The European consumer has substantial rights when contracting for goods or services online. Nevertheless, unlike in European data protection law, specific requirements for adequate data security practices are largely absent from European legislation governing Business-to-Consumer (B2C) transactions. The following article evaluates the application of current EU consumer protection requirements and appraises the extent to which they oblige service providers to include data security or information regarding data security practices in contract terms. In addition to considering the core European consumer protection instruments currently in place, the article evaluates proposed legislation for digital goods and assesses its potential application to contract terms commonly offered by cloud service providers (CSPs). Furthermore, the article provides some comparative analysis of data security requirements from the USA.