Compliance for Shopify businesses USA

Introduction (Why compliance matters for Shopify merchants) - Briefly state the legal and operational risks from taxes, payments, product safety, privacy and consumer law. Emphasize that online sellers must comply with federal rules and each state where they do business.

Introduction (Why compliance matters for Shopify merchants)

Briefly state the legal and operational risks from taxes, payments, product safety, privacy and consumer law. Emphasize that online sellers must comply with federal rules and each state where they do business.

Choose a business entity and register correctly - Form the right entity for liability and tax purposes (sole proprietorship, LLC, S-corp or C-corp). Obtain federal EIN from the IRS and register with your state. Open a dedicated business bank account. (Action

visit SBA guidance and IRS resources; register in your home state and foreign-qualify if you have nexus in another state.) - Practical tip: keep separate personal and business finances, document formation and operating agreements.

Sales tax

economic nexus, marketplace facilitator laws, and state registration - Explain South Dakota v. Wayfair (economic nexus): remote sellers may owe sales tax once they meet state-specific thresholds (sales or transactions). Each state sets its economic nexus threshold; many use $100k or 200 transactions, some use $500k. - Marketplace facilitator laws: many states require marketplaces to collect and remit sales tax for third-party sellers. Shopify’s platform and features can affect collection, but merchants remain responsible for registration and recordkeeping if they meet nexus thresholds or if the marketplace does not collect. (Action: Determine where you exceed thresholds and register with each state’s Dept. of Revenue; obtain sales tax permits; collect resale certificates where appropriate.) - Practical steps in Shopify: enable tax collection, configure nexus settings, track where you ship and where customers are located, use Shopify Tax/third-party tax tools or an automated tax solution like Avalara/TaxJar. Regularly reconcile Shopify tax reports with state returns.

Payments & data security (PCI DSS and Shopify responsibilities) - PCI DSS

Card data handling rules apply. Shopify as a platform maintains PCI compliance for its card environment (Shopify provides compliance reports and PCI attestations), but merchants must still follow best practices: use Shopify Payments or PCI-validated gateways, do not store sensitive card data, and maintain secure admin accounts and two-factor authentication. (Action: review Shopifyâ€ôs compliance reports and the PCI SSC merchant resources; complete any merchant-level Self-Assessment Questionnaires (SAQs) required for your merchant level.)

Consumer protection, advertising, and returns (FTC and state law) - Truth-in-advertising

the FTC enforces accurate claims, clear disclosures, and proper handling of negative option billing, endorsements, and testimonials. Abide by FTC rules on online advertising and email marketing. Provide clear refund, shipping and contact policies. (Action: publish clear terms, refund policy, shipping policy, and disclosures for promotional claims.)

Data privacy

CCPA/CPRA and other state privacy laws - California’s CCPA/CPRA grants disclosure, deletion, correction, and opt-out rights for California residents; CPRA expanded rights effective

Several other states (Virginia, Colorado, Connecticut, Utah, etc.) have passed consumer privacy laws — each has different thresholds and obligations. (Action

prepare a privacy policy, cookie banner, data subject request processes, and internal procedures to respond to consumer requests. Determine whether your business meets thresholds that trigger coverage in those states.)

Product safety and restricted items (CPSC, FDA, other regulators) - Products intended for children may require third-party testing and a Children’s Product Certificate (CPC). Certain categories (toys, cosmetics, food, supplements, medical devices, hazardous items) require specific regulatory compliance (CPSC, FDA, DOT, PHMSA/USPS rules for hazardous materials). Shopify’s Acceptable Use Policy also prohibits certain goods (weapons, drugs, counterfeit goods, etc.). (Action

research product-specific rules for your category, obtain CPCs and test reports when required, and ensure labelling and warnings comply.)

Shipping, carriers and restricted goods - Carriers (USPS, UPS, FedEx) have rules for hazardous or restricted items and destination restrictions. Some products cannot be shipped or require special packaging and labeling. International sales may need customs documentation and import/export screening. (Action

check carrier policies and Shopify shipping settings; restrict checkout for prohibited goods.)

Intellectual property and branding - Avoid selling counterfeit or trademark-infringing goods. Register trademarks for brand protection. Take DMCA and IP enforcement steps when necessary. (Action

run clearance searches for logos and names; add takedown procedures in your terms.)

Accessibility (ADA) and website practices - Implement website accessibility best practices (semantic HTML, alt text, keyboard navigation, accessible checkout flows). Though ADA litigation is active in ecommerce, a proactive accessibility program reduces legal risk and improves UX. (Action

use accessibility audits, include an accessibility statement, and remediate common issues.)

Employment and hiring obligations (if you hire staff) - Understand state-level employer registration, payroll withholding, unemployment insurance, workers’ compensation and local wage/hour laws. Properly classify contractors vs employees. (Action

Recordkeeping, accounting, and tax filing - Maintain sales, tax and financial records for the period required by state and federal law; reconcile Shopify reports with accounting software and prepare for audits. (Action

adopt an accounting workflow, retain receipts and records, and schedule periodic tax reviews.)

Practical compliance checklist for Shopify merchants (one-page) - Form your business entity & get EIN - Register for state sales tax where you meet nexus thresholds - Configure Shopify tax collection and collect resale certificates - Use PCI-validated payment gateway and enable 2FA for accounts - Publish privacy policy, cookie banner and DSAR process - Post clear refund/return and shipping policies - Verify product safety rules (CPSC/FDA) and obtain CPCs if needed - Check carrier restrictions and shipping rules - Run an accessibility audit and remediate major issues - Consult an attorney and accountant for complex or high-risk issues 14) Where to get state-specific information and a suggested process - Explain that state laws vary and change; merchants should

1) identify states where they have nexus (sales, inventory, employees); 2) visit each state Dept. of Revenue to confirm thresholds and registration process; 3) check marketplace-facilitator rules; 4) consult state AG or state privacy law trackers for privacy requirements; 5) keep a central compliance spreadsheet and set calendar reminders.

Closing and recommended next steps - Encourage merchants to run a compliance audit using the checklist, subscribe to alerts for state law changes, and consider automated tax and privacy tools and consultations with qualified counsel.