GDPR compliance for online shops — a practical guide for SMBs

GDPR applies to any business that sells to or serves EU or UK residents, regardless of where the business is based. If you have EU or UK customers, you are subject to GDPR.

What data your online shop processes

An online shop processes significant amounts of personal data. Map out everything you collect: customer names, email addresses, delivery addresses, purchase history, abandoned cart data, browsing behaviour, IP addresses, payment card data (if stored), customer service communications, marketing preferences, and loyalty programme data.

For each category, you need a lawful basis for processing it under GDPR. Most eCommerce data is processed on the basis of contract (to fulfil the order) or legitimate interests (fraud prevention, customer service). Marketing requires consent.

At checkout, you must not pre-tick boxes or bundle marketing consent into the order acceptance. GDPR requires that consent for marketing is:

  • Freely given (not a condition of purchase)
  • Specific (for a particular marketing purpose)
  • Informed (users know what they're signing up for)
  • Unambiguous (a positive opt-in action, not a pre-ticked box)

Your privacy policy

Your privacy policy must explain all data processing activities in plain language. For an online shop, this includes your payment processor, delivery partners, marketing platforms (Klaviyo, Mailchimp, etc.), analytics (Google Analytics), and any other third parties who receive customer data.

Data retention

GDPR requires you to keep personal data only as long as necessary. For order data, you typically need to retain it for tax and accounting purposes (usually 6–7 years depending on jurisdiction). Customer accounts that are inactive can be deleted after a reasonable period with appropriate notice.

Third-party processors

Every company that processes personal data on your behalf — your payment processor, email marketing platform, fulfilment warehouse, helpdesk software — is a "data processor." You need a Data Processing Agreement (DPA) with each of them. Most major platforms (Stripe, Shopify, Mailchimp, Zendesk) provide these automatically in their terms of service or as downloadable documents.

Data subject rights for customers

Under GDPR, customers can: access all data you hold on them, correct inaccurate data, request deletion (the "right to be forgotten"), object to marketing, and request portability of their data. You must respond within 30 days. Build a process for handling these requests — they will come.

Cross-border transfers

If you use US-based services (Shopify, Stripe, Google, Meta, Mailchimp) to process EU customer data, those are international data transfers. Since the US-EU Data Privacy Framework was established in 2023, many major US providers are certified and transfers are lawful. Check that your key providers are DPF-certified or have Standard Contractual Clauses in place.
