Business · 11 min read · April 6, 2026

WooCommerce EU Compliance: GDPR, VAT, and Consumer Rights

We run our business from Estonia. We sell to EU customers. We've dealt with GDPR audits, VAT registration, and consumer rights regulations firsthand. This isn't a theoretical legal overview — it's what you actually need to do to sell legally in the EU using WooCommerce.

Disclaimer: I'm not a lawyer. This guide covers practical compliance based on our experience. For complex cases, consult a legal professional who specializes in EU e-commerce law.

The Big Three: GDPR, Consumer Rights, VAT

EU e-commerce compliance has three pillars:

  1. GDPR — How you handle personal data
  2. Consumer Rights Directive — Return rights, information requirements
  3. VAT — Tax collection and reporting

Each affects your WooCommerce store differently. Let me break them down.

[Image caption: EU e-commerce compliance has three pillars: GDPR (data), Consumer Rights (returns), and VAT (taxes) — all manageable with the right plugins]

GDPR: Data Protection

The General Data Protection Regulation applies if you:

  • Are based in the EU, OR
  • Sell to EU residents (regardless of where you're based)

If your WooCommerce store accepts orders from EU customers, GDPR applies to you.

What GDPR Requires (Practically)

1. Cookie consent. You must get consent before setting non-essential cookies (analytics, marketing, tracking).

WooCommerce implementation:

  • Install a cookie consent plugin: Complianz (recommended, free + premium), CookieYes, or Cookie Notice for GDPR
  • Configure it to block marketing/analytics cookies until consent is given
  • Essential cookies (cart, session) don't require consent
  • The banner must have a genuine "Reject" option (not just "Accept" and "Settings")

Common mistake: Installing a cookie banner that doesn't actually block cookies. Google Analytics fires before consent? That's a violation. Complianz handles this correctly by default.

2. Privacy policy. You need a comprehensive privacy policy explaining:

  • What data you collect (name, email, address, payment, browsing behavior)
  • Why you collect it (order fulfillment, marketing, analytics)
  • How long you store it
  • Who you share it with (payment processors, shipping carriers, email providers)
  • Customer rights (access, deletion, portability)
  • Your contact details as data controller

WooCommerce implementation:

  • WordPress has a Privacy Policy template generator (Settings → Privacy)
  • Customize it with your actual data practices
  • Link to it in your footer, checkout page, and registration form
  • Complianz can also generate a GDPR-compliant privacy policy

3. Right to access and deletion. Customers can request all data you hold about them, and can request deletion.

WooCommerce implementation: WooCommerce has built-in tools:

  • Tools → Export Personal Data → Enter customer email → Export
  • Tools → Erase Personal Data → Enter customer email → Erase

You must respond to data access requests within 30 days. In practice, these are rare for small stores (we get maybe 2-3 per year) but you need the process ready.

4. Data processing agreements. Every third-party service that processes your customer data needs a Data Processing Agreement (DPA).

Most major services have these ready:

  • Stripe: DPA available in dashboard settings
  • Mailchimp/Klaviyo: DPA available in account settings
  • Google Analytics: DPA in admin settings
  • Your hosting provider: Check their terms

Download and store these DPAs. You'll need them if audited.

5. Consent for marketing emails. You cannot add customers to your marketing email list automatically. They must actively opt in (unchecked checkbox, not pre-checked).

WooCommerce implementation: Add an unchecked checkbox at checkout: "I'd like to receive news and offers via email." Only add to your marketing list if they check it. Order confirmation emails don't require separate consent (they're transactional).

GDPR Checklist for WooCommerce

  • Cookie consent banner installed and working (blocks cookies until consent)
  • Privacy policy published and linked from footer/checkout
  • Personal data export/erasure tools configured
  • Marketing email opt-in is unchecked by default
  • DPAs signed with all third-party processors
  • Data retention policy defined (how long you keep order data)
  • SSL certificate active (encryption of data in transit)

[Image caption: Cookie consent must actually block tracking before consent is given — a banner alone without blocking is a violation]

Consumer Rights: The 14-Day Rule

The EU Consumer Rights Directive gives online shoppers specific protections. The big one: the 14-day right of withdrawal.

14-Day Cooling-Off Period

Every EU consumer has the unconditional right to return any online purchase within 14 days of receiving it. No reason needed.

Key details:

  • 14 calendar days from the date of delivery (not order)
  • Customer must notify you of the return (email is sufficient)
  • After notification, they have another 14 days to ship the item
  • You must refund within 14 days of receiving the return
  • Refund includes original shipping costs (standard rate — you don't need to refund expedited)

What you can't do:

  • Require a reason for the return
  • Charge a restocking fee
  • Only offer store credit (must offer original payment method refund)
  • Make the return process intentionally difficult

Exceptions:

  • Sealed goods opened after delivery (hygiene products)
  • Personalized/custom-made items
  • Perishable goods
  • Digital content once download started (with prior explicit consent)

For a broader perspective on return policies as a conversion tool, see the return policy guide.

Pre-Purchase Information Requirements

Before checkout, you must clearly display:

  • Product description and main characteristics
  • Total price including all taxes and fees
  • Delivery costs
  • Right of withdrawal details
  • Your company name, address, and contact information
  • Payment methods accepted

WooCommerce implementation: Most of this is standard WooCommerce display. Add a "Right of Withdrawal" page and link it in your footer and pre-checkout information.

Model Withdrawal Form

The Consumer Rights Directive requires you to provide a "model withdrawal form" — a template customers can use to notify you of a return. It doesn't have to be fancy — a simple form with fields for customer name, order number, date, and a statement that they're withdrawing from the purchase.

Include it on your returns/withdrawal page.

VAT: The Complex One

VAT (Value Added Tax) is where EU compliance gets genuinely complicated. Bear with me.

Basic VAT Rules for E-commerce

Selling within your own EU country: Charge your country's VAT rate. Simple.

Selling to consumers in other EU countries (B2C): Since July 2021, the OSS (One-Stop Shop) system applies:

  • If your total EU cross-border sales exceed €10,000/year, you must charge the destination country's VAT rate
  • Register for OSS in your home country
  • File quarterly OSS returns declaring sales by country
  • Pay the collected VAT through OSS

Before €10,000 threshold: You can charge your home country's VAT rate for all EU sales.

Selling to EU businesses (B2B): Reverse charge mechanism — no VAT charged if the buyer provides a valid VAT number.

WooCommerce VAT Setup

1. Enable taxes: WooCommerce → Settings → General → Enable tax rates and calculations.

2. Configure tax rates: WooCommerce → Settings → Tax:

  • Tax based on: "Customer shipping address" (for EU compliance)
  • Add tax rates for each EU country

EU VAT rates (2026):

Country       Standard Rate
Germany       19%
France        20%
Netherlands   21%
Spain         21%
Italy         22%
Estonia       22%
Poland        23%
Sweden        25%
Denmark       25%
Hungary       27%

(Rates vary — check current rates on the EU taxation website.)

3. Automated tax calculation plugin:

Manually maintaining tax rates for 27 EU countries is error-prone. Use automation:

  • WooCommerce Tax (free, powered by Jetpack): Auto-calculates tax rates by address
  • Taxamo Assure ($19+/month): Full EU VAT compliance with OSS reporting
  • Quaderno ($29+/month): VAT calculation + invoicing + OSS reporting

4. EU VAT number validation (B2B): Install EU VAT Number for WooCommerce ($29/year) or YITH EU VAT (free). This:

  • Adds a VAT number field at checkout
  • Validates the number against the EU VIES database
  • Applies reverse charge (no VAT) for valid B2B purchases
  • Adds proper reverse charge notation to invoices

[Image caption: 27 EU countries with different VAT rates — use an automated tax plugin instead of maintaining rates manually]

VAT Registration

If you're EU-based: You likely need to register for VAT in your home country. Thresholds vary (Estonia: €40,000/year, Germany: €22,000/year).

If you're non-EU selling to EU consumers: Once you exceed €10,000 in EU sales, register for the EU Import One-Stop Shop (IOSS) to handle VAT.

Invoicing Requirements

EU countries have specific invoicing requirements. Your WooCommerce order confirmation emails may not meet them.

  • Sequential invoice number
  • Invoice date
  • Seller's name, address, and VAT number
  • Buyer's name and address
  • Description of goods/services
  • Quantity
  • Unit price (excluding VAT)
  • VAT rate applied
  • VAT amount
  • Total amount
  • For reverse charge: "VAT reverse charge" notation
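As an added example (my own code, not the post's and not from any plugin it names), here is the VAT decision from the "Basic VAT Rules" section combined with an invoice record carrying the fields listed above. The rate table and the €10,000 OSS threshold are the post's; the order, seller and buyer shapes, the field names, the numbering format and the assumption that a VIES check has already been done elsewhere are mine.

```python
from decimal import Decimal, ROUND_HALF_UP

# Standard VAT rates from the post's 2026 table (percent, by ISO country code).
STANDARD_RATE = {"DE": 19, "FR": 20, "NL": 21, "ES": 21, "IT": 22,
                 "EE": 22, "PL": 23, "SE": 25, "DK": 25, "HU": 27}
OSS_THRESHOLD_EUR = Decimal("10000")  # EU-wide cross-border B2C threshold

def vat_rate(seller_cc, buyer_cc, buyer_vat_valid, cross_border_b2c_ytd):
    """Return (rate_percent, invoice_note) for one order. buyer_vat_valid is the
    outcome of a VIES check done elsewhere (assumed input); cross_border_b2c_ytd
    is the seller's EU-wide cross-border B2C turnover so far this year."""
    if buyer_cc == seller_cc:                               # domestic: home rate
        return STANDARD_RATE[seller_cc], ""
    if buyer_vat_valid:                                     # intra-EU B2B: reverse charge
        return 0, "VAT reverse charge"
    if Decimal(cross_border_b2c_ytd) > OSS_THRESHOLD_EUR:   # over threshold: destination rate
        return STANDARD_RATE[buyer_cc], ""
    return STANDARD_RATE[seller_cc], ""                     # under threshold: home rate

def money(value):
    """Round to cents, half up, as the invoice shows amounts."""
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

class InvoiceSequence:
    """Gap-free sequential invoice numbers; keep one sequence per store."""
    def __init__(self, prefix="INV"):
        self.prefix, self.last = prefix, 0

    def next_number(self):
        self.last += 1
        return f"{self.prefix}-{self.last:06d}"

def make_invoice(seq, seller, buyer, lines, date, cross_border_b2c_ytd):
    """Build an invoice record with every field the post lists. lines is
    [(description, quantity, unit_price_excl_vat)]; seller/buyer are dicts
    (name, address, country; seller vat_number; buyer vat_valid for B2B)."""
    rate, note = vat_rate(seller["country"], buyer["country"],
                          buyer.get("vat_valid", False), cross_border_b2c_ytd)
    net = money(sum(Decimal(q) * Decimal(p) for _, q, p in lines))
    vat = money(net * rate / 100)
    return {
        "number": seq.next_number(), "date": date,
        "seller": {k: seller[k] for k in ("name", "address", "vat_number")},
        "buyer": {k: buyer[k] for k in ("name", "address")},
        "lines": [{"description": d, "quantity": q, "unit_price_excl_vat": money(p)}
                  for d, q, p in lines],
        "vat_rate": rate, "vat_amount": vat, "total": net + vat, "note": note,
    }
```

Countries missing from the post's table raise a KeyError on purpose; extend STANDARD_RATE from the EU taxation website before relying on it.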

WooCommerce Invoicing Plugins

WooCommerce PDF Invoices & Packing Slips (free):

  • Auto-generates PDF invoices attached to order emails
  • Sequential numbering
  • Customizable template
  • Add VAT number and company details

Jetstash PDF Invoices ($49/year):

  • EU-compliant templates
  • Multiple numbering sequences
  • Credit note generation
  • Proforma invoices

Quaderno ($29+/month):

  • Full EU invoicing compliance
  • Automatic tax calculation
  • OSS reporting
  • Multi-currency support

For most WooCommerce stores, the free PDF Invoices plugin with proper configuration meets EU requirements.

Country-Specific Nuances

Germany (Your Pickiest Market)

Germany has the strictest consumer protection enforcement in the EU:

  • Impressum required: A detailed legal notice page with company info, VAT number, and responsible person. Non-negotiable. Fines for missing Impressum start at €5,000.
  • Widerrufsbelehrung: Formal cancellation policy in specific legal German. Templates are available from legal services like IT-Recht Kanzlei.
  • Button labeling: The final checkout button must say "Kaufen" (buy) or equivalent. "Continue" or "Submit order" is not sufficient under German law.
  • Price display: Prices must include VAT and mention "inkl. MwSt." (including VAT).

If Germany is a significant market, consider using a German legal compliance service (€30-50/month) for legally vetted texts.

France

  • Anti-waste law: Must display repairability scores for electronics
  • Cookie consent: CNIL (French data authority) is aggressive about enforcement
  • Language: Product descriptions and legal texts should be in French for French customers

Netherlands

  • KvK (Chamber of Commerce) number required on website
  • GDPR enforcement is active

Practical Implementation Order

If you're feeling overwhelmed, here's the priority order:

Week 1: GDPR Basics

  1. Install Complianz cookie consent
  2. Publish privacy policy
  3. Add marketing opt-in checkbox at checkout

Week 2: Consumer Rights

  4. Publish withdrawal/return policy (14-day minimum)
  5. Add required pre-purchase information
  6. Set up return handling process

Week 3: VAT

  7. Enable WooCommerce taxes
  8. Configure EU VAT rates (or install automated tax plugin)
  9. Install EU VAT number validation for B2B

Week 4: Invoicing & Cleanup

  10. Install PDF invoice plugin and configure
  11. Review all policies for completeness
  12. Test the full purchase → return flow

The Cost of Non-Compliance

GDPR fines: Up to €20 million or 4% of global revenue (whichever is higher). In practice, small business fines are €5,000-50,000 — still devastating for a small store.

Consumer rights violations: Vary by country. In Germany, competitor-driven cease-and-desist letters (Abmahnungen) are common and cost €1,000-5,000 each.

VAT non-compliance: Back taxes plus penalties of 10-100% of the unpaid amount, depending on the country.

Compliance isn't optional. The good news: for a typical WooCommerce store, full compliance costs $100-300/year in plugins and a few days of setup time.

The Bottom Line

EU compliance for WooCommerce stores is manageable. Most requirements are covered by free or affordable plugins, and the legal frameworks, while strict, are logical once you understand them.

The key principles:

  • Be transparent about data collection (GDPR)
  • Give customers genuine rights and make those rights easy to exercise (Consumer Rights)
  • Charge the right tax rate and document it properly (VAT)

Do these three things well, and you'll operate legally, build customer trust, and avoid the fines that trip up stores who ignore compliance until it's too late.


List AI is built by Fit Labs OÜ, an EU-based company operating from Estonia. We understand EU compliance firsthand. Our AI cart filling tool is GDPR-compliant by design — minimal data collection, transparent processing, and proper consent handling.

Glad Made Team

Building AI-powered tools for e-commerce. We help WooCommerce stores convert more with smarter shopping experiences.
