How to Fix GDPR for E-commerce
Ecommerce GDPR compliance touches many surfaces: cookie consent at landing, customer data at signup, marketing data collection, checkout flow, data retention policies. Each surface has its own compliance requirements. This guide covers ecommerce-specific GDPR; pair it with the general GDPR guide.
Step-by-step: How to fix GDPR for ecommerce
- Implement cookie consent banner. Visitors from EU need explicit consent before non-essential cookies fire. Tools: OneTrust, Cookiebot, Iubenda — managed consent platforms. Set up: categorise cookies (essential, analytics, marketing), block until consent, log consent records.
- Audit current data collection. Map every data point you collect: at landing (IP, device), at signup (name, email, phone), at checkout (payment, address), via cookies (analytics, advertising), via marketing tools. Each needs lawful basis.
- Minimise data collection at checkout. Only collect what's needed. 'Date of birth' for age-restricted products: needed. 'Date of birth' for general retail: not needed, remove. Less data = less compliance burden, less breach risk, better conversion.
- Document lawful basis. Each data category needs lawful basis: consent (cookies, marketing), contract (checkout to fulfil order), legitimate interest (fraud prevention), legal obligation (tax records). Document; train team.
- Build user rights workflow. Users can request: access (copy of data), portability (machine-readable export), erasure (delete data), restriction (stop processing), objection (opt-out of certain processing). 30-day response window. Document the process and train the team.
- Set data retention policies. Customer account data: keep while account active + reasonable retention after. Marketing data: until opt-out. Order data: 6+ years for tax (UK), varies by jurisdiction. Document retention periods; enforce automated deletion.
- Plan breach response. If a data breach occurs: notify the ICO (UK) or the relevant DPA (EU) within 72 hours, and notify affected users if the breach poses a high risk to their rights. Document the breach response plan before it is needed. Test annually.
Frequently Asked Questions
Best GDPR cookie consent tools for ecommerce?
Cookiebot — comprehensive, $11+/month based on traffic. OneTrust — enterprise, more expensive. Iubenda — affordable, multi-jurisdiction. Termly — simple. Most ecommerce: Cookiebot or Iubenda at $20-50/month. Free options exist but limited features.
Do I need GDPR compliance if I'm a non-EU ecommerce site?
If you sell to EU customers: yes. GDPR applies to processing of EU residents' data regardless of business location. Plus: CCPA (California), other regional regulations have similar requirements. Most modern ecommerce: implement GDPR-level practices as baseline.
Customer account deletion — what data must I delete?
Personal data: name, email, address, phone, payment details (anonymise from records). Order data: typically retain for tax/legal compliance (6 years UK) but anonymise where possible (remove customer identifiers, keep transaction record). Communications: delete. Marketing data: delete.
How long can I keep customer data?
Active customers: while relationship continues. Inactive customers: defined retention period in privacy policy (e.g., 3 years from last interaction). Order records: tax/legal retention (6 years UK). Specify in privacy policy; enforce automatically.
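The erasure and retention rules above (the user rights and data retention steps of the procedure, and the two FAQ answers on deletion and retention) as an added Python example; this is not code from the guide, and the Customer/Order model, the 3-year and 6-year periods, and the sample records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVE_RETENTION = timedelta(days=3 * 365)   # 3 years from last interaction (guide's example)
ORDER_RETENTION = timedelta(days=6 * 365)      # 6 years of order records (UK tax, guide's example)

@dataclass
class Customer:          # hypothetical account record; comms and marketing data hang off it
    id: int
    name: str
    email: str
    last_interaction: date

@dataclass
class Order:             # hypothetical order record
    id: int
    customer_id: int | None
    shipping_address: str | None
    total_pence: int
    placed_on: date

def erase_customer(customer_id: int, orders: list[Order], today: date) -> list[Order]:
    """Erasure request: anonymise orders still under tax retention, delete older ones.
    The caller then drops the Customer record (name, email, comms, marketing data)."""
    kept = []
    for o in orders:
        if o.customer_id != customer_id:
            kept.append(o)
        elif today - o.placed_on < ORDER_RETENTION:
            o.customer_id = o.shipping_address = None   # remove identifiers, keep the transaction
            kept.append(o)
        # orders past the retention period fall through and are deleted outright
    return kept

def enforce_retention(customers, orders, today):
    """Scheduled job: erase every customer inactive beyond the policy period."""
    expired = [c for c in customers if today - c.last_interaction >= INACTIVE_RETENTION]
    for c in expired:
        orders = erase_customer(c.id, orders, today)
    return [c for c in customers if c not in expired], orders

def sample_store():
    """Constructed sample data: Ann inactive since 2021, Bob active."""
    customers = [Customer(1, "Ann", "ann@example.com", date(2021, 6, 1)),
                 Customer(2, "Bob", "bob@example.com", date(2024, 12, 1))]
    orders = [Order(10, 1, "1 High St", 1999, date(2024, 3, 1)),   # within 6 years
              Order(11, 1, "1 High St", 500, date(2018, 1, 1)),    # older than 6 years
              Order(12, 2, "2 Low St", 100, date(2024, 12, 1))]
    return customers, orders
```

Run `enforce_retention(*sample_store(), date(2025, 1, 1))` from a scheduled job: Ann's account is dropped, her 2024 order survives without identifiers, her 2018 order is deleted, and Bob's data is untouched.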
Best tools for GDPR data subject request handling?
Manual workflow via privacy-focused email + spreadsheet for small ecommerce. Tools: OneTrust (enterprise), Osano, Securiti. For most ecommerce: defined process + manual handling sufficient at moderate scale; tooling helps at high request volume.