One law governs every online sale you make in Malaysia.
Most sellers never read it. But the Electronic Commerce Act 2006 determines when your orders become binding, what you must disclose before checkout, and what rights a customer has when they order the wrong thing.

What Is the Electronic Commerce Act 2006 (Act 658)?
The Electronic Commerce Act 2006 (Act 658) is Malaysia’s foundational law for digital transactions. It gives online contracts, electronic signatures, and digital records the same legal standing as paper documents, and sets the rules for when and how contracts form in ecommerce. The Act came into force on 19 March 2007 and covers all commercial transactions conducted through electronic means in Malaysia.
Before this law, there was genuine legal uncertainty about whether a contract formed via email or a website checkout was enforceable in Malaysia. Act 658 resolved that question.
The Electronic Commerce Act covers four core areas relevant to online sellers:
- Legal validity of electronic records — digital contracts, order confirmations, receipts, and business records are admissible as evidence in Malaysian courts
- Contract formation rules — when exactly an online sale becomes legally binding on both parties
- Automated transaction rules — contracts formed through checkout systems are valid without a human reviewing each order
- Error correction rights — what a customer can do when they make a material mistake in their order
What the ECA does not cover: data privacy (governed by PDPA Malaysia), consumer protection disclosure requirements (Consumer Protection Act 1999 and the Consumer Protection (Electronic Commerce) Regulations 2012), or digital signatures between businesses (Digital Signature Act 1997, Act 562).
Think of the ECA as the legal plumbing behind every online sale — invisible when it works correctly, and very visible when a dispute arises.
When Does an Online Order Become a Binding Contract?
Under the Electronic Commerce Act 2006, your product listing is not a binding offer. It is an invitation to treat. The customer makes an offer when they click “Place Order.” You accept that offer when you send an order confirmation or process payment. Until you confirm, you are not legally obligated to complete the sale at the listed price or at all.
This distinction matters. If you accidentally list a product at RM 25 instead of RM 250 and customers order before you catch it, each order is only an offer. You have not accepted. You can legally cancel, issue a clear notice, and correct the price.
The moment you send an order confirmation or charge a customer’s card, the contract is formed. Cancelling after that point creates consumer protection liability.
The same principle applies to automated checkout systems. When a customer orders through your website with no human monitoring, that operates as an automated message system under the ECA. Contracts formed through automated systems are valid — but the invitation-to-treat rule still applies. The confirmation, not the listing, is your acceptance.
| Contract Stage | Legal Status | What It Means |
|---|---|---|
| Product listing on website or app | Invitation to treat | Not binding — pricing errors can be corrected |
| Customer clicks “Place Order” | Customer’s offer to buy | Not yet binding on the seller |
| Order confirmation sent or payment charged | Contract formed | Binding — cancelling creates liability |
| Dispatch confirmation sent | Contract being performed | Obligation to deliver is activated |
Interpretation based on Electronic Commerce Act 2006 (Act 658), read together with the Contracts Act 1950 (Act 136).
If your checkout automatically sends a confirmation the moment payment is processed, your window to cancel a mispriced order closes at that point. Review your order flow so confirmations go out after a system check, not before.

What Disclosure Obligations Do You Have Before a Customer Pays?
The Consumer Protection (Electronic Commerce) Regulations 2012, made under the Consumer Protection Act 1999, require Malaysian online sellers to display seven categories of information before a customer completes a purchase. Missing any of these disclosures is a regulatory risk — and places you at a disadvantage in any consumer dispute. These apply to direct website sales and are considered best practice for marketplace sellers.
The ECA sets the legal framework for how electronic contracts operate. The what (the specific information you must show customers) comes from the Consumer Protection (Electronic Commerce) Regulations 2012.
Here is what must be accessible to customers before they click the final purchase button:
1. Seller identity — Registered business name (SSM-filed), physical address, and email or mailing address. A WhatsApp number alone is insufficient.
2. Product description — Sufficient detail for an informed decision. Size guides for clothing, model numbers and warranty terms for electronics. “High quality” is not a description.
3. Full price — Including SST (if registered), platform fees passed to customers, and delivery charges. No surprise fees at the payment step.
4. Payment terms — Accepted methods, when charges apply, and any BNPL or instalment conditions.
5. Delivery terms — Estimated timeframe, coverage area, and conditions that may affect fulfilment.
6. Return policy — Visible before purchase. A return policy not disclosed before checkout is difficult to enforce under Malaysian consumer protection law.
7. Dispute resolution — How customers can raise complaints and how you will handle them.
For marketplace sellers on Shopee, Lazada, or TikTok Shop: the platform covers many of these disclosure requirements through its infrastructure. Your product listing content — particularly the description, return policy note, and seller information — remains your responsibility.
Can a Customer Cancel an Order Because of Their Own Mistake?
Yes. The Electronic Commerce Act 2006 gives customers the right to withdraw from an electronic transaction if they made a material error (such as the wrong product or quantity), provided they notify you as soon as they discover the error and have not yet received any benefit from the transaction. This right sits above your stated refund policy for immediate order mistakes.
This is one of the most practically misunderstood provisions of the ECA.
A customer orders 10 units of a phone case when they meant to order 1. They realise immediately. Under the ECA, they must notify you as soon as possible and must not have already received any benefit. If both conditions are met, they are entitled to withdraw.
A blanket “no refunds after order placement” policy does not override this right for immediate checkout mistakes. You can still apply your usual return policy for change-of-mind or post-delivery situations. But the ECA covers mistakes made during the automated checkout — before any fulfilment.
This provision applies to automated transactions — website and app orders processed without a human reviewing each one. For human-assisted sales (WhatsApp or phone), the customer had the opportunity to confirm before committing, so the provision is less directly applicable.
The practical fix: add an order review screen showing product, quantity, and total before the payment button. Customers who verify before confirming have no grounds to claim an ECA error right.

How Long Must You Keep Electronic Order Records?
The Electronic Commerce Act 2006 establishes that electronic records have the same legal standing as paper documents for record-retention purposes, meaning you do not need to print and file physical order records. The retention period itself is governed by tax law: the Income Tax Act 1967 and Customs Act 1967 both require business records to be kept for a minimum of 7 years.
This matters across three areas:
Tax audits. LHDN can audit records up to 7 years back. If you cannot produce order histories or supplier invoices, you face potential reassessment and penalties. Platform exports from Shopee or Lazada Seller Centre, or accounting software exports, satisfy this requirement.
Consumer disputes. The Consumer Claims Tribunal handles disputes typically filed within 3 years per the Limitation Act 1953. Without an order record, you have no evidentiary basis.
PDPA compliance. The 7-year retention period is generally accepted as consistent with the PDPA Retention Principle for transaction records. After that period, records containing personal data should be deleted or anonymised.
| Record Type | Acceptable Format | Retention |
|---|---|---|
| Order confirmations | Platform CSV export, email PDF | 7 years (Income Tax Act 1967) |
| Payment receipts | Stripe/iPay88 statements, bank records | 7 years (Income Tax Act 1967) |
| SST records (if registered) | MySST system exports | 7 years (Customs Act 1967) |
Sources: Income Tax Act 1967 (Act 53), Section 82; Customs Act 1967 (Act 235). Electronic records accepted per Electronic Commerce Act 2006 (Act 658).
Cloud accounting software and marketplace seller portals satisfy the ECA’s recognition of electronic records. There is no legal requirement to print paper copies.
What Happens When You and a Customer Dispute the Contract Terms?
When contract terms are disputed in an online sale under Malaysian law, the courts and the Consumer Claims Tribunal apply the Electronic Commerce Act 2006 together with the Contracts Act 1950. The terms displayed to the customer at the time of the transaction govern (not terms updated afterwards, and not terms buried in a separate PDF that was not clearly presented during checkout). Click-wrap agreements, where a customer checks “I agree to Terms,” are enforceable if the terms were accessible and the acceptance was clear.
Most ecommerce disputes are handled through the Consumer Claims Tribunal Malaysia (CCT), which resolves consumer disputes up to RM 50,000 at low cost to both parties. The same legal principles apply regardless of the venue.
Three common gaps that create liability:
Terms updated after a sale — Existing orders are governed by the terms in place when the order was placed. The ECA records the timestamp of electronic messages. Retroactive policy changes do not apply to completed transactions.
Terms not accessible at checkout — If your Terms and Conditions are not linked during checkout, a customer can argue they never formed part of the contract. Terms you rely on must have been accessible to the other party at the time of contracting.
Conflict between listing and terms document — If your listing says “free returns within 14 days” but your Terms say “all sales final,” the listing language typically prevails. Consistent terms across product page, checkout, and confirmation email remove this risk.
Make your core terms visible during checkout, not only in a linked PDF. Archive screenshots of your checkout pages periodically so you have evidence of the terms in place at the time of any disputed transaction.
For sellers who receive formal complaints, understanding how PDPA enforcement works in Malaysia provides useful context for the pattern regulators follow when assessing whether disclosures were made adequately.
For sellers new to the broader compliance picture, the Consumer Protection for Ecommerce Malaysia guide covers how the Consumer Protection Act 1999 operates alongside the ECA.
Last verified: June 2026. Regulations change — verify current requirements at the Malaysian Laws Online portal maintained by the Attorney General’s Chambers.

Frequently Asked Questions
Does the Electronic Commerce Act 2006 apply to Shopee and Lazada sellers in Malaysia?
Yes. Act 658 applies to any commercial transaction through electronic means in Malaysia, including marketplace sales on Shopee, Lazada, and TikTok Shop. Both direct website sellers and marketplace sellers are subject to the Act’s rules on contract formation, order confirmations, and customer error correction rights.
When does a binding contract form in an online sale under Malaysian law?
Under the Electronic Commerce Act 2006, a contract forms when the seller accepts the customer’s offer, typically when you send an order confirmation or process payment. The product listing is an invitation to treat, not a binding offer. A pricing error does not automatically bind you to sell at the incorrect price, provided you cancel before confirming the order.
What are the penalties for Consumer Protection Act violations in Malaysia?
Under the Consumer Protection Act 1999 as amended, corporations that breach consumer protection provisions — including the electronic commerce disclosure regulations — face fines up to RM 250,000 per offence for repeat violations, per the Malaysian Ministry of Domestic Trade and Cost of Living (KPDN). Individual directors can face personal fines and potential imprisonment for deliberate breaches.