie consent mechanics, accessibility features — builds on having the right legal pages in place. Getting these pages right is the lowest-cost, highest-impact compliance step you can take.
SWEDev's EU Legal Pages Generator creates jurisdiction-specific legal pages for your Shopify store, covering privacy policies, terms of sale, withdrawal information, impressum, and accessibility statements tailored to the EU markets you sell in.