Many eCommerce businesses rely on personal data collection for optimizing the shopping experience, enabling targeted marketing, and increasing sales. However, with the emergence of the General Data Protection Regulation (GDPR) and increasing privacy awareness, companies have a responsibility to ensure transparent and secure data processing practices.
If your company is selling goods or services to citizens of the European Union (EU) or the UK, then this guide will help you avoid hefty GDPR fines that can go up to €20 million or 4% of your annual gross revenue. Continue reading as we guide you through the main GDPR eCommerce compliance requirements.
Why does GDPR matter for eCommerce?
GDPR compliance is important to eCommerce websites for enhancing user trust, securing data, and preventing penalties. Here are the main benefits of compliance:
- Enhances consumer trust. Proper GDPR compliance gives customers more control over their data, ensuring higher trust in the brand. A report by Cisco found that 47% of consumers trust companies handling their data more as a result of the GDPR.
- Prevents large fines. Companies that don’t comply with the regulation are at risk of facing hefty GDPR fines. For less serious violations, that can be up to €10 million, or 2% of the firm’s annual revenue. Meanwhile, for serious infringements, the fine rises to €20 million or 4% respectively.
- Improves data security. To adhere to the regulation’s requirements, website owners need to ensure secure private data storage. It includes meticulous planning and performing a risk assessment to ensure no data gets into unauthorized hands.
- Competitive advantage. Ensuring proper and continuous GDPR compliance means respecting user data and their privacy. In a market where data is a product, compliance is a competitive advantage. According to a study by Cisco, 95% of consumers won’t buy from a company that doesn’t ensure robust data security measures.
GDPR requirements for eCommerce business
To ensure GDPR compliance effectively, it’s essential to understand the basic requirements of the privacy regulation. Let’s review a summary of the main GDPR ideas and requirements:
1. Explicit user consent
One of the main GDPR requirements for your eCommerce business is to obtain user consent – permission to collect, use, or share personal data. The GDPR Consent article states that consent must be:
- Freely given – you must present users with a clear choice.
- Specific – the purpose for consent must be explained in specific, without broad statements.
- Informed – eCommerce owners must inform users about what data they collect, how they use it, and why, using simple and easy-to-understand language.
- Unambiguous – consent should involve a clear affirmative action (pre-ticked boxes aren’t GDPR-compliant).
Consent must also be granular, meaning that data subjects should have the right to only opt into purposes they want (like order processing, marketing, etc.). Here’s an example of granular consent when it comes to internet cookies:
As you can see, users are able to only select the cookies that they want – there’s a clear distinction and no pre-ticked boxes.
For newsletters and marketing emails, you may even consider double opt-in. It requests user confirmation before successfully adding them as a subscriber.
2. Consent withdrawal
While GDPR requires obtaining consent, it also specifies giving users an option to withdraw it. It should be easily accessible for all users at any time. This can be a “Reject” button in a cookie banner or an unsubscribe link in all of your marketing emails.
For example, here’s an email unsubscribe link example from an email of the Washington Post:
The link should automatically unsubscribe the user as soon as they click the button, meaning you should avoid complicated or unclear instructions.
Additionally, users may not be penalized for consent withdrawal and your eCommerce business should stop processing data of users who withdrew consent immediately.
3. Lawful basis for processing
Under the GDPR, your eCommerce business must provide a lawful basis for processing. There are no specific requirements on where exactly it should be stated. However, many companies put it in the privacy notice and at the point of data collection, like during account creation.
The GDPR Article 6 outlines 6 lawful bases for processing. Here they are together with basic examples:
- Explicit consent (given by the data subject, like GDPR cookie consent)
- Contractual obligation (when a customer buys a product from your store and you need to process their name or payment information)
- Legal obligation (employer processes employee tax information for authorities)
- Vital user interests (hospital review a patient’s medical records in case of emergency)
- Task in the public interest (universities collect student data to administer exams)
- Legitimate interests (using customer data, like transaction monitoring, to prevent fraud)
4. Data minimization
One of the principles relating to the processing of personal data is data minimization. The GDPR Article 5 notes that personal data shall be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”
So, you should also review their data collection practices and what’s truly necessary to your business. For example, if a customer is purchasing a product on your website, consider whether collecting their date of birth is necessary. Unless your products require age verification, you may reduce such data collection.
5. Transparency
Transparency is a core principle of GDPR that refers to companies being open and clear about their data collection and processing practices. This includes providing information in an easily accessible manner, whether it’s including a cookie banner statement or a privacy policy.
Here’s how you can ensure transparency with your privacy policy:
- Place it in an obvious location – your eCommerce customers should be able to find your privacy policy at any time. Usually, websites place it in the website footer and in a cookie banner.
- Use clear and simple language – you should write your privacy policy in a way that would be easy to comprehend even for children. This means avoiding complex or legal terms.
- Keep it up to date – regularly review your privacy policy to ensure all your current data collection and processing activities are accurate.
6. Data Processing Agreements (DPAs)
Data Processing Agreements (DPAs) are legally binding contracts between a data controller and a data processor that define how personal data is processed. So, make sure you review the third-party services of your eCommerce business, like marketing platforms or payment processors, and who you should sign DPAs with.
According to the GDPR Article 28, the DPA should specify the following conditions:
- Only process the agreed data
- Ensure user data confidentiality
- Adopt security measures to protect data
- Avoid sub-processors without the data controller’s approval
- Fulfill data subject rights
- Remove collected data post-contract termination
- Allow data controller to audit GDPR compliance
7. Incident notifications
In case of a data breach, the GDPR requires notifying your eCommerce customers and supervisory authorities.
- The supervisory authority must be contacted within 72 hours. You can find the full list of authorities on the European Data Protection Board website.
- Affected data subjects must be informed immediately.
- Data breach effects must be alleviated (useful to perform a GDPR risk assessment to prevent future threats as well).
8. Data portability
Data portability allows users to obtain or reuse their personal data on different services or platforms. The data should be supplied within one month of receiving the request and provided in an accessible and machine-readable format.
In the case of eCommerce, an example could be a customer of the website requesting a copy of their wishlist to transfer it into a competing platform.
9. Data Protection Officer (DPO)
If your eCommerce business handles sensitive data or processes data on a large scale, then GDPR requires appointing a Data Protection Officer (DPO). A DPO is a dedicated individual or organization that’s responsible for ensuring your organization’s continuous GDPR compliance.
Naturally, a DPO must be an expert in data privacy regulations (especially GDPR). It can be an employee or an external organization or an individual under a legally binding agreement.
10. Right to access
Your eCommerce store customers have the right to access their own personal data that you collect, according to GDPR Article 15. The company must provide the copy in a concise and transparent form.
Additionally, it should be done free of charge, unless it’s repetitive or unfounded, then a small fee can be requested.
The GDPR Article 12 also states that data subject rights requests must be processed within one month of receiving it. However, if the request is complex, organizations may extend the processing period by two months by informing the user within the first month.
11. Right to erasure
The right to erasure (or right to be forgotten) permits data subjects to request eCommerce companies to permanently delete their personal data. Under the GDPR Article 17, erasure can be requested in the following cases:
- Data is no longer necessary for the purpose it was collected.
- The data subject withdraws consent
- Data subject objects to processing
- Unlawful data processing practices
- Data erasure must happen to comply with a legal obligation
- The personal data of a minor was collected
However, this user right has exceptions. For example, it doesn’t apply when data is necessary for legal obligation compliance or reasons of public interest in public health.
Like with other user rights, companies get one month to respond and can extend it to two more months after informing the user.
Steps to make your eCommerce website GDPR-compliant
While knowing how to achieve compliance correctly can be challenging, it becomes easier with a detailed GDPR compliance checklist. Let’s review the main tasks you should complete.
1. Map out and audit your data
The journey to GDPR compliance should start from understanding exactly what data you collect and where it comes from. You must:
- Identify the channels that data comes from
- List what data is collected
- Define the lawful basis for processing
- Review where data is securely stored
- Keep a log of data access permissions
2. Obtain user consent
The main GDPR requirement is informing users about your data collection practices and getting their consent.
A common example for eCommerce websites is cookie management, which is usually achieved through a cookie banner like this:
As visible, the GDPR-compliant banner includes both “Accept” and “Reject” buttons. It’s also possible to provide granular consent with a preference management button.
The easiest way to add cookie banners to your website is by using a consent management platform. For example, TinyCookie on Shopify enables a one-click customizable cookie banner setup.
3. Review your privacy policy
You should review your privacy policy to ensure it doesn’t involve complex legal terms and is easy to read for anyone. Additionally, check if your data processing practices are up to date and if the policy includes the necessary information. Here are the main points to include in your privacy policy:
- Lawful basis for processing
- What information is collected
- How long is the data collected for
- Third parties that you share data with
- Data transferring (if applicable)
- User rights explanation
The official GDPR website provides a privacy policy template to help you out.
4. Create user right request handling process
Under the GDPR, users can exercise their rights and submit requests to your eCommerce business. You must prepare to handle those requests, which include the following:
- Right of access – prepare a clear process on how you’d provide users with a copy of their personal data.
- Right to rectification – establish a method to correct user data in a timely manner.
- Right to erasure – ensure you can delete user data within 30 days of receiving the request.
- Right to data portability – users may ask to provide their data copy in a machine-readable format to use in other services or platforms.
- Right to object – provide clear methods for objecting data processing and ensure you review these requests as soon as possible.
5. Ensure personal data security
eCommerce businesses must ensure that user data is stored securely, according to the GDPR Article 32. The listed security measures include:
- Data encryption
- Confidentiality and resilience of systems
- Data access and restoration (in case of a breach)
- Regular testing, staff training (about GDPR requirements and customer request handling)
6. Create or review agreements
eCommerce businesses must ensure that they have Data Processing Agreements with all involved third parties. This can be such services as payment processors like PayPal, email marketing platforms like Klaviyo, customer support tools, and analytics or tracking services.
A DPA is crucial to ensure legal compliance of all parties, mitigate risks, protect customer trust, and GDPR compliance evidence. Make sure you continuously review your DPAs in case your practices change.
Common GDPR mistakes and how to avoid them
While the GDPR has been in effect since 2018, many eCommerce businesses still make common compliance errors. They could lead to large GDPR fines or reduced customer trust. Here are some of the most common mistakes that you should avoid:
- Pre-ticked boxes. The EU data protection law requires ensuring that consent is granular, but it also should involve affirmative action, which pre-ticked boxes lack.
- Cookie walls. Blocking access to your website or services because the user didn’t grant consent is considered non-compliant. Consent must be freely given.
- The assumption that GDPR doesn’t apply. Just because your company is located outside the EU, you’re not exempt from GDPR compliance unless you don’t offer services to EU citizens or monitor their behavior.
- Missing legal basis. Legal basis is an important requirement and should be considered carefully. Try mapping out your data collection points and assign a legal basis for each one.
- Not keeping consent records. Without keeping consent records, you have no valid proof of GDPR compliance.
- No incident response plan. If you don’t create an incident response plan and don’t inform supervisory authorities within 72 hours of a breach, you may be heavily fined.
Best tools to simplify GDPR compliance
Manually achieving GDPR compliance can be very time-consuming and challenging. Let’s review a few tools that help simplify GDPR compliance for eCommerce websites.
TinyCookie
TinyCookie is a Shopify cookie consent management platform that simplifies GDPR compliance for eCommerce businesses. It requires a one-click setup after installation and automatically stores user consent preferences.
You can place a customizable cookie banner on your website with unique text and a link to your privacy policy in a matter of seconds. Here’s an example of what it looks like:
- Lets you add consent and withdrawal buttons
- Allows cookie preference management
- Records consent
- Automatically scans cookies
- Integrates with Global Privacy Controls, Consent Mode V2, and more
Klaviyo
Klaviyo is a marketing automation platform that helps ensure your marketing emails comply with the GDPR. It supports granular consent for different marketing channels and provides form templates that are compliant.
Transcend
Transcend is a privacy and data governance solution that helps establish and automate data subject request processing. It also assists with data mapping, including automatic updating and identifying where personal data is stored.
Frequently asked questions
The General Data Protection Regulation (GDPR) is a data protection law that governs how organizations, including eCommerce businesses, handle the personal data of European Union (EU) citizens.
Yes, the GDPR applies to US companies that offer goods or services or monitor the behavior of EU citizens. GDPR requirements in the US are the same as for European countries, including obtaining explicit user consent and following GDPR data transfer requirements.