
GDPR Compliance for Ecommerce: What You Must Know


GDPR compliance for ecommerce is one of those topics that generates more confusion than clarity. The regulation is written in legal language, published by regulators with enforcement responsibilities, and frequently discussed in terms of maximum fines rather than practical obligations. The result is that many store owners either over-engineer their compliance (spending disproportionate time on theoretical edge cases) or under-invest in it (treating GDPR as something that only applies to large businesses).

Neither approach is correct. GDPR applies to any online store that collects personal data from customers in the UK or European Union - regardless of where the store is based. If you sell to European customers, you have GDPR obligations. Those obligations are specific, manageable, and meaningful. This guide cuts through the legal complexity to explain what actually applies to your store, what you need to do, and what happens if you do not.

Important: This guide provides practical guidance for ecommerce store owners. It does not constitute legal advice. For your specific GDPR compliance situation - particularly if you handle sensitive data categories, operate at scale, or have complex data processing arrangements - consult a qualified data protection officer or legal adviser.


Compliance sits alongside technical security, fraud prevention, and monitoring - the Ecommerce Security & Compliance Complete Guide covers the full framework.

In This Guide

  1. GDPR and Ecommerce: Who It Applies To
  2. The Personal Data Your Store Holds
  3. Your Six Lawful Bases for Processing
  4. What GDPR Requires of Ecommerce Stores
  5. CCPA: The US Counterpart
  6. Practical GDPR Compliance Steps for Your Store
  7. Frequently Asked Questions

GDPR and Ecommerce: Who It Applies To

GDPR - the General Data Protection Regulation - applies based on where your customers are located, not where your business is registered. The key conditions:

You are established in the EU or UK: Your business is based in an EU member state (or the wider EEA) or the UK (which has its own equivalent regulation, UK GDPR, post-Brexit). GDPR or UK GDPR then applies to all your personal data processing, regardless of where your customers are.

You offer goods or services to people in the EU or UK: You ship products to EU or UK addresses, your website is available in EU languages, your pricing is in Euros or Pounds, or you otherwise actively target EU or UK customers. Even if you are based in the US or Australia, if you are selling to European customers, GDPR applies to the data you collect from them.

You monitor the behaviour of people in the EU or UK: You use analytics tools to track customer browsing behaviour on your website, and those visitors are in the EU or UK. This threshold is broader than many store owners realise.

In practice, virtually every ecommerce store that ships internationally has some GDPR obligations. The question is not whether GDPR applies - it almost certainly does in some form - but what your specific obligations are given your customer geography and data processing activities.

The Personal Data Your Store Holds

GDPR applies to "personal data" - any information relating to an identified or identifiable natural person. For a typical ecommerce store, this includes more than most store owners initially consider:

Data type | Where it lives | GDPR applies?
Customer name | Platform database, email marketing tool, CRM | Yes
Email address | Platform database, email marketing tool, support system | Yes
Delivery address | Platform database, fulfilment system, 3PL | Yes
Phone number | Platform database, SMS marketing tool | Yes
Order history | Platform database, analytics tools | Yes
Browsing behaviour | Analytics platform (Google Analytics, etc.) | Yes
IP address | Server logs, analytics platform | Yes (identifiable in context)
Payment card details | Payment processor (not your systems if using hosted checkout) | Yes (but primarily PCI DSS scope)
Cookie identifiers | Analytics and marketing platforms | Yes
Customer service conversation history | Support platform | Yes
Account login credentials | Platform database | Yes

The breadth of this list matters because each data type may have different lawful bases, different retention periods, and different disclosure requirements. Your GDPR compliance programme needs to account for the full picture, not just the most obvious data types.

Your Six Lawful Bases for Processing

GDPR requires that every processing activity you perform on personal data has a lawful basis. The six lawful bases are defined in Article 6 of the regulation. For ecommerce, three do most of the work and are covered below; a fourth, legal obligation, is what justifies keeping invoices and transaction records for tax purposes even after a customer has asked you to delete everything else.

Contractual Necessity

Processing is necessary for the performance of a contract with the customer, or to take steps at their request before entering into a contract.

For ecommerce, this covers: processing the order (name, address, order details, payment confirmation), managing the delivery (sharing address with fulfilment partner and carrier), handling returns and refunds, and responding to customer service enquiries about their orders.

You do not need separate consent for processing data that is genuinely necessary to fulfil an order. The contract provides the lawful basis.

Legitimate Interests

Processing is necessary for your legitimate business interests, provided those interests are not overridden by the customer's rights and interests.

For ecommerce, legitimate interests can cover: fraud prevention and security monitoring (a genuine business need that customers would expect), basic analytics to improve your service, suppressing unsubscribed email addresses (you need to remember who unsubscribed to avoid re-contacting them), and some customer satisfaction communications.

Legitimate interests require a documented balancing test: you must assess whether your legitimate interest is proportionate and not overridden by customer rights. It cannot be used as a catch-all to avoid obtaining consent.

Consent

The customer has given clear, specific, informed, and unambiguous consent for the processing activity.

For ecommerce, consent is the correct basis for: marketing emails and SMS (for customers who have not previously purchased from you), non-essential cookies and tracking, and profiling or personalisation that goes beyond what is necessary for the transaction.

Critical: GDPR consent requirements are strict. Pre-ticked boxes are not valid consent. Bundling marketing consent into the purchase T&Cs is not valid consent. Consent must be a clear, affirmative action - an unticked checkbox that the customer actively selects. And you must be able to demonstrate, if challenged, that valid consent was obtained for each processing activity it covers.

What GDPR Requires of Ecommerce Stores

Privacy Policy

You must have a clear, accessible privacy policy that explains: who you are and how to contact you, what personal data you collect, why you collect it (the lawful basis for each category), who you share it with, how long you keep it, and what rights customers have. The policy must be written in plain language, not legal jargon.

Review your current privacy policy against this list. Many ecommerce stores have generic privacy policy templates that do not accurately describe their actual data processing activities - mentioning platforms and tools they no longer use, failing to mention ones they do use, or describing data purposes in vague terms that do not meet GDPR's transparency requirements.

Marketing Consent Flows

If you send marketing emails or SMS messages, your consent capture must meet GDPR standards:

  • Unticked checkbox at checkout, clearly labelled (e.g. "I would like to receive offers and news by email")
  • Separate from the purchase T&Cs agreement
  • Opt-in, not opt-out
  • Record of when and how consent was obtained retained for compliance purposes

Pre-GDPR email lists built on opt-out or implied consent may not be valid for GDPR purposes. If your email list predates your GDPR consent upgrade, you may need to run a re-consent campaign before continuing to market to those contacts.
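The consent record described above is only worth keeping if it can later prove that the customer took a clear affirmative action. The following is an added example, not code from the original article: a checkout-side capture function that refuses the two invalid patterns called out in this section (a pre-ticked box, and consent that can only be inferred from the T&Cs) and otherwise stores who agreed to what wording, when, and where. The form field names (email, accepted_terms, marketing_checkbox_default, marketing_email_opt_in) and the wording version are assumptions.

```python
"""Capturing marketing consent that can be demonstrated later.

Added example, not code from the original article. The checkout form field
names (marketing_email_opt_in, marketing_checkbox_default, accepted_terms,
email) and the consent wording version are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed: consent wording is versioned so a record can show exactly what was agreed to.
CONSENT_TEXT_VERSION = "marketing-email-v3"
CONSENT_TEXT = "I would like to receive offers and news by email"


class InvalidConsentCapture(Exception):
    """The form design could not have produced valid GDPR consent."""


@dataclass(frozen=True)
class ConsentRecord:
    customer_email: str
    channel: str          # "email" here; an SMS flow would produce a separate record
    granted: bool         # False records an explicit decline, which is also worth keeping
    timestamp_utc: str
    source: str           # where in the journey it was captured, e.g. "checkout"
    text_version: str
    text_shown: str


def capture_marketing_consent(form: dict, source: str,
                              now: Optional[datetime] = None) -> ConsentRecord:
    """Validate a submitted checkout form and return an auditable consent record.

    Rejects the two failure patterns the article calls out: a pre-ticked box
    (no affirmative action) and consent bundled into the T&Cs (no separate field).
    """
    if form.get("marketing_checkbox_default") is not False:
        # A box rendered ticked, or a form that cannot say how it was rendered,
        # cannot evidence a clear affirmative action.
        raise InvalidConsentCapture("marketing checkbox must be rendered unticked")
    if "marketing_email_opt_in" not in form:
        # Only the T&Cs field exists, so any 'consent' would be inferred from the
        # purchase agreement: that is bundled consent and is not valid.
        raise InvalidConsentCapture("marketing consent must be a field separate from the T&Cs")
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return ConsentRecord(
        customer_email=form["email"].strip().lower(),
        channel="email",
        granted=bool(form["marketing_email_opt_in"]),
        timestamp_utc=ts,
        source=source,
        text_version=CONSENT_TEXT_VERSION,
        text_shown=CONSENT_TEXT,
    )


def latest_consent(records, email: str, channel: str = "email") -> bool:
    """Send-time check: the most recent record for this address and channel decides."""
    email = email.strip().lower()
    matching = [r for r in records if r.customer_email == email and r.channel == channel]
    if not matching:
        return False   # no record means no consent, never the other way round
    return max(matching, key=lambda r: r.timestamp_utc).granted


if __name__ == "__main__":
    # Constructed form submissions, not real customer data.
    good = {"email": "Ann@Example.com", "accepted_terms": True,
            "marketing_checkbox_default": False, "marketing_email_opt_in": True}
    print(capture_marketing_consent(good, source="checkout"))
    bundled = {"email": "bob@example.com", "accepted_terms": True,
               "marketing_checkbox_default": False}
    try:
        capture_marketing_consent(bundled, source="checkout")
    except InvalidConsentCapture as e:
        print("rejected:", e)
```

The record stores the wording version rather than relying on whatever the site currently displays, because the question a regulator asks is what the customer saw at the time, and an absent record is treated as no consent rather than as implied consent.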

Customer Data Rights

GDPR gives customers eight rights over their personal data (to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and rights in relation to automated decision-making). For ecommerce, the most commonly exercised are:

Right of access: A customer can request all personal data you hold about them. You must provide it in an intelligible, commonly used electronic form within one month (extendable by a further two months for complex or numerous requests, provided you tell the customer why within the first month). This includes their order history, account data, email marketing preferences, and any other data you hold.

Right to erasure ("right to be forgotten"): A customer can request that you delete their personal data. You must comply unless you have a legitimate reason to retain it (tax and legal retention obligations for transaction records, for example). Note: you can delete their account and personal details while retaining anonymised order records for financial compliance purposes.

Right to object to marketing: Any customer can opt out of marketing at any time. You must honour this immediately and maintain suppression records so they are not re-contacted.

Right to data portability: A customer can request their data in a machine-readable format (typically a structured file). This is most commonly exercised when a customer wants to move their data to another service.

You need an operational process for responding to each of these requests within the GDPR one-month timeframe.
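The access, erasure and objection rights above map onto three concrete operations on store data. The following is an added example, not code from the original article or from any ecommerce platform: a few constructed records stand in for the platform database, the order history and the marketing list, and the handlers show the three decisions that matter in practice: exporting everything held about one person in a machine-readable form, deleting personal details while keeping order records in anonymised form for the tax retention period, and keeping a hashed suppression entry so an erased or objecting customer is never re-contacted. The salt value and field names are assumptions.

```python
"""Access, erasure and marketing suppression against constructed store data.

Added example, not code from the original article. The record layouts,
field names and the suppression salt are assumptions.
"""
import hashlib
import json

# Constructed sample data standing in for the platform database - not real customers.
CUSTOMERS = {
    "c-1001": {"name": "Ann Example", "email": "ann@example.com",
               "phone": "+44 7700 900123", "address": "1 High St, Bristol"},
    "c-1002": {"name": "Bob Example", "email": "bob@example.com",
               "phone": "+44 7700 900456", "address": "2 Low St, Leeds"},
}
ORDERS = [
    {"order_id": "o-5001", "customer_id": "c-1001", "date": "2023-03-04",
     "total": 42.50, "vat": 7.08, "ship_to": "1 High St, Bristol"},
    {"order_id": "o-5002", "customer_id": "c-1002", "date": "2024-01-19",
     "total": 18.00, "vat": 3.00, "ship_to": "2 Low St, Leeds"},
]
MARKETING = {
    "ann@example.com": {"consented": True, "consent_date": "2023-03-04"},
    "bob@example.com": {"consented": True, "consent_date": "2024-01-19"},
}
SUPPRESSION = set()                 # hashed addresses that must never be contacted again
ORDER_PII_FIELDS = ("ship_to",)     # order fields that identify a person; totals and VAT are not PII
SUPPRESSION_SALT = "store-suppression-salt"   # assumption: a fixed, store-specific secret


def suppression_key(email: str) -> str:
    """Keyed hash so the suppression list can be matched without storing plaintext addresses.
    The salt must be fixed, or a later lookup could not match an earlier entry."""
    normalised = email.strip().lower()
    return hashlib.sha256(f"{SUPPRESSION_SALT}:{normalised}".encode()).hexdigest()


def handle_access_request(customer_id: str) -> str:
    """Right of access / portability: everything held about one person, as JSON."""
    cust = CUSTOMERS[customer_id]
    export = {
        "customer": cust,
        "orders": [o for o in ORDERS if o["customer_id"] == customer_id],
        "marketing": MARKETING.get(cust["email"]),
    }
    return json.dumps(export, indent=2, sort_keys=True)


def handle_erasure_request(customer_id: str) -> dict:
    """Right to erasure: remove personal details, keep anonymised order records
    for the statutory retention period, and add a suppression hash."""
    cust = CUSTOMERS.pop(customer_id)
    email = cust["email"]
    anonymised = 0
    for order in ORDERS:
        if order["customer_id"] == customer_id:
            order["customer_id"] = None          # break the link to the person
            for field in ORDER_PII_FIELDS:
                order.pop(field, None)           # strip identifying fields, keep financial ones
            anonymised += 1
    MARKETING.pop(email, None)                    # marketing profile goes entirely
    SUPPRESSION.add(suppression_key(email))       # but the address stays blocked
    return {"erased": True, "orders_anonymised": anonymised}


def handle_marketing_objection(email: str) -> None:
    """Right to object: stop immediately and remember the objection."""
    MARKETING.pop(email.strip().lower(), None)
    SUPPRESSION.add(suppression_key(email))


def may_email(email: str) -> bool:
    """Send-time gate: suppression wins over any consent record that may still exist."""
    if suppression_key(email) in SUPPRESSION:
        return False
    return MARKETING.get(email.strip().lower(), {}).get("consented", False)


if __name__ == "__main__":
    print(handle_access_request("c-1001"))
    print(handle_erasure_request("c-1001"))
    print("may email ann:", may_email("Ann@Example.com"))
    print("retained order record:", ORDERS[0])
```

The suppression hash is pseudonymised rather than anonymised data: it still relates to an individual, and that is the point, since the store needs to recognise the address if it is submitted again. What justifies keeping it is the objection itself, which is why the erasure handler adds it rather than clearing it.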

Third-Party Data Processing Agreements

Every third-party service that handles personal data purely on your instructions - your email marketing platform, your analytics tool, your fulfilment partner, your customer support software - is a data processor under GDPR, and Article 28 requires a written contract with each one, usually called a Data Processing Agreement (DPA). Some providers, notably payment processors and parcel carriers, act as independent controllers for at least part of what they do with the data, and their terms will say so; you still have to name them in your privacy policy, but the Article 28 contract is only required for genuine processors.

In practice, most major platforms provide standard DPAs or have GDPR-compliant terms built into their service agreements. Shopify, BigCommerce, Mailchimp, Klaviyo, and Google Analytics all provide DPAs. The practical action: check whether you have accepted or executed a DPA with each service that processes your customer data, and obtain or execute one for any that do not currently have one in place.

Breach Notification: The 72-Hour Rule

Under GDPR Article 33, if you experience a personal data breach - any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data - you must notify your data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If notification is later than 72 hours you must give reasons for the delay. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires you to tell the affected customers without undue delay.

72 hours is shorter than most store owners realise. A breach discovered on Friday afternoon and not reported until the following Tuesday is a GDPR compliance failure in itself, separate from the breach.

Your breach response plan must account for this timeline explicitly. See Ecommerce Data Breach Response Plan for a step-by-step playbook.

In the UK, the relevant authority is the Information Commissioner's Office (ICO). EU member states each have their own national Data Protection Authority (confusingly also abbreviated DPA, but not to be mistaken for the data processing agreements discussed above).

CCPA: The US Counterpart

The California Consumer Privacy Act (as amended by the CPRA) applies to for-profit businesses that collect personal information from California residents and meet at least one of three thresholds:

  • Annual gross revenue over $25 million (a figure adjusted periodically for inflation)
  • Annually buy, sell, or share the personal information of 100,000 or more California consumers or households
  • Derive 50% or more of annual revenue from selling or sharing consumers' personal information

Note that "consumer" here means a California resident, so the 100,000 figure counts Californians and Californian households, not all US customers, and an order count is not the right measure. It does, however, include people who never bought anything: if analytics or advertising cookies share visitor data with ad platforms, every California visitor whose data is shared counts. A store with substantial California web traffic can cross the threshold with nothing like 100,000 orders.

Key CCPA rights for consumers:

  • Right to know what personal data is collected about them
  • Right to delete their personal data (with similar exceptions to GDPR erasure)
  • Right to opt out of the "sale" of their personal data (note: CCPA has a broad definition of "sale" that can include sharing data with advertising platforms for targeted advertising)
  • Right to non-discrimination (a business cannot penalise a customer for exercising their CCPA rights)

Practical CCPA compliance steps:

  • Add a "Do Not Sell or Share My Personal Information" link to your website footer (required if you "sell" or "share" data under CCPA's definitions) and honour browser opt-out preference signals such as Global Privacy Control
  • Update your privacy policy to include CCPA-required disclosures
  • Establish a process for responding to consumer data requests
  • Review data sharing arrangements with advertising and analytics platforms against CCPA's definition of "sale"

A store with solid GDPR compliance is well positioned for CCPA - the practical requirements overlap significantly. The main additions are the "Do Not Sell" mechanism and the CCPA-specific privacy policy disclosures.

Practical GDPR Compliance Steps for Your Store

This is the action plan for stores that need to improve their GDPR compliance posture:

Step 1: Data audit.

Map all the personal data your store collects, where it lives, what processing activity you perform on it, and what lawful basis applies. This is the foundation of everything else - you cannot comply with requirements you have not mapped.

Step 2: Privacy policy update.

Rewrite your privacy policy to accurately describe your current data processing activities, clearly state lawful bases, and explain customer rights. This should reflect your actual stack, not a generic template.

Step 3: Consent flow review.

Check every place in your customer journey where you collect consent for marketing. Replace any pre-ticked boxes, bundled consents, or opt-out mechanisms with clear opt-in checkboxes. Capture and store consent records.

Step 4: Execute DPAs with processors.

List every third-party service with access to customer data. Confirm that a DPA or GDPR-compliant service agreement is in place for each. For any gaps, obtain the DPA from the provider's compliance documentation.

Step 5: Customer rights process.

Document how you would respond to a Subject Access Request, an erasure request, and an objection to marketing. Assign responsibility to a named individual. Test the process by simulating a request.

Step 6: Breach response plan.

Document your breach notification process with the 72-hour GDPR requirement in mind. Ensure the right people know what to do and how to reach the ICO or relevant national DPA. For the full breach response playbook, see Ecommerce Data Breach Response Plan.

Step 7: Ongoing monitoring.

Assign responsibility for GDPR compliance to a named individual. Schedule an annual review of your privacy policy, consent flows, and processor agreements to keep them current as your tech stack evolves.

Frequently Asked Questions

Does GDPR apply to my Shopify store if I am based in the US?

Yes, if you have customers in the UK or EU. GDPR applies based on where your customers are, not where your business is registered. If you actively sell to EU or UK customers - your store ships to those regions, your prices are in Euros or Pounds, or you market to those regions - GDPR applies to the personal data you collect from those customers. The practical implication is that you need a GDPR-compliant privacy policy, valid consent flows, and the ability to respond to UK/EU customer data rights requests on GDPR timelines.

What are the penalties for GDPR non-compliance?

GDPR provides for two tiers of fines: up to €10 million or 2% of annual global turnover for less serious infringements (record-keeping failures, processor agreement omissions), and up to €20 million or 4% of annual global turnover for more serious infringements (breaches of core principles, lack of valid consent, rights violations). In the UK, the ICO can impose fines up to £17.5 million or 4% of global turnover. However, regulators use fines proportionately - small businesses with genuine compliance efforts and limited harm face different outcomes than large businesses with systematic non-compliance. The practical risk for most ecommerce stores is not maximum fines but reputational damage from a high-profile enforcement action.

Do I need to appoint a Data Protection Officer?

Only some organisations are required to appoint a DPO: public authorities, organisations that carry out large-scale systematic monitoring of individuals, or organisations that process special category data (health, biometric, criminal) at scale. Most ecommerce stores do not meet these thresholds. However, designating someone within your team with responsibility for data protection compliance - even without the formal DPO title - is good practice and ensures someone owns the obligations.

Are cookie consent banners required under GDPR?

Cookie consent requirements actually derive from the ePrivacy Directive (PECR in the UK) rather than GDPR directly, but they work in conjunction. Non-essential cookies - analytics cookies, marketing cookies, third-party tracking - require prior consent. Essential cookies (session cookies, basket cookies, security cookies) do not require consent. A compliant cookie consent mechanism needs to: offer genuine choice (accept/reject), not use dark patterns (pre-selected options, misleading button design), and record consent. Most Shopify and BigCommerce themes include cookie consent functionality, but it needs to be properly configured to meet current standards.

How long can I keep customer data?

GDPR requires you not to keep personal data longer than necessary for the purpose for which it was collected. For ecommerce transaction data, most jurisdictions have tax and accounting record-keeping requirements that mandate retention for 6-7 years - this provides a lawful basis for retaining order records for that period. For marketing data (email preferences, consent records), there is no similar statutory retention requirement. Marketing contacts who have not engaged for a defined period (typically 12-24 months) should be reviewed - inactive contacts with no engagement provide no business value and increase your data holding liability. Implement a regular suppression and deletion process for inactive marketing contacts.
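The retention rules in this answer differ by data category: order records are kept for a fixed statutory period that runs from the end of the accounting period, marketing profiles are kept only while the contact is active, and suppression entries are kept indefinitely because they exist to honour an objection. The following is an added example, not code from the original article: a review function that applies those three rules to constructed sample data and reports what can be deleted now. The policy values (6 years, 24 months, a 31 March accounting year end) are assumptions; substitute the statutory period that applies to your business.

```python
"""Retention review across ecommerce data categories.

Added example, not code from the original article. The policy values
(ORDER_RETENTION_YEARS, INACTIVE_MARKETING_DAYS, ACCOUNTING_YEAR_END) and
the sample records are assumptions/constructed data.
"""
from datetime import date, timedelta

ORDER_RETENTION_YEARS = 6         # assumed statutory period for transaction records
INACTIVE_MARKETING_DAYS = 730     # assumed: 24 months with no engagement
ACCOUNTING_YEAR_END = (3, 31)     # assumed (month, day) of the accounting year end
REVIEW_DATE = date(2025, 6, 1)    # the day the sample review is run

# Constructed sample data - not real customers.
SAMPLE_ORDERS = [
    {"order_id": "o-1001", "date": date(2018, 2, 10)},   # period ended 2018-03-31
    {"order_id": "o-1002", "date": date(2019, 5, 10)},   # period ended 2020-03-31
    {"order_id": "o-1003", "date": date(2018, 11, 1)},   # period ended 2019-03-31
]
SAMPLE_CONTACTS = {
    "ann@example.com": {"last_engaged": date(2022, 1, 15)},
    "bob@example.com": {"last_engaged": date(2024, 11, 20)},
}
SAMPLE_SUPPRESSION = {"3c9a...", "f10b..."}   # constructed placeholder hashes


def accounting_period_end(d: date) -> date:
    """End of the accounting period that contains d."""
    fy_end = date(d.year, *ACCOUNTING_YEAR_END)
    return fy_end if d <= fy_end else date(d.year + 1, *ACCOUNTING_YEAR_END)


def order_retention_deadline(order_date: date) -> date:
    """Record-keeping periods run from the end of the period, not from the order date,
    so an order placed one day after the year end is kept almost a year longer."""
    end = accounting_period_end(order_date)
    return end.replace(year=end.year + ORDER_RETENTION_YEARS)


def retention_review(today: date, orders, contacts, suppression_hashes) -> dict:
    """Decide what loses its basis for retention on a given day.

    Orders past the statutory deadline no longer have a legal-obligation basis and
    can be deleted (or reduced to aggregate figures). Marketing profiles with no
    engagement inside the window no longer have a defensible legitimate-interest
    basis. Suppression hashes are never returned: they exist to honour objections
    and are kept for as long as the store sends marketing at all.
    """
    expired_orders = sorted(o["order_id"] for o in orders
                            if order_retention_deadline(o["date"]) < today)
    cutoff = today - timedelta(days=INACTIVE_MARKETING_DAYS)
    stale_contacts = sorted(email for email, c in contacts.items()
                            if c["last_engaged"] < cutoff)
    return {
        "delete_orders": expired_orders,
        "delete_marketing_profiles": stale_contacts,
        "keep_suppression_hashes": len(suppression_hashes),
    }


def run_sample_review() -> dict:
    """Run the review over the constructed data as of REVIEW_DATE."""
    return retention_review(REVIEW_DATE, SAMPLE_ORDERS, SAMPLE_CONTACTS, SAMPLE_SUPPRESSION)


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o["order_id"], "retain until", order_retention_deadline(o["date"]))
    print(run_sample_review())
```

Running the review on a schedule, rather than when someone remembers, is what turns the retention statement in the privacy policy into something the store can actually evidence.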
