GDPR Compliance for Ecommerce Businesses

Does the GDPR Apply to Your Business

The GDPR applies to you if you offer goods or services to people in the EU (even if you do not have a physical presence there) or if you monitor the behavior of people in the EU (including through website analytics and tracking cookies). If your website is accessible in the EU and collects any personal data from EU visitors, you are subject to the GDPR. Factors that demonstrate you are targeting EU customers include accepting euros, offering shipping to EU countries, having a .eu domain or translated website, or running ads targeting EU audiences.

The "I only sell domestically" defense does not hold up if your website collects analytics data from EU visitors who happen to find your site. Google Analytics automatically collects IP addresses, which are personal data under the GDPR. If a single EU resident visits your website and Google Analytics records their visit, you have processed personal data of an EU resident without GDPR compliance. The practical likelihood of enforcement against a small U.S. store over incidental EU traffic is low, but the risk grows with your EU customer base and the nature of your data processing.

For online stores that actively sell to EU customers, GDPR compliance is not optional and the consequences of non-compliance are real. Beyond the massive fines, non-compliance can result in orders from EU data protection authorities to stop processing EU data entirely, which effectively shuts down your EU sales channel. Payment processors and platforms like Shopify and Amazon also require GDPR compliance for sellers who process EU customer data.

Step 1: Audit Your Data Collection and Processing

Before you can comply with the GDPR, you need to know exactly what personal data your business collects, processes, and stores. Create a data map that documents every type of personal data you handle. For a typical ecommerce store, this includes customer names, email addresses, phone numbers, shipping and billing addresses, payment information, order history, IP addresses, browser and device information, browsing behavior on your site, email engagement data (opens, clicks), and any data from customer service interactions.

For each data type, document where it is collected (checkout form, email signup, cookies, customer service), where it is stored (your ecommerce platform database, email marketing tool, analytics platform, CRM), who has access (your team, third-party service providers), how long it is retained, and the legal basis for processing it. The GDPR requires a valid legal basis for every processing activity, and the six legal bases are consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.

For ecommerce businesses, the most common legal bases are contract performance (processing order data to fulfill a purchase), consent (using email addresses for marketing), and legitimate interests (website analytics for business improvement). Each type of processing must map to one of these bases, and you must document the mapping. If you rely on legitimate interests, you must also conduct and document a Legitimate Interest Assessment showing that your interests do not override the individual's rights.

Step 2: Implement Cookie Consent

GDPR requires affirmative, informed consent before placing non-essential cookies on a visitor's device. This means your website cannot load Google Analytics, Facebook Pixel, advertising scripts, or any tracking technology until the visitor explicitly opts in. Pre-checked consent boxes, implied consent through continued browsing, and cookie walls (blocking site access until the user accepts cookies) are all non-compliant under GDPR.

A compliant cookie consent mechanism must clearly identify the categories of cookies used (necessary, analytics, marketing, etc.), explain what each category does, allow the user to accept or reject each category individually, not pre-select any non-essential categories, work without requiring the user to accept any non-essential cookies to use the site, and record the user's consent choice as proof of compliance.

Consent management platforms (CMPs) like Cookiebot, OneTrust, Termly, and CookieYes handle these requirements automatically. They scan your website for cookies, categorize them, display a compliant consent banner, block non-essential cookies until consent is given, and maintain consent records. Pricing ranges from free for small sites to $10 to $50 per month for stores with higher traffic. Installing a CMP is the fastest and most reliable path to cookie consent compliance.

On Shopify, apps like CookieBot, GDPR Cookie Compliance, and Pandectes integrate directly with your theme and handle cookie blocking automatically. On WooCommerce, plugins like CookieYes, Complianz, and GDPR Cookie Consent provide similar functionality. After installation, test thoroughly to confirm that Google Analytics, Facebook Pixel, and other tracking scripts are actually blocked until the visitor accepts cookies, since some implementations fail to block scripts despite showing a consent banner.

Step 3: Update Your Privacy Policy

Your privacy policy must include several GDPR-specific disclosures beyond what U.S. law requires. These include the identity and contact information of the data controller (your business), the legal basis for each processing activity, your data retention periods for each category of data, the data subject rights available under GDPR (access, rectification, erasure, restriction, portability, objection), how to exercise those rights (contact email, web form), the right to lodge a complaint with a supervisory authority, whether you transfer data outside the EU and what safeguards are in place, and information about any automated decision-making or profiling.

Many businesses add a dedicated GDPR section to their privacy policy rather than rewriting the entire document. This section addresses EU-specific rights and requirements while the rest of the policy covers general privacy practices. Regardless of structure, the policy must be written in clear, plain language that a non-lawyer can understand. The GDPR specifically prohibits burying disclosures in dense legal jargon.

Step 4: Handle Data Subject Requests

Under GDPR, individuals have the right to access all personal data you hold on them, request correction of inaccurate data, request deletion of their data (the "right to be forgotten"), request restriction of processing while a dispute is being resolved, receive their data in a portable format (such as CSV or JSON), and object to processing based on legitimate interests or direct marketing. You must respond to these requests within 30 days. Extensions of up to 60 additional days are allowed for complex requests, but you must notify the requester within the initial 30-day period.

For small ecommerce businesses, most data subject requests are deletion requests from former customers who want their account and order data removed. Before deleting, check whether you have a legal obligation to retain certain data. Tax records typically must be retained for seven years, and order records may need to be retained for warranty or product safety purposes. If you have a legal obligation to retain data, you can retain the minimum necessary data and explain the retention basis to the requester.

Set up a dedicated email address or web form for data subject requests and document your response process. Train your customer service team to recognize GDPR requests, since they may arrive as general customer emails rather than formal legal requests. A customer who writes "please delete my account and all my data" is making a GDPR erasure request, even if they do not reference the GDPR by name.

Step 5: Establish Data Processing Agreements

The GDPR requires a Data Processing Agreement (DPA) between your business (the data controller) and every third party that processes personal data on your behalf (data processors). Your data processors include your ecommerce platform (Shopify, WooCommerce hosting), email marketing service (Klaviyo, Mailchimp), payment processor (Stripe, PayPal), shipping and fulfillment services, analytics providers (Google), customer service tools (Zendesk, Gorgias), and any other tool that handles customer data.

A DPA defines what data the processor handles, the purpose and duration of processing, the processor's security obligations, the processor's obligations regarding data subject requests, sub-processor authorization requirements, and data return or deletion procedures when the contract ends. Most major SaaS companies offer pre-signed DPAs that you can download from their website or request from their legal team. Shopify, Stripe, Klaviyo, Google, and most enterprise-grade tools have DPAs available. For smaller tools or custom service providers, you may need to provide your own DPA template.

Keep a record of all signed DPAs. If a data protection authority investigates your compliance, one of the first things they ask for is proof that you have appropriate agreements with your data processors.

Step 6: Create a Data Breach Response Plan

The GDPR requires notification to the relevant data protection authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to those individuals (such as exposure of financial data or login credentials), you must also notify the affected individuals without undue delay.

Your breach response plan should cover how you detect potential breaches (monitoring, alerts, employee reports), the internal escalation process (who is notified first, who makes the notification decision), assessment criteria for determining whether the breach requires authority notification, the notification process for your lead supervisory authority (the data protection authority in the EU member state most connected to your processing activities), the notification process for affected individuals if required, documentation requirements for every breach (even those not requiring external notification), and remediation steps to prevent recurrence.

For U.S.-based businesses without an EU establishment, your lead supervisory authority is typically the data protection authority in the EU member state where your largest number of affected individuals reside. If you are unsure which authority to contact, the European Data Protection Board maintains a directory of all EU supervisory authorities with contact information and complaint forms.

Even breaches that do not require external notification must be documented internally. Maintain a breach register recording the nature of the breach, the categories and number of individuals affected, the likely consequences, and the measures taken to address the breach. This register must be made available to supervisory authorities upon request.

Practical GDPR Compliance for Small Stores

Full GDPR compliance involves significant effort, but the practical steps for a small ecommerce store are manageable. Install a consent management platform for cookie consent, which costs $0 to $50 per month and takes an afternoon to configure. Update your privacy policy with GDPR-required disclosures, which takes a few hours with a good template. Set up a data subject request email address and response process, which costs nothing. Download and file DPAs from your major service providers, which takes an afternoon of finding and reviewing documents. Write a basic data breach response plan, which is a one-page document outlining who to contact and what steps to follow.

The total cost for a small store to achieve reasonable GDPR compliance is typically $200 to $500 for a consent management platform (annual), $0 to $1,000 for privacy policy updates (depending on whether you use a template or attorney), and a few days of administrative time. Compared to the potential fines and the certainty of eventually needing EU compliance as privacy laws spread globally, this is a worthwhile investment.