GDPR for Subscription E-Commerce: Recurring Billing, Customer Profiles, and Cancellation Data
Subscription e-commerce companies hold some of the deepest customer profiles in retail. You know what someone buys every month, how their tastes shift over time, when they paused their subscription, why they cancelled, and whether they came back. That data is commercially valuable — and it is also personal data under GDPR, subject to the same lawful basis, transparency, and data subject rights obligations as any other personal information.
The difference from one-off e-commerce is significant. A single purchase creates a transaction record. A subscription creates an ongoing relationship that generates data continuously. Every renewal, every address change, every product swap, every "skip this month" click is a data point. Understanding your GDPR obligations across the full subscription lifecycle is not optional — it is the foundation of running a subscription business in Europe.
Why Subscription E-Commerce Is Different Under GDPR
One-off e-commerce is relatively straightforward: customer makes a purchase, you process the order, you retain the transaction record for tax purposes, and your GDPR obligations are largely limited to that purchase relationship.
Subscription e-commerce is more complex:
- You process payment data repeatedly on a recurring schedule, which requires maintaining tokenised payment credentials rather than just a transaction record
- You build longitudinal customer profiles — preferences, purchase history, behavioural data — that grow more detailed over time
- You maintain a consent and communication relationship that extends beyond any individual transaction
- You hold data about why customers left (cancellation reasons, churn surveys) which raises specific questions about secondary use
- You may profile subscribers for personalisation and targeting that goes beyond what customers expect from a "product delivery" relationship
Each of these creates GDPR obligations that one-off e-commerce companies do not face.
Recurring Billing: Tokenisation, PCI-DSS, and GDPR
When a customer provides payment details for a subscription, they expect their card to be charged automatically at each renewal. To make this work, you need to store something that allows future charges — and this is where tokenisation becomes essential.
What tokenisation means: Rather than storing the raw card number (which would create PCI-DSS obligations to protect raw payment data), your payment processor (Stripe, Braintree, Adyen) stores the actual card data and returns a token — a reference string that only works with that processor. You store the token.
GDPR implications:
- The token itself is personal data — it relates to an identifiable individual and can be used to charge them
- Your privacy notice must explain that you store payment tokens for recurring billing and describe your payment processor's role accurately. Check its terms before calling it a processor: Stripe and Adyen, for example, act as independent controllers for much of their card processing rather than as your processor
- You need a Data Processing Agreement with your payment processor for whatever it does on your behalf; where it acts as an independent controller, document that allocation of responsibility instead of relying on a DPA that does not cover it
- When a subscription ends, you need a data retention policy for how long you keep the payment token. Most businesses retain it for the duration of the subscription plus a reasonable period for dispute resolution
What you should not do: Store raw card numbers (PANs), CVVs, or full card data yourself. PCI-DSS prohibits storing the CVV and other sensitive authentication data at all once the transaction is authorised, and holding PANs pulls your own systems into full PCI-DSS scope. Under GDPR it is also collection your purpose does not need, which the data minimisation principle in Article 5(1)(c) rules out. Tokenisation exists precisely so that you never have to hold card data.
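A guard at the write path is the practical form of the rule above. The following is an added example, not code from the article or from any payment processor: it refuses to persist anything shaped like a raw PAN or CVV into the table that holds processor tokens, redacts card numbers that leak into free text (support notes, churn surveys), and purges tokens once the subscription has ended plus a dispute window. The record layout, the "pm_..." token format, and the 180-day window are assumptions for illustration.

```python
"""Added example, not code from the article: PAN/CVV guard, free-text
redaction and retention purge in front of the payment-token table."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
DISPUTE_WINDOW = timedelta(days=180)  # assumed: chargeback window plus margin


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, random digit runs
    mostly do not (about one in ten do, so treat a hit as 'probably a PAN')."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a Luhn-valid 13-19 digit run."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group(0)))
               for m in PAN_CANDIDATE.finditer(value))


def redact_pan(text: str) -> str:
    """Mask all but the last four digits of any PAN found in free text."""
    def mask(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # order numbers and similar stay readable
        to_hide = len(digits) - 4
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                out.append("*" if seen < to_hide else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)
    return PAN_CANDIDATE.sub(mask, text)


@dataclass
class TokenRecord:
    customer_id: str
    processor: str                 # e.g. "stripe"; named in the privacy notice
    token: str                     # opaque processor reference, never card data
    subscription_ended: Optional[date] = None


class PaymentTokenStore:
    """In-memory stand-in for the tokens table; the checks are the point."""

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}

    def store(self, rec: TokenRecord) -> None:
        # Data minimisation enforced at the write path: card data never reaches
        # our database, whatever an upstream form or import job hands us.
        if looks_like_pan(rec.token):
            raise ValueError("refusing to store a value that looks like a card number")
        if re.fullmatch(r"\d{3,4}", rec.token):
            raise ValueError("refusing to store a value that looks like a CVV")
        self._rows[rec.customer_id] = rec

    def has_token(self, customer_id: str) -> bool:
        return customer_id in self._rows

    def mark_ended(self, customer_id: str, ended_iso: str) -> None:
        """Start the retention clock when the subscription is cancelled (ISO date)."""
        self._rows[customer_id].subscription_ended = date.fromisoformat(ended_iso)

    def purge_expired(self, today_iso: str) -> List[str]:
        """Delete tokens whose retention period (end of subscription plus the
        dispute window) has passed. Returns the purged customer ids so the
        deletion can be logged and, if needed, propagated to the processor."""
        today = date.fromisoformat(today_iso)
        expired = [cid for cid, r in self._rows.items()
                   if r.subscription_ended is not None
                   and today > r.subscription_ended + DISPUTE_WINDOW]
        for cid in expired:
            del self._rows[cid]
        return expired
```

The Luhn check is what separates a card number from an order number or tracking code of the same length; run the same `redact_pan` over any free-text field a human can type into, because that is where card data usually ends up in practice.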
Customer Profile Data: The Subscription Data Stack
Subscription businesses accumulate profile data across multiple dimensions:
- Purchase history: What products or boxes were sent each month, substitutions, skips
- Preference data: Flavour preferences, dietary requirements, clothing sizes, skin type, beauty preferences
- Delivery addresses: Historical addresses, multiple shipping locations, seasonal addresses
- Communication preferences: Email frequency, SMS consent, notification settings
- Account behaviour: Login frequency, app usage, wishlist activity
Each category requires a lawful basis:
- Purchase history and delivery addresses are necessary for the performance of the contract — lawful basis Article 6(1)(b)
- Preference data used for personalisation beyond delivery requires either consent or legitimate interest, with a legitimate interest assessment documenting that the processing is proportionate and that subscriber interests do not override yours
- Marketing messages require either opt-in consent or, for email and SMS to existing customers about your own similar products, the PECR soft opt-in, always with a working opt-out; communication preferences themselves (frequency, channel) are account settings you can process under the contract, but holding them is not the same as holding marketing consent
The practical implication: you probably have more data than you have lawful bases for. Audit your subscription data stack against Article 5(1)(b) purpose limitation — if data collected for one purpose (delivering the right products) is being used for another (cross-selling, behavioural advertising), you need a fresh lawful basis for that secondary use.
Behavioural Targeting and Personalisation for Subscribers
Subscription businesses increasingly use subscriber data for personalisation — serving targeted ads on social media, personalising email campaigns based on purchase history, building lookalike audiences from subscriber lists.
The consent question: If you use subscriber email addresses or purchase data to build Facebook Custom Audiences or Google Customer Match lists, this is a form of data sharing with a third-party advertising platform. It requires either:
- Explicit consent — the subscriber actively opted in to their data being used for advertising personalisation
- Legitimate interest — a documented assessment concluding that using their data for targeted advertising is proportionate and that the subscriber's interests do not override yours
Legitimate interest for advertising-related profiling is increasingly scrutinised. The ICO (UK) and DPAs in France, Ireland, and the Netherlands have repeatedly concluded that using personal data for behavioural advertising calls for consent rather than legitimate interest, and the CJEU reached the same conclusion for personalised advertising in Meta Platforms v Bundeskartellamt (C-252/21, July 2023).
What this means for your subscriber lists: Review how you use subscriber data in advertising platforms. If you are uploading customer lists to Meta Ads or Google Ads without explicit consent for that specific use, you are likely non-compliant.
Win-Back Campaigns: Consent vs Legitimate Interest After Cancellation
When a subscriber cancels, the commercial impulse is to try to win them back. Win-back email sequences are common in subscription e-commerce. But what is the lawful basis for emailing someone who has cancelled?
PECR does not itself offer a legitimate interest basis for marketing email. The default rule (regulation 22) is consent, with one exception, the "soft opt-in" in regulation 22(3): you may email existing customers about your own similar products or services if you obtained their details in the course of a sale, gave them a simple way to refuse marketing when you collected the details, and repeat that opportunity in every message. The GDPR lawful basis that sits underneath the soft opt-in is normally legitimate interest, which is why the two are often conflated. The key question is whether a cancelled subscriber still counts as a customer for the soft opt-in.
The ICO's guidance: the soft opt-in does not switch off at cancellation. A cancelled subscriber is still someone whose details you obtained in the course of a sale, so you may market similar products to them provided:
- The marketing is clearly related to what they previously purchased
- They were given a simple opportunity to refuse marketing when their details were first collected (at sign-up, not only in the cancellation flow) and again in every message since
- Your opt-out mechanism is simple, free, and effective
What this does not permit:
- Emailing cancelled subscribers about unrelated products or services
- Emailing subscribers who explicitly opted out of marketing at or before cancellation
- Sending win-back campaigns indefinitely — there must be a time limit after which the person is no longer treated as a past customer
Practical recommendation: A win-back sequence of 2-3 emails within 90 days of cancellation, clearly related to the product they had, with an unsubscribe link in each message, is defensible under the PECR soft opt-in with GDPR legitimate interest as the Article 6 basis (document the assessment). Win-back campaigns 18 months after cancellation are not.
Cancellation Data: Using Churn Reasons for Marketing
Most subscription businesses collect cancellation reasons via an exit survey. "Too expensive," "pausing for now," "didn't use it enough," "switching to a competitor" — this data is valuable for product improvement and for targeting win-back offers.
GDPR implications of cancellation survey data:
- Cancellation reasons are personal data. They tell you something about an individual's financial situation ("too expensive"), behaviour ("didn't use it enough"), and preferences
- The lawful basis for collecting this data is typically legitimate interest — you have a legitimate interest in understanding why customers leave
- The purpose stated at the point of collection matters: if you tell customers the survey is for "improving our service," using it to personalise win-back email campaigns is a secondary use requiring either consent or a fresh legitimate interest assessment
- Cancellation reasons should not be retained indefinitely — they are operational data with a finite useful life
Free Trial to Paid Conversion: Consent Timing Matters
Free trials create a specific GDPR challenge: customers provide personal data (and often payment details) before they are paying customers. The consent and transparency obligations apply from the moment data is collected — not from the moment they convert.
Common mistakes:
- Collecting payment details at trial sign-up without a clear privacy notice explaining what happens if they do not convert
- Using trial sign-up data for marketing emails without PECR-compliant consent, on the basis that "they opted in when they signed up for the trial"
- Not clarifying in the trial sign-up flow whether marketing consent is separate from consent to receive the trial itself
What good looks like: Your trial sign-up page should:
- Link to a full privacy notice covering both trial and subscription data processing
- Separate marketing consent (opt-in checkbox) from functional account creation
- Clearly explain payment tokenisation if you take card details upfront
- Explain data retention if the trial does not convert — for example, that account data is deleted after 30 days of inactivity
Subscription Pause vs Cancel: How Data Handling Changes
Many subscription businesses offer a "pause" option as an alternative to cancellation. From a GDPR perspective, pause and cancel have different implications:
Paused subscriptions: The subscriber remains an active customer. Service messages about the pause (confirmation, resumption reminders) are transactional and sit outside PECR's marketing rules; marketing can continue on whatever basis you held before the pause, their consent or the soft opt-in. Their data retention clock starts from their eventual cancellation, not from the pause date.
Cancelled subscriptions: The subscription relationship has ended. You should:
- Retain data only as long as necessary for legal, tax, and contractual obligations (typically 6-7 years for financial records)
- Remove or suppress marketing-related profile data on a shorter timeline if the subscriber requests it
- Treat the person as a lapsed customer rather than an active subscriber for PECR purposes
The practical risk: if your system treats paused and cancelled subscribers identically in your CRM — both marked as "inactive" — you may be applying the wrong marketing permissions to cancelled subscribers.
Box Subscriptions: Curated Preference Data as Profiles
Beauty, food, clothing, and lifestyle subscription boxes are built on preference data. The personalisation is the product. But the profile you build — dietary restrictions, skin concerns, clothing sizes, beauty preferences — constitutes detailed personal data that in some cases may touch on special category data under Article 9.
When preference data becomes special category:
- Dietary restrictions that reveal religious beliefs (halal, kosher, no pork)
- Health conditions that influence product choices (eczema, diabetes, pregnancy)
- Preferences that indicate racial or ethnic origin (certain beauty products marketed to specific communities)
Special category data needs a separate Article 9 condition on top of your Article 6 lawful basis, and legitimate interest is not one of the Article 9 conditions. For a commercial preference questionnaire the only realistic condition is explicit consent under Article 9(2)(a).
For box subscription operators: Review your preference questionnaires. If any question could reveal health status, religious belief, or ethnic origin, you need explicit consent with a clear explanation of how that data is used. Do not bury this in general terms and conditions.
PECR and Transactional vs Marketing Emails
The distinction between transactional and marketing emails matters for subscription businesses because you send both types to the same people:
Transactional emails (no PECR consent required):
- Renewal confirmation and receipt
- Delivery tracking and shipping notification
- Account changes (address update, payment method update)
- Pause confirmation and resumption reminder
- Password reset and account security alerts
Marketing emails (PECR consent required):
- New product or box theme announcements
- Referral programme invitations
- Upsell offers (add-ons, gift subscriptions)
- Seasonal promotions
- Survey requests that are not directly related to service improvement
The grey area: Emails that contain both transactional content and a promotional element. Renewal confirmations that include a "refer a friend" section are common. The ICO looks at the purpose and content of the message as a whole rather than at its subject line: a genuinely transactional message is not turned into marketing by a minor promotional element, but the more the promotional content dominates, the harder that position is to defend. A renewal receipt with a small referral widget is still primarily transactional. A "refer a friend" campaign with a receipt attached is marketing, and needs consent or the soft opt-in.
Children's Subscriptions: Parental Consent and Age-Appropriate Design
Children's book clubs, educational subscription boxes, craft kits for kids — these services specifically target children and parents. If a child is the data subject (the profile is about them, personalised for them), specific GDPR obligations apply.
Under the ICO's Age Appropriate Design Code (the Children's code, a statutory code issued under the Data Protection Act 2018 that the ICO takes into account when enforcing UK GDPR), online services likely to be accessed by children must:
- Provide privacy information in age-appropriate language
- Default to privacy-protective settings
- Not profile children for advertising purposes
- Not use children's data for purposes beyond what is necessary for the direct service
Parental consent: Where you rely on consent to process a child's data for an online service offered directly to the child, Article 8 applies. The threshold is 13 in the UK and 16 by default in the EU, though member states may set it anywhere from 13 upwards and many have. Below the threshold, consent must be given or authorised by the holder of parental responsibility, and you must make reasonable efforts to verify that it was; a consent flow designed for adults is not sufficient. If the subscription is bought and managed by the parent, check which processing actually rests on consent before assuming Article 8 applies, because it only bites where consent is the basis.
Practical implication: If your subscription product is for children (the beneficiary is the child), you should:
- Take account of the child's age in your privacy notice and consent mechanisms
- Not use data about children's preferences for behavioural advertising
- Provide clear mechanisms for parents to access, correct, or delete data about their children
Data Portability for Subscribers
Under Article 20 GDPR, data subjects have the right to receive personal data they have provided to you in a structured, commonly used, machine-readable format, where the processing is based on consent or contract and is carried out by automated means. Subscription account data meets both conditions. For subscription businesses, this means:
Data typically covered:
- Purchase/delivery history for the subscription
- Preference data provided by the subscriber
- Account information
- Communication history (what emails you sent and when they were opened, where you hold this data)
Data not typically covered:
- Internal analysis and segmentation you have created about the subscriber
- Inferred or derived data (churn scores, segments, predicted preferences). Observed data such as order history, skips and activity logs does count as provided, since the subscriber generated it by using the service, which is why it appears in the list above
Timeline: You must respond within one month of receipt. Article 12(3) allows up to two further months for complex or numerous requests, but only if you tell the subscriber within the first month and explain why.
Practical preparation: Can your system export a subscriber's complete data profile in JSON or CSV format? If not, you are not ready for data portability requests.
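What that export looks like in practice, as an added example that is not code from the article: it builds the Article 20 payload from a subscriber record, keeping only data the subscriber provided or generated by using the service and dropping what you inferred about them, and it computes the response deadline. It fails closed, so a column that nobody has classified stops the export instead of leaking. The record layout and the day-of-month rule for the deadline are assumptions for illustration.

```python
"""Added example, not from the article: Article 20 portability export with a
fail-closed field classification, plus the Article 12(3) deadline."""
import calendar
import json
from datetime import date
from typing import Any, Dict

# Provided by the subscriber, or observed from their own actions: portable.
PORTABLE_FIELDS = {"account", "preferences", "delivery_history", "communications"}
# Derived by you: not portable under Article 20 (still disclosable under an
# Article 15 access request, so keep the classification rather than the data hidden).
DERIVED_FIELDS = {"churn_risk_score", "segments", "predicted_ltv"}


def portability_payload(subscriber: Dict[str, Any]) -> Dict[str, Any]:
    """Return the portable subset of a subscriber record. A field that is
    neither portable nor derived aborts the export: an internal column added
    to the table last sprint must be classified before it can ship."""
    unclassified = set(subscriber) - PORTABLE_FIELDS - DERIVED_FIELDS - {"customer_id"}
    if unclassified:
        raise ValueError(f"unclassified fields, refusing to export: {sorted(unclassified)}")
    payload: Dict[str, Any] = {
        "schema": "subscriber-export/1",  # assumed schema tag for the export format
        "customer_id": subscriber["customer_id"],
    }
    for key in sorted(PORTABLE_FIELDS):
        if key in subscriber:
            payload[key] = subscriber[key]
    return payload


def portability_export(subscriber: Dict[str, Any]) -> str:
    """Serialise as JSON: structured, commonly used, machine-readable."""
    return json.dumps(portability_payload(subscriber), indent=2, sort_keys=True, default=str)


def response_deadline(received_iso: str, extended: bool = False) -> str:
    """Article 12(3): one month from receipt, or three if you have extended it
    for a complex request. Day-of-month handling follows the ICO's practice
    (assumed here): the same day next month, or the last day of that month
    when the day does not exist (31 January -> 28/29 February)."""
    received = date.fromisoformat(received_iso)
    months = 3 if extended else 1
    carry, month0 = divmod(received.month - 1 + months, 12)
    year, month = received.year + carry, month0 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


# Constructed sample record for illustration; not real customer data.
SAMPLE_SUBSCRIBER: Dict[str, Any] = {
    "customer_id": "c-1042",
    "account": {"email": "[email protected]", "created": "2024-02-11"},
    "preferences": {"sizes": {"top": "M", "bottom": "32"}},
    "delivery_history": [{"box": "2024-03", "skipped": False}, {"box": "2024-04", "skipped": True}],
    "communications": [{"sent": "2024-04-02", "subject": "Your April box", "opened": True}],
    "churn_risk_score": 0.71,
    "segments": ["price-sensitive", "skipper"],
}

if __name__ == "__main__":
    print(portability_export(SAMPLE_SUBSCRIBER))
    print("deadline:", response_deadline("2025-01-31"))
```

The classification sets are the real control here: every new column in the subscriber table has to land in one of them before an export runs, which turns "are we ready for portability requests" into a test you can keep in CI.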
Reactivation of Lapsed Subscribers: The Consent Clock
A subscriber who cancelled two years ago and re-subscribed today should be treated as a new subscriber for consent purposes. GDPR sets no fixed expiry for consent, but consent must be specific and informed, and marketing consent captured for an earlier subscription, in a sign-up flow the person may not even remember, is a weak basis for a new relationship.
What this means: When a lapsed subscriber reactivates:
- They should go through the same privacy notice and consent flow as a new subscriber
- You cannot rely on consent captured at their original sign-up
- If your reactivation flow is streamlined ("one click to re-subscribe"), you still need to present the privacy notice and obtain fresh consent for marketing
The consent clock also applies to win-back campaigns. If you collected marketing consent at subscription sign-up, that consent does not last forever: it is reliable while the subscription is active and for a reasonable period afterward. GDPR sets no fixed expiry, but the ICO advises refreshing consent that you continue to rely on over time. A consent collected three years ago from a subscriber who cancelled 18 months ago is not a reliable basis for current marketing emails.
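The win-back, pause-versus-cancel and reactivation rules above all turn on the same few fields, and the CRM failure mode the article warns about is collapsing them into one "inactive" flag. The following is an added example, not code from the article or from any CRM: a single decision function that maps a subscriber's state to what you may email them. The 90-day window and three-email cap are the article's rule of thumb for win-back under the soft opt-in; using the same 90 days as the "reasonable period" for which sign-up consent outlives a cancellation is an assumption, as is the record shape.

```python
"""Added example, not from the article: marketing-permission decision for
active, paused, cancelled, opted-out and reactivated subscribers."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

WINBACK_WINDOW = timedelta(days=90)   # article's rule of thumb
WINBACK_MAX_EMAILS = 3                # article's rule of thumb


class Status(Enum):
    ACTIVE = "active"
    PAUSED = "paused"
    CANCELLED = "cancelled"


class Permission(Enum):
    TRANSACTIONAL_ONLY = "service messages only"
    SIMILAR_PRODUCTS = "own similar products only (PECR soft opt-in)"
    MARKETING = "marketing within the scope of the consent given"


@dataclass
class Subscriber:
    status: Status
    current_subscription_id: str = "sub-1"
    cancelled_on: Optional[str] = None             # ISO date
    marketing_consent_on: Optional[str] = None     # ISO date consent was captured
    consent_subscription_id: Optional[str] = None  # subscription it was captured for
    opted_out: bool = False                        # any refusal, at cancellation or later
    winback_emails_sent: int = 0


def email_permission(sub: Subscriber, today_iso: str, similar_product: bool = True) -> Permission:
    """Transactional mail (receipts, pause reminders, security alerts) needs no
    marketing permission; this decides what, if anything, may go beyond that."""
    today = date.fromisoformat(today_iso)
    if sub.opted_out:
        return Permission.TRANSACTIONAL_ONLY
    # Consent captured for an earlier subscription does not carry over to a
    # reactivated one: the consent clock restarts at re-subscription.
    consent_valid = (sub.marketing_consent_on is not None
                     and sub.consent_subscription_id == sub.current_subscription_id)
    if sub.status is not Status.CANCELLED:
        # Active and paused subscribers are both current customers.
        if consent_valid:
            return Permission.MARKETING
        return Permission.SIMILAR_PRODUCTS if similar_product else Permission.TRANSACTIONAL_ONLY
    if sub.cancelled_on is None:
        raise ValueError("cancelled subscriber without a cancellation date")
    if today > date.fromisoformat(sub.cancelled_on) + WINBACK_WINDOW:
        return Permission.TRANSACTIONAL_ONLY  # lapsed: neither basis is reliable any more
    if consent_valid:
        return Permission.MARKETING
    if similar_product and sub.winback_emails_sent < WINBACK_MAX_EMAILS:
        return Permission.SIMILAR_PRODUCTS
    return Permission.TRANSACTIONAL_ONLY


def reactivate(sub: Subscriber, new_subscription_id: str) -> None:
    """Re-subscription: a new subscription id, so the old consent no longer
    matches and the sign-up flow must capture it afresh; win-back counters reset."""
    sub.status = Status.ACTIVE
    sub.current_subscription_id = new_subscription_id
    sub.cancelled_on = None
    sub.winback_emails_sent = 0


def record_winback_send(sub: Subscriber) -> None:
    """Call after each win-back email so the cap is enforced."""
    sub.winback_emails_sent += 1
```

Wire the email tool to call `email_permission` (or its equivalent in your stack) before every non-transactional send, rather than reading a status column directly; the function is where the distinction between "paused" and "cancelled", and between "consented on this subscription" and "consented once, years ago", actually lives.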
10 Common GDPR Mistakes Subscription E-Commerce Companies Make
1. Using cancellation survey data for personalised win-back targeting without a documented lawful basis. You collected it for product improvement — using it for segmented marketing requires either consent or a fresh legitimate interest assessment.
2. Uploading subscriber email lists to Meta or Google Ads without explicit consent for advertising use. Purchase history consent does not cover behavioural advertising profiling.
3. Not having DPAs with your subscription management platform, email tool, and payment processor. Every SaaS tool that touches subscriber personal data is a data processor.
4. Treating paused and cancelled subscribers identically in your CRM. They have different marketing permissions.
5. Sending win-back campaigns indefinitely. There is no fixed GDPR time limit, but the longer the gap since cancellation, the harder it is to justify legitimate interest.
6. Using preference data from children's subscriptions for segmentation and targeting. Children's data has heightened protections even if the account holder (the parent) is an adult.
7. Not providing a privacy notice at free trial sign-up. Your GDPR obligations begin at the point of data collection, not at conversion.
8. Conflating transactional email opt-in with marketing email consent. Subscribers consent to receive order confirmations. They do not automatically consent to promotional emails.
9. No data portability process. If a subscriber asks for all their data in a machine-readable format, you have one month to provide it.
10. No data retention schedule for lapsed subscriber profiles. Keeping detailed customer profiles indefinitely "in case they re-subscribe" is not consistent with GDPR's storage limitation principle.
Run a Compliance Scan on Your Subscription Platform
Your subscription e-commerce website likely has tracking tools, analytics, and third-party integrations that you have not fully mapped. Cookie consent, analytics platforms, advertising pixels, and subscription management tools all involve personal data collection.
Scan your website free at Custodia — identify trackers, missing consent mechanisms, and third-party data flows in 60 seconds, no signup required.
Last updated: March 2026