Irish SME
Website Legal Pages: What Every Irish Business Needs Beyond a Privacy Policy

Every WordPress site I have ever audited has a Privacy Policy. Most of them are decent. GDPR forced that discipline on the entire internet, and business owners got used to having one.
Far fewer have Terms and Conditions. Fewer again have a Returns or Refund Policy that says anything specific. Sitting down to write this, the question that keeps coming up in conversations with business owners is a simple one: can a customer legally return a made-to-order item just because they changed their mind? The honest answer is that it depends entirely on what your Terms and Conditions say, and most sites do not have any.
That gap is not a technical problem. Web60 gives every customer full WordPress access from day one, so adding a page takes minutes. The gap is that nobody told these business owners which pages they actually need, what each one has to say, and that a genuinely new EU requirement landed on 19 June 2026 that most Irish site owners have not heard about yet.
The Four Pages, and What Each One Actually Does
Business owners tend to lump these together as "legal stuff." They are not interchangeable. Each one answers a different question, and a customer dispute usually hinges on exactly which page should have covered it.
| Page | What It Actually Covers | Legal Basis | Where Sites Fall Down |
|---|---|---|---|
| Privacy Policy | How you collect, use, and store personal data | GDPR | Rare gap, most sites have one |
| Terms and Conditions | The contract terms of buying from you or using your site | Consumer Rights Act 2022 | Very common gap |
| Returns and Refund Policy | Cancellation rights, cooling-off period, refund timelines | Consumer Rights Directive | Almost always missing or vague |
| Cookie Policy | What tracking technology runs on the site and why | ePrivacy rules | Often present but generic, copy-pasted |
What a Privacy Policy Does Not Cover
A Privacy Policy exists to answer one question: what happens to a visitor's personal data. Name, email, IP address, anything collected through a contact form or a checkout. That is its whole job under GDPR, and it is a genuinely important document.
What it does not do is tell a customer what they are entitled to if a product arrives damaged, if they change their mind about a purchase, or what your business actually promises when someone hands over payment. Those are contract questions, not data protection questions, and they sit in a completely different document. Cookie consent is a related but separate question again, governed by ePrivacy rules rather than GDPR itself, and worth its own short page rather than a line buried inside the Privacy Policy.
Conflating the two is the single most common mistake I see. A business owner assumes GDPR compliance means they are covered. It means they are covered for one specific thing.
Terms and Conditions: What CCPC Actually Requires
The Competition and Consumer Protection Commission is Ireland's enforcement body for this, and its guidance is specific about presentation, not just content. Terms have to be in plain, understandable language, clearly presented, and not hidden in small print. New or complex terms need to be brought to a customer's attention rather than assumed. Cost-related terms, cancellation charges especially, have to be clearly explained rather than implied [1].
In practice, that means your Terms and Conditions should state, in language a customer can actually read without a solicitor:
- Your business name and registered address
- What you are selling and how it is described
- Pricing, payment methods, and any additional charges
- When and how the contract terms can change
- How disputes get handled
So what does that mean for a business owner who has never written one of these? It means the Terms and Conditions page is the document a customer, or a CCPC investigator, points to first if there is a dispute about what was promised. No page, no defence. A vague page, a weak defence. This is not the section to skip because it feels like paperwork.
The Fourteen-Day Cooling-Off Period Most Owners Get Wrong
Under the Consumer Rights Directive, anyone buying online in Ireland has a right to cancel within fourteen days, starting from when they receive the goods or agree a service contract, without giving a reason [2]. That right exists whether your Terms and Conditions mention it or not. What changes is whether your customers, and CCPC, can see that you understand it.
Refunds have to be processed within fourteen days of the cancellation, using the same payment method the customer originally used, unless they agree otherwise. There are real exclusions. Made-to-order and personalised goods are generally outside the standard cooling-off right, along with a handful of specific categories like sealed goods that cannot be returned for health reasons once unsealed.
Picture a custom furniture maker in Roscommon who spends a week going back and forth with a customer who ordered a made-to-measure hall table and then decided, after delivery, that they preferred a different finish. Under consumer law, personalised goods made to a customer's specification are generally exempt from the standard right to cancel. But that exemption only protects the business if it was stated clearly before the order was placed. Silence does not count as a defence. It counts as a business that will spend a week arguing about something a single sentence on a Returns page would have settled in advance.
A sync reality check worth having: a Returns Policy tells a customer what they are entitled to. It does not stop them from asking anyway, and it does not stop CCPC from getting a complaint if your wording is ambiguous. The policy sets the terms of the argument. It does not make the argument disappear.

The New Withdrawal Button Requirement Nobody Told You About
This is the part most Irish business owners genuinely have not heard, and it is not hypothetical. From 19 June 2026, EU Directive 2023/2673 requires any trader selling to EU consumers through a website or app to provide a prominently displayed, easy-to-find online withdrawal function, commonly called the withdrawal button, so a customer can cancel a distance contract directly through the site rather than by phoning or emailing [3].
The button has to be labelled with clear wording such as "withdraw from contract here," has to stay available throughout the fourteen-day period, and has to let the customer identify which order they are cancelling and confirm the request. The trader then has to send an acknowledgement, by email or another durable record, showing the date and time it was received.
I would treat this the way I treat any new regulatory deadline: assume enforcement takes a while to bite, and build the compliant version anyway, because the penalty for not having it is not proportionate to the effort of adding it. Miss the requirement, and the standard fourteen-day cooling-off period can extend to twelve months and fourteen days for that customer. That is not a fine. That is an open-ended cancellation window on every affected sale.
For most businesses reading this, the fix is a dedicated, clearly linked cancellation page or form with a properly labelled button, not a software project. If you are running a straightforward WooCommerce shop, this is an afternoon's work, not a development sprint.
What It Costs You When These Pages Do Not Exist
None of this shows up as a crisis on a Tuesday morning. It shows up as a drawn-out email thread, a chargeback the business cannot contest because there is nothing in writing to point to, or a CCPC complaint that could have been closed with one link to a clear policy page. CCPC's own 2025 helpline figures show contacts about online purchases up 14% year on year, with faulty goods and service issues topping the list of concerns for the fifth year running [4]. None of that requires a business to have done anything wrong. It just requires a customer who is unsure of their rights, and a business with nothing written down to settle the question quickly.
The businesses that get hurt worst are the ones selling anything even slightly bespoke: signage, print, furniture, catering for events, anything made to order. Those are exactly the businesses with a genuine exemption to claim, and exactly the businesses least likely to have written it down anywhere a customer or CCPC would look.
Where to Actually Publish These Pages
This is where the WordPress side of this stops being complicated. These should be dedicated pages, not a paragraph buried in a PDF attachment nobody opens. Deploy each one as its own page with its own URL: /terms-and-conditions, /returns-policy, /privacy-policy, /cookie-policy. Link all four from your site footer so they are visible on every page, and link the returns policy specifically from your checkout or booking flow, where a customer is actually thinking about cancellation terms. It is the same instinct that leaves an About page reading like a CV instead of building trust: assume the page is complicated to write, then avoid writing it at all.
If managing your own WordPress site still sounds like a job for a developer, it is not. Web60's WordPress dashboard gives you full page-building access from the day your site goes live. There is no ticket to raise and no waiting on an agency's change-request queue to add a page like this. You draft it, publish it to production, and it is live. If you are still at the stage of getting a compliant site live in the first place, Web60's AI website builder gets you a working WordPress site in under a minute, ready for you to add these pages yourself from day one. That matters more than it sounds, because these are pages business owners tend to put off precisely because they assume it requires a developer.
Getting Your Legal Pages Live in an Afternoon
Draft each page separately. Do not combine Terms and Conditions with your Returns Policy in one wall of text. Separate pages are easier for a customer, and for CCPC, to find the specific answer they need.
Verify against your actual business model. A template written for a general retailer will not correctly describe a made-to-order furniture business or a service booked by appointment. Check every clause matches what you actually sell and how you actually deliver it.
Publish as dedicated pages, not attachments. Each policy gets its own URL and its own entry in your site's page list, not a PDF link or a paragraph inside another page.
Link from the footer and the checkout. Every page footer should carry all four links. The Returns Policy specifically needs a link at the point of purchase, not just in the footer.
Review annually, or after any change to what you sell. A Returns Policy written for a product range you no longer stock is worse than no policy at all, because it actively misleads.

Conclusion
A Privacy Policy was never designed to answer what happens when a customer wants their money back. Treating it as a stand-in for Terms and Conditions and a Returns Policy leaves a business arguing every dispute from scratch, with nothing written down to point to. None of these pages require a redesign or a developer. They require an afternoon, a clear head about what you actually sell, and a decision to stop treating them as optional. For anything with real financial exposure, a short conversation with a solicitor before you publish is worth having. For everything else, get the pages live and move on.
Frequently Asked Questions
Do I legally need Terms and Conditions on my business website?
If you are selling goods or services, yes. CCPC guidance requires that terms covering price, payment, and cancellation be presented clearly to consumers before purchase. There is no fixed legal template, but the information has to exist somewhere a customer can find it.
What is the difference between a Privacy Policy and Terms and Conditions?
A Privacy Policy covers how you handle personal data under GDPR. Terms and Conditions cover the contract itself: what you are selling, at what price, under what conditions, and how disputes are handled. They answer different questions and neither one substitutes for the other.
How long is the cooling-off period for online purchases in Ireland?
Fourteen days from the date the goods are received, or from when a service contract is agreed. The customer does not need to give a reason. Refunds must generally be processed within fourteen days of the cancellation, using the original payment method.
Can a customer return a made-to-order or personalised item?
Generally not under the standard cooling-off right, but that exemption only holds up if it was clearly stated to the customer before the order was placed. If your Returns Policy does not mention it, do not assume the exemption protects you.
What is the new EU withdrawal button requirement?
From 19 June 2026, businesses selling to EU consumers online must provide a clearly labelled, easy-to-find withdrawal function so customers can cancel a contract directly through the website. Missing it can extend a customer's cancellation window well beyond the standard fourteen days.
Do service-based businesses need a Returns Policy, not just product sellers?
Yes. The cooling-off right applies to service contracts agreed at a distance too, not only physical goods. A consultant, a photographer, or a tradesperson taking bookings online should state cancellation terms just as clearly as a shop selling products.
Sources
Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.
More by Graeme Conkie →Ready to get your business online?
Describe your business. AI builds your website in 60 seconds.
Build My Website Free →More from the blog
A Second Location Doubled Her Business. Her Website Still Only Had One.
A Westmeath physiotherapist opened a second clinic. Her second-location website still had one address. Here's what actually needs to change.
The European Accessibility Act Is One Year Old. Most Irish Business Websites Are Still Not Compliant.
The EAA came into force in Ireland on 28 June 2025. Is your business website compliant? Here is what the law actually requires and where to start.
