There’s something in your cart: an update on e-commerce in Saudi Arabia

Nick O’Connell - Partner, Head of Digital & Data - Saudi Arabia - Digital & Data

E-Commerce is continuing to grow in popularity in Saudi Arabia. While the pandemic is certainly a contributing factor, the increased efforts to regulate the sector can also take some of the credit.

Saudi Arabia’s Electronic Commerce Law (Royal Decree No. (M / 126) dated 7/11/1440H; 10 July 2019) has now been enhanced by the issuance of the Implementing Regulations to the E-Commerce Law (dated 19/5/1441H; 14 January 2020).

In this article, we elaborate on aspects previously addressed in our 2019 article Add to Cart: New E-Commerce Law in Saudi Arabia, and provide new information on provisions relating to the registration of e-commerce sites, authentication service providers, and intermediary platforms.


Registration of e-commerce sites

Entities with a Saudi commercial registration that are operating e-commerce sites must register the e-commerce site with the Ministry of Commerce in accordance with the Regulations. This includes sites that display or sell products, provide or advertise products or services, or exchange data in relation to product or services.

The registration requirements include details such as the name of the applicant, commercial registration details, activities carried out via the e-commerce site, and a description of the site and its address. There is a requirement to notify the Ministry if such details change, and to cancel the registration if the operation of the site for e-commerce purposes will be discontinued.


E-Commerce authentication providers

The Ministry will license ‘e-commerce authentication providers’. The exact role of such authentication providers is not entirely clear, but it is possible that ‘certification’ by a Ministry-approved e-commerce authentication provider will enhance the credibility of an e-commerce service provider’s website and operations. Authenticated e-commerce service providers must display the proof of such authentication on their e-commerce site, although there is no apparent requirement for e-commerce service providers to subject themselves to the authentication process.



The Ministry will also regulate platforms that act as intermediaries between service providers and customers. This includes any website or application that facilitates e-commerce transactions between e-commerce service providers and their customers. Examples given in the Regulations include platforms that provide online advertisement services, or that facilitate orders or payments.

The requirements that intermediaries must meet are diverse. Their application to intermediaries simply acting as a platform for others to buy and sell goods is somewhat straightforward. In contrast, where an intermediary does not provide such a sales platform, and instead simply provides advertising services or payment processing, the application of the intermediary requirements is less clear.


Information to be disclosed

An e-commerce site must disclose the service provider’s full name, address and contact information, commercial registration number and tax registration number (if registered). It must also include the applicable privacy policy, as well as the service provider’s mechanism for addressing customer complaints.

Information on the terms and conditions applicable to any contract to be entered between the service provider and the customer must also be provided. At a minimum, these must include:

  • how the contract will be concluded;
  • details of the subject goods or services;
  • information on any warranties;
  • the total cost to the customer, including the price of the goods or services, and all fees, taxes and additional amounts related to shipping/delivery;
  • details on how payment and delivery will be effected;
  • as applicable, information on termination mechanisms, requirements and costs, or information on restrictions on termination;
  • information on any after sales service; and
  • if applicable, information on the duration of the contract.

A receipt must be issued, and must include specific details. Along with the service provider and transaction information set out above, receipts must reflect information confirming the contract and date of execution, method of payment (and confirmation of full payment, if it has occurred), information on delivery (and scheduled dates) and tracking details, and a summary of any applicable replacement and refund provisions.

If the e-commerce site relates to a regulated activity, the service provider must provide details of the relevant licences or permits that it holds in order to practise such activity. This requirement is without prejudice to any other requirement that may apply to the specific regulated activity.



Advertising relating to e-commerce is considered to be binding, supplementary information to the contract between the e-commerce service provider and the customer.

It must include the name and contact details of the service provider, the name of the advertised product or service, and information on the product or service that allows the customer to make an informed decision, and a clear statement that the advertisement is an advertisement. It must also include a clear mechanism by which the recipient can opt-out from receipt of such advertisements in future; and service providers are required to comply with such requests.

Advertisements must not contain false displays, statements or misrepresentations (including material infringing third party trade mark rights) that may mislead or deceive customers. They must also comply with other legal requirements applicable to advertisements.


Correction of errors

Customers must have an opportunity to notify e-commerce service providers of errors in their communications with the service provider, and to correct those errors. In order to rely on this right, an error must be communicated to the service provider within 24 hours, and the customer cannot have utilised or benefitted from the service provider’s product.

If specified in the terms between the parties, e-commerce service providers may correct unintended errors in communications sent to customers. To rely on this right, the service provider must notify the customer immediately upon becoming aware of the error, and such notification must occur before the product is shipped or the service commenced. In the event of such an error, the customer can choose to proceed (presumably subject to the correction), or to cancel the contract and recover the costs incurred.


Personal data considerations

E-commerce service providers are prohibited from using personal data or electronic communications with customers for unauthorised purposes, or disclosing them to third parties, except with the consent of the customer or as otherwise required by law.

The type of personal data contemplated in the Regulations includes names and other identity information, addresses and contact numbers, account and bank card numbers, and photographs, although this should not be understood as an exhaustive list.

Unless the parties have agreed otherwise, a service provider cannot retain a customer’s personal data, except to fulfil the service provider’s obligations to the customer. The use of customer data for any other purposes, including retention as part of an ongoing relationship or for advertising or marketing purposes, requires the customer’s prior explicit consent.

There is an obligation on service providers to protect personal data of customers by applying technical and administrative measures commensurate with the nature of the data. (The National Cybersecurity Authority has also issued cybersecurity guidance applicable to e-commerce service providers and e-commerce customers.) A data breach mechanism is contemplated, and a short timeframe by which the responsible service provider must report any data breach incidents affecting personal data of customers.



E-Commerce customers are provided with a general right to terminate an e-commerce contract within seven days, provided the customer has not used the product or benefitted from the service. There are restrictions on this ability to terminate. These include: where the transaction relates to goods manufactured according to the customer’s specifications; where it relates to media such as video tapes, CDs, software, computer programs, newspapers, magazines; where the customer is responsible for a defect in the product; and where it relates to the provision of accommodation, transport or food services. There are also exceptions relating to goods, the nature of which might deteriorate in the period within which termination might otherwise be permitted; goods the nature of which is such that they cannot be re-sold due to health reasons; goods or services the nature of which they might be affected by continuous price volatility (such as gold); and goods sold by auction.

In the absence of an agreement to the contrary, customers will have a right to terminate in the event that goods are not delivered within 15 days from the date of the contract, or from the date on which it was otherwise agreed they were to be delivered. There is also an obligation on service providers to notify customers in the event of unexpected delays.


Next steps

E-commerce will continue to go from strength to strength in Saudi Arabia. The E-Commerce Law and its Regulations are not the only considerations. Besides the NCA’s cybersecurity guidelines for e-commerce (mentioned above), other authorities are getting involved to try to make sure that e-commerce services run safely and smoothly. One example is the CITC, the Saudi telecoms regulator, which is also responsible for aspects of the postal service. CITC is now licensing e-commerce logistics providers, seeking to ensure that those delivering e-commerce purchases are doing so safely. As the market develops, we expect that the application of the E-Commerce Law and its Regulations, and interplay between the different responsibilities of the various authorities, will continue to becomes smoother.


For further information, please contact Nick O’Connell (