Running an online shop means processing personal data at every stage of the customer journey — from the first page view to the final returns label. GDPR applies to all of it.
This guide covers the highest-risk areas for ecommerce businesses: order and delivery data, abandoned cart emails, retargeting pixels, email marketing consent, payment processors, customer deletion rights, product reviews, returns and fraud detection, age verification, international transfers, and data breach response.
Order and Delivery Data
Every completed order generates a rich personal data record: name, email, delivery address, payment reference, and order history. The lawful basis is contractual necessity (Article 6(1)(b)). Keep order records for VAT/tax compliance periods (typically 6-7 years), then delete. Every fulfilment warehouse, courier, and logistics provider must have a Data Processing Agreement (DPA) in place.
Abandoned Cart Emails: Consent vs Legitimate Interest
Abandoned cart emails are one of the most contested GDPR areas for ecommerce. Some argue a single timely reminder falls within legitimate interests — but under PECR, sending marketing emails to individuals requires prior consent unless the soft opt-in exemption applies. A guest checkout with no marketing opt-in does not satisfy the soft opt-in. The safest route: collect a separate marketing opt-in at checkout and limit abandoned cart sequences to subscribers.
Retargeting Pixels: Meta, Google, and Cookie Consent
Running Facebook Pixel, Google Ads tags, or TikTok Pixel requires prior, explicit, informed consent before the pixels fire. Your cookie consent banner must block all advertising pixels until the user actively accepts them, allow category-by-category acceptance, and record consent with a timestamp. Do not pre-tick advertising consent or use dark patterns.
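As an added illustration (not code from this guide or from any consent-management vendor), the gate below keeps each advertising or analytics loader unexecuted until the shopper accepts that category, treats any category not explicitly ticked as refused, and writes a timestamped consent record with the banner wording version. The names `createConsentGate`, `registerPixel`, `submitChoices` and the `bannerVersion` field are hypothetical; the pixel loaders are injected so the same logic runs in a browser or under Node.

```javascript
// Constructed example: consent gate for advertising/analytics tags.
// Loaders are plain functions (e.g. the snippet that injects a Meta or
// Google tag); they are only called once their category is accepted.
const CATEGORIES = ["necessary", "analytics", "advertising"];

function createConsentGate({ bannerVersion, now = () => new Date() }) {
  const state = { consent: null, records: [] }; // records = audit trail
  const pending = { analytics: [], advertising: [] };

  // Register a tag loader under a category. Nothing fires on registration
  // unless that category was already accepted earlier in the session.
  function registerPixel(category, loader) {
    if (!(category in pending)) throw new Error(`unknown category: ${category}`);
    if (state.consent && state.consent[category]) {
      loader();
    } else {
      pending[category].push(loader);
    }
  }

  // Record the shopper's explicit per-category choice. No pre-ticking:
  // a category absent from `choices` (or not exactly true) is refused.
  function submitChoices(choices) {
    const consent = { necessary: true };
    for (const c of CATEGORIES.slice(1)) consent[c] = choices[c] === true;
    state.consent = consent;
    state.records.push({
      timestamp: now().toISOString(), // when consent was given
      bannerVersion,                  // which wording the shopper saw
      consent: { ...consent },        // exactly what was accepted
    });
    // Fire only the loaders whose category was accepted; refused ones stay queued.
    for (const c of ["analytics", "advertising"]) {
      if (consent[c]) pending[c].splice(0).forEach((load) => load());
    }
    return consent;
  }

  // Copy of the consent history, e.g. for export on a subject access request.
  function consentRecords() {
    return state.records.map((r) => ({ ...r, consent: { ...r.consent } }));
  }

  return { registerPixel, submitChoices, consentRecords };
}
```

Tags that have already been injected cannot be "unloaded" by withdrawing consent; withdrawal must also stop future loads and be recorded the same way.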
Email Marketing and Double Opt-In
Consent must be freely given, specific, informed, and unambiguous. Double opt-in is strongly recommended — it provides clear evidence of consent and helps demonstrate compliance. Maintain a consent record for every subscriber including timestamp, form version, and consent wording.
Payment Processors and Shipping Partners
Stripe and PayPal typically act as independent data controllers for their own fraud and compliance purposes — disclose this in your privacy policy. Couriers and fulfilment providers are your data processors and require DPAs. If they transfer data outside the UK/EEA, your DPA must include Standard Contractual Clauses.
Customer Deletion Rights
GDPR's right to erasure means customers can request account deletion. Delete all data not required for legal retention purposes, retain order records for the required period, remove them from marketing lists immediately, and confirm deletion in writing. Make the process easy — the ICO has taken a dim view of organisations that make erasure deliberately difficult.
Fraud Detection and Automated Decision-Making
If you use automated fraud scoring to decline orders without human review, you may be engaging in automated decision-making under Article 22. Where decisions have a significant effect on individuals, you must inform customers, give them the right to human review, and explain the logic in your privacy policy.
International Transfers
Shipping internationally means transferring customer data to countries outside the UK/EEA. Ensure your DPAs with international fulfilment partners include adequate safeguards — typically Standard Contractual Clauses.
Data Breach Response
Notify the ICO within 72 hours of becoming aware of a breach posing risk to individuals. Notify affected customers where there is high risk to their rights and freedoms. Document every breach and your response, even if you decide not to notify.
Scan your ecommerce store for compliance gaps at https://app.custodia-privacy.com/scan — free, no signup required, results in 60 seconds.