Navigating Ecommerce & Retail Compliance: The Ultimate Guide

When we talk to brand founders, we always ask: 

What inspired you to launch this business?

Wildly, not once has the answer had anything to do with compliance. 

Absurd, right? Twenty-five years of fulfilling millions of products and helping brands scale from good to great and not one of them did it for the compliance. 

The reality is this: No one launches the next great apparel or beauty brand because they geek out on ecommerce or retail compliance. They do it because they saw a market opportunity. They do it because they relentlessly believe in a dream.

But compliance remains. It is a requirement that is critical to success. Cut corners on it and the potential for failure grows. 

For young brands with momentum, though, figuring out compliance requirements – and maintaining them – isn’t easy. To help sort through what’s what, we tapped the Capacity hive mind and our 25 years of beauty and apparel fulfillment experience and put together a guide. It’s broken down into two main categories: ecommerce compliance and retail compliance. Within each of those buckets, we dive into table-stakes requirements, common pitfalls (and how to avoid them) and best practices. 

Let’s get to it. But before we do, note that this is by no means an exhaustive list. Each brand’s compliance requirements are unique. 

Ecommerce Compliance for Beauty and Apparel Brands

These days, most up-and-coming beauty or apparel brands launch direct-to-consumer (D2C) via ecommerce. With platforms like Shopify it’s easier than ever to get an online store live. 

Through the lens of D2C ecommerce, compliance helps deliver a seamless shopping experience, builds trust and brand loyalty and, perhaps most importantly, keeps the brand in good legal standing. 

A number of ecommerce compliance solutions are built into the actual ecommerce platform. Since we mentioned Shopify, let’s use that as an example – and let’s dig into payments first. 

Payment Processing Security and Compliance

Who’s responsible? Tech / IT Security (CISO), Finance / Controller, Legal / Compliance Lead

Shopify Payments allows brands to accept online payments. This eliminates the hassle of having to set up a third-party payment processor. Shopify handles all of the payment processing and customer card data management. As such, Shopify is certified Level 1 PCI DSS compliant. 

What’s that mean?

Back in 2006, the PCI Security Standards Council (PCI SSC) was formed by major credit card brands including American Express, Discover Financial Services, JCB International, MasterCard and Visa. The purpose? To manage the ongoing evolution of the Payment Card Industry Data Security Standard (PCI DSS) which, at the time, consisted of 12 core requirements developed to help businesses measure their own payment card security policies and procedures.

There are four levels of PCI DSS compliance, each with its own, increasingly stringent validation requirements. Level 1 is the highest. It requires businesses processing over 6 million card transactions annually to undergo rigorous annual audits by a Qualified Security Assessor (QSA) and quarterly network scans. 

Long story short, Shopify has its customers covered. PCI DSS compliance is built into every Shopify store, though the brand still owns anything outside Shopify’s hosted checkout that touches card data, such as third-party apps or custom scripts it adds to the storefront. 

What About Other Customer Data?

Who’s responsible? Tech, Data Protection Officer (if required), Legal, Marketing Ops

Payment data is obviously the most sensitive, but other customer data points like name and email address warrant protection. Ecommerce platforms like Shopify offer tools brands can use to evaluate compliance requirements like GDPR and CCPA. But, using those tools alone does not ensure compliance. That requires some effort on the brand’s end. So say, for example, a U.S.-based ecommerce brand is expanding into Europe. Now they have to ensure they are GDPR compliant. They can do that themselves or hire expertise. 

For any brand selling D2C through ecommerce, ensuring payment and consumer data is handled properly is non-negotiable. A degree of this sort of compliance is typically built into the ecommerce platform, but brands should always consult with an attorney. 

Related: Check out these resources from the data privacy platform Osano. Lots of good webinars, best practices and other content that can help you wrap your head around your brand’s customer data management strategy. 

There are also industry-specific consumer data compliance requirements that brands need to be familiar with. For example, if a brand is selling medical products covered in any way by insurance, HIPAA compliance needs to be on its radar. Again, loop in legal.

Lastly, data privacy rules are constantly evolving. This state privacy legislation tracker from IAPP, a policy-neutral, not-for-profit association, is worth bookmarking. 

Accessibility Compliance

Who’s responsible? Tech / UX & Front-End Dev, Legal / ADA Counsel, Product Owner

Brands should ensure that their ecommerce experiences are accessible, meaning usable by people with disabilities, including those with visual, auditory, motor, and cognitive impairments. Not only is this the right thing to do, but it also keeps the brand in line with the Americans with Disabilities Act (ADA) and the Web Content Accessibility Guidelines (WCAG). Ignoring accessibility could expose brands to potential litigation.

While the ADA doesn’t explicitly mention websites, federal and state case law has made web accessibility a de facto expectation. Plaintiffs filed ≈2,450 federal ADA web cases in 2024, with settlements averaging $15k–$35k.

Ecommerce Compliance Quick Checklist 

✅ Ensure Shopify Payments (or your payment provider) maintains PCI DSS compliance.
✅ Activate GDPR/CCPA banners, cookie management, and data portability on your site.
✅ Schedule annual legal review of ecommerce terms of service and privacy policy.
✅ Conduct regular accessibility audits to comply with ADA and WCAG standards.
✅ Confirm influencer agreements include FTC disclosure language.

Product Claims and Advertising Compliance

Whose responsibility? Marketing, Legal, Regulatory Affairs / QA

The short version of this section of the guide is “Tell the truth,” but there’s a deeper dive… 

All brands selling D2C should ensure that their product claims are accurate, but beauty and apparel brands need to pay special attention. Differentiating value props like “organic” or “anti-aging” are meticulously defined by government agencies like the FDA and the FTC. Ignoring those guidelines in product descriptions or marketing materials exposes the brand to risk. 

Product Claims & Advertising Quick Checklist

✅ Regularly verify product claims (organic, cruelty-free, anti-aging) comply with FDA & FTC.
✅ Include internal regulatory or legal reviews in new product launch workflows.
✅ Maintain a claims substantiation file for all advertised benefits.

Social Media Marketing Compliance

Whose responsibility? Marketing / Social-Media Lead, Legal, PR / Comms

Influencer relationships can spark exponential growth for upstart D2C beauty and apparel brands, but running them without disclosing the financial relationship between brand and influencer can generate significant consumer backlash. The FTC has guidelines specifically related to social media disclosures for influencers who work with brands. (While the onus is typically on the influencer, it’s good practice for compliance to be a collaborative effort between brand and influencer.) 

Ingredients and Sourcing

Who’s responsible? Supply-Chain / Sourcing, Quality Assurance, Regulatory Affairs, Sustainability

Beauty and apparel brands, in particular, need to practice total transparency when it comes to listing product ingredients and sources. Not doing so opens a Pandora’s Box of potentially backbreaking possibilities ranging from allergic reactions to trade violations. 

Make it clear what’s in products and where those materials came from and life will be much easier.

Related: Products sold in California may need Prop 65 warnings if they contain any of the ~900 substances on the list known to cause cancer or reproductive harm. This list is updated annually and should be reviewed accordingly. However, there are numerous exceptions, so it’s important to have a resource who has a solid understanding of whether you are impacted and how to stay compliant.

Beyond California, Washington, Oregon, Maine, and Vermont have adopted similar regulations requiring product ingredient disclosures or limiting specific hazardous chemicals. Brands expanding into these states should familiarize themselves with these regional compliance obligations as well.

Product Labeling Compliance

Who’s responsible? Packaging Engineer, Quality Assurance, Regulatory Affairs

It’s pretty straightforward: beauty and apparel brands must let their customers know what’s in their products. Beauty brands must comply with FDA cosmetic labeling requirements. All ingredients need to be properly listed. Similarly, apparel brands have to follow FTC textile labeling rules, including fiber content, country of origin, and care instructions. 

Further Reading: Threading Your Way Through the Labeling Requirements Under the Textile and Wool Acts (Love that government humor!)

Ingredients, Labeling & Sourcing Quick Checklist 

✅ Audit product labels annually to ensure FDA/FTC compliance (cosmetics, apparel tags).
✅ Confirm ingredient transparency meets California Prop 65 and similar state standards (WA, OR, ME, VT).
✅ Implement standardized processes for ingredient tracking and allergen declarations.

Ecommerce Fulfillment Compliance

Who’s responsible? Operations (Logistics Manager, Packaging & Compliance, 3PL Partner), Tech (WMS Admin), Legal, Sustainability, Hazmat Certified Specialist (3PL Partner)

Smooth logistics. Packaging and shipping efficiency. Regulatory issue avoidance. Data privacy. Seamless returns management. Customer trust. 

These are just a few reasons why ecommerce fulfillment demands serious attention. 

Let’s Start with Packaging and Shipping Compliance

Using the right shipping materials and adhering to proper requirements not only ensures product integrity but also has a major impact on customer satisfaction and lifetime value. Think about it: If a bottle of nail polish was hastily packed in material that offered no padding, the bottle itself could crack and the lid could come undone. Now your carriers have hot pink nail polish dripping in their trucks and onto other parcels, and your customer is beyond disappointed. If this happens once, you probably get a pass. Repeat occurrences? Carriers aren’t interested in delivering your product anymore and you’re probably seeing a drop in orders.

Some jurisdictions have sustainable packaging laws too. While those laws, like California’s Plastic Waste Reduction Law, don’t specifically call out ecommerce companies and the packaging they use, it’s typically to a brand’s benefit to find that sweet spot between packaging delight and sustainability through the use of recycled, recyclable or biodegradable packing materials. Several states including California, Colorado, Maine and Oregon have passed Extended Producer Responsibility (EPR) laws that require brands to report, reduce and finance end-of-life recycling of packaging materials.

Then, particularly for beauty brands, there’s FDA compliance to consider. Beauty products must often include tamper-evident seals to prevent contamination and comply with FDA and consumer protection regulations. Beyond that, they also often need to consider their products against the Federal Food, Drug, and Cosmetic Act (FD&C Act). “Passed in 1938 to regulate the safety, purity, and labeling of food, drugs, medical devices, and cosmetics,” the act was designed to protect public health. It makes for wonderful weekend reading.

And don’t forget about MoCRA! MoCRA, or the Modernization of Cosmetics Regulation Act (2022), expands the FDA’s authority over cosmetic products, aligning more closely with the modern food and drug regulations added over the decades since the FD&C Act’s inception. Under MoCRA, cosmetics and personal care brands must register their facilities with the FDA, submit ingredient lists, ensure products are safe for use, report health-related customer complaints, follow good manufacturing practices and disclose certain fragrance allergens. 

Deeper Dive: Are You Ready for MoCRA?

Bottom line, this stuff is tough to sift through. Working with a fulfillment provider that deeply understands tamper-evident seals and countless other FDA standards goes a long way towards getting product safety compliance right. 

Some beauty products, like perfumes, nail polish, and aerosol sprays, are classified as hazardous materials (HAZMAT). Those products need to comply with Department of Transportation (DOT) and International Air Transport Association (IATA) regulations for safe shipping.

The DOT requires a broad range of materials to be properly classified, packaged, labeled, handled, and stowed for transportation. The idea is to protect workers, emergency responders, and the general public from the risks associated with the transportation of hazardous materials. 

Seems reasonable. But determining what’s HAZMAT and why is a wildly complex responsibility that requires constant vigilance. As product mixes change or new products are added, brands need to consider HAZMAT. When products are bundled or packed together, perhaps creating a potentially combustible situation, brands need to consider HAZMAT. When HAZMAT regulations are updated, brands need to determine how those changes affect their products and shipping procedures. 

“Consumers today often buy multiple items, such as sunscreen, eyeshadow, and nail polish remover simultaneously, resulting in these items being shipped together. Brands must consider their entire product mix to effectively navigate hazmat challenges.”

– Tony Ruiz, VP of Logistics at Capacity

Related Read: Demystifying Hazardous Materials Shipping

The IATA has its regulations and requirements too. The IATA is “the trade association for the world’s airlines, representing some 340 carriers or over 80% of global air traffic. It exists to support many areas of aviation activity and help formulate industry policy on critical aviation issues.” Specifically related to HAZMAT, the IATA establishes HAZMAT classifications (e.g., flammable liquids, oxidizing substances, corrosives). The organization also sets standards around packaging, packing, labeling, training and certification. 

If this is starting to sound like a lot for an ecommerce brand to handle, that’s because it is. And it’s precisely where the right fulfillment provider can make all the difference. Ecommerce brands with HAZMAT products in their mix (or even those that aren’t sure!) must partner with a fulfillment provider that:

  1. Has deep HAZMAT experience and actually knows what it is doing.
  2. Is certified to ship HAZMAT consumer products via ocean, air and ground.

For what it’s worth, here at Capacity, we satisfy both of those requirements. 

Fulfillment, Logistics & Shipping Compliance Quick Checklist 

✅ Clearly understand your 3PL’s certifications (IATA, DOT, IMDG) for hazardous materials.
✅ Regularly review packaging for sustainability compliance (CA, ME, CO, OR).
✅ Include tamper-evident seals and proper packaging standards for applicable products.
✅ Conduct periodic compliance spot-checks of outbound shipments.

Sales Tax and Cross-Border Compliance

Who’s responsible? Finance / Indirect-Tax Lead, Legal, ERP Admin

Ohhhhh, the really fun stuff! Jokes aside, ecommerce beauty and apparel brands can’t afford to cut corners when it comes to sales tax and cross-border compliance. 

In the U.S., many states require D2C brands to collect and remit sales tax. In South Dakota v. Wayfair, the Supreme Court decided “in favor of South Dakota’s imposition of sales tax collection obligations on remote sellers meeting economic thresholds based on in-state receipts or transaction volume.” Translation: Wayfair now had to collect and remit sales tax on orders shipped to South Dakota even though it had no physical presence in the state. 

By early 2023, all states with sales tax had enacted sales tax economic nexus.

Luckily, most ecommerce platforms like Shopify calculate and collect sales tax at customer checkout and make filing and remittance a snap. That said, brands are still responsible for knowing where they have nexus, registering with state tax authorities and ensuring filing and remittance meet deadlines. Apps like TaxJar, Avalara and Quaderno can help automate registration, filing, and compliance across multiple states.

For our international brands, platforms like OpenBorder, Passport and Global-E are capable of solving virtually any international duties and customs compliance challenges. Oh, and they all integrate with our warehouse management system here at Capacity. 

Returns Compliance

Who’s responsible? Operations / Reverse Logistics Lead, Customer Care, Finance

A number of states require ecommerce brands to clearly disclose return policies or provide full refunds by default. And since we’re talking primarily about apparel and beauty, brands should be conscious of state and federal health regulations concerning returned items.

Learn how Capacity and UPS’ Happy Returns are changing the way businesses handle returns while driving customer satisfaction to new heights.

That’s a Crash Course in Ecommerce Compliance. Now Let’s Talk B2B.

Today, adding retailer channels once D2C ecommerce has scaled is the norm. So when a brand does build the case to initiate retailer relationships (or retailers start courting them), a whole new roster of compliance requirements will present themselves. 

Many ecommerce compliance requirements apply to B2B, but there are a few that are unique to doing business with retailers. 

On we go. 

EDI

Who’s responsible? Tech / EDI Analyst, Operations / Vendor-Compliance Mgr, Finance / AP

Perhaps the most unique piece of the brand-retailer relationship is EDI, otherwise known as electronic data interchange. Done by fax until alarmingly recently, EDI is the automated exchange of business documents between organizations. There are dozens of these documents ranging from purchase order and purchase order acknowledgement to advance ship notice (ASN), invoice and payment remittance advice. These documents are coded. Under one EDI standard, X12, documents are assigned three-digit numbers. Under the other EDI standard, EDIFACT, they’re assigned six-letter codes. Take the purchase order: in X12 it’s 850; in EDIFACT it’s ORDERS. 

These documents go back and forth stipulating exactly what the brand needs to get to the retailer and when. It is very much in the brand’s best interest to comply with their retailer’s EDI standards. Mess things up and send the wrong volume of the wrong color product to the wrong location and the retailer will issue the brand a chargeback. A chargeback is a financial penalty issued by the retailer to the brand for noncompliance. If a brand racks up too many chargebacks, the retailer will simply drop them. Partnership over.

Today, EDI is virtually fully automated by software. Top providers include TrueCommerce and SPS Commerce, both of which integrate with our warehouse management system. That last bit is key: EDI software must integrate with a brand’s warehouse management system to ensure inventory accuracy. Most EDI platforms also integrate with accounting systems like QuickBooks, ERPs like NetSuite and ecommerce platforms like Shopify. 

Pro Tip: When a brand is expanding into B2B, it should fully consider dedicating a point person to building out its EDI functionality and managing retailer relationships. 

It’s worth noting that while retailers generally treat EDI the same, each one has its nuances. For example, did you know that Burlington requires an advance ship notice to be submitted for all orders, and to be received no later than 24 hours before carrier pickup? Of course you did! 

The point is this: Staying up to date on retailer-specific EDI rules will dramatically help a brand maintain compliance – especially if it has relationships with multiple retailers. 

Get Familiar with Retailer Vendor Compliance Guides

Who’s responsible? Operations / Account Manager, Vendor Compliance, Legal

Beyond EDI, each retailer has its own set of rules. These are defined in what’s called a vendor compliance guide, sometimes referred to as a retailer vendor manual. 

These guides set standards around product quality and consistency expectations. They cover purchase orders, shipping and logistics, pricing and invoicing, payment terms, chargebacks, legal and ethical standards, issue resolution frameworks and escalation, and a variety of other areas that establish the rules of engagement. 

These guides are also often updated, making regular communication between brand and retailer all the more important. 

Side Note About Payment Terms: As many retailers make adjustments to their business models in reaction to broader economic and consumer trends, we’ve seen retailers make significant changes to payment terms. Saks Global, for example, announced in February 2025, that it will “pay for all purchase orders 90 days from when the inventory is received.” Yes, received.

Get Your Labels Exactly Right

Who’s responsible? Operations (Vendor Compliance Manager, Packaging Engineer), Tech (EDI Analyst, WMS Admin), Quality Assurance / Regulatory Affairs

Retailers typically have specific barcode and labeling requirements. (Think GS1-certified UPC codes or specific placement of labels on boxes and pallets.) Get them wrong and they’ll reject shipments and issue chargebacks. Your vendor compliance guides will spell this stuff out, and when in doubt (especially in the early stages of the relationship)… ask!

Related, if a brand’s retailer relationship is opening up international markets, it needs to consider foreign language labeling.

Understand Minimum Advertised Price and Pricing Compliance

Who’s responsible? Marketing / Channel Sales, Finance, Operations

Make no mistake, a retailer takes on brands to make money. As such, brands must adhere to agreed-upon pricing structures. Said differently, you better not undercut us. Retailers, too, have to stick to what’s called the minimum advertised price (MAP). The brand sets the MAP, determining the lowest price the retailer can set for a given product. The main idea is to avoid price wars. 

Brands are typically also required to monitor third party sellers (think eBay or Amazon) to prevent unauthorized discounts. And it’s in their best interest to communicate pricing changes to their retail partners well in advance. 

What About Brands Selling Through Their Retail Partner’s Online Store?

Who’s responsible? Operations / Retail-Dropship Lead, Tech / Integration Engineer

When Ulta sells a brand’s products through ulta.com, there are often compliance requirements the brand must satisfy. This channel often requires the brand’s product to be shipped to Ulta’s ecommerce fulfillment warehouse. Ulta then sends the product to the retail locations or direct to the customer if purchased online. Compliance guidelines govern this process, setting parameters for order processing and fulfillment timelines, order accuracy expectations, packaging and branding requirements, inventory and EDI integration to avoid overselling and return policies. 

Comply with Retailer Marketing and Merchandising Programs

Who’s responsible? Marketing, Trade-Marketing Lead, Operations / Demand-Planning

Retailers often expect their brands to participate in promotional campaigns, in-store displays and digital marketing efforts. A meeting of the two marketing teams prior to a brand’s launch within a retailer will help align calendars, roles and responsibilities, and requirements like product images and branded assets. This collaboration will also help the brand understand the retailer’s in-store display requirements. 

Are you a beauty brand looking to scale into B2B with the industry’s mega-retailers? Learn more about Capacity’s consolidator status with Sephora and Ulta.

Retailer & B2B Compliance Quick Checklist 

✅ Assign a dedicated EDI/retailer compliance point person.
✅ Regularly review retailer vendor compliance guides (updates quarterly).
✅ Maintain strict MAP compliance and proactively monitor third-party sellers.
✅ Confirm retailer-specific barcode and label placements through regular audits.

Compliance is… A Lot

But it’s a pleasant problem to have. Think about it. When a beauty or an apparel brand has to really start putting an emphasis on compliance, it’s likely growing. Its ecommerce is scaling. It’s striking up retailer relationships. Things are moving. 

The good news? Brands don’t have to figure out compliance on their own. Their best strategic resource when it comes to navigating ecommerce and retail compliance is often their closest partner: their 3PL. 

Here at Capacity, we’ve spent 25+ years building out deep compliance expertise. We’ve designed a comprehensive approach to ecommerce fulfillment compliance. We’ve helped brands develop relationships with and achieve incredible success with Ulta, Sephora and other retailers.

So if any form of compliance has you up at night, let’s talk.