DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Shopify and WooCommerce: Cookie Consent, Email Marketing and Ecommerce Compliance

Category: Industry Guides
Date: March 2026
Read time: 10 min read

If you run a Shopify or WooCommerce store and sell to customers in the EU or UK, GDPR applies to you — regardless of where your business is based. Online stores collect a significant amount of personal data: names, addresses, payment details, browsing behaviour, abandoned cart activity, and email marketing engagement. Handling all of this correctly is not optional.

This guide covers the most important GDPR requirements for ecommerce stores in plain language, including cookie consent, email marketing, pixel tracking, customer data rights, third-party apps, and what to do when things go wrong.


Customer Order Data and Lawful Basis

When a customer places an order, you collect personal data including name, email address, delivery address, phone number, and order history. The lawful basis for processing this data is contract performance — you need it to fulfil the order, handle returns, and deal with customer service queries.

You do not need to ask for separate consent to process order data. However, you must be clear in your privacy policy about what you collect, how long you retain it, and who you share it with (couriers, payment processors, fulfilment centres).

What you cannot do is use order data as a backdoor to opt customers into email marketing. Completing a purchase is not the same as consenting to receive promotional emails.


Cookie Consent Banners on Shopify and WooCommerce

Both platforms load third-party cookies and tracking scripts by default. This is where many stores fall foul of GDPR.

On Shopify, the platform includes a basic cookie consent banner, but it does not block tracking scripts from loading before consent is given. For genuine GDPR compliance you need a consent management platform (CMP) that:

  • Blocks all non-essential scripts until the visitor actively accepts
  • Records consent with a timestamp and version
  • Allows visitors to withdraw or change their consent at any time
  • Distinguishes between categories (analytics, marketing, functional)

On WooCommerce, the situation is similar. WordPress sites typically run Google Analytics, Facebook Pixel, and other scripts via plugins that do not respect consent by default. You need a CMP plugin that can conditionally load scripts only after consent.

Pre-ticked boxes, implied consent ("by continuing to use this site..."), and cookie walls (blocking access unless cookies are accepted) are all non-compliant under GDPR.

You can use Custodia to scan your store and see exactly which trackers are loading before consent — including scripts you may not realise are active.


Email Marketing Consent: Klaviyo, Mailchimp and GDPR

For EU and UK customers, you must have explicit prior consent before sending marketing emails. This means:

  • An unchecked opt-in checkbox at checkout or signup
  • Clear wording: "Yes, I'd like to receive offers and updates from [Store Name]"
  • A record of when and how consent was given

Pre-ticked checkboxes and opt-in language buried in your terms and conditions are not valid consent.

Klaviyo and Mailchimp both allow you to collect and store consent records. Make sure your integration passes the consent timestamp and source to your ESP (email service provider). This is important because if a customer raises a complaint or requests erasure, you need to demonstrate exactly when and how they consented.

Soft Opt-In for Existing Customers

GDPR's "soft opt-in" rule (technically a PECR provision in the UK and an equivalent principle across the EU) allows you to send marketing emails to existing customers for similar products or services without fresh consent — provided:

  • They were given a clear opportunity to opt out at the time of purchase
  • They haven't since opted out
  • You only contact them about similar products

This is a narrow exception. If your store sells both fashion and electronics, a customer who bought a jacket does not have soft opt-in for electronics promotions. Use it carefully and document your reasoning.


Abandoned Cart Emails and Consent

Abandoned cart emails are a high-revenue tactic for ecommerce, but they sit in a grey area under GDPR.

If a visitor has explicitly consented to marketing emails, sending an abandoned cart email is fine. If they haven't — for example, they're a returning visitor who added items to their cart without being logged in — you generally cannot send them a chaser email based purely on cart activity.

Some platforms try to capture the email mid-checkout before the purchase is complete. Whether this is permissible depends on whether the customer was clearly informed that doing so would result in marketing emails. Vague "save your cart" wording without explicit consent language is risky.

The safest approach: only send abandoned cart emails to customers who have opted into marketing emails, or to logged-in customers who purchased previously and fall within the soft opt-in rules.
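The three routes above (explicit opt-in, the narrow soft opt-in for existing customers, and "otherwise, don't send") are easier to apply consistently when they live in one decision function that the send pipeline calls before every marketing or abandoned-cart email. The following is an added example, not code from Klaviyo, Mailchimp, Shopify or Custodia; the customer record shape, the `maySendEmail` function and the 365-day window for "existing customer" are assumptions for the demo, and the customers are constructed sample data.

```javascript
// Added example: a single "may we send this email?" decision with a logged basis.
// Field names and SIMILAR_WINDOW_DAYS are assumptions, not a platform's API.

const SIMILAR_WINDOW_DAYS = 365; // hypothetical: how long a purchase keeps someone an "existing customer"
const DAY = 86400000;

function daysBetween(a, b) {
  return Math.abs(b - a) / DAY;
}

// A consent record is only evidence if it says when and how it was given and
// has not been withdrawn since.
function hasExplicitConsent(customer) {
  const c = customer.marketingConsent;
  return Boolean(c && c.given === true && c.timestamp && c.source && !c.withdrawnAt);
}

// Soft opt-in: opt-out was offered at purchase, they have not opted out since,
// and the email is about products similar to what they actually bought.
function softOptInApplies(customer, emailCategory, now) {
  if (customer.optedOut) return false;
  return customer.orders.some(
    (o) =>
      o.optOutOffered === true &&
      o.category === emailCategory &&
      daysBetween(new Date(o.placedAt), now) <= SIMILAR_WINDOW_DAYS
  );
}

// Returns { allow, basis } so the reason can be stored next to the send;
// that record is what you produce if a complaint arrives later.
function maySendEmail(customer, email, now = new Date()) {
  if (customer.optedOut) return { allow: false, basis: "customer opted out" };
  if (hasExplicitConsent(customer)) return { allow: true, basis: "explicit consent" };

  if (email.kind === "abandoned-cart") {
    // Without an opt-in, only a logged-in previous purchaser inside the soft opt-in rules.
    if (customer.loggedIn && softOptInApplies(customer, email.category, now)) {
      return { allow: true, basis: "soft opt-in (previous purchaser, similar products)" };
    }
    return { allow: false, basis: "cart activity alone is not consent" };
  }

  if (softOptInApplies(customer, email.category, now)) {
    return { allow: true, basis: "soft opt-in" };
  }
  return { allow: false, basis: "no consent and soft opt-in does not apply" };
}

// Constructed sample customers (not real data).
const NOW = new Date("2026-03-15T09:00:00Z");

const subscriber = {
  email: "anna@example.com", loggedIn: true, optedOut: false,
  marketingConsent: { given: true, timestamp: "2026-01-10T12:00:00Z", source: "checkout-checkbox" },
  orders: [],
};

const jacketBuyer = {
  email: "ben@example.com", loggedIn: true, optedOut: false,
  marketingConsent: null,
  orders: [{ id: "1001", category: "fashion", optOutOffered: true, placedAt: "2025-11-20T08:00:00Z" }],
};

const guestWithCart = {
  email: "guest@example.com", loggedIn: false, optedOut: false,
  marketingConsent: null,
  orders: [],
};

// Example run: the jacket buyer may get fashion offers and a fashion cart
// reminder, but not electronics promotions; the guest gets nothing.
console.log(maySendEmail(jacketBuyer, { kind: "promo", category: "fashion" }, NOW));
console.log(maySendEmail(jacketBuyer, { kind: "promo", category: "electronics" }, NOW));
console.log(maySendEmail(guestWithCart, { kind: "abandoned-cart", category: "fashion" }, NOW));
```

The `basis` string is deliberately part of the return value: logging it alongside each send gives you the "when and how" evidence the guide says you need to demonstrate.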


Pixel Tracking: Meta Pixel and Google Analytics GA4

Meta Pixel (formerly Facebook Pixel) and Google Analytics GA4 are both analytics and advertising tools that collect personal data. Under GDPR, both require consent before loading — they cannot be treated as "strictly necessary."

Meta Pixel tracks page views, add-to-cart events, purchases, and custom conversion events. It sends this data to Meta's servers, which use it for ad targeting and lookalike audiences. Without prior consent, this is illegal under GDPR.

Google Analytics GA4 collects IP addresses, device fingerprints, session data, and behavioural information. Even with IP anonymisation enabled, GA4 is considered personal data processing under GDPR. You need either consent or a legitimate interest assessment (which is difficult to justify for advertising purposes).

Your cookie consent banner must block both of these tools from loading until the visitor actively accepts analytics or marketing cookies. Many stores using Shopify's default setup are unknowingly running unconsented tracking on every visitor.
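The CMP behaviour described in the cookie consent section (block non-essential scripts until an active choice, record consent with a timestamp and version, allow withdrawal, distinguish categories) and the requirement just above that GA4 and Meta Pixel never load before consent come down to the same small piece of logic. The block below is an added example, not Shopify, WooCommerce or Custodia code, and not a real CMP: it gates a tag registry by consent category and keeps an auditable record. The storage and script-loader are injected so the logic can run outside a browser; in a store you would pass `window.localStorage` and a function that appends a `<script>` element. The `ConsentManager` class, the tag registry, the `G-EXAMPLE` measurement id and the policy version string are all assumptions.

```javascript
// Added example: category-gated tag loading with a versioned consent record.
// Not a production CMP; names below are hypothetical.

const CONSENT_VERSION = "2026-03-policy-v3"; // bump whenever the cookie policy changes

// Which consent category each tracker needs. GA4 and Meta Pixel are analytics
// and marketing respectively; neither may be treated as "essential".
const TAGS = {
  ga4: { category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" }, // placeholder id
  metaPixel: { category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
  sessionCart: { category: "essential", src: "/assets/cart.js" }, // constructed first-party script
};

class ConsentManager {
  constructor({ storage, loadScript, now = () => new Date() }) {
    this.storage = storage;       // { getItem(key), setItem(key, value) } like window.localStorage
    this.loadScript = loadScript; // (name, src) => void, e.g. appends a <script> element
    this.now = now;
    this.loaded = new Set();
  }

  // The stored record, or null if absent or given under an older policy
  // version: stale consent must be asked for again, never assumed.
  current() {
    const raw = this.storage.getItem("consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === CONSENT_VERSION ? rec : null;
  }

  // Record an explicit choice. Anything not ticked is false; "reject all" is a
  // valid, recorded choice too. `source` says how consent was given.
  record(categories, source) {
    const rec = {
      version: CONSENT_VERSION,
      timestamp: this.now().toISOString(),
      source, // e.g. "banner-accept-selected" or "preferences-page"
      categories: {
        analytics: categories.analytics === true,
        marketing: categories.marketing === true,
        functional: categories.functional === true,
      },
    };
    this.storage.setItem("consent", JSON.stringify(rec));
    this.applyTags();
    return rec;
  }

  // Withdrawal is a new record with everything unticked. Scripts already in the
  // page stay until reload, so the caller should also clear the trackers'
  // cookies and reload (not modelled here).
  withdraw(source = "withdraw") {
    return this.record({}, source);
  }

  allowed(name) {
    const tag = TAGS[name];
    if (!tag) throw new Error(`unknown tag ${name}`);
    if (tag.category === "essential") return true;
    const rec = this.current();
    return rec !== null && rec.categories[tag.category] === true;
  }

  // Load every allowed tag that has not been loaded yet; returns the names
  // loaded on this call so the caller can see what actually ran.
  applyTags() {
    const loadedNow = [];
    for (const [name, tag] of Object.entries(TAGS)) {
      if (this.loaded.has(name) || !this.allowed(name)) continue;
      this.loadScript(name, tag.src);
      this.loaded.add(name);
      loadedNow.push(name);
    }
    return loadedNow;
  }
}

// In-memory stand-in for window.localStorage (for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Example run: before any choice only the essential script loads; after the
// visitor ticks analytics only, GA4 loads and Meta Pixel still does not.
const cm = new ConsentManager({ storage: memoryStorage(), loadScript: (n, s) => console.log("load", n, s) });
console.log(cm.applyTags());                          // ["sessionCart"]
console.log(cm.record({ analytics: true }, "banner")); // record with timestamp and version
console.log([...cm.loaded]);                          // ["sessionCart", "ga4"]
```

The version check in `current()` is the part most banners get wrong: when the policy or the list of trackers changes, consent given under the old version should fall back to "no consent" and the banner should reappear, rather than carrying over.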


Customer Account Data and Right to Erasure

GDPR gives customers the right to request deletion of their personal data — known as the right to erasure or the "right to be forgotten." For ecommerce stores, this creates a tension: customers have the right to erasure, but you have legal obligations to retain certain records (particularly financial and tax records).

What you must erase on request:

  • Marketing preferences and email consent records (once fulfilled)
  • Browsing and behavioural data
  • Account profile information beyond what's legally required

What you can retain despite an erasure request:

  • Order records for tax and accounting purposes (typically 6–7 years depending on jurisdiction)
  • Data needed for fraud investigation or legal claims

Document your erasure process. When you receive a request, you have 30 days to respond and action it. If you use Shopify or WooCommerce, check how your platform handles deletion — Shopify has a customer redaction webhook for apps, and WooCommerce allows anonymisation of order data.


Third-Party Apps and DPAs in the Shopify App Store

Every third-party app you install on your Shopify or WooCommerce store is a potential data processor. Under GDPR, you are responsible for ensuring your processors handle data appropriately.

This means:

  • Reviewing the privacy practices of each app you install
  • Checking that the app provider has signed a Data Processing Agreement (DPA) with Shopify or with you directly
  • Ensuring apps don't export customer data to countries without adequate data protections (or that appropriate safeguards like SCCs are in place)

Shopify maintains a list of apps that have completed its data protection requirements, but this does not replace your own due diligence. When you add a new app that accesses customer data, you should ask the vendor for a DPA if one isn't already publicly available.

Custodia can help you identify which third-party scripts and services are active on your store and flag those that may need DPAs or additional review.


International Sales and EU Customer Rights

If you sell internationally and have EU or UK customers, GDPR applies to those transactions regardless of your company's location. The key rights EU customers have under GDPR are:

  • Right of access — to know what data you hold about them
  • Right to rectification — to correct inaccurate data
  • Right to erasure — to have their data deleted (with the exceptions noted above)
  • Right to restrict processing — to limit how you use their data
  • Right to data portability — to receive their data in a machine-readable format
  • Right to object — particularly to direct marketing

Your privacy policy must explain how customers can exercise these rights and give a response timeframe (30 days is the standard). If your store is using Shopify's built-in customer accounts, make sure your process for handling these requests is documented.


Payment Processor Data: Stripe and PayPal as Separate Controllers

One area that often confuses store owners is the role of payment processors. When a customer pays via Stripe or PayPal, those processors collect their own data — card details, fraud signals, transaction records — and they process this as independent data controllers, not as your processors.

This means:

  • You are not responsible for how Stripe or PayPal process payment data
  • But you do need to disclose in your privacy policy that payment data is handled by these third parties
  • You should not store raw card data yourself

Stripe and PayPal each publish their own privacy policies which apply to the data they collect. Your job is to make customers aware of who is processing their payment information and link to those policies.


Data Breaches for Online Stores

Ecommerce stores are common targets for cyberattacks — particularly Magecart-style attacks that inject card-skimming scripts into checkout pages. Under GDPR, a personal data breach must be reported to your supervisory authority within 72 hours of becoming aware of it, if it's likely to result in a risk to individuals.

A breach that exposes customer names, email addresses, or order histories would typically require notification. A breach that exposes payment card data is high risk and would likely also require you to notify the affected customers directly.

Steps to take now:

  • Implement security monitoring for your store
  • Regularly audit the scripts running on your checkout page
  • Ensure your hosting environment is patched and up to date
  • Document your breach response procedure so you can act within 72 hours if needed

Subject Access Requests from Customers

Any customer can submit a Subject Access Request (SAR) asking for a copy of all the personal data you hold about them. You have 30 days to respond, and you cannot charge a fee for this in most circumstances.

For ecommerce stores, a SAR typically involves compiling:

  • Order history and delivery addresses
  • Account information and preferences
  • Email marketing consent records and engagement history
  • Customer service communications
  • Any profiling or segmentation data

If you use Klaviyo, Mailchimp, Zendesk, Gorgias, or other tools that hold customer data, you'll need to check each system. Document your process and keep records of each SAR you receive and how you responded.


Privacy Policy Requirements for Ecommerce

Your privacy policy must be accessible from every page of your store (typically in the footer) and must clearly explain:

  • What personal data you collect and why
  • The legal basis for each type of processing
  • Who you share data with (couriers, payment processors, marketing tools, analytics)
  • How long you retain data
  • Customer rights under GDPR and how to exercise them
  • How to contact you for privacy queries
  • Whether you transfer data outside the EEA and what safeguards are in place
  • Your cookie policy or a link to it

A generic template is better than nothing, but a privacy policy that reflects what your store actually does is significantly more credible — and more defensible if questioned by a regulator. Custodia generates privacy policies based on a live scan of your store, so the content reflects your actual data practices rather than a best-guess template.


Retention of Order Records

You have competing obligations on data retention. GDPR says you should not keep personal data longer than necessary. Tax and accounting law typically requires you to keep financial records for 6–7 years (7 years in the UK, 6 years in many EU states).

The practical resolution:

  • Retain order records (name, address, items, value) for as long as your legal obligation requires
  • Anonymise or delete data that isn't needed for legal compliance — for example, email marketing history beyond a reasonable period
  • Document your retention policy so you can demonstrate it's applied consistently

A data retention policy doesn't need to be complex. A simple table mapping each data type to its retention period and legal basis is sufficient for most small stores.
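The retention table described above, and the erasure process from the earlier "Customer Account Data and Right to Erasure" section, are two uses of the same rules: an erasure request has to respect the statutory retention period for order records (anonymise rather than delete), while a periodic sweep deletes whatever has outlived its period. The block below is an added example, not Shopify or WooCommerce code. The table entries, the 7-year order period (the guide's UK figure; check your own jurisdiction), the record field names and the `applyErasureRequest`, `retentionSweep` and `responseDeadline` functions are assumptions for the demo; the records are constructed sample data.

```javascript
// Added example: a retention schedule as data, applied by an erasure routine
// and a periodic sweep. Periods and field names are assumptions.

const DAY = 86400000;

// The "simple table" from the guide: data type -> retention period -> legal basis.
const RETENTION = [
  { type: "order",       days: 7 * 365, basis: "legal obligation (tax/accounting)" },
  { type: "marketing",   days: 2 * 365, basis: "consent" },
  { type: "behavioural", days: 90,      basis: "consent" },
  { type: "support",     days: 3 * 365, basis: "legitimate interest (disputes)" },
];

function ruleFor(type) {
  const r = RETENTION.find((x) => x.type === type);
  if (!r) throw new Error(`no retention rule for ${type}`); // every data type must be in the table
  return r;
}

function daysSince(iso, now) {
  return (now - new Date(iso)) / DAY;
}

function expired(record, now) {
  return daysSince(record.createdAt, now) > ruleFor(record.type).days;
}

// The guide's 30-day response window for erasure requests and SARs.
function responseDeadline(receivedAtIso) {
  return new Date(new Date(receivedAtIso).getTime() + 30 * DAY).toISOString();
}

// Keep the financial facts an accountant or tax authority needs; strip every
// field that identifies the person.
function anonymiseOrder(order, now) {
  const { name, email, address, phone, ...financial } = order;
  return { ...financial, customerRef: "erased", anonymisedAt: now.toISOString() };
}

// Apply an erasure request to everything held about one customer. Returns what
// remains and a per-record log of the decision, which is the documentation
// you keep to show the process was applied consistently.
function applyErasureRequest(records, now) {
  const kept = [];
  const log = [];
  for (const r of records) {
    const rule = ruleFor(r.type);
    const mustRetain = rule.basis.startsWith("legal obligation") && !expired(r, now);
    if (mustRetain) {
      kept.push(anonymiseOrder(r, now));
      log.push({ id: r.id, action: "anonymised", reason: `${rule.basis}, ${rule.days} days` });
    } else {
      log.push({ id: r.id, action: "deleted", reason: `no obligation to retain (${rule.basis})` });
    }
  }
  return { kept, log };
}

// Scheduled job: drop every record that has outlived its retention period.
function retentionSweep(records, now) {
  return records.filter((r) => !expired(r, now));
}

// Constructed sample data for one customer (not real).
const NOW = new Date("2026-03-15T09:00:00Z");
const SAMPLE = [
  { type: "order", id: "ORD-2020", createdAt: "2020-01-15T10:00:00Z", name: "Anna Example", email: "anna@example.com", address: "1 Example Street", items: ["jacket"], total: 89.0, currency: "EUR" },
  { type: "order", id: "ORD-2018", createdAt: "2018-06-01T10:00:00Z", name: "Anna Example", email: "anna@example.com", address: "1 Example Street", items: ["scarf"], total: 25.0, currency: "EUR" },
  { type: "marketing", id: "MKT-1", createdAt: "2024-01-10T12:00:00Z", email: "anna@example.com", consentSource: "checkout-checkbox" },
  { type: "behavioural", id: "BEH-1", createdAt: "2026-02-01T08:00:00Z", pagesViewed: 12 },
];

// Example run: the 2020 order is anonymised (still inside its 7-year period),
// the 2018 order and all non-order data are deleted.
console.log(applyErasureRequest(SAMPLE, NOW).log);
console.log(retentionSweep(SAMPLE, NOW).map((r) => r.id)); // ["ORD-2020", "BEH-1"]
```

Because `ruleFor` throws on an unknown data type, adding a new kind of record to the store without adding it to the table fails loudly, which is the behaviour you want from a retention policy that is supposed to be applied consistently.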


Practical Ecommerce GDPR Compliance Checklist

Use this checklist to assess your store's current position:

Cookie consent and tracking

  • Cookie consent banner blocks non-essential scripts before consent
  • Consent is granular — visitors can accept analytics without marketing cookies
  • Meta Pixel and Google Analytics only load after consent
  • Consent records are stored with timestamps

Email marketing

  • Explicit opt-in checkbox at checkout (unchecked by default)
  • Consent records show when and how each subscriber opted in
  • Unsubscribe link in every marketing email
  • Suppression list applied before each send

Customer data rights

  • Privacy policy explains all customer rights and how to exercise them
  • Process documented for handling SARs within 30 days
  • Process documented for handling erasure requests
  • Order data anonymisation process available for post-obligation-period records

Third-party apps and processors

  • DPAs in place for all apps that access customer data
  • Data transfers outside EEA reviewed and documented
  • Payment processor data handling disclosed in privacy policy

Security and breach response

  • Breach notification procedure documented
  • Security monitoring in place for checkout and account pages
  • Staff aware of 72-hour reporting obligation

Privacy policy

  • Accessible from every page
  • Covers all data types your store processes
  • Includes cookie information or links to cookie policy
  • Up to date with all active third-party integrations

Running a GDPR-compliant ecommerce store is achievable without a legal team. The biggest risks — unconsented pixel tracking, invalid email marketing consent, and inadequate privacy policies — are all fixable with the right tools and processes.

Scan your store for free at https://app.custodia-privacy.com/scan to see exactly which trackers are loading, what data is being collected, and where your compliance gaps are. Results in 60 seconds.
