The Compliance Minefield: What US and UAE Laws Actually Require From Your E-Commerce Store
Most e-commerce brands treat legal compliance as something that happens after they get big enough to have a lawyer on retainer. The reality is that the obligations apply from the first transaction — and the US and UAE markets each carry specific requirements that catch international sellers off guard.
This is not legal advice. It is a practical orientation to the compliance landscape for e-commerce businesses operating in or selling into the USA and UAE — the specific obligations that exist, what triggers them, and where the most common exposures are.
CCPA and US State Privacy Laws
The California Consumer Privacy Act (CCPA), as amended by the CPRA with effect from 2023, applies to businesses that collect personal information from California residents and meet certain thresholds — annual revenue over $25M, data on more than 100,000 consumers, or deriving more than 50% of revenue from selling personal data. For many e-commerce businesses selling into the US, this means CCPA applies well before the business considers itself "large."
In practice, CCPA compliance for e-commerce requires: a clear privacy policy that discloses what data you collect and how it is used, a mechanism for California residents to request deletion of their data, the ability to honour opt-out of data sale requests, and a "Do Not Sell My Personal Information" link if you share data with advertising platforms. The last point catches many brands — the data sharing that happens through Meta Pixel and Google Tag Manager may constitute "sale" of personal information under CCPA's broad definition.
Not just California: Virginia (VCDPA), Colorado (CPA), Connecticut, Texas, Florida, and a growing list of US states have enacted their own consumer privacy laws with slightly different thresholds and requirements. The practical response for most e-commerce businesses is a privacy programme that meets the highest common denominator rather than managing state-by-state variations.
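One way to make the opt-out actually bite, as an added example that is not code from the original article: decide server-side, per request, whether the advertising tags that share data with Meta or Google may be rendered at all. The visitor is treated as opted out if either the Global Privacy Control signal (request header Sec-GPC: 1, which the CCPA regulations require businesses to honour as an opt-out preference signal) is present or the store's own opt-out cookie is set; the cookie name and the tag lists are assumptions for this example.

```javascript
// Added example, not code from the original article. Gate third-party
// advertising tags on the visitor's opt-out state so that "Do Not Sell"
// is enforced at render time rather than only recorded.

const OPT_OUT_COOKIE = 'dns_opt_out'; // assumed: set by the "Do Not Sell" link
const AD_TAGS = ['meta-pixel', 'google-tag-manager']; // send data to third parties
const ESSENTIAL_TAGS = ['checkout', 'fraud-screening']; // service-provider use only

// Minimal Cookie header parser; returns a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Headers are expected lower-cased, as Node's http module delivers them.
// Sec-GPC: 1 is the browser-level opt-out preference signal (Global Privacy Control).
function isOptedOut(headers) {
  if (String(headers['sec-gpc'] || '').trim() === '1') return true;
  return parseCookies(headers['cookie'])[OPT_OUT_COOKIE] === '1';
}

// Returns the tag list the page template should render for this request.
function tagPlan(headers) {
  const optedOut = isOptedOut(headers);
  return { optedOut, tags: optedOut ? [...ESSENTIAL_TAGS] : [...ESSENTIAL_TAGS, ...AD_TAGS] };
}

// Constructed sample requests: GPC-signalling browser, cookie opt-out, and neither.
const GPC_BROWSER = { 'sec-gpc': '1', cookie: 'session=abc' };
const COOKIE_OPT_OUT = { cookie: 'session=abc; dns_opt_out=1' };
const NO_SIGNAL = { cookie: 'session=abc' };

for (const [name, h] of Object.entries({ GPC_BROWSER, COOKIE_OPT_OUT, NO_SIGNAL })) {
  console.log(name, tagPlan(h));
}
```

The same decision has to be mirrored in the opt-out request handling (deletion and "do not sell" records), since a tag that fires before the cookie is set has already shared the data.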
UAE Personal Data Protection Law
The UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) came into full effect and represents a significant shift in the UAE's data governance environment. For e-commerce businesses operating in the UAE or collecting data from UAE residents, the PDPL introduces consent requirements for data collection and processing, data subject rights including access, correction, and deletion, restrictions on cross-border data transfers, and mandatory data breach notification obligations.
The PDPL shares architectural similarities with GDPR and applies to businesses regardless of where they are headquartered — a US-based brand with UAE customers is in scope. The practical implications for e-commerce include reviewing the lawful basis for every data processing activity, updating privacy notices, and ensuring that any third-party data processors (email platforms, analytics tools, CRM systems) are compliant.
PCI-DSS and Payment Security Obligations
Any business that accepts card payments is subject to the Payment Card Industry Data Security Standard, regardless of size or transaction volume. Shopify's hosted checkout processes cardholder data in a PCI-compliant environment, which significantly reduces — but does not eliminate — the store owner's compliance scope.
The residual scope for Shopify merchants covers the security of the broader store environment: access controls to the admin, third-party app security, and any custom integrations that touch payment data. Annual completion of a PCI Self-Assessment Questionnaire (SAQ) is required for most merchants, and failure to maintain compliance can result in higher processing fees from payment providers or loss of the ability to accept card payments in a breach scenario.
Not sure where your compliance gaps are?
HatchHope conducts compliance reviews for e-commerce businesses covering CCPA, UAE PDPL, and PCI-DSS scope — with practical remediation recommendations.
ADA Web Accessibility for US Storefronts
The Americans with Disabilities Act has been increasingly applied to e-commerce websites through court decisions and DOJ guidance. Businesses with US customers face meaningful litigation risk if their website is not accessible to users with visual, auditory, motor, or cognitive disabilities. WCAG 2.1 AA compliance is the de facto standard courts and regulators reference.
Shopify's default themes have improved in their accessibility baseline, but custom themes and heavily modified stores frequently introduce accessibility violations — missing alt text, insufficient colour contrast, keyboard navigation failures, and form fields without proper labels. An accessibility audit before launch is significantly cheaper than a demand letter after.
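Two of the violations listed above can be caught before launch with a few lines of code; the following is an added example, not code from the original article or from Shopify. The luminance and contrast formulas are WCAG 2.1's own (AA requires at least 4.5:1 for normal text); the markup scan is regex-based and is a smoke test for theme templates, not a replacement for an audit against a real DOM. The sample markup is constructed.

```javascript
// Added example, not code from the original article: WCAG 2.1 contrast
// ratio plus a regex smoke test for missing alt text and unlabelled inputs.

// Relative luminance of a #rrggbb colour (sRGB, linearised, channel-weighted).
function relativeLuminance(hex) {
  const n = parseInt(hex.replace('#', ''), 16);
  const lin = (c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin((n >> 16) & 0xff) + 0.7152 * lin((n >> 8) & 0xff) + 0.0722 * lin(n & 0xff);
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05); AA needs >= 4.5:1 for normal text.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg), l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

function meetsAANormalText(fg, bg) {
  return contrastRatio(fg, bg) >= 4.5;
}

// Flags <img> without alt and <input> with neither a <label for> nor an aria label.
function auditMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(/<img\b[^>]*>/gi)) {
    if (!/\balt\s*=/i.test(m[0])) findings.push(`img missing alt: ${m[0]}`);
  }
  const labelled = new Set(
    [...html.matchAll(/<label\b[^>]*\bfor\s*=\s*["']([^"']+)["']/gi)].map((m) => m[1]));
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    if (/\btype\s*=\s*["'](hidden|submit|button)["']/i.test(m[0])) continue; // no label needed
    const id = /\bid\s*=\s*["']([^"']+)["']/i.exec(m[0]);
    const aria = /\baria-label(ledby)?\s*=/i.test(m[0]);
    if (!aria && (!id || !labelled.has(id[1]))) findings.push(`input without label: ${m[0]}`);
  }
  return findings;
}

// Constructed sample markup: one passing and one failing case of each kind.
const SAMPLE_HTML = `
<img src="hero.jpg" alt="Blue running shoe, side view">
<img src="badge.png">
<label for="email">Email</label><input id="email" type="email">
<input type="text" name="promo" placeholder="Promo code">`;

console.log(contrastRatio('#777777', '#ffffff').toFixed(2), meetsAANormalText('#777777', '#ffffff'));
console.log(auditMarkup(SAMPLE_HTML));
```

Mid-grey (#777777) on white is a common theme default and fails AA at roughly 4.48:1, which is exactly the kind of near-miss a visual check does not catch.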
UAE Consumer Protection Regulations
The UAE Consumer Protection Law requires e-commerce businesses to provide clear pricing inclusive of all fees and taxes, a defined returns and refund policy that meets minimum statutory standards, accurate product descriptions, and clear identification of the seller. Businesses selling into the UAE from outside should be aware that these obligations apply based on where the customer is, not where the seller is incorporated.