Blog
Enforcement, regulation, dark patterns, and platform gotchas. Written by engineers who read the directive text.
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. The transparency obligations in Article 50, which catch every EU storefront using a chatbot or AI-generated product imagery, become enforceable from 2 August 2026. Here is what each of the four obligations actually requires, who has to comply, and what "appropriately marked" means in practice.
Regulation (EU) 2024/3228 permanently shut down the EU Online Dispute Resolution platform on 20 July 2025. Every reference to ec.europa.eu/consumers/odr that remains in a footer, an Impressum, a terms-of-service page, or a checkout flow now points at a service that no longer exists. Consumer-protection authorities have begun citing those references as misleading omissions under the UCPD. Here is what the law changed, what you need to remove, and what to display instead.
EDPB Opinion 08/2024 confirms that a binary choice between paying a subscription and accepting tracking is unlikely to produce freely given consent under GDPR for large online platforms. The Opinion does not catch every storefront, but the structural test is now public. Here is when your store is exposed, what the EDPB actually said, and what regulators have done since.
From 19 June 2026 every German consumer contract concluded online for a continuous obligation has to expose a one-click withdrawal button. Section 356a of the German Civil Code, transposing Directive (EU) 2023/2673, requires the button to be permanently accessible, labelled with statutory wording, and reachable without a login. Here is what is in scope, what the button must do, and where Shopify and WooCommerce stores are most exposed.
We scanned en.zalando.de and found one of the cleanest CRD and EAA structures in EU e-commerce. Zalando publishes a dedicated accessibility statement, covers every CRD Article 6 disclosure in its T&Cs, and renders VAT-inclusive pricing across 15 EU languages. Here is what your storefront can copy.
We scanned apple.com/de and the German storefront satisfies the Consumer Rights Directive disclosures most cleanly. Here is how Apple presents the 14-day withdrawal right, the model withdrawal form, and the trader identity, and what smaller stores can copy.
Germany has the most active enforcement of GDPR, ePrivacy, and UCPD in the EU. Before pointing Meta and Google spend at German traffic, run through this seven-item list. It catches the violations that consumer associations most often file Abmahnungen over.
Dark patterns map cleanly to specific UCPD articles. Here is the operational version: four patterns, the article they breach, and the enforcement decisions regulators have already issued.
Directive 2019/882, the European Accessibility Act, became enforceable on 28 June 2025. For e-commerce, it incorporates WCAG 2.1 Level AA. Here is what that means for product pages, checkout, account flows, and which storefronts are exempt.
GDPR Article 4(11) requires unambiguous, affirmative consent. A pre-ticked email opt-in at checkout fails that test. Here is how the default flow looks in two common stacks, recent enforcement, and the two configurations that work.
France's CNIL ruled in February 2022 that Google Analytics, as deployed by most operators, breached GDPR Chapter V. The July 2023 EU-US Data Privacy Framework changed the transfer mechanism but did not solve every issue. Here is the 2026 view: what a defensible GA4 install on an EU storefront actually looks like.
Article 13 of GDPR lists the information a controller must provide at the point of data collection. It is more specific than "have a privacy policy." Here is the full checklist, with the four disclosures most storefronts miss.
If a product countdown timer resets when the page reloads, the urgency it advertises is false. UCPD Annex I point 7 lists false impressions of limited availability as a blacklisted practice. Intent is not required.
Shopify's Meta channel injects Meta Pixel through the web pixel manager. The manager respects the Customer Privacy API only if you have enabled it. If the API is off, every visitor is treated as consented and Meta Pixel fires on the first pageview. Here is what to enable and what to verify.
Google Analytics, Meta Pixel, and TikTok Pixel firing before a visitor accepts cookies is the single most-fined GDPR violation pattern in the EU. Here are the recent decisions with amounts, what regulators specifically cite, and the one-minute DevTools check that confirms whether your store is exposed.
The Omnibus Directive's Article 6a requires every discounted product to display the lowest price from the 30 days before the sale began. Here is what the rule says, who enforces it, and where it breaks on Shopify and WooCommerce stores.