Why eCommerce Gets GDPR Wrong More Than Most
Online stores sit at a uniquely difficult intersection of GDPR requirements. A typical eCommerce business collects personal data at every stage of the customer journey — browsing behavior, account creation, checkout details, payment information, delivery addresses, marketing preferences, support interactions, and post-purchase reviews. That data flows through dozens of third-party services: payment processors, shipping providers, email platforms, analytics tools, advertising networks, review platforms, and customer support software.
Each of those touchpoints creates a GDPR obligation. Each third-party service is a data processor that needs a compliant agreement. Each marketing email needs a lawful basis. Each cookie needs consent before it fires.
Most eCommerce businesses know they need to "be GDPR compliant" but struggle with what that actually means in practice — especially when the regulations were written for a general audience and not for the specific realities of running an online store.
This checklist translates GDPR's requirements into the specific actions that eCommerce businesses need to take. It is organized by area so you can work through it systematically and track your progress.
Checklist 1: Cookie Consent
Cookies are where most eCommerce GDPR enforcement starts, because non-compliant cookie banners are easy for regulators to detect — they just visit your website.
What the law requires
The ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) combined with GDPR requires that:
- Non-essential cookies must not be set until the user gives consent
- Consent must be freely given, specific, informed, and unambiguous (GDPR Article 4(11))
- Refusing cookies must be as easy as accepting them — no dark patterns
- Users must be able to withdraw consent at any time (GDPR Article 7(3))
- Strictly necessary cookies (authentication, cart, security) do not require consent but must be disclosed
Your checklist
- No cookies fire before consent. Analytics scripts, marketing pixels, social media widgets, and ad trackers must all be blocked until the user actively consents. This means your Google Analytics, Meta Pixel, LinkedIn Insight Tag, and any retargeting scripts must load conditionally — not on page load.
- Granular category choices. Users must be able to choose which categories they accept. A compliant setup typically offers: Essential (always on), Functional (language, currency preferences), Analytics (usage statistics), and Marketing (advertising, retargeting). An "Accept All" button is fine, but "Reject All" or "Accept Essential Only" must be equally prominent.
- No pre-checked boxes. The Court of Justice of the EU ruled in Planet49 (Case C-673/17) that pre-ticked checkboxes do not constitute valid consent. Every non-essential category must start unchecked.
- No cookie walls. Blocking access to your store unless cookies are accepted is generally non-compliant, because consent must be freely given (GDPR Recital 42). The user should be able to browse and purchase without accepting analytics or marketing cookies.
- A way to change preferences later. A "Cookie Settings" link in your footer that reopens the consent dialog satisfies the withdrawal requirement. It must actually work — not just link to your cookie policy text.
- Consent records are stored. You need to prove that consent was given if a regulator asks. Store the timestamp, the categories consented to, the version of your consent text, and a user identifier.
Checklist 2: Privacy Policy and Transparency
GDPR Articles 13 and 14 require you to tell customers what you do with their data — before or at the point of collection.
Your checklist
- Your privacy policy is specific to your business. Generic template policies that do not name your actual data processing activities, your actual third-party processors, or your actual retention periods are not compliant. The policy must describe what you actually do, not what a template author imagined you might do.
- It is written in plain language. GDPR Article 12(1) requires that information is provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." Legal boilerplate that a customer cannot understand fails this test.
- It covers all required information. GDPR Article 13 lists the minimum: your identity and contact details, DPO contact (if applicable), purposes and legal bases for each processing activity, categories of data collected, recipients or categories of recipients, international transfer details and safeguards, retention periods, data subject rights, the right to lodge a complaint with a supervisory authority, and whether providing data is a statutory or contractual requirement.
- It is accessible from every page. Link it in your website footer. Also link it at every data collection point: checkout, account registration, newsletter signup, contact forms, and review submission.
- It is versioned and dated. When you update your privacy policy, keep the previous version accessible and note the date of the change. If a customer gave consent under a previous version, you may need to show what they agreed to.
Checklist 3: Checkout and Payment Data
The checkout flow is where you collect the most sensitive personal data: names, addresses, email, phone numbers, and payment details.
Your checklist
- Identify your legal basis for each processing activity. Order fulfillment (processing the address to ship the product) is covered by "contract" (Article 6(1)(b)). Tax record retention is covered by "legal obligation" (Article 6(1)(c)). Marketing emails after purchase may use "legitimate interest" (Article 6(1)(f)) in some jurisdictions but require consent in others — check your national implementation.
- Only collect what you need. Data minimization (Article 5(1)(c)) means you should not require a phone number if you do not need it for delivery. Do not make fields mandatory unless they are genuinely necessary for the stated purpose.
- Do not default the marketing opt-in. If you have a "Send me offers and updates" checkbox at checkout, it must be unchecked by default. Pre-checked marketing consent is invalid under GDPR.
- Separate consent from the purchase. Marketing consent must not be bundled with the terms and conditions of purchase. "By placing this order you agree to receive marketing" is not freely given consent. Use a separate, clearly labeled checkbox.
- Use a PCI-compliant payment processor. Do not store raw credit card numbers yourself. Use a processor like Stripe that handles card data on their infrastructure and provides you with tokens. This reduces your GDPR risk surface significantly and satisfies the "integrity and confidentiality" principle (Article 5(1)(f)).
- Display your privacy notice at checkout. A link to your privacy policy must be visible during the checkout process — not buried after the order is placed.
Checklist 4: Email Marketing
Email marketing is one of the most common areas of GDPR non-compliance in eCommerce. The rules are stricter than many businesses realize.
Your checklist
- New subscribers give explicit opt-in consent. The signup form must clearly state what the person is signing up for (e.g., "Weekly product updates and promotions from [Your Store Name]"). A generic "Subscribe" button without context is not specific enough.
- Use double opt-in. While not strictly required by GDPR in all EU member states, double opt-in (confirmation email before adding to the list) is considered best practice by most Data Protection Authorities and is the safest way to prove valid consent. It is required under German law (Gesetz gegen den unlauteren Wettbewerb).
- Every email has a working unsubscribe link. This must unsubscribe the user with one click — not redirect to a preference center that requires logging in or additional steps. GDPR Article 7(3) requires that withdrawal of consent is as easy as giving it.
- Consent records are stored per subscriber. For each subscriber, record: when they opted in, how (which form, which page), what they consented to, the version of the consent text, and their IP address. If a subscriber complains to a DPA, you need this evidence.
- Post-purchase marketing has a clear legal basis. In many EU jurisdictions, you can email existing customers about similar products under the "soft opt-in" (derived from the ePrivacy Directive, Article 13(2)), but only if: they gave their email in the context of a sale, you are marketing your own similar products, you gave them a clear opt-out opportunity at the time of collection, and every subsequent email includes an unsubscribe option. If any of these conditions are not met, you need explicit consent.
- Purchased email lists are not compliant. If you did not collect the consent yourself, you almost certainly cannot demonstrate that the consent meets GDPR standards. Buying email lists and sending marketing to them is one of the highest-risk activities in eCommerce.
Checklist 5: Third-Party Services and Data Processors
A typical eCommerce store shares customer data with 10–30 third-party services. Each one is a data processor under GDPR, and you are responsible for their compliance as the data controller.
Your checklist
- Map every third-party service that touches personal data. Create a complete list. Common ones include: payment processors (Stripe, PayPal, Adyen), shipping providers (DHL, FedEx, Royal Mail, national postal services), email marketing platforms (Mailchimp, Klaviyo, Brevo), analytics (Google Analytics, Mixpanel), advertising platforms (Meta Ads, Google Ads), customer support tools (Zendesk, Intercom), review platforms (Trustpilot, Yotpo), fraud detection services, ERP and accounting software, and your hosting provider.
- Verify a Data Processing Agreement (DPA) is in place with each one. GDPR Article 28 requires a written contract between the controller (you) and each processor. Most major SaaS providers offer a standard DPA — but you need to actually sign or accept it. Having a DPA available on a provider's website does not mean you have executed it.
- Know where each processor stores data. If a processor stores data outside the European Economic Area, you need to verify that an appropriate transfer mechanism is in place: an adequacy decision (e.g., EU-US Data Privacy Framework, UK), Standard Contractual Clauses (SCCs), or Binding Corporate Rules. If you use Google Analytics, note that this has been the subject of multiple DPA enforcement actions across the EU.
- Review sub-processors. Your processors may use their own sub-processors. GDPR Article 28(2) requires that processors obtain your authorization before engaging sub-processors. Most DPAs include a mechanism for this (general authorization with notification of changes). Review the sub-processor lists of your major providers at least annually.
- Remove processors you no longer use. If you switched email platforms six months ago but the old one still has access to your customer data, that is an uncontrolled data exposure. Decommission and delete data from processors you no longer use.
Checklist 6: Customer Data Requests (DSARs)
Under GDPR, your customers have the right to access, correct, delete, restrict, and port their personal data. You have 30 calendar days to respond (extendable by two months for complex requests, with notification).
Your checklist
- Publish a clear request channel. Customers need to know how to submit a data request. A dedicated page, a form in your privacy policy, or a clearly labeled email address all work. Do not bury it. GDPR Article 12(2) requires that you "facilitate the exercise of data subject rights."
- Verify identity before responding. You must confirm that the requester is actually the person whose data they are requesting. For logged-in customers, the account itself may be sufficient. For others, request enough identifying information to match the request to your records — but do not collect more data than necessary for verification (that would violate data minimization).
- Know where all customer data lives. When a customer requests access or deletion, you need to find their data across every system: your eCommerce platform database, email marketing lists, analytics tools, customer support tickets, payment processor records, shipping provider records, and any spreadsheets or internal tools. This is where a data map pays for itself.
- Handle deletion requests with care. The right to erasure (Article 17) is not absolute. You are not required to delete data that you must retain for legal obligations (tax records, transaction records required by law), for the establishment or defense of legal claims, or for other overriding legitimate grounds. When you cannot fully delete, explain to the customer which data was deleted and which was retained, and why.
- Respond within 30 days. The clock starts when the request is received, not when you begin processing it. Late responses are a common enforcement target. Track deadlines for every request.
- Requests are free. You cannot charge for the first request. You may charge a reasonable fee for manifestly unfounded or excessive requests (Article 12(5)), but this threshold is high and invoking it without justification will draw scrutiny.
Checklist 7: Data Retention
GDPR's storage limitation principle (Article 5(1)(e)) requires that you do not keep personal data longer than necessary. For eCommerce businesses, this means different data has different retention periods.
Your checklist
- Define retention periods by data type. You cannot apply a single blanket retention period to all customer data, because different data serves different purposes with different legal bases. Some illustrative categories (actual periods vary by jurisdiction):
| Data Type | Suggested Approach | Reason |
|---|---|---|
| Order and transaction records | Retain for the statutory period required by your national tax and accounting laws (commonly 5–10 years) | Legal obligation |
| Customer account data | Retain while the account is active, then delete or anonymize after a defined inactivity period | Contract / legitimate interest |
| Marketing consent records | Retain while consent is active, plus a period after withdrawal to evidence past consent | Legitimate interest (proof of consent) |
| Abandoned cart data | Delete after a short period (e.g., 30–90 days) | No ongoing purpose |
| Customer support tickets | Delete or anonymize after a defined period following resolution | Legitimate interest |
| Analytics data | Anonymize after collection or retain anonymized aggregates only | Legitimate interest |
- Automate deletion where possible. Manual deletion processes are error-prone and rarely followed consistently. Build automated retention rules that flag or delete data when its retention period expires.
- Do not keep "just in case" data. Retaining customer data indefinitely because "we might need it someday" is not a lawful purpose under GDPR. Every category of data must have a stated purpose and a defined retention period.
Checklist 8: International Sales and Cross-Border Transfers
If you sell to customers in multiple countries — which most eCommerce businesses do — additional rules apply.
Your checklist
- GDPR applies if you target EU customers. Even if your business is based outside the EU, GDPR applies if you direct your activities toward EU residents (GDPR Article 3(2)). Indicators include: offering prices in euros, providing shipping to EU countries, translating your site into EU languages, or running advertising targeting EU audiences.
- Verify transfer mechanisms for non-EEA processors. If you use services that store or process data outside the EEA (most US-based SaaS tools), ensure an appropriate transfer mechanism is in place. The EU-US Data Privacy Framework provides adequacy for certified US companies. For other countries, Standard Contractual Clauses are the standard mechanism.
- Consider appointing an EU representative. GDPR Article 27 requires that non-EU controllers who regularly process EU residents' data appoint a representative in the EU. This is a named contact who acts as a point of communication for supervisory authorities and data subjects.
- Account for local variations. While GDPR is directly applicable across the EU, member states have implemented national variations — particularly around direct marketing, employee data, age of consent for children's data (ranging from 13 to 16), and specific sector requirements. If you sell heavily in a particular market, understand that country's implementation.
Checklist 9: Security Measures
GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. For eCommerce, this means:
Your checklist
- Use HTTPS everywhere. Your entire site — not just the checkout — must be served over TLS. Customer browsing behavior, account pages, and search queries all constitute personal data in context.
- Keep software updated. eCommerce platforms (Shopify, WooCommerce, Magento, custom builds) and their plugins are frequent targets for attacks. Unpatched vulnerabilities are a leading cause of data breaches in eCommerce.
- Implement access controls. Not every team member needs access to all customer data. Warehouse staff need shipping addresses but not payment details. Marketing needs email addresses but not order histories. Apply the principle of least privilege.
- Have a breach response plan. GDPR Article 33 requires notification to your supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals. Article 34 requires notification to affected individuals if the risk is high. You need a plan before a breach happens: who detects it, who makes the notification decision, who communicates with the DPA, and who notifies customers.
- Log access to personal data. Maintain audit logs of who accessed customer data, when, and why. This is both a security measure and an accountability tool — if data is misused, you need to be able to trace what happened.
How PrivacyForge Helps eCommerce Businesses
Each of these checklist areas maps to a specific PrivacyForge capability:
- Cookie consent — The embeddable consent widget drops into any storefront with a single script tag. It supports granular category choices (Essential, Functional, Analytics, Marketing, Personalization, Advertising), blocks non-essential cookies until consent is given, provides equal Accept/Reject options, stores consent records with timestamps and consent version, and lets customers change preferences at any time.
- Third-party processor management — Data mapping lets you document every processor, what data they receive, under what legal basis, and whether a DPA is in place. Cross-border transfer tracking flags processors outside the EEA and records which transfer safeguards apply.
- Customer data requests — The DSAR handling system supports all GDPR request types (access, erasure, rectification, portability, restriction, objection, consent withdrawal), tracks the 30-day response deadline, manages identity verification, and generates exportable response packages in JSON and PDF format.
- Consent management — Every consent is recorded with its legal basis, timestamp, version, and collection context. Consent withdrawal is one click. Audit-ready records are always accessible.
- Data retention — Data maps include retention periods for each processing activity. Automated monitoring flags data approaching its retention deadline.
- Compliance monitoring — The compliance dashboard provides a real-time score across all GDPR requirements, with specific breakdowns for consent health, data mapping completeness, and DSAR response times.
- GDPR checklist — A built-in 30-item self-assessment covering lawful basis, transparency, security, data subject rights, governance, and international transfers, with a downloadable PDF report.
Start With What Matters Most
You do not need to complete every item on this checklist in one day. Prioritize based on risk:
- Cookie consent — Fix this first. It is the most visible compliance issue and the easiest for regulators to check.
- Privacy policy — Update it to reflect your actual practices. A template policy is better than nothing, but a specific one is what compliance requires.
- Email marketing consent — Audit your existing subscriber lists. If you cannot prove consent, consider a re-permission campaign.
- Third-party processor map — List every service that touches customer data and verify DPAs are in place.
- DSAR process — Establish a clear channel and response workflow before a request arrives, not after.
The rest can follow as you build out your compliance program. The goal is continuous progress, not instant perfection.