eCommerce GDPR Checklist - An Ultimate Guide to Digital Privacy Rules


With the unprecedented rise of technology, personal privacy is at stake in a world of computers and connected devices. All data about a person, whether personal or private, is just a click away. In this scenario the possibility of data misuse is higher, and there is an undeniable need for laws that oversee it. Most importantly, such a law must keep the customer at the forefront, and this is how GDPR was conceived.

Read along to know more.

What is GDPR?

GDPR stands for General Data Protection Regulation. It was created specifically for the people of the European Union and adopted on April 14, 2016 by the European Parliament and the Council of the European Union.

Though adopted in 2016, the regulation came into effect two years later, on 25 May 2018.

It was created to protect the personal data of EU citizens in the online world. Any organization that handles such customer data is liable to follow this regulation.

Prior to this enforced regulation, data protection for citizens was governed only by a directive. It was a suggestion and was not strictly followed. The misuse of customer data for the sake of business made the authorities take this step and come up with GDPR, a set of laws to safeguard digital privacy.

Is GDPR applicable outside the European Union?

Officially, the law applies only to the EU states. Unfortunately, it is an undeniable reality that the repercussions of the GDPR digital privacy rules are felt worldwide.

Say you are an organization headquartered in Australia with clients from every corner of the globe. If EU citizens are among them, you will have to comply with the GDPR checklist to serve them as customers. The rules are set in such a way that you cannot stay outside them unless you have no association with the European Union at all.

How does GDPR apply to the eCommerce sector?

If GDPR is all about data protection, the eCommerce sector is nothing without data. The need for customer data is minimal when one shops in a physical store. When the same shopping moves online, without any physical presence, things take quite a spin: large amounts of data about the customer become necessary.

Each and every step in the eCommerce shopping process needs data: marketing, sales, accounting, shipping, and delivery, to name a few.

To show that an eCommerce business conforms to the GDPR regulations, it must reflect this in its privacy policy page. Some eCommerce sites with GDPR-compliant privacy policies are ASOS, Forever 21, Marks & Spencer, PrettyLittleThing, etc.

Quick fixes to make your privacy policy GDPR compliant

First things first. Before starting your GDPR compliance journey, you must know what to do and what not to do. The best way to document this information is to revamp the privacy policy page of your eCommerce store.

Your eCommerce GDPR privacy policy must include the following information:

  • Authentic office address - an address that can be geographically located, not a virtual one.

  • Types of data collected - email, phone number, and other personal data.

  • The purpose of data collection - email marketing, tracking, etc.

  • Data storage methods - how, and for how long, you retain customer information.

  • User data rights - how customers can access their data and request its deletion.

Below is an example of a GDPR-compliant eCommerce privacy policy from the online store Best Buy. It is noteworthy because the site gives a detailed list of all the information it is likely to collect from customers throughout their journey. Such a list improves transparency, which is important for the sustenance of a business.

ASOS, another online fashion retail giant in the UK, has segregated its privacy policy page into sections with a drop-down option, which makes it easier to read than large chunks of text.

The sections on the ASOS privacy policy page are:

  • How we use your information

  • Sharing your information

  • Marketing Messages

  • Seeing adverts for ASOS.com online

  • Your information and countries outside Europe

  • Keeping your information

  • Your rights

  • Changes to how we Protect Your Privacy

  • Cookies

  • How to contact us

The page is written in a simple and clear fashion, as directed by the GDPR. Given that ASOS is a Shopify store, these sections can act as a Shopify GDPR eCommerce checklist.

To make things easier for you, Shopify offers a privacy policy generator with a 14-day free trial option.

Campaign Rabbit, a stellar platform for email marketing and popup creation, has a privacy policy similar to that of ASOS.

Now that you have updated your eCommerce privacy policy for the GDPR, it is time to move on to the next step: implementation. Read on for the most important points to put into practice.

eCommerce GDPR checklist

This is a comprehensive eCommerce GDPR compliance checklist that can be put to use for both WooCommerce and Shopify stores.

Add a checkbox to forms and emails

The first step towards abiding by the GDPR is to create an eCommerce GDPR template for subscription forms and emails that includes a checkbox.

Checkboxes are added to fulfill two requirements:

  • To have the person agree to the terms and conditions

  • To get consent for marketing campaigns

GDPR consent for an eCommerce store can be created in the following format with the help of the Shopify platform.

This Shopify account creation form shows a checkbox to confirm subscription.

Shopify also allows the same checkbox to be added on the checkout page.

Important Information
Please note that the checkbox is unticked. This is mandatory. Online store owners used to place pre-ticked checkboxes in forms and emails. Under the new regulations this is prohibited: the person must tick the box themselves to confirm consent.

Here is another sample form with checkboxes to confirm both subscription and marketing consent.

Optimize double opt-in

Using double opt-in to confirm an email subscription is essential to make sure that the consent given by the customer to process their data is “unambiguous and freely given”, as directed by the GDPR.

When double opt-in is used for subscriptions, the first opt-in takes place via a normal web form or a popup form. Then, using the email address collected in the first opt-in, the subscription is confirmed by sending an email to that address.

This rules out the possibility of the subscription consent being ambiguous. To be clear, it is a double confirmation from the subscriber's side that allows you, as an email marketer, to send marketing newsletters and content.

Here is an example of a double opt-in email from the Puma online store that meets eCommerce GDPR compliance.

Perks of a double opt-in:

  • A confirmed list of subscribers who are genuinely interested in being associated with your eCommerce store.

  • Decreased spam and bounce rates.

  • Increased click-through and open rates.

Campaign Rabbit, a product for creating marketing emails, comes with digital data privacy compliance and data consent for marketing.

Get re-consent from existing clients

If you have already been using GDPR-compliant terms and policies to document and store information about subscriber consent, then there is very little left for you to do. Otherwise, you will have to get down to work immediately.

It is obvious that the new methods will apply to new subscribers, but have you thought about your existing customer base? They cannot be ignored and must become GDPR compliant too.

For this, revamp your existing email list by doing the following:

  • Send a re-subscription email to the old customer base, especially to all inactive email ids
  • Make sure to document the consent at any cost
  • Remove the subscribers who have not made an effort to re-subscribe from the list
  • Revamp the email list and merge the new subscribers into it

Here is a sample email to confirm subscription from Crabtree & Evelyn, London.

In fact, consent must also be obtained from customers before sending abandoned cart recovery emails, and you must use the best cart recovery plugins to make it successful.

Confirm the age to meet the special requirements for children

The GDPR applies to children too, and the relevant article is given below.

Article 8 of the GDPR states:

“the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.”

Only children aged 16 and above are allowed to share their personal data on eCommerce domains; if the child is younger, consent must be sought from a parent or guardian.

The same article also allows EU member states to lower the age limit to 13, and only Britain has done so to date.

Such a rule is mandatory for eCommerce stores that sell liquor, cigarettes, and similar goods.

Jack Daniel’s has done this right by sending out emails just to verify the age.

Filter your email database proactively

The ‘batch and blast’ method of sending emails will no longer work once you follow the GDPR rules.

This is because you cannot simply barge into people’s inboxes with email after email without their consent. Morrisons, a big supermarket chain in the UK, was fined 10,500 euros for doing this.

Morrisons had a database of 230,000 members and sent emails about one of its loyalty programs to the whole lot. The result was a fine imposed by the Information Commissioner’s Office (ICO): 131,000 members of the database had already unsubscribed from marketing emails.

This fine was imposed under the GDPR rule that fines can go up to 20 million euros or 4% of global turnover in case of non-compliance.

Simply keeping the data up to date could have avoided the issue. So, your existing email list must be thoroughly checked prior to sending a marketing message.
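The consent steps from the checklist above (an unticked checkbox, double opt-in, documented consent, and a suppression check before every campaign, the check Morrisons lacked) can be enforced in code. This is an added example, not code from the article or from Shopify, WooCommerce or Campaign Rabbit; the signing key, field names and sample addresses are constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed demo key; a real store loads this from a secret store, never source code.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Subscriber:
    email: str
    signup_ticked: bool = False          # state of the consent checkbox on the form
    consent_at: Optional[str] = None     # when the box was ticked (first opt-in)
    confirmed_at: Optional[str] = None   # when the emailed link was followed (second opt-in)
    unsubscribed_at: Optional[str] = None


def record_signup(email: str, checkbox_ticked: bool, now: str) -> Subscriber:
    """First opt-in: only an actively ticked box counts as consent.
    An untouched (or pre-ticked by default) box records no consent at all."""
    sub = Subscriber(email=email, signup_ticked=checkbox_ticked)
    if checkbox_ticked:
        sub.consent_at = now
    return sub


def confirmation_token(email: str) -> str:
    """Token embedded in the confirmation link. Only someone who can read the
    mailbox can return it, which is what makes the second opt-in meaningful."""
    return hmac.new(SIGNING_KEY, email.lower().encode(), hashlib.sha256).hexdigest()


def confirm_subscription(sub: Subscriber, token: str, now: str) -> bool:
    """Second opt-in: accept only a valid token for a subscriber who ticked the box."""
    expected = confirmation_token(sub.email)
    if sub.consent_at is None or not hmac.compare_digest(expected, token):
        return False
    sub.confirmed_at = now
    return True


def mailable(subscribers: List[Subscriber]) -> List[str]:
    """Suppression filter run before every campaign: only addresses that are
    double-confirmed and have not unsubscribed since may receive marketing."""
    return [s.email for s in subscribers
            if s.confirmed_at is not None and s.unsubscribed_at is None]
```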

Give customers the priority to handle the data

As per the GDPR regulations, the customer is given complete control over the data. The following are the rights of the customer:

  • Right to access data

  • Right to make corrections in the data

  • Right to delete data, called the ‘Right to be forgotten’ by GDPR

You, as an eCommerce site owner, are liable to present the data to its owner at any point in time upon request. Customers must also be able to edit their data when necessary.

The most important factor is the ‘Right to be forgotten’, as set out in Article 17. According to this, the data the site owner holds must be deleted without a trace from the database when the customer asks for it. All GDPR-compliant eCommerce Shopify and WordPress sites comply with these rules and put the customer first.

Data breach communication must be done on time

Communicating a breach of personal data is as important as storing and securing it. Misuse of customers’ personal data is a serious issue, and it is punishable if the needed measures are not taken at the right time.

Articles 33 and 34 of the GDPR clearly set out the steps to be taken in case of any data misuse.

There are two steps involved: communicating the data breach to

  • The supervisory authority

  • The data subject/customer

As per the rules, the communication must be initiated within 72 hours after the incident happens.

Following this, the customer has the authority to decide whether or not to continue using the services of the eCommerce store.

Make sure that your ESP and third-party apps too follow the regulations

To run an eCommerce business successfully, you are not the only party involved. Partnering with platforms like Shopify and WooCommerce is essential, and it does not stop there.

Third-party applications are also used to make marketing successful, and an Email Service Provider (ESP) too plays a crucial role. In this case, do you think it would suffice if you alone followed the rules?

Priority must be given to making sure that the people you partner with also comply with the GDPR in eCommerce.

Benefits of an eCommerce GDPR checklist

  • Gives a head start to your GDPR compliance journey.

  • Own a database of a thoroughly filtered, loyal audience genuinely interested in buying from you.

  • The whole process of data collection, usage, and storage eventually gets better, leading to lower maintenance costs.

  • The complete workflow of your store becomes transparent, which uplifts your online store/brand through improved customer confidence.

This checklist is not a piece of legal advice but a suggestion on how to apply the digital data privacy rules to your eCommerce store.

After reading this post, you should have realized where you stand and how far you must go to deal with the GDPR digital privacy rules for your eCommerce store. This applies to stores running on all platforms; if yours runs on WooCommerce, here is a detailed WooCommerce GDPR eCommerce checklist to dig into.

Get armed with the essential eCommerce ingredients to make your site GDPR compliant.