1. Sales Tax Nexus and Marketplace Obligations
The Supreme Court's decision in South Dakota v. Wayfair fundamentally reshaped e-commerce taxation. Sellers now have sales tax collection obligations in states where they have economic nexus, typically defined as $100,000 in annual revenue or 200 transactions. New York imposes a lower threshold of $20,000 in annual sales. This is where disputes most frequently arise, because many online businesses fail to register for seller permits in all states where they trigger nexus, and then face audit assessments and penalties years later.
Multi-State Compliance Exposure
In practice, these cases are rarely as clean as the statute suggests. A business selling through multiple marketplaces may aggregate sales across platforms, triggering nexus in states where direct sales are minimal. From a practitioner's perspective, the first step is conducting a sales analysis across all channels and jurisdictions. New York requires registration with the Department of Taxation and Finance if you meet the threshold; failure to register can result in back taxes, interest, and penalties up to 100 percent of the tax owed. Consider whether your current accounting systems track sales by state and customer location accurately enough to support compliance.
Marketplace Facilitator Rules
Amazon, eBay, and other marketplaces are now required to collect and remit sales tax on behalf of third-party sellers in most states. However, this does not eliminate your obligation to track and verify compliance. Some states impose additional reporting requirements even when the marketplace handles collection. If you sell through multiple platforms, audit each one to confirm whether they are registered in your state and whether they are collecting on your behalf. Gaps in marketplace compliance can expose you to secondary liability.
2. Consumer Data Protection and Privacy Compliance
Federal law, including the Children's Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act, imposes strict requirements on how you collect, store, and use customer information. New York's data breach notification law requires businesses to notify consumers without unreasonable delay if personal information is compromised. Additionally, the New York Privacy Act (pending state-level updates) and proposed federal privacy legislation are tightening standards for opt-in consent and data retention.
Data Breach Notification in New York Courts
New York General Business Law Section 668 requires notice to affected individuals if a business database containing personal information is breached. The New York Attorney General has enforcement authority and has pursued numerous cases against e-commerce businesses for inadequate notification protocols. Courts in New York have held that "without unreasonable delay" means within days, not weeks. If your business processes payment cards, PCI-DSS compliance is mandatory; failure to meet these standards can trigger both regulatory fines and private litigation from affected consumers.
Third-Party Data Processors and Vendor Risk
If you use payment processors, email marketing platforms, or customer service tools, you must have data processing agreements in place that comply with applicable privacy laws. Many vendors include indemnification clauses that shift liability to you if they experience a breach. Review your vendor contracts carefully, and ensure they include appropriate data security standards and audit rights. A vendor breach can become your liability if your contract does not allocate risk appropriately.
3. Payment Processing and Anti-Fraud Compliance
Credit card processing involves compliance with Payment Card Industry Data Security Standard (PCI-DSS) requirements, which are enforced by card networks and acquiring banks. Chargebacks, disputes, and fraud claims can trigger account freezes and merchant account termination. Beyond PCI compliance, you must also comply with the Electronic Funds Transfer Act and regulations governing payment processors.
Chargeback Disputes and Merchant Account Suspension
High chargeback ratios can result in account suspension or termination. Most payment processors reserve the right to hold funds in reserve if your chargeback rate exceeds industry thresholds (typically 1 percent). When a customer disputes a charge, the burden falls on you to provide evidence of delivery and authorization. Retain detailed transaction records, shipping confirmations, and customer communication. A well-documented transaction history is your primary defense in chargeback disputes; without it, you lose the dispute by default.
4. Product Liability and Consumer Protection Laws
If you sell physical products, you may face liability under state consumer protection statutes and the Federal Trade Commission Act Section 5. Deceptive advertising, undisclosed material facts about product condition or origin, and failure to honor return policies can trigger regulatory enforcement and private litigation. When selling products manufactured by third parties, you may still bear liability as the retailer under product liability doctrine, depending on your role in the supply chain.
Warranties and Return Policy Compliance
Implied warranties of merchantability and fitness for a particular purpose apply to most product sales unless explicitly disclaimed in your terms of sale. Your return and refund policy must be clearly disclosed before purchase. Many e-commerce businesses underestimate exposure here: a vague or buried return policy may be unenforceable under state consumer protection law. New York courts scrutinize whether terms are conspicuous and whether the consumer had a meaningful opportunity to review them before purchase.
Third-Party Product Liability and Insurance Coverage
You may face product liability claims even if you do not manufacture the products you sell. General liability insurance and product liability coverage are critical, particularly if you curate or bundle products from multiple suppliers. Consider whether your compliance with insurance regulations includes adequate coverage limits and whether your policy covers e-commerce channels specifically. If you are planning to scale operations or acquire another e-commerce business, insurance coverage should be a material component of your due diligence.
5. Regulatory Enforcement and Audit Risk
The Federal Trade Commission, state attorneys general, and state revenue agencies all maintain enforcement authority over e-commerce practices. The FTC has increased focus on deceptive marketing, fake reviews, and undisclosed endorsements in influencer partnerships. State revenue agencies conduct regular audits of seller tax compliance, particularly in states with lower nexus thresholds like New York.
| Regulatory Agency | Primary Jurisdiction | Common Enforcement Issues |
| --- | --- | --- |
| Federal Trade Commission | National | Deceptive advertising, endorsements, data security |
| New York Attorney General | New York | Data breach notification, sales tax, consumer fraud |
| New York Department of Taxation and Finance | New York | Sales tax nexus, seller registration, audit assessments |
| State Consumer Protection Agencies | Multi-state | Return policies, product claims, warranty compliance |
As you evaluate your e-commerce compliance posture, prioritize a sales tax audit first, and then conduct a data security and privacy review. Identify gaps in your current practices before a regulator does. If you operate across multiple states or handle sensitive customer data, an early compliance assessment by counsel can prevent costly remediation later. The regulatory landscape continues to evolve, particularly around privacy and environmental claims; staying informed about emerging state-level legislation is essential for long-term operational stability.
04 Feb, 2026

