Selling digital downloads

If you’re thinking of setting up your own site for pattern sales – or any other digital sales – there are a couple of things you need to be careful about. The biggest one (to my security-obsessed mind) is keeping your customer data safe. To do this you’ll either need to pay for a service, or commit to managing your site – and its security – yourself. There’s also EU VAT to think about.

This mostly talks about those hosting options and security problems, but there’s a smidge about VAT at the end. And I’m talking here about selling your patterns yourself – not about online marketplaces that do the selling for you.

Hosting & Security

If you’re selling patterns on your own site you’re responsible for making sure that you’re doing it securely. You have a couple of options when you go down this route.

Software as a Service

You can choose a software as a service (SaaS) setup – like Shopify, or Big Cartel. They’ll be responsible for the security.

You can get WordPress – or another blog – hosted as if it was a SaaS. This means that your service provider is responsible for security. WordPress.com – where this site is hosted – is probably the best known of the WordPress options.

With any of these, you still should do some research – search for ‘wordpress.com security’ or ‘shopify security’ or whatever you’re interested in, and see what the internet has to say about it – but if you’re using a reliable service you should be reasonably safe from random hacking bots on the prowl for easy pickings.

(You should still take your security seriously – create good passwords, don’t reuse your passwords across different sites and services, use two-factor authentication whenever you can, make sure that your computer and phone are running up to date software….)

You should expect to pay at least £20 a month for a SaaS service that lets you sell digital downloads, and you won’t have a huge amount of freedom to make changes to templates, or install any plugin that you like. Those limitations are a part of what makes this option secure.

Self-hosted websites

You can also host your own site – and this is where I really worry about people running into trouble.

That site’s probably going to be WordPress, downloaded from wordpress.org and installed on a hosting service you’re paying for separately. (It doesn’t have to be WordPress, but the non-Wordpress options – like Joomla or Drupal, for example – have steeper learning curves and take more time and knowledge to maintain.)

WordPress is reasonably secure if you’re careful and you know what you’re doing. It has the potential to be incredibly insecure if you’re not, or you don’t. In 2018 90% of all hacked CMS sites used WordPress. This is partly because there are so many WordPress sites (60% of the CMS market share, 30% of sites on the internet) but it’s also because so many of those sites are insecure.

If you host your own site you’re responsible for making sure that your software is up to date. Automatic-ish updates are a thing, but they’re not reliable. Almost all core WordPress hacks are due to out of date software. WordPress updates are generally fairly seamless but sometimes things do go wrong, and you end up with a site that can’t find something important in the database, or a plugin that’s suddenly not working.

If you’re installing plugins – and you’ll need to in order to sell patterns – those plugins will also need to be kept up to date.

Most WordPress site hacks are through plugins, rather than through the core WordPress software; either because the plugin software wasn’t updated, because the software creator failed to keep it up to date or because it was an inherently insecure piece of software.

If you have a blog – like this one – and it’s hacked you can restore your blog back to the pre-hack state. (You have backups, right?) (Also – fix the problem that left you hackable!) You might feel a bit foolish. You might also have had your site blacklisted as a compromised site and you’ll need to fix that. There’s a bit of cleaning up to do. Here’s WordPress’s guide on what do if your WP site is hacked.

But if you’re selling patterns on your site, you’re also storing the personal information of your customers – name, email address and billing address at a minimum. If someone hacks your site they can get their hands on that information, and they can do damage with it. You have a legal responsibility – and a moral responsibility – to make sure that your customer data is stored securely. If you’re in the EU the General Data Protection Regulation (GDPR) applies. If you’re not in the EU it still applies if you’re holding data on EU residents. There are, of course, other data protection laws that apply in other countries.

Self-hosted sites can be a lot cheaper than buying a SaaS option – from a couple of pounds a month – but it is a lot riskier. I would advise almost everyone to avoid the self-hosted route. I avoid it myself, these days, and that’s not because I don’t know how to apply software and security updates. I am far too well acquainted with those tasks.

VAT and the EU

If you’re selling digital downloads there’s also the EU VAT nightmare to navigate. I am the biggest cheerleader ever for the EU, and even I think that this is a hideous and confusing mess which has had very little impact on the problems it set out to solve (tax avoidance by huge multinational companies) and puts a vastly disproportionate burden on very small businesses.

Here’s the UK government’s summary of EU digital services VAT rules. I don’t fully understand all of it myself, but I think it boils down to:

If you’re not based in the EU, you must charge VAT to your EU customers, register for VAT in an EU country, and pay that VAT.

If you are based in the EU, you must charge VAT on purchases by customers in other EU states.

These rules apply when you sell to customers within the EU, no matter where you’re located; you don’t have to be within the EU for these to apply to you.

A lot of the software that lets you sell digital downloads will also do the VAT bits – checking the rate in your customers’ location and giving you the calculations. You’ll still have to register and pay the VAT.

But – if you’re in the UK, it looks like there’s a threshold of £8800-ish for sales within the EU – if your digital sales are below that you may be able to avoid having to register. Here’s some info about that threshold. This may not survive brexit, though – so you might have to register as a non-EU seller at the start of next year

Oh, brexit! I don’t know what impact brexit will have on any of this, for those of us in the UK – but I predict a frantic scrabble and lots of confusion and misinformation and chaos, because that seems to be the government’s brexit strategy.6