Legal Requirements for Indie Authors Selling Direct
Selling direct means running a business — not just writing books. When a reader buys from your Shopify or Payhip store, you are responsible for protecting their financial data, handling their personal information according to applicable privacy laws, collecting and remitting applicable taxes, disclosing your affiliate relationships, and complying with the email marketing laws of their country. Amazon handles all of this on your behalf when you sell through their platform. Your direct store does not.
Most of these requirements are manageable and many can be addressed with standard tools rather than custom legal work. The goal of this article is to help you understand which requirements are non-negotiable before launch, which arise as your store grows and international sales increase, and when a legal template or compliance tool is sufficient versus when you need advice from an actual professional.
This is not legal advice. It is an orientation to the legal landscape for indie authors selling direct. Specific questions about your situation — especially around tax obligations, business structure, and international compliance — warrant professional consultation.
Before Launch — The Four Legal Pages Every Store Needs
Before you send a single reader to your store, four legal documents should be live and linked in your footer:
1. Privacy Policy
A privacy policy tells readers what data you collect about them, how you use it, how long you keep it, who you share it with, and how they can request it be deleted. This is legally required if you collect any personal data — which you do the moment you capture an email address, process a payment, or install analytics on your site.
Your privacy policy must cover: what data is collected (names, email addresses, IP addresses, purchase history, browser cookies), what tools process that data (Stripe, PayPal, ScribeCount Email or your email platform, Google Analytics), how readers can request data access or deletion, and your contact information for privacy requests.
Termageddon generates and automatically updates privacy policies as laws change — the most practical solution for authors who don't want to maintain a legal document manually. Iubenda and Termly are alternatives. Shopify auto-generates a basic privacy policy template; it's a starting point, not a complete solution. Link your privacy policy in your site footer, at checkout, and in your email signup forms.
2. Terms of Service
Your terms of service (also called terms and conditions) governs the legal relationship between you and your buyers. For an author direct store, key terms include: your refund policy for digital and physical products, intellectual property ownership (you own the content; buyers receive a personal use license for digital products), dispute resolution, jurisdiction (which state or country's laws govern), and limitation of liability.
The Contract Shop offers author-specific legal templates that cover ecommerce terms of service. At $50-150 for a professionally drafted template, this is worth the investment over a free generic template. Link your terms of service in your footer and reference them at checkout with a checkbox or acknowledgment statement.
3. Cookie Policy and Consent
Any website that sets non-essential cookies or similar identifiers, which includes any site running Google Analytics, Facebook Pixel, Shopify's analytics, or remarketing tags, must tell visitors about them. For EU visitors the requirement comes from the EU's ePrivacy rules applied with GDPR's consent standard: a banner that appears on first visit and records the visitor's choice before any non-essential cookie is set. A notice that says "we use cookies" with only an OK button, or a banner that fires the tags regardless of the answer, does not meet it. Rejecting must be as easy as accepting, and the stored choice must be remembered so returning visitors are not re-prompted until your cookie policy changes.
Cookiebot and Iubenda's cookie solution provide compliant cookie banners that detect cookies on your site, categorize them, and manage consent records. Configure your banner before driving EU traffic to your store. If you're using Shopify, the Shopify Cookie Banner app handles GDPR cookie consent natively for Shopify-hosted stores.
4. Refund Policy
A clearly stated refund policy reduces chargebacks and disputes by setting expectations before purchase. For digital products: state that files are non-refundable once downloaded, but that you will replace defective files at no cost. If you sell to EU or UK consumers, note that their 14-day right of withdrawal still covers digital downloads unless the buyer expressly agrees at checkout to immediate delivery and acknowledges losing that right; most checkout platforms offer a checkbox for exactly this, and without it a "no refunds once downloaded" line is not enforceable against those buyers. For physical products: state your return window (14-30 days is standard), condition requirements (unused, undamaged), and who pays return shipping. Your refund policy should appear on your Terms of Service page, on each product page near the buy button, and in your order confirmation email.
GDPR — The Compliance Requirement That Applies to Every Author
The General Data Protection Regulation applies to any business that collects personal data from EU residents — regardless of where the business is based. A US-based author whose store collects email addresses from readers in Germany, France, or the Netherlands is subject to GDPR. This is not a threshold question; it applies from your first EU visitor.
GDPR compliance for an author direct store requires:
Lawful basis for data collection: for email marketing, this is typically explicit consent — readers must actively opt in, not be added to your list automatically
Privacy policy meeting GDPR requirements: what data you collect, why, how long you keep it, who you share it with, and how readers can exercise their rights (access, correction, deletion)
Cookie consent: active consent before non-essential cookies fire — not a notice that cookies are in use, but a choice that must be made before tracking begins
Data processor agreements: if you use third-party tools that process EU reader data (your email platform, payment processor, analytics tool), those tools must have GDPR-compliant data processing agreements in place. Stripe, PayPal, MailerLite, Klaviyo, and ScribeCount Email all maintain these
Right to erasure: a process for readers to request their data be deleted — email address, purchase history, and any other data you hold about them
The practical compliance path for most authors: use Termageddon for your privacy policy (auto-updates as laws change), Cookiebot or Iubenda for cookie consent, and an email platform with GDPR-compliant signup forms and one-click unsubscribe (ScribeCount Email, MailerLite, and Klaviyo all provide these).
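The cookie consent requirement above, and the "before non-essential cookies fire" wording in both the Cookie Policy section and the GDPR list, comes down to one mechanical rule: tracking tags must not be injected until a recorded choice permits them. The following is an added example, written for this article and not code from the page, from Termageddon, Cookiebot, Iubenda, or Shopify, of a minimal consent gate that enforces that rule. The function and category names, the storage key, the policy version string, and the two tag URLs are this example's own assumptions; a purchased banner does the same job with a nicer UI and an audit log.

```javascript
// Added example: a consent gate that keeps non-essential tags from loading until the
// visitor has made an explicit, recorded choice. All names here are this example's own.

const CONSENT_KEY = 'cookie_consent_v1';  // assumed storage key for the consent record
const POLICY_VERSION = '2024-06';         // bump when the cookie policy changes; older records no longer count
const NON_ESSENTIAL = ['analytics', 'marketing'];  // categories that need consent; anything else is "necessary"

// Tags you would otherwise paste straight into <head>, each assigned a consent category.
// (Assumed URLs; substitute your own tag IDs.)
const TAGS = [
  { id: 'ga4',        category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// storage and loadScript are injected so the same logic runs in the browser and headless.
function createConsentManager({ storage, loadScript, now = () => Date.now() }) {
  const alreadyLoaded = new Set();  // a script tag cannot be un-injected, so never inject twice

  // Returns the stored record, or null when there is none or it predates the current policy.
  function readRecord() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.version !== POLICY_VERSION) return null;  // stale: re-prompt rather than assume
      return rec;
    } catch {
      return null;  // corrupted record counts as no consent
    }
  }

  function needsBanner() { return readRecord() === null; }

  // Necessary cookies never need consent; everything else needs an affirmative record.
  function isGranted(category) {
    if (!NON_ESSENTIAL.includes(category)) return true;
    const rec = readRecord();
    return rec !== null && rec.granted.includes(category);
  }

  // Persist the choice with timestamp and policy version. A rejection is stored too,
  // so the visitor is not asked again on every page view.
  function record(granted) {
    const rec = {
      version: POLICY_VERSION,
      timestamp: new Date(now()).toISOString(),
      granted: granted.filter((c) => NON_ESSENTIAL.includes(c)),
    };
    storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  // Inject only the tags the current record permits; returns the ids loaded by this call.
  function applyConsent() {
    const loaded = [];
    for (const tag of TAGS) {
      if (alreadyLoaded.has(tag.id) || !isGranted(tag.category)) continue;
      loadScript(tag.src);
      alreadyLoaded.add(tag.id);
      loaded.push(tag.id);
    }
    return loaded;
  }

  function acceptAll() { record(NON_ESSENTIAL); return applyConsent(); }
  function rejectAll() { record([]); return applyConsent(); }
  function acceptSelected(categories) { record(categories); return applyConsent(); }

  return { readRecord, needsBanner, isGranted, record, applyConsent, acceptAll, rejectAll, acceptSelected };
}

// Browser wiring, guarded so the module also loads outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const manager = createConsentManager({
    storage: window.localStorage,
    loadScript: (src) => {
      const s = document.createElement('script');
      s.async = true;
      s.src = src;
      document.head.appendChild(s);
    },
  });
  if (manager.needsBanner()) {
    // Show your banner here. Its buttons call manager.acceptAll(), manager.rejectAll(),
    // or manager.acceptSelected([...]) with equal prominence for accept and reject.
  } else {
    manager.applyConsent();  // returning visitor: honour the stored choice, no banner
  }
}
```

The two properties worth checking in any banner you deploy are visible here: before any choice, `applyConsent()` loads nothing, and a rejection is stored so it is remembered. Withdrawing consent later cannot remove a script that has already run; clear the vendor's cookies and reload the page in that case.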
⚠ GDPR fines for non-compliance can be substantial — up to 4% of annual global turnover or €20 million, whichever is higher, for serious violations. Small author stores are unlikely to face maximum penalties, but complaints from individual readers to their national data protection authority can trigger investigations. The practical risk for most authors is not a fine but the operational disruption of responding to a compliance complaint while running a business. Compliance is cheaper than remediation.
Sales Tax and Economic Nexus — US Authors
US sales tax law changed significantly after the 2018 Supreme Court decision in South Dakota v. Wayfair. States can now require out-of-state sellers to collect and remit sales tax based on economic nexus, meaning the volume of sales into a state, regardless of physical presence. The common threshold is $100,000 in annual sales into the state, in some states paired with a 200-transaction count; several states have since dropped the transaction count, and a few (California, New York and Texas among them) use a higher $500,000 figure, so check the specific state rather than assuming one number.
For most indie authors selling direct, US sales tax obligations are manageable:
Your home state: you likely have sales tax nexus in your home state by default. Register with your state's revenue department and configure your store to collect the applicable rate.
Other states: monitor your sales volume by state. If you're approaching a state's threshold (usually $100,000 or 200 transactions), consult a tax professional about registration requirements.
Digital goods: some states exempt digital goods (ebooks, audiobooks) from sales tax entirely; others tax them. The rules vary and change periodically. TaxJar and Quaderno maintain current rate databases and handle this automatically.
Physical goods: taxability of print books varies by state — many states exempt books from sales tax, but not all. Again, TaxJar or Quaderno handle this through your storefront integration.
For most authors starting out with a US-focused direct store, configuring TaxJar or Quaderno in your Shopify or WooCommerce store before your first sale is the most practical path. These tools monitor your nexus obligations automatically and alert you when you're approaching registration thresholds.
EU and UK VAT — International Authors and Non-EU Sellers
Selling digital goods — ebooks, audiobooks — to EU residents requires collecting and remitting VAT at the buyer's country rate, from your first EU sale, regardless of your location. This is covered in detail in the International Sales article (DS09) in this section. The short version:
Payhip handles EU VAT automatically for digital products — nothing to configure
Shopify requires TaxJar or Quaderno for EU VAT compliance on digital goods
WooCommerce requires the EU VAT Assistant plugin or TaxJar/Quaderno integration
UK VAT: the UK registration threshold (£85,000, raised to £90,000 from April 2024) applies only to businesses established in the UK. A non-UK seller supplying digital products to UK consumers has no threshold and must register for UK VAT from the first sale, the same position as for the EU
Configure VAT before your first EU sale. VAT liability accumulates from day one and retroactive compliance is significantly more difficult than proactive setup.
KDP Select Exclusivity — What It Actually Prohibits
KDP Select enrollment requires that your ebook be exclusive to Amazon's Kindle ecosystem for the duration of each 90-day enrollment period. This prohibition is specific and worth stating precisely:
| Status during KDP Select enrollment | Activity | Notes |
|---|---|---|
| Prohibited | Selling or distributing the same ebook through any other channel | Your direct store, Kobo, Apple Books, Google Play, D2D, Payhip: all prohibited |
| Permitted | Selling the print edition anywhere | KDP Print, IngramSpark, your direct store: all permitted |
| Permitted | Selling the audiobook anywhere | ACX non-exclusive, Findaway, your direct store: all permitted |
| Permitted | Selling merchandise | No restriction |
| Permitted | Selling the ebook after enrollment expires | Turn off auto-renewal; wait for the 90-day term to complete |
⚠ 'Selling through your own store' counts as distribution outside Amazon's Kindle ecosystem. If your ebook is enrolled in KDP Select and you list it on Payhip or Shopify, you are in violation of your KDP Select agreement. Amazon can terminate your KDP Select enrollment and, in repeated cases, your KDP account. Turn off auto-renewal immediately if you plan to sell direct. Do not upload an enrolled ebook to your store until the enrollment period has fully expired.
KDP Select enrollment is per-title and per-90-day period. You can have some titles in KDP Select and others wide and selling direct simultaneously. Check each title's enrollment status individually — the KDP Select dashboard shows each enrolled title's current term end date.
Affiliate Disclosure Requirements
If you receive commission from purchases made through links on your website, blog, or emails — Amazon Associates, Bookshop affiliate program, or any other affiliate arrangement — you are legally required to disclose that relationship. This is required by the FTC in the US and by equivalent regulations in most other jurisdictions.
The disclosure must be clear, conspicuous, and placed near the affiliate link — not buried in a footer or on a separate disclosure page. 'As an Amazon Associate, I earn from qualifying purchases' placed visibly near Amazon links in a blog post is sufficient. A single disclosure page linked from your footer is not sufficient if readers may not see it before encountering the affiliate links.
On product pages in your store, affiliate links are less common — you're selling your own products. But if you include links to products you don't sell (a recommended reading order that links to Amazon, for example) and those are affiliate links, the disclosure requirement applies.
Email Marketing Compliance — CAN-SPAM, GDPR, and CASL
Email marketing laws vary by country and affect how you build and communicate with your list:
| Law | Applies to | Requires |
|---|---|---|
| CAN-SPAM (US) | Commercial email sent to US recipients | A valid physical postal address in every message; a clear opt-out mechanism honoured within 10 business days; honest subject lines; no deceptive headers (Gmail and Yahoo's 2024 bulk-sender rules additionally expect RFC 8058 one-click unsubscribe headers, which your email platform sets for you) |
| GDPR (EU) | Email marketing to EU residents | Explicit opt-in consent; a clear explanation of what they're signing up for; an easy unsubscribe in every message; right to erasure |
| CASL (Canada) | Commercial electronic messages sent to Canadian recipients | Express or implied consent, with a record of how it was obtained; sender identification and contact details; a working unsubscribe mechanism; strict penalties for violations |
The practical compliance path: use an email platform with built-in legal compliance features (ScribeCount Email, MailerLite, Klaviyo, and ConvertKit all provide GDPR-compliant signup forms, automatic unsubscribe handling, and footer address management). Never add email addresses to your list without the recipient's explicit opt-in. Import lists from other sources (business cards, in-person events) only with clear consent documentation.
For SMS marketing — if you're using text message campaigns — the legal bar is higher than email. TCPA in the US requires written express consent for marketing texts, specific opt-in language, message frequency disclosure, and opt-out instructions in every message. SMS is a high-return channel used sparingly but requires careful setup. Use a platform like Postscript or Attentive that manages TCPA compliance within its system.
Payment Security and Fraud Protection
Processing payments on your own store creates obligations around cardholder data security (PCI DSS). The practical requirement: never let card numbers touch your server or your database. Use the processor's hosted checkout or embedded card fields (Stripe Checkout or Elements, PayPal's checkout, Shopify Payments) so the card number travels from the reader's browser straight to the processor, and your store only ever receives a token or a payment confirmation. That arrangement keeps you in the lightest PCI self-assessment tier (SAQ A); a custom card form that posts card numbers to your own backend, even just to forward them to the processor, puts your server in scope for the full standard. Standard payment integrations work the hosted way by default. What you must still do yourself: serve the entire store over HTTPS, keep checkout plugins and themes updated, and never log, email or store anything typed into the card fields.
Fraud, meaning chargebacks and unauthorized transactions, is the operational risk rather than the compliance risk. Enable fraud detection in your payment processor: Stripe Radar (included), Shopify Fraud Protect (available on some plans), and PayPal's fraud protection tools all provide automated screening. Set manual review rules for unusually large orders or orders from high-fraud-rate countries if your volume warrants it. The chargeback handling process is covered in the Payment Processing article (DS07) in this section.
Amazon Reviews — What You Cannot Do
If you quote Amazon reviews in your store marketing — on product pages, in emails, or in advertising — a few rules apply:
You can quote reader reviews with attribution and accuracy — reproduce what was actually written, attributed to the platform it appeared on
You cannot claim '#1 Bestseller on Amazon' unless the book was genuinely #1 in a significant category (not a minor subcategory) and you link to verification
Be careful about steering buyers from your store to Amazon for reviews. Amazon's Community Guidelines prohibit reviews that are compensated or tied to a purchase incentive and treat coordinated review campaigns as manipulation, so "if you bought from my store, please leave a review on Amazon" messaging invites exactly that reading. You can ask buyers to review your book generally without directing them to Amazon specifically
Never offer incentives (discounts, free products) in exchange for Amazon reviews — this is a clear violation of Amazon's policies and can result in review removal and account consequences
When to Get Professional Advice
Tools and templates handle the majority of legal compliance for most indie author direct stores. Professional advice is warranted when:
You're unsure about your sales tax nexus obligations across multiple US states — a one-time consultation with a sales tax specialist (not a general accountant) is worth the cost
Your EU sales are significant and you want to ensure your VAT registration and remittance are correct — an accountant familiar with EU digital services VAT can review your setup
You receive a formal complaint or inquiry from a data protection authority, the FTC, or a state revenue department: do not answer informally; engage counsel before you respond
You're forming a business entity (LLC, corporation) and need advice on structure for your specific tax and liability situation
You're licensing rights, entering co-authoring agreements, or dealing with IP ownership questions — an attorney specializing in publishing or intellectual property
The majority of authors selling direct who follow the guidance in this article — four legal pages live before launch, VAT compliance configured before EU sales, email list built with explicit opt-in, payment data routed through PCI-compliant processors, KDP Select exclusivity tracked carefully — will never need reactive legal assistance. Compliance is significantly cheaper than remediation. Do it before your first sale, not after a problem arises.
Legal Infrastructure Checklist
Privacy Policy live, linked in footer, compliant with GDPR
Terms of Service live, linked in footer, referenced at checkout
Cookie consent banner active for EU visitors
Refund policy visible on product pages and in order confirmation emails
EU VAT configured: Payhip (automatic), Shopify (TaxJar/Quaderno), WooCommerce (EU VAT Assistant)
US sales tax configured in your home state; monitor thresholds in other states
Email list built with explicit opt-in only; unsubscribe mechanism working
Physical business address in email footer (CAN-SPAM requirement)
KDP Select enrollment status checked for each title before listing on direct store
Affiliate disclosure placed near affiliate links, not just on a separate disclosure page
Payment data routed through PCI-compliant processor — no card details handled by your store directly
Fraud detection enabled in your payment processor
Legal compliance for a direct author store is not complicated, but it does require deliberate attention before launch. The four legal pages, VAT configuration, and email consent setup are one-time investments that protect every sale you make afterward. Review this checklist before your store goes live and revisit it annually — laws change, platforms update their requirements, and your compliance needs evolve as your sales volume and geographic reach grow.
-Randall Wood