We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.
Contact Us
Contact Us
Sign in
Sign in
November 17, 2022

The threat of data breaches keeps rising as the world becomes increasingly digitized, and more information gets transmitted across the internet. Some of the most serious issues related to data theft are identity theft, financial or payment data theft, and email and internet fraud.

According to a 2022 AAG report, cyberattacks increased by 125% in 2021, and this upward trend will likely continue in 2022.

Therefore, it's no surprise that countries are strengthening their data protection laws. The European Union’s General Data Protection Regulation (GDPR) is one of the strongest laws in this area.

The GDPR came into effect in May 2018. This set of guidelines regulates how ecommerce companies can store, process, and track data for users in the EU region. The GDPR applies to all online and offline businesses serving customers who are EU residents.

So, how do you adhere to the ecommerce GDPR checklist?

To start, you could go through the GDPR requirements document, which is over 50,000 words long. However, if reading this lengthy document isn't your jam, then fear not — we can help.

Here, we'll share the principles that guide the GDPR and a comprehensive ecommerce GDPR checklist. We’ll also cover what to do in case of a data breach and what happens if your ecommerce website violates the GDPR guidelines.

Principles guiding the GDPR

The following principles guide the spirit and intention behind the GDPR:

  • Purpose limitation: Limit data processing to the specified purpose.
  • Lawfulness, fairness, and transparency: Use the data you collect legally and explicitly for the reasons you collected it.
  • Data minimization: Your ecommerce business should ask for the bare minimum and strictly necessary user information.
  • Storage limitation: Once you have used the data for the specified purpose, data erasure should immediately follow. You can’t use the data for any other reason except for those clearly specified by your ecommerce website.
  • Accuracy: An updated privacy policy must clearly inform users of the purpose behind the data collection and their user rights.
  • Accountability: You should be able to clearly show the steps you've taken to remain GDPR compliant.
  • Integrity and confidentiality: Your ecommerce website should be safe and secure with robust security measures to avoid data breaches and theft.

Keeping these principles in mind, let's dive into the ecommerce GDPR checklist to better understand how you can abide by these guidelines.

Ecommerce GDPR checklist

  • Handle personal data with care.
  • Seek user consent for cookies.
  • Have a transparent privacy policy.
  • Allow users to manage their personal data on your ecommerce website.
  • Secure your ecommerce website.
  • Vet third parties.
  • Take these measures if there's a violation.

Let’s dive into each one of them. 

Handle personal data with care

To comply with GDPR requirements, you must document all the personal data you collect.

Personal information includes:

  • Basic identifiers (such as name, address, and date of birth).
  • Online information (such as IP address and cookies).
  • Other sensitive data (such as health, sexual orientation, political opinions, race, ethnicity, and biometric data).

Certain details should accompany each piece of your users' personal information, including:

  • Category of data.
  • Source of the personal data.
  • Third parties with whom you're sharing the data.
  • Reasons for data collection.
  • Whether you received consent before collecting the information.
  • Date by which you'll stop needing it.

Seek user consent for cookies

If your ecommerce website uses non-necessary cookies, then you need a cookie banner to get GDPR-compliant cookie consent from users.

The cookie banner should tell visitors how you use cookies, what data you store, and the users' rights to refuse the storage of cookies.

The language used in these banners needs to be clear and concise — avoid confusing language and jargon. Explain the kind of cookies you're using, why you need to set cookies, and how visitors can manage their cookie preferences. Add an option to selectively allow some cookies.

If a user closes a banner without selecting any option, that doesn't automatically mean they consented to the cookie. You need clear consent from the user.

You also must remember users' cookie preferences for subsequent visits to your ecommerce website.

Have a transparent privacy policy

The next step in the ecommerce GDPR checklist is to ensure that your ecommerce business has a transparent and publicly accessible data privacy policy. It should discuss all the processes involved with handling personal data.

The privacy policy must include information about how you collect, store, use, and disclose personal data.

It should also explain the user's rights to access, modify, or delete their personal data from your ecommerce website and your obligations toward them.

Craft your data privacy policy in plain English, not legalese, so users have no difficulty understanding it. In addition, make the privacy policy readily accessible via a common link in the footer.

A transparent and clear data privacy policy is essential to the ecommerce GDPR checklist.

Allow users to manage their personal data on your ecommerce website

Along with transparency, you must let users have complete control over their personal data.

Users should have the option to request and view the personal information you collect. They also should be able to ask for the change or removal of their data from your website.

One way to empower users is to add a footer with a link on all your website pages with details on how they can manage data on your ecommerce website. You also could give them the option to submit their requests via email.

Secure your ecommerce website

Transparency and control aren't enough. Cyberattacks could compromise users' sensitive information and lead to crimes like fraud or identity theft. So, the next step in your ecommerce GDPR checklist is to ensure your website has the latest security measures. Also, check that hackers can’t access or leak the customer data you store. To secure your website, take the following steps:

  • Install an SSL certificate that encrypts the data shared between the website and the server.
  • Add more layers of protection to your website if it lets users share payment-related information.
  • Increase password security for admin accounts.
  • Use antivirus software to prevent unauthorized access.
  • Ensure that you collect only the amount of personal data needed for your ecommerce business. Remove customer data once you're done with it.
  • Avoid sending personal or sensitive data to third-party services.
  • Anonymize or pseudonymize personal data before storing it.
  • Use multiple locations for data backup.

Vet third parties

Within the GDPR framework, the company that decides to collect data (the data controller) has separate obligations and duties from the one that processes it (the data processor or third party).

The data processor or third party processes the data per the rules the data controller sets. However, any third party that works with your ecommerce business has to be GDPR compliant.

You also need to be aware of the third party's privacy policy. Ensure it doesn’t access or process personal data for reasons other than those stated in your contract.

If you need to transfer data from the EU to a third party in a non-EU country, make sure you do the necessary risk assessments before the data transfer. Also, double-check that the recipient business and the country it operates in have robust data protection systems.

Take these measures if there's a violation

Despite all the precautions you take, data breaches might still happen. In that case, the GDPR requirement is to notify the supervisory authority with all the information you have within 72 hours of the data breach.

Some things to include in your report are:

  • The approximate number of users affected.
  • The categories of data and the approximate amount of compromised personal data.
  • Any action your ecommerce business takes or plans to mitigate such breaches in the future.

You must keep a record of all your data processing activities and inform the authorities. Alongside that, you need to comprehensively examine the following:

  • Where, when, and how the breach happened.
  • What data was involved.
  • Whom the breach affected, and to what degree.

Don’t keep your users in the dark about the data breach. Notify them about the risks to their rights and freedoms. Also, tell them how they can protect their data.

In addition, block access to your ecommerce website until you fix the breach.

Lastly, update your privacy policy and strengthen your security measures to prevent future breaches on your website.

What happens if you don't comply with GDPR standards?

If you're still wondering whether it is worth your time to be GDPR compliant, then consider the following consequences.

GDPR non-compliance could lead to serious ramifications, including significant monetary damage. Several factors determine the severity of GDPR violations, such as:

  • The nature, seriousness, and length of the violation.
  • Whether the violation was deliberate or an act of negligence.
  • The extent to which the company cooperates with the supervisory authority to address the violation and mitigate its consequences.
  • How much the company stands to gain or lose as a result of the violation.
  • Whether the company has any previous violations.

For a less severe violation, ecommerce companies might need to pay a fine of $9.8 million (€10 million) or 2% of the company's annual global turnover, whichever is higher.

Some examples of minor violations include:

  • Collecting personal data from minors (below 16 years) without parental consent.
  • Not adhering to basic privacy policies through cookies.
  • Concealing the involvement of third parties in the privacy statement.
  • Not appointing a data protection officer (DPO) who guides the company toward GDPR compliance and ensures adherence to GDPR policies.
  • Not informing authorities of non-compliance within 72 hours.

More severe violations could result in fines of up to $19.5 million (€20 million) or 4% of annual global turnover (whichever is greater).

Some examples of severe GDPR non-compliance include:

  • Processing data obtained without user consent, illegitimately, or fraudulently.
  • Not providing users with a lucid and transparent data privacy policy.
  • Refusing to give users any control over their personal data.
  • Sending users' data to a third party that isn't GDPR compliant.

From January–October 2022, the total monetary penalty imposed on companies due to GDPR non-compliance amounted to over $552 million (€555 million).

The following companies received some of the heftiest fines for GDPR non-compliance in 2022:

In 2021, Luxembourg slapped Amazon with an $865 million fine (€746 million).

Final thoughts: The complete ecommerce GDPR checklist for your website

Now that you have a handy ecommerce GDPR checklist, you can safely do business with customers who are EU residents by adhering to these guidelines.

The next step is to get help from an expert to secure your website and prioritize data security.

Build your ecommerce platform in a GDPR-compliant hosting environment with Nexcess and never worry about data security again.

Check out our hosting plans to get started today.

View hosting plans.


Maddy Osman
Maddy Osman

Maddy Osman is a WordPress expert and WordCamp US speaker. She is a WordCamp Denver organizer and also operates The Blogsmith, an SEO content agency for B2B tech companies that works with clients like HubSpot, Automattic, and Sprout Social. Learn more about The Blogsmith's process and get in touch to talk content strategy: www.TheBlogsmith.com