You sell products online. That means you're collecting more personal data than almost any other type of website — and the compliance requirements are more demanding too.
Why E-Commerce Stores Have a Bigger Privacy Problem Than Most Websites
A typical blog or SaaS marketing site might collect an email address and drop a few analytics cookies. Your online store collects far more than that.
Think through what happens during a single purchase: a customer's full name, delivery address, email, phone number, payment card details (or at minimum, a payment token tied to their card), IP address, browser fingerprint, browsing and purchase history, size and style preferences, and often their abandoned cart behavior — all recorded before they even complete a transaction.
Then there's what happens after the sale: retargeting pixels track them across the web so you can serve ads, email marketing tools log every open and click, loyalty programs build long-term behavioral profiles, and session recording tools may have captured exactly how they navigated your store.
The result: a typical e-commerce store is operating as a sophisticated personal data processor, often without the compliance infrastructure to match. GDPR regulators have noticed. So have plaintiffs' attorneys under CCPA.
This guide breaks down what laws apply, what they require, and the practical steps to get compliant without hiring a privacy attorney.
What Laws Apply to Your Online Store
GDPR — If You Have EU Customers
The General Data Protection Regulation applies to any business that sells to or markets toward EU residents — regardless of where your store is based. If you ship to Germany, France, Italy, or anywhere else in the EU, GDPR applies to those transactions.
GDPR is the strict one. It requires opt-in consent before setting non-essential cookies or tracking pixels. It gives customers rights to access, correct, and delete their data. It requires a lawful basis for every category of processing you do. Violations can reach €20 million or 4% of global annual revenue, whichever is higher.
CCPA/CPRA — If You Have California Customers
The California Consumer Privacy Act (and its 2023 CPRA amendments) applies to businesses that meet certain size or data-volume thresholds and serve California residents. Unlike GDPR, CCPA is opt-out by default — but you must provide a clear "Do Not Sell or Share My Personal Information" mechanism, honor Global Privacy Control browser signals, and fulfill data subject requests within 45 days.
Threshold alert: The 100,000 consumer threshold counts website visitors, not just paying customers. If you get meaningful California traffic, you may already be covered.
State Privacy Laws Beyond California
As of 2026, fifteen-plus U.S. states have consumer privacy laws. Virginia, Colorado, Connecticut, Texas, and others have passed their own versions, most modeled on CCPA. If you're shipping across the U.S., you're likely subject to multiple state frameworks. CCPA-readiness is a reasonable baseline for all of them.
PCI DSS — A Quick Note on Payment Security
PCI DSS (Payment Card Industry Data Security Standard) is not technically a privacy law — it's a security standard for handling payment card data. But it matters for e-commerce: if you store, process, or transmit cardholder data, you need to be PCI-compliant. Most small stores avoid this burden by using Stripe, PayPal, or similar processors that handle the card data directly. If that's you, document it — your privacy policy should explain that payment processing is handled by a PCI-compliant third party.
The Trackers Running in Your Store Right Now
E-commerce stores are among the heaviest users of third-party tracking technology. Each tool you add creates a compliance obligation — particularly under GDPR.
Meta Pixel is installed on a significant share of all e-commerce sites. It tracks page views, add-to-cart events, purchases, and customer identifiers, sending that data to Facebook/Instagram for ad targeting and conversion measurement. Under GDPR, it requires explicit opt-in consent before firing. Under CCPA, it likely qualifies as "sharing" personal data for cross-context behavioral advertising.
Google Ads Conversion Tracking works similarly — it tracks purchase events and passes them back to Google to optimize ad bidding. It cannot fire before consent under GDPR.
TikTok Pixel is increasingly common as stores expand to TikTok advertising. Same category as Meta Pixel: requires opt-in under GDPR, counts as data sharing under CCPA.
Klaviyo and Mailchimp embed tracking pixels in emails and may run site-side scripts to identify returning visitors and link their behavior to email profiles. This creates a cross-channel data profile — which regulators treat as sophisticated profiling requiring a clear legal basis.
Hotjar and session recording tools are particularly risky. These tools record actual screen activity — mouse movements, clicks, and scrolling. If Hotjar is running during checkout, it may be capturing data entered into form fields, potentially including payment information. This is both a privacy violation and a PCI DSS concern.
Google Analytics is table stakes for most stores, but it still requires consent under GDPR for its cookie-based tracking. Google's own data-processing terms and the ongoing EU adequacy debates mean it requires careful implementation — ideally behind a consent gate.
The key point: every one of these tools requires proper consent under GDPR if you have EU customers. Most stores run all of them without any consent mechanism at all.
Cookie Consent for E-Commerce: What Actually Needs Opt-In
Not all cookies are equal under GDPR. The regulation distinguishes between:
Strictly necessary cookies — These are essential for the store to function: session cookies, shopping cart contents, login state, payment processing tokens. These do not require consent and should never be blocked by a consent banner.
Analytics cookies — Tools like Google Analytics that measure traffic and behavior. These require consent under GDPR. They can be defaulted to "off" with an opt-in option.
Marketing and retargeting cookies — Meta Pixel, Google Ads, TikTok Pixel, and similar tools. These are the highest-stakes category. They require explicit, informed opt-in consent under GDPR before firing. This is not optional and it is not satisfied by a banner that defaults to "accept."
The practical implication: your consent management platform needs to load the page with only strictly necessary cookies active, present a genuine choice, and only fire retargeting pixels and analytics after the customer opts in. "Implied consent" — continuing to use the site — does not satisfy GDPR.
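The load-then-gate behavior described above, as an added example that is not Custodia's or any vendor's code: strictly necessary scripts run at page load, analytics and marketing loaders are queued, and only an explicit grant fires them. The tracker names and the loader callbacks are assumptions for illustration.

```javascript
// Added example, not Custodia's or any vendor's code: a minimal consent gate
// that runs strictly necessary scripts at load and queues analytics and
// marketing loaders until the shopper actively opts in. Names are assumptions.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate() {
  // Only "necessary" is on at page load; everything else is off by default.
  const state = { necessary: true, analytics: false, marketing: false };
  const pending = { analytics: [], marketing: [] };
  const fired = [];

  function run(name, loader) { loader(); fired.push(name); }

  // Register a tracker loader. It runs now only if its category is already
  // granted; otherwise it is queued and nothing is sent to the vendor.
  function register(category, name, loader) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (state[category]) return run(name, loader);
    pending[category].push({ name, loader });
  }

  // grant() is the only way a category turns on. It represents an explicit
  // click on the banner, never a pre-ticked default, scrolling, or
  // "continuing to use the site". Queued loaders for that category fire now.
  function grant(categories) {
    for (const c of categories) {
      if (c === "necessary" || !CATEGORIES.includes(c)) continue;
      state[c] = true;
      pending[c].splice(0).forEach(({ name, loader }) => run(name, loader));
    }
  }

  return { register, grant, fired: () => fired.slice(), state: () => ({ ...state }) };
}

// Constructed checkout scenario: the cart session cookie is necessary; Google
// Analytics, Meta Pixel and TikTok Pixel must wait for the banner choice.
function demoCheckout() {
  const gate = createConsentGate();
  gate.register("necessary", "cart-session", () => {});
  gate.register("analytics", "google-analytics", () => {});
  gate.register("marketing", "meta-pixel", () => {});
  gate.register("marketing", "tiktok-pixel", () => {});
  const beforeOptIn = gate.fired();       // only the cart session has run
  gate.grant(["analytics"]);              // shopper allows analytics only
  const afterAnalytics = gate.fired();
  gate.grant(["marketing"]);              // later, explicit marketing opt-in
  return { beforeOptIn, afterAnalytics, afterOptIn: gate.fired() };
}
```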
What Your Privacy Policy Must Cover for E-Commerce
A generic privacy policy template won't cut it for an online store. You need to specifically address:
Payment processors. Name Stripe, PayPal, or whichever processor you use. Explain that payment data is handled directly by that provider and link to their privacy policy. Explain what data you do retain (last four digits, billing address, transaction IDs) and why.
Shipping and logistics. You share customer names, addresses, and order details with carrier services — UPS, FedEx, USPS, Royal Mail. This is a third-party data disclosure and must be documented.
Abandoned cart emails. If you send these, explain the legal basis for doing so and what data triggers them (email address, cart contents, session data).
Email marketing platforms. Klaviyo, Mailchimp, Drip — these are data processors holding your customer list. Name them, describe what data you share with them, and explain how customers can unsubscribe.
Ad and analytics platforms. Meta, Google, TikTok. Describe what data you share with each, how it's used for ad targeting, and how customers can opt out.
Loyalty and rewards programs. If you run one, document the data collected, how profiles are built, and how customers can close their account and request data deletion.
Customer service tools. Gorgias, Zendesk, Intercom — these hold conversation histories, order data, and customer identifiers. They're data processors that need to be disclosed.
Retention periods. GDPR and the CPRA both require you to state how long you keep each category of data. Order records need to be retained for accounting and legal purposes — but behavioral analytics data doesn't.
The Abandoned Cart Email Problem
Abandoned cart emails are one of e-commerce's highest-ROI automations. They're also one of the trickier compliance questions.
Under GDPR: You need a valid lawful basis to send them. For a customer who added items to a cart but didn't purchase, the most defensible basis is usually legitimate interests — you have a genuine commercial reason to follow up, and it's reasonably expected. However, this requires a legitimate interests assessment and the customer must have been given a clear opt-out. If the customer has previously bought from you and you're emailing about similar products, the "soft opt-in" rule in many EU markets may also apply. When in doubt, the cleaner approach is to collect explicit email marketing consent at the point of checkout entry.
Under CCPA: The rules are less prescriptive here. CCPA is opt-out, not opt-in, so if you have the email and haven't received an opt-out, sending an abandoned cart email is generally permissible. However, you must honor opt-out requests and provide a clear unsubscribe mechanism in every email.
The mistake to avoid: Running abandoned cart automations with no consent basis documented, no opt-out mechanism in the emails, and no acknowledgment of this practice in your privacy policy.
Handling DSARs for E-Commerce
When a customer submits a data subject access request or deletion request, an e-commerce store has significantly more data to handle than a simple marketing site.
Access requests require you to compile: order history, payment method details (what you retain), shipping addresses, email marketing engagement history, loyalty account data, customer service conversation logs, and any behavioral or analytics data tied to their identity. You have 30 days under GDPR and 45 days under CCPA.
Deletion requests are more complex. You have a legal right — and in some cases an obligation — to retain certain records. Order records, invoices, and transaction data may need to be kept for tax compliance and legal purposes. You can explain this to the customer: retain the legally required minimum, delete everything else.
The practical challenge: Most e-commerce stacks spread customer data across multiple systems — your e-commerce platform, your email marketing tool, your customer service platform, your analytics suite, your ad platforms. A complete DSAR response requires searching all of them. Document which systems hold what data before a request arrives — not after.
Common E-Commerce Privacy Mistakes
1. Meta Pixel Firing Before Consent
This is the single most common GDPR violation in e-commerce. The Meta Pixel loads in the page header and fires immediately on page load — before any consent banner is shown or accepted. Under GDPR, this is an unlawful transfer of personal data to Meta. Regulators across the EU have issued significant fines for exactly this issue.
2. Session Recording Tools Capturing Payment Fields
Hotjar and similar tools record everything visible on screen unless specifically configured not to. If session recording is running during checkout, it may capture card numbers, CVV codes, or billing details as customers type them. This violates PCI DSS and is a serious privacy breach. All payment fields must be excluded from session recording.
3. Abandoned Cart Emails With No Documented Consent Basis
Running an abandoned cart flow with no legal basis documented, no legitimate interests assessment conducted, and no mention of the practice in your privacy policy is common, and it is a compliance gap.
4. Outdated Privacy Policy That Doesn't Mention Current Ad Platforms
Many stores add new ad channels — TikTok, Pinterest, Snapchat — without updating their privacy policy. If you're sharing customer data with an ad platform and it's not in your policy, you're out of compliance on disclosure requirements under both GDPR and CCPA.
5. "Accept All" Defaults That Aren't Valid Consent
Pre-ticking consent checkboxes or designing banners that default to "accept all" does not constitute valid consent under GDPR. Consent must be freely given, specific, informed, and unambiguous — meaning an affirmative action by the user.
5-Step E-Commerce Compliance Checklist
Step 1: Audit Every Tracker and Third-Party Tool
List every pixel, script, cookie, and analytics tool running on your store. Include what data each one collects, where that data goes, and what it's used for. Don't guess — use a scanner that reads your actual page code.
Step 2: Implement Consent Management That Actually Works
Deploy a consent management platform that loads only strictly necessary cookies on page load, presents a real opt-in choice for analytics and marketing tools, and only fires retargeting pixels after consent is given. Test it. Verify that Meta Pixel and Google Ads are genuinely blocked until opt-in.
Step 3: Update Your Privacy Policy
Rewrite it from scratch using your actual data inventory. Name every third-party tool. Describe every data type. Include retention periods. Document your legal basis for each processing activity. If you have EU customers, structure it around GDPR requirements. If you have California customers, add CCPA-required disclosures.
Step 4: Set Up a DSAR Process
Create a publicly accessible intake form. Map which systems hold which customer data. Assign someone responsible for requests. Set up deadline tracking — 30 days for GDPR, 45 for CCPA. Prepare response templates for access and deletion requests.
Step 5: Monitor for New Compliance Gaps
Your store changes over time. New apps get installed, new ad channels get added, new email automations get built. Set a recurring review cadence — at minimum quarterly — to catch new data collection practices before they become violations.
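A static tracker audit covering Step 1 (read the actual page code) and the Step 2 verification (is Meta Pixel genuinely held until opt-in?), as an added example that is not Custodia's scanner: it finds script tags that reference known tracker hosts and reports which ones fire on page load. The "held" convention assumed here is the common consent-platform pattern of type="text/plain" with a data-category attribute; the sample page is constructed, not taken from a real store.

```javascript
// Added example, not Custodia's scanner: a static audit that reads a page's
// HTML, finds <script> tags that reference known tracker hosts, and reports
// which ones fire on page load. The "held" convention assumed here is the
// common CMP pattern type="text/plain" + data-category; adapt it to yours.
const KNOWN_TRACKERS = [
  { host: "connect.facebook.net", name: "Meta Pixel", category: "marketing" },
  { host: "googleads.g.doubleclick.net", name: "Google Ads", category: "marketing" },
  { host: "analytics.tiktok.com", name: "TikTok Pixel", category: "marketing" },
  { host: "www.googletagmanager.com", name: "Google tag (GA4 / Ads)", category: "analytics or marketing" },
  { host: "static.hotjar.com", name: "Hotjar", category: "analytics" },
  { host: "static.klaviyo.com", name: "Klaviyo onsite", category: "marketing" },
];

// One finding per <script> tag that references a known tracker host, whether
// via its src attribute or inside an inline loader snippet.
function auditTrackers(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (/\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs) || [])[1] || "";
    const text = src + " " + m[2];
    const held = /\btype\s*=\s*["']text\/plain["']/i.test(attrs);
    for (const t of KNOWN_TRACKERS) {
      if (!text.includes(t.host)) continue;
      findings.push({ name: t.name, category: t.category, held,
        verdict: held ? "gated until consent" : "FIRES BEFORE CONSENT" });
    }
  }
  return findings;
}

// Names of trackers that would contact the vendor before any banner choice.
function firesBeforeConsent(html) {
  return auditTrackers(html).filter((f) => !f.held).map((f) => f.name);
}

// Constructed sample page (not a real store): Meta Pixel loaded inline and
// un-gated, TikTok and the Google tag held by the CMP, plus a first-party
// cart script that is strictly necessary and correctly ignored.
const SAMPLE_PAGE = `<html><head>
<script>var s=document.createElement('script');s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);</script>
<script type="text/plain" data-category="marketing" src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/assets/cart-session.js"></script>
</head><body></body></html>`;
```

Run it against the store's rendered HTML (view-source or a headless fetch) rather than the theme template, since apps and tag managers often inject scripts at runtime.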
How Custodia Helps E-Commerce Stores
Automated pixel and tracker detection. Custodia scans your store and identifies every cookie, pixel, and third-party script running on your pages — including whether they fire before or after consent. You get a full data map in minutes, not weeks.
Consent management that blocks trackers until opt-in. Custodia's consent banner is built for e-commerce: it distinguishes strictly necessary cookies from analytics and marketing tools, defaults to off for retargeting pixels, and only fires Meta Pixel, Google Ads, and TikTok Pixel after genuine opt-in. GDPR-compliant out of the box.
Auto-generated privacy policy for e-commerce. Built from your actual tracker inventory and store configuration. Covers payment processors, shipping carriers, email marketing platforms, ad platforms, loyalty programs, and session recording tools — with the specific disclosures each law requires. Updates automatically when your stack changes.
DSAR management. Built-in intake form, identity verification workflow, and deadline tracking for GDPR's 30-day and CCPA's 45-day windows. AI-assisted data discovery across connected platforms so no customer request falls through the cracks.
Continuous monitoring. Weekly re-scans detect new trackers added by app installs, theme updates, or new ad channel integrations — before they become compliance gaps.
Plans start at $29/month. Most stores are fully set up within a day.
No signup required. See every tracker running on your store and whether your consent setup is GDPR-compliant — in 60 seconds.
Last updated: March 2026
Top comments (1)
Solid guide, especially the Meta Pixel consent section — that's where most stores trip up.
One gap I'd add: device and browser fingerprinting goes beyond cookie consent. Even with a GDPR-compliant cookie banner, analytics tools can still collect:
These fingerprints don't require cookies and aren't cleared by cookie deletion. Under GDPR Article 4(1), fingerprint data that can identify a natural person is personal data — and requires the same consent as cookies.
For stores running multiple brands or international storefronts, this creates an additional risk: if you're fingerprinting users across your store portfolio without separate consent per brand, you're potentially correlating personal data across legal entities without basis.
Worth adding a "non-cookie tracking audit" step to your checklist. The WP29 guidelines on cookies explicitly cover device fingerprinting in the same category.