E-commerce is used as the mechanism for delivering information, products, services or payments by electronic means including computer, telephone, or other automated means. The use of e-commerce operations has emerged across a range of business activities and may be provided through the following business models: business-to-business (B2B), business-to-consumer (B2C), consumer-to-consumer (C2C), and consumer-to-business (C2B). There are several advantages for businesses to engage in e-commerce operations including significant cost reductions, flexible operating arrangements, rapid response to consumer and market demands, and swifter transaction processes.

In order to take advantage of e-commerce solutions, businesses must ensure that they comply with a wide range of legal requirements related to licensing, contracting, e-commerce regulation, tax, anti-money laundering, consumer protection, cybersecurity, and data protection. E-commerce businesses providing goods and/or services in the global market must also consider the laws of multiple jurisdictions, regardless of where they are headquartered. For example, the data protection obligations under the EU General Data Protection Regulation (GDPR) apply not only to EU-based businesses, but also to non-EU companies that offer goods and services within EU jurisdictions.

In e-commerce operations, businesses regularly collect, use, share, and store a myriad of information, including the personal information of employees, platform users, and consumers. The types of personal information collected through e-commerce platforms and used for online transaction processing include names, physical addresses, identification details, passwords, and credit card details. E-commerce businesses must ensure that they have effective information governance practices in place to properly protect and maintain personal information, implement data protection and cybersecurity measures, and engage in the routine disposition of information in a legally compliant manner.

Many jurisdictions around the world continue to regulate e-commerce businesses, including through information governance related requirements (e.g., recordkeeping, privacy, cybersecurity, etc.):

  • In Turkey, the recently adopted Law on the Amendment of the Law on the Regulation of Electronic Commerce (No. 7416/2022) introduces new and broadly applicable obligations for intermediary service providers, service providers, financial entities, payment companies and electronic money issuers in the e-commerce space, including increasing the retention duration for information, documents, ledgers and electronic records of their businesses and transactions from 3 years to 10 years from the date of the operation or transaction.[1]
  • In India, the Ministry of Electronics and Information Technology’s Indian Computer Emergency Response Team (CERT-In) recently issued Direction No. 20(3)/2022 under the Information Technology Act, 2000 obliging certain entities (e.g., service providers, intermediaries, data centres, corporate entities and government organisations) to comply with security practices, procedures, prevention, response, and incident reporting. This new direction includes the following recordkeeping requirements: (i) obliged entities must enable logs of all Information and Communications Technology (ICT) systems and maintain them securely for a rolling period of 180 days within India; (ii) data centres, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network Service (VPN Service) providers must maintain records relating to subscribers/customers hiring services for 5 years or a longer duration as mandated by the law following the cancellation or withdrawal of the service; and (iii) virtual asset service providers, virtual asset exchange providers and custodian wallet providers must maintain all KYC information and records of financial transactions for a period of 5 years in order to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
  • In China, new e-commerce rules, Measures for the Supervision and Administration of Online Transactions (2021), entered into effect last year, replacing the previous rules on online transactions. These rules apply to business activities related to the selling of goods or providing services through the Internet and other information networks. These rules require obliged entities to maintain the following information for specified time periods: (i) identity information of an operator on a platform for 3 years from the date of withdrawal from the platform; (ii) transaction information for 3 years from the date of completion of the transaction; (iii) live video of online trading activities for 3 years from the end of the live broadcast; and (iv) historical versions of modified platform service agreements and trading rules for 3 years from the effective date of the revised version.

In managing e-commerce operations, businesses should consider implementing the following information governance strategies:

  • Routinely audit their e-commerce operations to ensure that they understand the different types of information being created, collected, used, and stored including any personal and/or sensitive information in routine business practices.
  • Review their records retention schedule(s) and policies to ensure that records arising from their operations are adequately accounted for, such as third-party contracts, network security logs, breach notification, consumer complaints, customer accounts and profiles, records of processing, and transaction records.
  • Ensure that e-commerce related records are retained for an appropriate duration: (i) to meet statutory/regulatory requirements in jurisdictions in which the business is operational and/or provides goods and services; (ii) to resolve consumer complaints and/or respond to regulatory investigations; (iii) for litigation purposes; (iv) to meet industry standards if operating in a regulated sector (e.g., financial, telecommunications, pharmaceuticals, etc.); and/or (v) to meet reasonable business needs (e.g., routine internal/external audits, statistical/historical purposes, etc.).
  • Avoid collecting any personal information that is not necessary for business purposes.
  • Retain personal information in compliance with local and regional data protection laws for a duration which is no longer than is necessary for the purpose for which it is collected/processed, including to meet any mandated statutory obligations.
  • Engage in the routine audit and deletion of records in accordance with the retention rules provided for in their retention schedule(s) and related policies.
  • Ensure adequate privacy policies and related cybersecurity measures are in place, including consents, breach notification, incident reporting, and emergency preparedness.
  • Document the use of any third-party IT service providers and ensure recordkeeping and data protection responsibilities are adequately reflected in contractual arrangements.

[1] Can Sozer, Aybuke Gundel Solak, and Ecenur Etiler, New Era in E-Commerce! (July 4, 2022): www.esin.av.tr/2022/07/04/new-era-in-e-commerce/


Nadia Rauf is a Research Lawyer with the global Information Governance group within Baker McKenzie’s Information Technology & Communications Practice in Canada. She focuses her legal expertise in the areas of information governance, privacy, media/format, cross-border data transfers, and regulatory compliance, among other areas.


Lisa Douglas is a member of Baker McKenzie’s Technology Practice. She currently focuses on information governance, drawing on a rich background in knowledge management, legal research, and library science to provide compliance advice on the enterprise information lifecycle.