Introduction
Starting June 19, 2026, every online shop and digital service operating in Germany that concludes B2C distance-selling contracts through a website or app must provide an electronic cancellation function - the Widerrufsbutton. The legal basis is § 356a BGB, which transposes Article 11a of EU Directive 2023/2673 into German law. Non-compliance exposes businesses to fines of up to 4% of annual turnover and costly warning letters from competitors.
In our work with German mid-market clients, we have noticed a recurring misunderstanding: many teams assume the Widerrufsbutton is just a UI element - something a designer adds in an afternoon. It is not. It is a full end-to-end compliance process covering UX flow, backend infrastructure, email delivery, audit logging, and updated legal texts. This article explains exactly what the law requires, who is affected, what typical implementation mistakes look like across Shopware, WooCommerce, Shopify, Magento, PrestaShop, and Laravel setups, and how we approach the work with clients.
What the Widerrufsbutton Law Requires - and Why June 19, 2026 Matters
The Widerrufsbutton is a legally prescribed electronic withdrawal function that allows consumers to cancel distance-selling contracts with a few clicks - without phone calls, email to a support inbox, or paper forms. § 356a BGB, effective June 19, 2026, makes this function mandatory for all covered businesses. The concept is directly modeled on the Kündigungsbutton introduced under § 312k BGB in 2022, which required a similar one-click cancellation mechanism for ongoing subscriptions - a rule that reshaped how German e-commerce handles subscription termination.
The European origin of the rule is important context. Directive (EU) 2023/2673 required EU member states to transpose Article 11a into national law by December 19, 2025, with application beginning June 19, 2026. Germany's implementing statute is the "Gesetz zur Änderung des Verbrauchervertrags- und des Versicherungsvertragsrechts." The six-month gap between transposition deadline and application date gives businesses time to implement - but that window is closing.
One of the most common questions we hear from clients is: "Does this actually apply to us?" The table below covers the three key criteria:
| Criterion | Covered (Yes) | Not covered (No) |
|---|---|---|
| B2C relationship | You sell to consumers (private individuals) | Pure B2B only, no consumer sales at all |
| Distance-selling contract via online interface | Orders placed through website, web app, or mobile app | Contracts concluded exclusively in person or by telephone |
| Statutory right of withdrawal applies | Standard physical goods, digital content, SaaS subscriptions, streaming, memberships | Custom-made goods, perishables, hygiene items with broken seal, fixed-date tickets |
If all three answers are "yes," the obligation applies - regardless of company size or annual revenue. There is no SME exemption.
Who § 356a BGB Covers - Scope, Edge Cases, and Exceptions
§ 356a BGB applies to all businesses that conclude B2C distance-selling contracts via an "online user interface" - defined broadly as software, including websites or parts of websites, and apps. This means a physical goods shop, a SaaS subscription service, a streaming platform, and a digital content provider all fall under the same rule. Company size is irrelevant.
Who is affected
- Online shops selling physical or digital goods to consumers in Germany
- Subscription and SaaS services with monthly or annual billing plans available to private users
- Streaming and membership platforms where consumer access is sold via a website or app
- Hybrid B2B/B2C shops - the obligation applies to the B2C portion of their business
Statutory exceptions - no withdrawal right, no button required
- Custom-made goods produced to consumer specification
- Perishable goods that deteriorate rapidly
- Hygiene products where the seal has been broken after delivery
- Event tickets, transport bookings, or hotel reservations for a fixed date or period
- Contracts concluded exclusively in a physical store or by telephone with no online interface involved
Edge cases that require careful analysis
Hybrid businesses present the most complex scenario. A company that sells primarily B2B but also allows consumer purchases on the same platform must implement the button for the B2C portion. Responsibility on marketplace platforms is similarly nuanced: depending on whether the marketplace itself or the individual seller concludes the contract with the consumer, the compliance obligation shifts accordingly. We have worked through both of these scenarios with clients - the answer always depends on the specific contract structure, not on a general rule of thumb.
What the Widerrufsbutton Must Do - the 4-Step Mandatory Process
§ 356a BGB prescribes a two-stage withdrawal process with a mandatory confirmation email. The law sets out specific requirements for each step, and deviating from this structure - even in seemingly minor ways - creates legal exposure. Here is the process as it must work:
The mandatory 4-step flow
- Step 1: The consumer clicks a clearly labeled entry point with the designation "Vertrag widerrufen" (or an equivalent formulation with the same meaning). This button must be "always available," "prominent," and "easily accessible" throughout the withdrawal period - not hidden in a footer link collection alongside the AGB and Impressum.
- Step 2: A form appears with the mandatory minimum fields: name of the consumer, data to identify the contract or contract portion (e.g., order number), and an electronic contact channel for the confirmation (typically email address).
- Step 3: The consumer clicks a second button labeled "Widerruf bestätigen" (confirm withdrawal) - this is the confirmation function required under § 356a(3) BGB. The two-step structure is intentional: it prevents accidental withdrawals while keeping the process accessible.
- Step 4: The merchant sends an Eingangsbestätigung (receipt confirmation) immediately - on a durable medium, which in practice means email - containing the content of the withdrawal, and the date and time of receipt.
| Legal requirement | Statutory basis | Practical implementation |
|---|---|---|
| Visibility and accessibility | § 356a(1) BGB | Permanent element in header or footer; not embedded in link collections |
| Two-stage process | § 356a(2)-(3) BGB | Entry button → form → confirmation button |
| Mandatory form fields | § 356a(2) BGB / Art. 11a(2) EU Directive | Name, contract identifier, email for confirmation |
| Receipt confirmation | § 356a(4) BGB | Immediate transactional email with timestamp of receipt |
| Accessibility without login | § 356a(1) BGB | Guest orders: order number + billing email, no forced registration |
Guest orders and the no-login rule
Consumers who placed a guest order must be able to use the withdrawal function without creating an account. Forcing registration is explicitly contrary to the purpose of the regulation, which is to reduce friction in the withdrawal process. The standard approach for guest order identification is a combination of order number and billing email address. This lookup must be rate-limited to prevent abuse - a technical detail that is often overlooked in initial implementations.
There is one meaningful exception to the no-login rule: if the contract itself was concluded only through a registered account (as is common in SaaS with mandatory registration), placing the withdrawal function inside the logged-in account area is acceptable. The key test is whether the consumer was required to have an account to form the contract in the first place.
Partial withdrawal (Teilwiderruf)
The law also contemplates scenarios where a consumer wants to withdraw from part of a contract - for example, returning two items from a five-item order. The withdrawal form should allow selection of individual contract components, not only all-or-nothing cancellation. This is a detail that many initial implementations miss, particularly on platforms where order line-item selection requires custom development.
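The two-stage flow, the partial withdrawal and the audit record described above, as an added platform-neutral model in Python; this is illustration written for this article, not code from Shopware, WooCommerce or any other platform named here. The class names, field names, the draft token and the sample order are all assumptions; guest identification (order number plus billing e-mail) is assumed to have happened before the form is shown.

```python
"""Two-stage withdrawal: form (step 2) -> confirm (step 3) -> receipt (step 4).
Added example with assumed names; not the code of any platform in the article."""
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets


@dataclass
class OrderLine:
    sku: str
    description: str
    quantity: int


@dataclass
class Order:
    number: str
    billing_email: str
    lines: list  # list[OrderLine]


@dataclass
class WithdrawalDraft:
    """Step 2 output: the form was submitted but not yet confirmed."""
    token: str
    order_number: str
    consumer_name: str
    contact_email: str
    selected_skus: tuple


@dataclass
class AuditEvent:
    """One line of the audit trail: what was withdrawn, when, and whether the
    Eingangsbestätigung went out."""
    received_at: datetime
    order_number: str
    consumer_name: str
    contact_email: str
    selected_skus: tuple
    email_dispatched: bool


class WithdrawalService:
    # Minimum fields under § 356a(2) BGB: name, contract reference, contact channel.
    MANDATORY_FIELDS = ("consumer_name", "order_number", "contact_email")

    def __init__(self, orders, clock=None):
        self._orders = {o.number: o for o in orders}
        self._drafts = {}
        self.audit_log = []
        # Injected clock so the receipt timestamp is testable; UTC in production.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def submit_form(self, form: dict) -> WithdrawalDraft:
        missing = [f for f in self.MANDATORY_FIELDS if not str(form.get(f, "")).strip()]
        if missing:
            raise ValueError("missing mandatory field(s): " + ", ".join(missing))
        order = self._orders.get(form["order_number"].strip())
        if order is None:
            raise ValueError("unknown contract reference")
        # Teilwiderruf: an explicit selection of line items, else the whole order.
        selected = tuple(form.get("selected_skus") or [l.sku for l in order.lines])
        if not set(selected) <= {l.sku for l in order.lines}:
            raise ValueError("selection references items not on this order")
        draft = WithdrawalDraft(secrets.token_urlsafe(16), order.number,
                                form["consumer_name"].strip(),
                                form["contact_email"].strip(), selected)
        self._drafts[draft.token] = draft
        return draft

    def confirm(self, token: str) -> AuditEvent:
        # Only the explicit "Widerruf bestätigen" click creates the withdrawal;
        # a token can be confirmed once.
        draft = self._drafts.pop(token, None)
        if draft is None:
            raise LookupError("no pending withdrawal for this token")
        event = AuditEvent(self._clock(), draft.order_number, draft.consumer_name,
                           draft.contact_email, draft.selected_skus, False)
        # Step 4: receipt with content and time of receipt, then log the dispatch.
        event.email_dispatched = self._send_email(draft.contact_email,
                                                  self.build_receipt(event))
        self.audit_log.append(event)
        return event

    @staticmethod
    def build_receipt(event: AuditEvent) -> str:
        return ("Eingangsbestätigung Widerruf\n"
                f"Vertrag: {event.order_number}\n"
                f"Widerrufene Positionen: {', '.join(event.selected_skus)}\n"
                f"Name: {event.consumer_name}\n"
                f"Eingang am: {event.received_at.isoformat(timespec='seconds')}\n")

    def _send_email(self, to: str, body: str) -> bool:
        # Stand-in for the platform mailer; a real one returns the provider's
        # accepted/queued status so the audit log records the actual outcome.
        return bool(to and body)


def demo():
    """Constructed sample: three-line guest order, two items withdrawn."""
    order = Order("DE-2026-0001", "kunde@example.com",
                  [OrderLine("SKU-JACKE", "Jacke", 1),
                   OrderLine("SKU-HOSE", "Hose", 1),
                   OrderLine("SKU-SCHAL", "Schal", 1)])
    fixed = datetime(2026, 6, 20, 9, 0, tzinfo=timezone.utc)
    svc = WithdrawalService([order], clock=lambda: fixed)
    draft = svc.submit_form({"consumer_name": "Max Mustermann",
                             "order_number": "DE-2026-0001",
                             "contact_email": "kunde@example.com",
                             "selected_skus": ["SKU-JACKE", "SKU-HOSE"]})
    return svc, svc.confirm(draft.token)


if __name__ == "__main__":
    service, ev = demo()
    print(WithdrawalService.build_receipt(ev))
```

The draft token is what ties step 2 to step 3: a consumer who abandons the form never produces a withdrawal, and a confirmation cannot be replayed because the draft is consumed on first use. The audit entry stores the dispatch result rather than assuming success, which is what an enforcement review will ask for when an Eingangsbestätigung is disputed.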
Common Implementation Mistakes - Fines, Warning Letters, and Extended Withdrawal Periods
Non-compliance with § 356a BGB carries two categories of risk: regulatory fines from the Bundesamt für Justiz, and private enforcement through Abmahnungen from competitors and trade associations. According to IHK Region Stuttgart, businesses with annual turnover above 1.25 million euros face fines of up to 4% of annual turnover; businesses below that threshold face fines of up to 50,000 euros. Enforcement is coordinated at the EU level under Regulation (EU) 2017/2394, with the Bundesamt für Justiz as the competent German authority.
The six most frequent implementation errors we see
- Login barrier: Requiring the consumer to log in before accessing the withdrawal function - directly violates § 356a(1) BGB for cases where no login was required to conclude the contract
- Button buried in link collections: Placing "Vertrag widerrufen" as a plain link in the footer alongside the AGB, Impressum, and Datenschutz - the law requires the button to be prominent and easily accessible, not visually indistinguishable from legal notice links
- Missing or broken Eingangsbestätigung: Failing to send the receipt confirmation immediately, sending it without the required timestamp, or not including the withdrawal content - all constitute violations of § 356a(4) BGB
- Outdated legal texts: The Widerrufsbelehrung and Datenschutzerklärung must be updated to reference the new electronic withdrawal function; failing to update them creates an independent legal violation
- No audit trail: Without logged records of each withdrawal event (timestamp, content, contract reference), the merchant cannot demonstrate compliance in enforcement proceedings
- No abuse protection for guest access: Without rate limiting on the guest order lookup, the form becomes a vector for order reconnaissance or spam withdrawal attempts
The extended withdrawal period risk
This risk is less discussed but potentially the most damaging. If the Widerrufsbelehrung contains errors or is missing required references to the new withdrawal mechanism, the statutory 14-day withdrawal period can extend to up to 12 months and 14 days. That means consumers could theoretically withdraw from contracts placed shortly after your June 19, 2026 go-live for over a year. Correct legal texts are not optional.
What Needs to Change on Your Website and in Your Backend
A compliant Widerrufsbutton implementation touches at minimum five technical areas: UI components, backend processing logic, transactional email infrastructure, audit logging, and legal text updates. Teams that treat this as a frontend-only task consistently miss requirements that only surface during QA or, worse, during enforcement.
UI requirements
- Entry point: A prominent button or link in the site header or footer, consistently available on all pages throughout the withdrawal period - not only on the order detail page
- Form page: Mandatory fields for name, contract identifier, and email; additional optional fields should be kept to the minimum necessary under DSGVO data minimization principles (Art. 5(1)(c) GDPR)
- Confirmation page: Displayed after form submission, confirming receipt and informing the consumer that the Eingangsbestätigung will follow by email
Backend infrastructure
- Transactional email: Immediate dispatch of the Eingangsbestätigung with the exact date and time of receipt, the withdrawal content, and links or references for follow-up
- Audit log: Persistent record of each withdrawal event: timestamp, submitted form data, associated order or contract reference, and confirmation of email dispatch
- Data retention: Documented retention periods for withdrawal records, aligned with applicable commercial and tax law requirements and DSGVO obligations
- Guest order lookup: Secure identification flow for consumers without accounts, protected by rate limiting and anti-abuse controls
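The guest order lookup from the list above and from the no-login section earlier, as an added Python example of the identification flow with the anti-abuse controls the article calls for. It is platform-neutral illustration, not code from any platform named here; the limits (5 attempts per client per 10 minutes, 10 per order number per hour), the `client_id` parameter and the sample order are assumptions.

```python
"""Guest-order identification: order number + billing e-mail, rate-limited per
client and per order, with a uniform response on mismatch.  Added example with
assumed names and limits; not Shopware/WooCommerce/Magento/PrestaShop code."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per `window` seconds for each key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self._clock = limit, window, clock
        self._hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self._clock()
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class GuestOrderLookup:
    """Two independent budgets: per client address and per order number, so
    one order cannot be probed from many addresses either."""

    def __init__(self, orders: dict, clock=time.monotonic):
        self._orders = orders  # order number -> normalised billing e-mail
        self._per_client = SlidingWindowLimiter(5, 600, clock)    # assumed limit
        self._per_order = SlidingWindowLimiter(10, 3600, clock)   # assumed limit
        self.attempts = []  # audit trail: (client, order number, outcome); no e-mail

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def identify(self, client_id: str, order_number: str, email: str) -> str:
        order_number = order_number.strip()
        email = self._normalise(email)
        if not self._per_client.allow(client_id) or not self._per_order.allow(order_number):
            self.attempts.append((client_id, order_number, "rate_limited"))
            return "rate_limited"
        expected = self._orders.get(order_number)
        # Hash both sides and compare in constant time, also when the order does
        # not exist, so the response does not reveal which half was wrong.
        expected_digest = hashlib.sha256((expected or "\0").encode()).digest()
        given_digest = hashlib.sha256(email.encode()).digest()
        ok = hmac.compare_digest(expected_digest, given_digest) and expected is not None
        outcome = "ok" if ok else "no_match"
        self.attempts.append((client_id, order_number, outcome))
        return outcome


if __name__ == "__main__":
    # Constructed sample order and client address.
    lookup = GuestOrderLookup({"DE-2026-0001": "kunde@example.com"})
    print(lookup.identify("203.0.113.7", "DE-2026-0001", " Kunde@Example.com "))
    print(lookup.identify("203.0.113.7", "DE-2026-0001", "other@example.com"))
```

Two details matter for the QA checklist later in this article: the single `no_match` outcome for both an unknown order number and a wrong e-mail, and the fact that a rate-limited attempt is logged but never reaches the comparison. Behind a reverse proxy, `client_id` has to come from a trusted forwarded-for header, otherwise every request shares one budget.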
Legal text updates required
- Widerrufsbelehrung: Must include a reference to the new electronic withdrawal function, its location on the site, and how to use it
- Datenschutzerklärung: Must describe the data collected during the withdrawal process (name, order reference, email), the legal basis for processing, and the applicable retention period
- AGB / Rückgabebedingungen: Should be reviewed for consistency with the new mechanism to avoid contradictions that could be exploited in Abmahnungen
QA and pre-launch testing
- Complete end-to-end flow test including guest order scenario
- Email content and timestamp verification for the Eingangsbestätigung
- Audit log completeness check, including contract reference linkage
- Rate limiting and abuse protection verification on the guest lookup endpoint
- Partial withdrawal scenario testing where applicable
Platform Implementation Guide: Shopware, WooCommerce, Shopify, Magento, PrestaShop, and Laravel
Every major e-commerce platform handles the Widerrufsbutton differently, because none of them has it built in natively. The implementation complexity varies significantly: Laravel and custom headless setups offer the most control, while Shopify's restricted checkout creates the most constraints. Here is what each platform requires based on our experience with client projects.
Shopware 6
Shopware 6 provides solid foundations for this implementation. The withdrawal button can be added as a permanent element in the header or footer via theme customization. A dedicated CMS page handles the withdrawal form, and Shopware's Mail Templates system manages the Eingangsbestätigung. Audit logging can be implemented within the Order or Customer context, or in a separate dedicated log table.
From our work on Shopware 6 projects: the platform's Flow Builder and Custom Plugin architecture make the core implementation straightforward. The area that requires the most careful testing is the guest order scenario - specifically, the order lookup logic and the rate limiting configuration. Shopware does not include anti-abuse controls for guest lookups out of the box; these need to be added explicitly.
WooCommerce / WordPress
WooCommerce has no native withdrawal button support. Implementation requires either a purpose-built plugin or custom development. The withdrawal form is integrated via WooCommerce hooks or a standalone plugin, and the transactional confirmation email runs through WP Mail or a configured SMTP plugin. Guest order lookup uses order number and billing email - the same lookup pattern as Shopware, but the anti-abuse layer needs to be built manually or via a plugin that provides rate limiting at the WordPress application level.
Shopify
Shopify is the most constrained platform for this implementation. Theme customization via Liquid and App Blocks handles the entry point placement. The withdrawal form itself requires Shopify Forms or an external app, and the confirmation email runs through Shopify Flow or an external integration. The core challenge is Shopify's restricted checkout - the entry point for the withdrawal function cannot be embedded inside the checkout flow in standard Shopify. The recommended approach places the button in the header or footer of the store, accessible from all pages, and uses an app-based form solution for the withdrawal process itself.
Magento / Adobe Commerce
Magento implementations benefit from a custom module approach: a dedicated database table for withdrawal logs, a custom controller handling the form submission and email dispatch, and an email template configured through the Magento mail system. Integration with the Customer Account system handles logged-in users; Guest Order Lookup via order ID and email handles guest scenarios. A staging or UAT environment for pre-launch testing is essential given Magento's complexity.
PrestaShop
PrestaShop supports this implementation through a dedicated module - either purpose-built or an adaptation of existing modules. Hook-based integration in frontend templates places the entry point correctly. The PrestaShop Mail system handles the Eingangsbestätigung. As with other platforms, guest order lookup and rate limiting require explicit implementation.
Laravel / Headless / Custom
Custom Laravel and headless architectures offer the most flexibility and control. A dedicated controller handles the withdrawal form route; Laravel Mail, Mailgun, Postmark, or any configured mail service handles the Eingangsbestätigung dispatch. Audit logging integrates naturally with Laravel's existing database and logging infrastructure. Rate limiting is available through Laravel's built-in throttle middleware. REST and GraphQL APIs connect the backend logic to any headless frontend without additional complexity. For clients with a custom-built platform, this is consistently the cleanest implementation path.
How Webdelo Implements the Widerrufsbutton for German Mid-Market Clients
We have been implementing compliance-driven development for German B2C and hybrid clients for years, and the pattern with the Widerrufsbutton follows what we have seen with other regulatory obligations like the Kündigungsbutton: the technical implementation is rarely the hard part. The friction comes from the intersection of technical requirements, legal text updates, QA coverage, and the operational workflow that needs to change in the support team after go-live.
Our 4-phase approach
- Phase 1 - Compliance Audit: We analyze the current state of the website or app against § 356a BGB requirements, identify gaps across UI, backend, email infrastructure, logging, and legal texts, and produce a prioritized action plan with effort estimates
- Phase 2 - Implementation: UI components, backend processing logic, transactional email configuration, audit logging, guest order lookup with rate limiting - all built to the platform's architecture (Shopware, WooCommerce, Shopify, Magento, PrestaShop, or custom)
- Phase 3 - QA and Legal Text Review: Full test coverage of all withdrawal scenarios including guest orders and partial withdrawal; collaboration with the client's legal counsel or our network of e-commerce lawyers for Widerrufsbelehrung and Datenschutzerklärung updates
- Phase 4 - Maintenance and SLA: Post-launch monitoring, incident response, and proactive updates when regulatory guidance or case law clarifies ambiguous requirements - because compliance is not a one-time event
Service packages
- Quick Check: 1-2 day assessment of your current implementation status with a concrete action plan and effort estimates - useful as a starting point if you are not yet sure what needs to change
- Full Implementation: Complete technical delivery on your existing platform, from entry button to audit log, including QA and documentation
- Maintenance + SLA: Ongoing compliance coverage with defined response times - relevant for businesses that want a reliable contact point when regulatory requirements evolve after June 19, 2026
Request a free Quick Check to get a clear picture of your current compliance status and a concrete plan for what needs to change before the deadline. If you are ready to move forward, book a Widerrufsbutton implementation and legal text review directly.
FAQ: Widerrufsbutton ab 2026
Does § 356a BGB apply to small online shops?
Yes. The law makes no exception based on company size or annual turnover. Every online shop that concludes B2C distance-selling contracts via a website or app and where a statutory right of withdrawal exists is covered. The fine thresholds differ by turnover - 50,000 euros maximum below 1.25 million euros annual turnover, 4% of annual turnover above that - but the obligation applies regardless.
What happens if we implement the button after June 19, 2026?
Non-compliance after the effective date creates two risks: regulatory fines from the Bundesamt für Justiz (up to 50,000 euros or up to 4% of annual turnover) and Abmahnungen from competitors or trade associations. Both can be initiated at any point after the deadline passes. There is no grace period specified in the law.
Do guest orders need to access the withdrawal function without an account?
Yes. Consumers cannot be required to register or log in to exercise their right of withdrawal - unless the contract itself was only available to registered users. For standard guest orders, the identification mechanism uses order number and billing email address. The lookup endpoint must be rate-limited to prevent misuse.
Is it enough to place the button only on the order detail page?
No. The withdrawal function must be "always available," "prominent," and "easily accessible" throughout the withdrawal period, which by default is 14 days from receipt of goods. A permanent element in the header or footer is the recommended approach. Placing the button only on the order detail page - which a consumer may not be able to access after a certain time or without logging in - does not satisfy the visibility requirement.
What mandatory fields does the withdrawal form need?
Three fields are required by § 356a(2) BGB: the consumer's name, data to identify the contract or contract portion (typically the order number), and an electronic contact channel for the receipt confirmation (typically email address). Any additional optional fields should be justified by necessity - DSGVO data minimization principles apply.
What is the Eingangsbestätigung and how quickly must it be sent?
The Eingangsbestätigung is the mandatory receipt confirmation that the merchant sends after a withdrawal is submitted. It must be sent "immediately" (unverzüglich) on a "durable medium" - in practice, email. It must contain the content of the withdrawal and the exact date and time of receipt. Failure to send it, or sending it with incorrect or missing information, constitutes a violation of § 356a(4) BGB.
Do we need to update the Widerrufsbelehrung?
Yes. The Widerrufsbelehrung must reference the new electronic withdrawal function and describe where and how consumers can use it. The Datenschutzerklärung must describe the data processed during the withdrawal (name, order reference, email), the legal basis, and retention periods. Failing to update legal texts is an independent compliance violation separate from the technical implementation.
Does the rule apply to SaaS subscriptions, not just physical goods?
Yes. § 356a BGB covers all B2C distance-selling contracts where a statutory right of withdrawal exists - including SaaS subscriptions, streaming services, memberships, and digital content, as long as no statutory exception applies. The right of withdrawal for digital content is subject to its own rules (for example, it may lapse once the download begins with explicit consumer consent), but where withdrawal rights exist, the button obligation follows.
Can we use a plugin, or does this require custom development?
Plugins are available for Shopware, WooCommerce, and other platforms. The critical question is whether the plugin fully covers all legal requirements: Eingangsbestätigung with correct content and timestamp, audit logging, guest order access without forced registration, and proper form field configuration. Many early plugins cover the UI layer but fall short on backend compliance requirements. We recommend a detailed compliance review of any plugin before going live.
What is the latest safe date to start implementation?
The obligation applies from June 19, 2026. Given that development, platform integration, QA, and legal text updates each take time, we recommend starting no later than March or April 2026. That leaves adequate runway for a proper implementation cycle and avoids the risk of last-minute shortcuts that create compliance gaps.
What to Do Before June 19, 2026
The Widerrufsbutton is a process, not a feature. § 356a BGB requires a two-stage withdrawal flow, immediate email confirmation, audit logging, guest access without forced registration, and updated legal texts - across whichever platform your business runs on. The technical implementation is achievable, but it requires deliberate effort and cross-functional coordination between development, legal, and operations.
- The legal basis is § 356a BGB, implementing Article 11a of EU Directive 2023/2673, effective June 19, 2026
- The process is two-stage: entry button "Vertrag widerrufen" → form with mandatory fields → confirmation button → immediate Eingangsbestätigung by email
- Guest orders must be accessible without forced account registration; rate limiting is required for the guest lookup
- Widerrufsbelehrung and Datenschutzerklärung must be updated - failing to do so creates an independent legal violation beyond the technical non-compliance
- Fines reach up to 4% of annual turnover (above 1.25 million euros) or up to 50,000 euros, plus Abmahnung risk from competitors and associations
- Implementation on Shopware, WooCommerce, Shopify, Magento, PrestaShop, and Laravel each requires platform-specific approaches - none have native support
Request a free Quick Check to see exactly where your current implementation stands. If you are ready to move forward with full implementation and legal text review, we can scope and deliver the complete solution - from UI components through audit logging and Eingangsbestätigung to post-launch SLA coverage.