11 areas of regulation
€35M max fine under the AI Act / DSA
30 days lowest-price rule for discounts
Legal obligations for online stores 2026 — the complete checklist

The Czech Trade Inspection (ČOI) has long reported that breaking the rules on discount promotions and reviews is far from rare among online stores — during its checks it typically finds faults with the majority of the retailers it inspects (you can find the exact figures from ČOI's latest press release at coi.cz). And the penalties run from tens of thousands to single-digit millions of CZK, depending on severity and how often it recurs.

And now the worse news: in 2025 and 2026 six new European and Czech regulations come into force, adding obligations you may not even be aware of yet. The "order button" amendment. The DSA. GPSR. The Accessibility Act. The Green Claims Directive. The PPWR.

If you're reading this and it sounds like alphabet soup, you're in good company. This article is the result of systematically working through every single regulation — a complete overview of what's coming for you as an online store, when it applies, and what specifically you have to do. No legalese, and none of the "we recommend consulting an expert" filler.

(Although there is one thing I'll honestly recommend: have your terms and conditions and GDPR documents drawn up by a lawyer. A template off the internet won't save you. A consultation costs a fraction of a six-figure fine.)

A quick overview of the obligations

Obligation

From when

Penalty

"Order button" amendment (the wording "Objednat a zaplatit" — Order and pay)

in force

per ČOI

Lowest price in 30 days for discounts

in force

up to 5,000,000 CZK (≈ €200,000)

Verified reviews

in force

up to 5,000,000 CZK (≈ €200,000)

DSA — Digital Services Act

in force

based on turnover

GPSR — product safety

13 Dec 2024

per Czech law, in the order of millions of CZK

Accessibility Act

06/2025

up to 5,000,000 CZK (≈ €200,000)

Right-of-withdrawal button

06/2026

per ČOI

Green Claims Directive

09/2026

per ČOI

PPWR — packaging regulation

08/2026

per ČOI

Now, one at a time. I'll start with the ones you have to have sorted the moment you launch the store, and finish with those on a 12–18 month horizon.

1. The "order button" amendment: the text on a button that can earn you a fine

What it means: The button a customer uses to complete an order must contain unambiguous text that makes it clear this is a commitment to pay.

Permitted texts:

Prohibited texts:

Why it exists: The EU doesn't want a customer to "order" something with the impression that it isn't binding. Behind this rule is a long-standing problem with so-called dark patterns — manipulative interfaces that deliberately push a user toward an action they wouldn't otherwise take. In this case it targets one specific dark pattern: hidden commitment. When a button reads "Continue," the customer doesn't know whether they're committing or just moving to the next screen. The law no longer allows that.

How it works in Shoptet: Shoptet implemented the amendment at the platform level — the text "Objednat a zaplatit" (or "Objednávka zavazující k platbě") is deployed by the platform, not something a user rewrites by hand in the admin. In practice the button often has two lines: the primary call to order, and, in smaller type, supplementary text about the payment obligation.

Check the production version of your store with your own eyes. With older templates, migrated stores or custom changes, you sometimes find variants that don't comply with the amendment. Go through the entire checkout as a customer and verify how the button text actually reads at the moment the order is completed. If something looks off, the helpdesk in the admin is the fastest route to a fix.

2. The lowest price in 30 days for discount promotions

What it means: When you put a product on discount, you must display the lowest price at which the product was sold in the 30 days before the reduction. Not the original price. Not the recommended retail price. The actual lowest price you charged over the last 30 days.

Example:

Why it came about: This regulation arrived in response to a classic manipulation of the anchoring effect (Tversky & Kahneman, Science, 1974). When a customer sees a struck-through price of 1,999 CZK next to a current 999 CZK, the brain "anchors" on the higher number and perceives the current price as an exceptional deal — even though nobody ever actually paid 1,999 CZK for it. The EU decided to curb this dark pattern and force the anchor to be real. It didn't ban the anchoring principle itself (as a marketing tool it remains legitimate) — it banned only its abuse to manufacture fictitious "savings."

Penalty: ČOI issues fines of up to 5,000,000 CZK (≈ €200,000).

How to do it in Shoptet: On each product's detail, in the Ceník (Pricing) tab, you fill in the Standardní cena (Standard price) field. This value should hold the lowest price at which the product was sold in the 30 days before the current discount — not the recommended retail price, not a fictitious "original" price. From this value the platform calculates the percentage discount the customer sees and displays it in the correct format.

Important: it's not fully automatic. Shoptet doesn't track the price history for you and won't recalculate the Standardní cena field based on real sales. The responsibility for putting the genuine lowest 30-day price there rests with you. If you plan frequent promotions, it's worth either setting up your own record-keeping process or using an add-on such as Dynamické akce a slevy (Dynamic promotions and discounts, by Shoptet) in the Shoptet Market, which plans and monitors your discount campaigns for you.

3. Verified reviews: one of the most frequently checked points

What it means: Product reviews in an online store must be verified — that is, you must have a process guaranteeing that the review was written by a real customer who actually bought the product. And you have to tell the customer so.

What this means specifically:

  1. You must not have fake reviews (logical, but ČOI really does check).
  2. You must state how you verify the authenticity of reviews — text along the lines of "Reviews are verified; only customers who bought the product from us can write them."
  3. If you also publish unverified reviews (e.g. imported from elsewhere), you must clearly label them.
  4. You must not delete negative reviews — you're obliged to publish all relevant reviews.

Why it matters so much: Reviews are, in the psychology of selling, one of the most powerful forms of social proof as described by Robert Cialdini in Influence (2006). In situations of uncertainty, people instinctively follow the behaviour of others and assume that what many people do or recommend is correct and safe. When this mechanism is abused by fake reviews, it's not merely deceiving the consumer — it's a systematic erosion of trust in the whole of e-commerce. That's why regulators push hard on authenticity.

An interesting detail from the research: a perfect five-star score can paradoxically convert worse than a realistic 4.0–4.7. Customers have learned that perfect ratings look suspicious, and they look for authenticity, not idealisation. Minor negative reviews thus ironically increase overall credibility. Not censoring them makes sense both legally and commercially.

Penalty: Fines range from hundreds of thousands to single-digit millions of CZK for repeat offences.

What to set up in Shoptet: Shoptet has its own product-rating system and also supports integration with the Heureka "Verified by Customers" service, which emails customers with a verified purchase asking for a review. On the product detail, add the text "Reviews are verified" + a short explanation of the process, so the customer knows how you verify authenticity.

4. DSA — Digital Services Act

What it is: An EU regulation that applies to all digital services — including online stores. Its aim is transparency, consumer protection and the ability to report illegal content.

What you specifically have to have:

  1. A mechanism for reporting illegal content — a form or email through which anyone can report fraudulent reviews, dangerous products or misleading advertising.
  2. Content-moderation rules — how you decide which reviews and comments you publish and which you delete. This must be in your terms and conditions.
  3. Transparency of advertising messages — if you have paid elements on the site (sponsored products), they must be labelled as advertising.
  4. Identification of the seller — clear contact details, company ID, address, responsible person.

The practical translation: Add a "Report illegal content" link to the footer and a paragraph on moderation to your terms and conditions. If you have sponsored products, label them.

Why not to underestimate it: The DSA is a relatively young regulation and enforcement practice across the EU is still settling in, but the first public cases show regulators moving very quickly on non-compliance. And the fix is trivial — within a matter of hours you add a link and update your terms. Ignoring it only pays off until the first audit.

5. GPSR — General Product Safety Regulation

In force since 13 December 2024, it significantly tightens the safety rules for products sold online.

What you specifically have to have

  1. Identification of the manufacturer / importer for every product — name, address, contact. For every one!
  2. Warning notices in Czech — if a product requires warnings (allergens, age restrictions, usage), they must be in Czech on the product page.
  3. Contact details for a responsible person within the EU — if you import from outside the EU, you must have someone in the EU accountable for safety (yourself, a distributor, a fulfilment partner).
  4. Images must allow identification of the product — including packaging, labels and warning symbols.
  5. The obligation to withdraw a dangerous product — if a product turns out to be dangerous, you must pull it from sale and report it to the Safety Gate system.

Penalty: GPSR itself sets the framework; the specific penalties are enforced by member states in their implementing laws. In the Czech Republic it's enforced through the Act on General Product Safety, with fines in the order of millions of CZK depending on the severity of the breach.

The practical translation: For every product, fill in a "Manufacturer" field with the identification. If you sell third-party brands, request the details from your suppliers. If you import from China or the USA, you need a representative in the EU — without one, you're not allowed to sell. This is a very strictly enforced requirement, and a single audit is enough to block your entire portfolio.

6. The Accessibility Act (from 06/2025)

Online stores must be accessible to people with disabilities. This isn't a recommendation, it's an obligation with a fine attached.

What it means in practice

Penalty: Fines from ČOI, in the order of hundreds of thousands of CZK (≈ €8,000+).

How to handle it in Shoptet: premium templates from partners (Bluefox, Goodweb and others) typically handle accessibility better than the most basic free options. Regardless of the template, test your store with the WAVE Web Accessibility Evaluation Tool (wave.webaim.org) and the Lighthouse Accessibility audit in Chrome DevTools — these tools show you the specific points where accessibility falls short.

A practical tip: If you have a store with dozens of obligations and can't code, find a developer or agency to audit your accessibility. The investment is modest next to the fine it saves you.

A side benefit that's easy to forget: Accessibility is often presented as a tiresome obligation, but long-term data convincingly show that accessibility measures (contrast, structured code, alt text, clear navigation) improve processing fluency for absolutely every user. The same principle psycholinguistics describes — the more easily the brain processes information, the more positively it rates it. A site with high contrast and clean code is faster, easier to browse on a weak phone, better indexed by Google and generally converts better. Accessibility is a quiet investment in your conversion rate. So take the fine merely as a secondary motivator — the primary reason should be performance.

7. The right-of-withdrawal button (from 06/2026)

What changes: The customer must be able to withdraw from the contract easily online — via a "withdrawal button." The process must be just as simple as placing an order.

What it means in practice:

What to do about it: If you use Shoptet, keep an eye on platform updates — Shoptet will likely roll out an official solution during 2025/2026. If you want to be ahead of the curve, build your own form and connect it to the customer account.

Why it came about: Just like the "order button" amendment, this too is a response to friction-as-dark-pattern — deliberately complicating the withdrawal process. When you force a customer to phone, send a letter or fill in paper forms, you're exploiting the fact that, according to prospect theory (Kahneman & Tversky, 1979), people would rather accept a small loss than invest a lot of effort in avoiding it. The EU decided this psychological pressure should stop in the B2C environment.

8. The Green Claims Directive (from 09/2026)

The end of greenwashing. Unverifiable environmental claims are banned — the likes of "ecological," "kind to nature," "sustainable," "bio-friendly," "eco-friendly."

What will be prohibited

What will be mandatory

What to do about it: Go through your whole site and every product description. If you use words like "eco," "bio," "sustainable," "kind" — either you have proof for them, or you drop them. You have until 09/2026, but start now. Generic copy is hell to rewrite at the last minute.

Why the EU pushed exactly now: Greenwashing is one of the most effective forms of manipulation in today's retail. When a customer sees a green leaf on the packaging, the brain automatically fills in "greener" without checking anything specific. This is called the halo effect — a positive attribute (the colour green, the word "eco") spills positive judgement onto things that have nothing to do with ecology. Studies of the psychology of colour repeatedly document that products in green packaging tend to be perceived as healthier and gentler, even when their composition is in direct contradiction with that perception. The regulation is therefore not an attack on eco-marketing as such — it targets the abuse of intuitive associations.

9. PPWR — the Packaging and Packaging Waste Regulation (from 08/2026)

New requirements for product packaging. The aim is to reduce packaging waste and support recycling.

What changes

  1. Recyclability — all packaging must be recyclable.
  2. Material minimisation — you must not use more packaging material than necessary (a ban on excessive packaging).
  3. Packaging labelling — information about the material and how to dispose of it visibly on the packaging.
  4. A ban on certain plastics — single-use plastic packaging in certain categories.
  5. A percentage share of recycled material in plastic packaging.

What to do about it: Go through your packing materials. If you use excess plastic, polystyrene fillers, unlabelled boxes — start looking for alternatives. Recyclable paper, compostable fillers, minimalist boxes. Bonus: they also work as a brand statement (customers appreciate it), and combined with the peak-end rule (Kahneman, 2011) they improve the overall impression of the purchase — the moment of unboxing is the "end" of the customer journey and shapes the memory of the whole order.

10. The cookie bar and GDPR consents: the most common mistake

The cookie bar is not a "recommendation." It's a legal obligation with a fine from the ÚOOÚ (the Office for Personal Data Protection).

Rules the cookie bar must meet

  1. The "Reject all" button must be on the same level as "Accept all" — the same size, colour and placement. No tiny grey "reject" in the corner.
  2. No pre-ticked consents — the consent categories (analytics, marketing) must not be on by default.
  3. Granularity of consent — the user must be able to approve only certain categories (analytics yes, marketing no).
  4. The ability to change at any time — a "Cookie settings" link in the footer that reopens the bar when clicked.
  5. No measurement or marketing code may run before consent is given — a link to Google Consent Mode in GTM.
  6. Consent renewal — after 6–12 months you must ask the customer again.
  7. Consent logging — for auditing, you must keep a history of consents given.

Why these rules are so detailed: It's a fight against default bias. Richard Thaler and Cass Sunstein, in Nudge (2008), showed with the classic example of organ donation how powerful the default setting is. In Germany (opt-in) 12% of the population are donors. In Austria (opt-out) it's over 99%. The same people, the same cultural values — a different default. When a site operator had the option of pre-ticked consents, practically all users approved them, because changing a preset state takes effort. The EU banned this pressure on privacy.

The path in Shoptet

`Nastavení → Základní nastavení → Cookies` (Settings → Basic settings → Cookies; in some admin versions also available under Nastavení → Vzhled a obsah → Cookies)

Choose the "Zákonné znění" (Legal wording) variant, NOT "Informační" (Informational). The informational variant is merely informative and, on its own, does not meet GDPR requirements. Activate the integration with Google Consent Mode so that measurement code only runs after consent is given.

Penalty: The ÚOOÚ enforces GDPR, whose framework sets penalties of up to 20 million EUR or 4% of a company's global annual turnover for serious breaches (for less serious ones, 10 million EUR or 2%). In the Czech context the ÚOOÚ calibrates fines to the specific case, but in practice it's in the order of single-digit to tens of millions of CZK — and for large players it can go far higher.

11. What has to be in the footer and contact details

A simple list of what must be visibly present on the site:

This density of information isn't a formality. It's a test of the identifiability of the seller, which is now protected by regulation across the EU. By law, the customer is entitled to know who they're dealing with, where to find the company, and how to sue it if it comes to that. Without these details, you're a suspicious entity in the eyes of a regulator.

Pre-launch checklist for an online store

Point by point — go through it and tick it off. If you're missing something, don't launch.

The full series: How to start an online store in 2026

This article is part of a seven-part series on starting an online store in 2026. The other parts:

FAQ

What are the penalties for a discount promotion using a fake "original" price?

A fine from the Czech Trade Inspection (ČOI) ranging from 10,000 CZK (≈ €400) to 5,000,000 CZK (≈ €200,000), depending on severity and the size of the store. For repeat offences it typically lands in the tens to hundreds of thousands of CZK. On top of that you have to pull the promotion and correct it, which often means recalculating orders and issuing refunds.

Do I have to have verified reviews?

If you publish reviews, you must have a verification system (for example via Heureka, Google, Trustpilot or your own customer database) and clearly mark which reviews are verified and which are not. Publishing fabricated reviews or hiding negative ones is prohibited, and ČOI actively checks for it.

When does accessibility for online stores come into force?

The Accessibility Act (implementing the EAA Directive 2019/882) applies from 28 June 2025 to all online stores trading in the EU. Your store must meet the WCAG 2.1 AA standard — sufficient contrast, alt text on images, keyboard operation, structured headings. The only exemption is for micro-enterprises with fewer than 10 employees and under €2M turnover.

What is the "order button" amendment?

An amendment to the Czech Civil Code in force since 1 January 2023: the button that completes an order (at the end of checkout) must be labelled with the wording "Objednávka zavazující k platbě" (Order obliging payment) or a similarly unambiguous formulation. A generic "Submit" or "Confirm" can be grounds for an invalid contract and a fine.

Is the default cookie bar from the Shoptet template enough?

Shoptet's default bar is the bare minimum, but for full compliance with the Czech data protection authority (ÚOOÚ) and GDPR you need Consent Mode v2 (Google), a link to GTM, and an equal "Reject all" button next to "Accept all". A number of paid solutions (Cookiebot, CookieYes) handle this for €10–30 a month.