Who contracts with whom? The agency question
Every other decision in the stack flows from one question: when a buyer checks out, who are they buying from? There are two clean answers, and the documents must commit to one of them.
Platform as counterparty
The platform sells in its own name and procures the goods or services from the seller behind the scenes. The buyer's contract is with the platform, so the platform is the "supplier" for CPA purposes — returns, refunds and the implied warranty of quality land on the platform, even for goods it never touches. Commercially cleaner for buyers; legally heavier for the platform.
Platform as intermediary
The platform introduces buyer to seller and facilitates the transaction; the sale contract forms directly between buyer and seller. The seller carries the supplier obligations for the goods or services, and the platform supplies its own, separate service — the marketplace itself — to both sides. Legally lighter for the platform, but only if the documents and the checkout experience actually say so.
The consequences run through the whole business. CPA liability: the supplier of record carries the consumer's return and warranty rights — choose the counterparty model and you choose where those land. Returns operations: whoever is the supplier must actually run a compliant returns process, so the model must match what your operations team can deliver. Money framing: whether the full sale price or only the commission runs through the platform's books depends on whether it sells as principal or facilitates as agent — the VAT treatment differs between the two, the framing must be consistent across the terms, the invoices and the accounting, and the specifics belong with your tax adviser.
One warning from practice: buyers assume they bought from the platform, whatever the terms say. A platform that wants intermediary treatment must earn it — the checkout flow, order confirmations, invoices and support scripts all have to tell the same story as the legal documents. A contract that says "intermediary" while the user experience says "retailer" will not hold the line when a dispute arrives.
The seller-side agreement: eight clauses
The seller (or provider) terms are the operational heart of the platform — they are signed once and govern thousands of transactions. The eight clauses that decide whether the document works:
Onboarding, eligibility + verification
Who may sell on the platform, what checks apply at sign-up (identity, business registration, sector licences where the category needs them), the seller's warranty that its information is accurate, the platform's right to re-verify, and what happens when verification fails.
Listing rules + content licence to the platform
Listing standards, prohibited items and accuracy obligations — plus the licence the seller grants the platform over listing content (images, copy, trade marks) for display, search, caching and marketing of the platform, and which uses survive delisting.
Commission, fees + payment flows
The commission basis (a percentage of what, exactly), when it accrues (order placed, order fulfilled, or returns window expired), payout cycles, and clawbacks for refunds and chargebacks. Where the platform collects buyers' money and remits it to sellers, payment-services regulation can be engaged — see the payments flag below; take specific advice before building collect-and-remit.
Ranking, search fairness + algorithm changes
How listings are ranked, whether placement can be bought (and how paid placement is disclosed), the platform's right to change ranking logic, what notice sellers get of material changes, and an express statement that no position is guaranteed.
Data access splits
Exactly which buyer data the seller sees — order-fulfilment fields are not the same as marketing-grade contact data — and on what POPIA footing it receives them. A seller using buyer personal information for its own purposes becomes its own responsible party, which the agreement must anticipate.
Suspension, termination + appeal
Grounds for suspension and removal (policy breach, fraud signals, IP complaints, repeated buyer disputes), when the platform must give notice versus act immediately, the effect on pending orders and funds in the payout pipeline, and an internal review or appeal path.
Liability allocation + seller indemnities
The seller warrants its goods and services and its compliance with applicable law (CPA, product safety, sector rules) and indemnifies the platform against claims arising from its listings. The platform, in turn, limits its liability for downtime, ranking changes and lost sales.
Restraints on circumvention
Off-platform dealing is the classic marketplace leak: buyer and seller meet through the platform, then transact around it. Anti-circumvention clauses — introduction fees, defined restraint windows — are workable, but must be proportionate to remain enforceable as restraints.
Buyer-side terms
The buyer terms have one non-negotiable job: transparency about the counterparty. Before checkout, the buyer must be able to tell who they are contracting with for the goods or services, and what the platform does and does not take responsibility for. In the intermediary model this is the platform's main liability firewall; in the counterparty model it is where the platform owns the relationship outright. Either way, ambiguity is resolved against the platform in practice — buyers, regulators and ombuds all default to "you bought it from the platform".
Where buyers are consumers, the CPA's return and warranty rights attach to the supplier of record. The buyer terms should route returns, refunds and quality complaints to the right party under the chosen model, and define the platform's facilitation role — most platforms run the refund money-flow even when the seller carries the legal obligation, and the terms should say so.
ECTA adds the electronic-commerce layer. Section 43 requires a supplier offering goods or services through an electronic transaction to disclose prescribed information — identity, address, price, payment and delivery terms among them. The platform makes those disclosures for its own role and service, and where sellers are the suppliers, the platform should bake the sellers' section 43 information into the listing template so compliance is structural rather than optional. Section 44 gives consumers a seven-day cooling-off right for electronic transactions, subject to the section 42(2) exclusions — which carve out, among others, perishables, personalised goods and accommodation, transport, catering or leisure services booked for a specific date or period. Booking platforms in particular should map their inventory against those exclusions rather than assuming cooling-off applies, or doesn't, across the board.
POPIA architecture for platforms
For the platform's own data — buyer and seller accounts, behavioural data, transaction records — the platform decides the purposes and means of processing, which makes it the responsible party. That carries the full set of POPIA duties: lawful grounds, section 18 notification (the privacy policy), section 19 security safeguards, and section 22 breach reporting. None of that can be contracted away to sellers.
The harder design work is the buyer-data flow to sellers. When a seller receives a buyer's details to fulfil an order, the seller starts making its own decisions about that data — which makes it a responsible party in its own right, not the platform's operator. That is a responsible-party-to-responsible-party disclosure, and the seller terms must do the work of a data sharing agreement: defined data fields, purpose limitation (fulfil the order — not build a marketing list), security minimums, and a prohibition on off-platform marketing to buyers without their own lawful basis. Platforms that hand sellers marketing-grade buyer data without those rails are gifting their most valuable asset and taking the regulatory risk for it.
A few flows run the other way: where the platform processes personal information purely on a seller's instructions — hosted CRM features, for instance — the platform is acting as that seller's operator, and POPIA section 21 requires written operator terms for that slice of processing. The architecture exercise is mapping each data flow to the right classification, then making sure the document stack matches the map.
Platform liability for seller conduct
A platform is not automatically liable for everything its sellers do — the starting framing is that of an intermediary hosting third-party commerce. But the position degrades with involvement: a platform that takes title to goods, sets prices, badges listings as verified or curated, or presents itself as the seller pulls the sellers' conduct toward its own balance sheet. The contract layer manages the residual exposure — seller warranties of legality and safety, indemnities for claims arising from listings, and fast unilateral takedown rights — but the structural protection comes from the platform behaving like the intermediary its documents describe.
For unlawful content — counterfeit listings, infringing images, defamatory reviews — ECTA's Chapter XI safe harbour gives service providers limited liability for material they merely transmit, cache or host. In plain terms: the platform is not treated as the publisher of seller content it passively hosts, and it has no general duty to monitor everything sellers upload. The protection is conditional, though — it attaches to providers that belong to a recognised industry representative body (in practice, ISPA) and that act expeditiously on a proper takedown notification under section 77. A marketplace that wants the safe harbour should join the recognised body, run a real takedown channel, and mirror the takedown mechanics in its seller terms so that removing a listing is always also a clean contractual right.
Frequently asked
Is the platform liable for what sellers sell?
Not automatically. In the intermediary model the sale contract is between buyer and seller, and the seller carries the supplier obligations for the goods or services. But the platform's exposure rises with its involvement: holding itself out as the seller, taking title to stock, badging listings as endorsed or curated, or controlling pricing all pull liability toward the platform. The contract layer manages the residual risk — seller warranties, indemnities for claims arising from listings, and robust takedown rights — but it cannot override how the platform actually behaves toward buyers.
Do we need CPA compliance if we are just an intermediary?
Yes — being an intermediary narrows CPA exposure, it does not eliminate it. The platform still supplies its own service (the marketplace) to consumers, and that service is itself subject to the CPA where buyers are consumers. The CPA also deals specifically with intermediaries, including disclosure and record-keeping duties, and the marketing rules apply to how listings are presented. What the intermediary model does shift is the supplier-side obligations for the underlying goods — returns, refunds and the implied warranty of quality — onto the seller, provided the documents and checkout flow make the counterparty clear.
Can we hold buyer payments and pay sellers out ourselves?
Treat this as a regulatory question, not just a banking one. Collecting buyers' money and remitting it to sellers — collect-and-remit — can engage South Africa's payment-services framework, which regulates accepting payments on behalf of third persons. Many platforms structure around this by running the flow through a licensed payment service provider or aggregator that handles the splits, rather than holding the funds themselves. The analysis is fact-specific (who holds the money, for how long, in whose name), so take specific payments advice before building the flow — retrofitting a payment architecture after launch is expensive.
Who owns the platform data?
Three layers, three answers. Listing content (images, copy) stays the seller's, licensed to the platform on the terms of the seller agreement. Aggregated and derived data — sales trends, search behaviour, performance analytics — is typically claimed by the platform in its terms, and that allocation is one of the most commercially valuable clauses in the stack. Personal information is not "owned" by anyone: POPIA governs what each party may do with buyer and seller data regardless of what the contract says, which is why the data-access split in the seller terms must track the POPIA analysis, not just commercial preference.
How do ECTA takedown notices work for a marketplace?
Chapter XI of ECTA gives service providers limited liability for unlawful content they transmit, cache or host — but the safe harbour is conditional. It protects providers that belong to a recognised industry representative body (in practice, ISPA) and that act expeditiously to remove or disable access to hosted content on receiving a proper takedown notification under section 77. Marketplaces hosting seller listings should join the recognised body, run a formal takedown channel for IP and unlawful-content complaints, and mirror the takedown mechanics in the seller terms so removal is also a clean contractual right.
What should the commission clause actually cover?
More than the percentage. It should define the base (gross sale price, net of delivery, inclusive or exclusive of VAT), the accrual trigger (order placed, fulfilled, or returns window expired — each shifts refund risk differently), payout timing and cycles, clawback mechanics for refunds and chargebacks, set-off rights against future payouts, and how fees may change (notice period, and whether continued listing constitutes acceptance). Vague commission clauses are the single most common source of platform-seller disputes.
Why do buyer-side terms need to say who the counterparty is?
Because everything downstream depends on it. If the buyer is told — clearly, before checkout — that the sale contract is with the seller, then CPA returns and warranty claims route to the seller, and the platform's role is facilitation: hosting the listing, processing the order, and (usually) handling the refund mechanics through its payment flow. If the terms are silent or ambiguous, the buyer's reasonable impression fills the gap, and buyers almost always assume they bought from the platform. Transparency here is both a CPA fairness issue and the platform's main liability firewall.
What does a marketplace legal stack cost in SA?
From R18,000 for the core stack: seller or provider terms, buyer-facing terms, and the platform rules and policies they incorporate. Pricing scales with payment-flow complexity (collect-and-remit structures need payments analysis), the POPIA architecture (data-sharing terms for sellers, operator terms for vendors), and whether the platform spans multiple categories with different regulatory overlays.