Ecommerce and GDPR: obligations, fines and how to comply in your online store
If you run an online store or sell over the internet, the General Data Protection Regulation (GDPR) requires you to process your customers’ personal data with transparency, a valid legal basis and appropriate security. Non-compliance can lead to significant fines from the Spanish Data Protection Agency (AEPD) and other European supervisory authorities. This article covers key GDPR obligations for ecommerce: legal bases and consent, privacy policy, cookies and records of processing activities, plus the risks and common errors that often result in fines.
In short
- You must provide clear information to users (privacy policy) and have a legal basis for each processing operation (contract, consent, legitimate interest).
- Consent must be free, specific, informed and unambiguous; pre-ticked boxes are not valid.
- Non-essential cookies require prior consent; the banner must allow accept or reject by category.
- Fines for non-compliance can go up to €20 million or 4% of global annual turnover.
- You must keep a record of processing activities and implement appropriate technical and organisational measures.
Legal bases and consent in ecommerce
In an online store you process personal data for orders, shipping, invoicing, customer support and often marketing (newsletters, remarketing). Each processing operation must have a legal basis under the GDPR: performance of a contract (order, delivery), legal obligation (invoicing, tax retention) or consent (newsletter, non-essential cookies, profiling). Consent must be free, specific, informed and unambiguous. Pre-ticked boxes, illegible text or “bundled” consent that does not distinguish between purposes are not valid and can be penalised.
Good practice: Separate consent for the purchase (necessary for the contract) from consent for marketing communications. Use unchecked boxes by default and clear links to the privacy policy before collecting consent.
Information to users: privacy policy (Arts. 13 and 14 GDPR)
You must inform data subjects clearly and accessibly about: who the controller is, what data is collected, for what purposes, on what legal basis, how long it is kept, what rights they have (access, rectification, erasure, restriction, portability, objection and the right not to be subject to automated decisions), whether there are international transfers, and the right to complain to a supervisory authority. This is typically set out in the privacy policy, which must be available before users provide data. A GDPR advisory service can help you draft it and align your records and processes.
Fines: what happens if you don’t comply
Important: GDPR breaches can be fined up to €20 million or 4% of worldwide annual turnover of the previous financial year (whichever is higher). The AEPD and other European authorities impose fines for: unclear information, invalid consent (pre-ticked boxes, single consent for everything), cookies placed without prior consent, missing or inadequate records of processing, security breaches or failing to respond to data subject rights in time. Reviewing your online store against the GDPR reduces the risk of investigations and fines.
Cookies and tracking on your online store
Analytics, preference or advertising cookies (and similar technologies) involve processing of personal data. Those that are not strictly necessary for the requested service require prior consent before being placed. You must inform users in a cookie policy about which cookies you use, for what purpose and for how long, and provide a banner that allows users to accept or reject by category (not just “Accept all”). A banner that does not allow rejection or does not link to a clear cookie policy is one of the most common grounds for complaints and fines. See also our article on web legal texts and cookies.
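The consent-gating logic the paragraph describes (no non-essential cookie until the user opts in, every category unchecked by default, rejection per category), as an added example that is not part of the original article; the category names, the consent record name and the storage interface are assumptions for illustration.

```javascript
// Added example: a minimal consent gate for non-essential cookie categories.
// Category names and the consent-record name are assumptions for illustration.
const CATEGORIES = ["analytics", "preferences", "advertising"]; // non-essential
const CONSENT_KEY = "cookie_consent"; // assumed name of the first-party consent record

// Initial banner state: every non-essential box unchecked (never pre-ticked).
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Only known categories and only an explicit boolean true count as consent;
// anything else (missing, "yes", unknown keys) is treated as rejected.
function normaliseChoices(submitted) {
  const out = defaultChoices();
  for (const c of CATEGORIES) {
    out[c] = submitted != null && submitted[c] === true;
  }
  return out;
}

// Decide which script/tag loaders may run. Strictly necessary cookies (session,
// cart) never need consent; every other loader waits for its own category.
function allowedLoaders(consentRecord, loaders) {
  return loaders.filter((l) => l.category === "necessary" ||
    (consentRecord !== null && consentRecord.choices[l.category] === true));
}

// Store the decision with a timestamp and the cookie-policy version so it can
// be evidenced later and re-requested when the policy changes. Storage is
// injected so the same logic runs against document.cookie, localStorage or a
// test double.
function recordConsent(storage, submitted, policyVersion) {
  const record = {
    choices: normaliseChoices(submitted),
    policyVersion,
    decidedAt: new Date().toISOString(),
  };
  storage.set(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// No record, a corrupt record or a record for an older policy all mean "ask
// again": absence of a decision is never read as consent.
function readConsent(storage, currentPolicyVersion) {
  const raw = storage.get(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    return rec.policyVersion === currentPolicyVersion ? rec : null;
  } catch (e) {
    return null;
  }
}
```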
Record of processing activities and security measures
The GDPR requires you to maintain a record of processing activities (subject to limited exceptions for undertakings with fewer than 250 employees in certain cases) that includes, among other things, purposes, categories of data and data subjects, recipients, retention periods and security measures. You must also implement technical and organisational measures appropriate to the risk (pseudonymisation, encryption, access control, staff training). In ecommerce, card data is often processed by the payment gateway; you remain responsible for the data you process directly (customers, orders, emails) and for having data processing agreements with every provider that accesses personal data.
Checklist: Ecommerce and GDPR
- Up-to-date, clear privacy policy accessible before collecting data.
- Legal basis defined for each processing (contract, consent, legitimate interest).
- Free and unambiguous consent; unchecked boxes by default for marketing and non-essential cookies.
- Cookie policy and banner with option to reject or accept by category.
- Procedure to handle access, rectification, erasure, restriction, portability and objection rights (deadlines and contact).
- Record of processing activities kept up to date.
- Data Protection Officer (DPO) designation if required (large-scale processing, sensitive data, etc.).
Related services
Need to make your ecommerce GDPR compliant?
At Satya Legal we help with privacy policy, records of processing, consent and cookies so your online store complies with the GDPR and you reduce the risk of fines.