Sell more with better email & SMS

Get ecommerce-focused email & SMS marketing that makes it easier to grow your brand, get sales & build better relationships.

Drive sales on autopilot with ecommerce-focused features

See Features

GDPR for Ecommerce: The Definitive Guide to Getting Ready [+Free GDPR Checklist]

Reading Time: 6 minutes

Many businesses wrongly believe that GDPR compliance is only required for businesses based in the European Union.

But that is completely wrong.

The GDPR applies to any organization, regardless of location, that processes or collects the personal data of individuals within the EU. This means that if your business collects data on EU residents, then you are subject to GDPR regulations, regardless of your business location.

The GDPR applies to anyone who has EU citizen or resident personal data--whether ecommerce customer or subscriber
The GDPR applies to anyone who has EU citizen or resident personal data–whether ecommerce customer or subscriber

With huge fines for non-compliance, this ecommerce GDPR guide will help you understand what these GDPR rules mean for your businesses and how to comply with them.

What is the GDPR and when does it take effect?

GDPR stands for General Data Protection Regulation, which took effect on May 25, 2018. 

The GDPR for Ecommerce goes into effect on May 25, 2018

The GDPR ensures personal data protection of European Union citizens.

It determines the ways that personal data of EU citizens can be handled, both within and outside the EU.

The main aim of the GDPR is to actually give control of the data back to the citizens and residents of the EU. This means they can determine who has access to their data.

This includes the ability to demand that any personal data stored previously by a business, including an online store, be deleted or modified promptly and permanently.

The GDPR also simplifies the requirements for international businesses that have to comply with different sets of rules for different countries in the EU.

While it can seem like a problem, the GDPR for ecommerce actually allows you to identify genuine subscribers: the ones who are eager to hear from you. After all, those are the ones who are buying your products regularly.

What about the consequences of non-compliance? They are pretty high, to be honest. 

The fines are:

  • Up to €10 million under EU GDPR and £8.7 million under UK GDPR, or up to 2% of the annual worldwide turnover for the previous year, whichever is higher. This is for any business that does not comply with the GDPR rules.
  • Up to €20 million under EU GDPR and £17.5 million under UK GDPR, or up to 4% of the annual worldwide turnover for the previous year, whichever is higher. This fine is for any business that suffers a data breach where the personal data of Europeans is compromised.
GDPR for ecommerce fines can be quite hefty

With such hefty fines, you must make sure you adhere to the ecommerce GDPR and we are here to help you do that.

Ecommerce for GDPR: The 3 essential parts

The tough new rules have probably left you wondering if your online business can survive in international waters. Well, we are here to let you know that it’s not that hard for ecommerce stores to stay compliant.

Ecommerce GDPR can be broken into three parts you need to pay attention to. The essential parts of ecommerce GDPR are:

  • Get consent: A user must agree to be included in your marketing campaigns.
  • Provide adequate protection: You must protect the users’ personal data adequately.
  • Delete, correct, or restrict when asked: If a user requests you delete, correct, or restrict the personal data you have, you must comply quickly
The 3 essential parts of the GDPR: consent, data protection, and deletion and correction

GDPR checklist for ecommerce websites

Okay, so now that we know about the essential aspects of the GDPR for ecommerce and businesses in general, how can you make sure you are following the rules?

We’ll go over these steps so that you can be ecommerce GDPR compliant.

#1 Specify what personal data you’re collecting or storing

Clearly mention the data you are collecting from your users for transparency. Also, make sure users understand which data points are mandatory and which are optional.

For example, if they don’t provide an email address, users won’t be able to create an account. Or if they don’t provide payment information, they won’t be able to buy your products.

#2 Obtain consent for data collection

Always seek consent before collecting any customer data. More importantly, ensure they have consented to receive marketing messages and promotional offers separately.

The image below shows a signup form with 2 checkboxes, one for newsletter and one for receiving marketing communication. Under GDPR, the user needs to check the second box as a way to give their consent to receive commercial offers from you. 

#3 Only keep customer data for as long as necessary

When it comes to GDPR for ecommerce purposes, you’re probably fine. You’re selling to customers. Even if they haven’t bought anything from you in 6 months or a year, there’s still a possibility that you’ll be able to sell to them.

As long as you got the consent in the first place, you’re fine.

#4 Appoint a Data Privacy Officer

Hire someone who’ll be responsible for ensuring the personal customer data you’re processing and storing is protected.

You can even do it yourself if you understand the data protection procedures you’re using.

#5 Make data protection the core of your activities.

If you plan on launching any new campaigns, make sure you’ve got your users’ personal data protection at the core of your activities.

That means there’s no accidental (or intentional) situation where you reveal your customers’ personal information.

#6 Protect your employees

If you have employees that are European citizens or residents, make sure you handle their data carefully. Use the same level of protection for your employee data as you use for your European customers.

#7 Make it easy to delete or modify user personal data

When a user requests you to delete or modify their information, make sure you know how to do it promptly.

#8 Inform users quickly in case of a data breach

According to the GDPR rules, businesses have 72 hours to inform their affected user or users that their data was breached.

#9 Update your privacy policy

Make sure your privacy policy complies with the new GDPR. First, your privacy policy should be written in clear, plain language.

Second, it should be accessible to anyone and clear on how you plan to use customers’ personal data and for what reasons.

#10  Make sure third-party apps or vendors are GDPR-compliant

If you’re using third-party platforms and apps to help you run your ecommerce store, make sure that they’re GDPR-compliant. This includes Shopify, Bigcommerce, and whatever other subscription-based ecommerce platforms you’re using.

Frequently asked questions

1. Do I need consent from newsletter subscribers?

Yes, you do. The ecommerce GDPR states that you need specific consent from customers who have signed up to receive marketing messages from you.

2. Can I send promotional emails to customers?

It depends on whether your customers (data subjects) have agrees to receive promotional emails from you. If they didn’t, then you can’t send them promotional emails.

3. Can I retarget visitors without their consent?

No. No consent, no promotional messages. That includes retargeting ads. If the user does not agree to the cookies policy or refuses in any obvious way, then you cannot track that user.

4. Do I really need to have a Data Protection Officer (DPO)?

Probably not, but it depends on certain factors.

According to ecommerce GDPR, Data Processing Officers (DPOs) are required if the company’s “core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale.” 

If you’re not involved in any of these activities, then you don’t need a data protection officer.

How Omnisend is helping merchants be GDPR-ready

Omnisend is committed to ensuring that all ecommerce merchants using our marketing automation platform are GDPR compliant. 

We are doing this in 4 important ways.

#1 Easy-to-export customer profiles

Merchants will be able to export the data they have on their customers using Omnisend in two ways: as a PDF or a JSON file.

The PDF version makes it easy for you to show customers what type of personal data you have on them and comply with GDPR’s ‘right to access’ requirement. 

The JSON version allows you to comply with the portability aspect of GDPR for ecommerce by making it easy for you to move all your data comprehensively. 

#2 GDPR-ready consent and re-consent

Omnisend has introduced new features to help marketers seek specific content from subscribers to send them marketing messages.

#3 Easy data anonymization

Omnisend gives ecommerce merchants the ability to anonymize customers. This means that by simply looking at the data you won’t be able to identify the customer or subscriber in any way.

#4 GDPR-compliant SMS messaging

We include an unsubscribe option for SMS messages so that subscribers who no longer wish to receive text messages from your brand can easily unsubscribe.


GDPR has introduced new regulations that give users more control over their data. To comply with the ecommerce GDPR, you need to get consent to send marketing content, adequately protect your subscribers’ data, and respond quickly to requests to delete or modify personal data.

Sounds hectic, but not for those using Omnisend. 

New laws might seem scary, but Omnisend makes sure the way you collect and store personal data is GDPR-compliant. This will help you earn the trust of your customers and build strong, long-lasting relationships.

Get started with Omnisend today & drive sales on autopilot with pre-built automation workflows

Bernard Meyer
Article by
Bernard Meyer

Bernard is the Sr. Director of Communications & Creative at Omnisend, with a passion for good research, helping ecommerce businesses with their marketing automation needs, and beating absolutely everyone in Mario Kart 64.