The European Union's General Data Protection Regulation (GDPR) is a regional law with global implications both in terms of its enforcement and its impact. So no matter where your company is located, if it does business with Europe, your ecommerce website must meet at least five requirements.

The GDPR, which took effect May 25, 2018, requires you to clearly communicate what information you collect and how that information is used. You will also need a basis for collecting personal data, and you must answer customer requests for information or erasure.

So here are the five things your website needs.

Privacy Policy

At its core, the GDPR is a personal privacy protection law. It clearly states that the protection of personal information is fundamental human right, and it sets out in 99 Articles and 173 recitals to regulate and defend that right.

So it should be little wonder that your ecommerce site is going to need a clear and specific privacy policy to meet GDPR requirements.

While there is not necessarily a format your company must follow, you are going to want to include six concepts:

  1. Identification
  2. Data collection
  3. Data use (processing)
  4. Data storage
  5. Data sharing
  6. Data control

These concepts can be expressed in several sections. For example, 3dcart's GDPR-compliant personalized privacy policy generator includes nine sections that collectively speak to the GDPR's essential requirements.


Here are the sections covered.

  • Section One: Transactional Information — describes what your company does with a data subject's personal information and includes email subscriptions.
  • Section Two: Consent — describes how consent is given and withdrawn.
  • Section Three: Disclosure — let data subjects know if information is shared.
  • Section Four: Online Store — discloses information about your ecommerce platform and payment processing.
  • Section Five: Third-party Services — identifies the use of third-party solutions which may also collect and process personal information.
  • Section Six: Security — explains what your company and your ecommerce platform do to protect personal information.
  • Section Seven: Do Not Track — explains cookies and how they work on your site.
  • Section Eight: Age of Consent — addresses the minimum legal age of consent.
  • Section Nine: Changes to this Privacy Policy — discloses the right to make amendments.

Your business will have three options for creating the required privacy policy.

 Best Privacy Policy Generators for GDPR Compliance

  1. 3dcart GDPR Policy Generatorgdpr-policy-generator
  2. Iubenda

  3. Termly


  5. TermsFeed



Consent on Forms

In the GDPR, consent is a person's genuine right to control his or her data. And your company is going to need to ask for consent for the use of cookies, email subscriptions, contests, wish lists, and user accounts.

Consent must be freely given, specific, informed, and unambiguous. While your business does have some flexibility regarding how consent forms or consent for cookies are implemented, you will need to cover key concepts, like describing why your business is collecting the data and how it will be processed; providing the option to opt-out or withdrawn consent at any time; the legal basis for data collection; and access to your business' privacy policy.

How you present these concepts can vary.

It may also be a good idea to "unbundle" consent, so rather than asking a site visitor to approve all cookies, for example, you might give them the choice to accept essential cookies necessary for the site to function while rejecting marketing cookies that monitor shopping behaviors.

Consent at Checkout

When a customer makes a purchase on an ecommerce site that customer understands that in order to receive the items purchased, he or she will need to provide personal data like a name, address, and payment card.

To be clear, your ecommerce operation does not need consent to process an online order.

The GDPR provides six valid and lawful bases for the collection and processing of personal data. These bases are consent, contract, legal obligation, vital interest, public interest, and legitimate interests.

An ecommerce checkout may be considered a form of a contract, since the data subject has specifically asked your business to do something — deliver a product — that requires the collection and processing of personal information.

However, there are a couple of things you may need to include on checkout pages.

First, you may still need to inform shoppers about your privacy policy and about what information is collected and processed during checkout. Second, you will need consent if you also want to market to shoppers.

As an example, if you have a checkbox in your shopping cart that says "add me to the email list," your company will need to get consent, since subscribing to an email list is not necessary for the completion of the order.

Similarly, if you ask a shopper to create a customer account at checkout, you will need consent.

Requests for Records

The GDPR allows for subject access, meaning that anyone covered by the GDPR whose data your business has collected has the right to request a record of all of the information you have about them.

Data subjects can submit a request in verbal or written form to any part of your business, and they do not need to specifically mention the GDPR. Your company will need to respond quickly.

Here again, the GDPR doesn't provide a specific template, but response best practices include:

  • Identifying all the places (databases) personal data is stored in advance.
  • Developing a system (automated if possible) that will retrieve all of a customer's personal data.
  • Training employees to recognize requests.
  • Developing a central repository for all GDPR-related requests.
  • Identifying the individuals or departments responsible for handling requests.
  • Creating form letters and responses.
  • Validating each request.
  • Keeping a record of all requests and your company's response for audit purposes.

You may want to mention this right in your privacy policy and even create a form for requests, just remember your customers don't have to use a specific form to make a valid request.

Requests to Delete Data

The GDPR also includes a right to erasure or a right to be forgotten. With this right, a person covered by the GDPR can contact your company in the same way he or she would for a record request, but instead of asking for a copy of the personal data your business has collected, he or she can demand that you delete it, effectively forgetting them.


This right is not absolute. There are at least five instances when you would not comply, including for the purpose of freedom of expression and information; to meet a legal obligation; for the public interest; for public scientific or historical research with overarching benefits to the public; and for legal claims.

Follow the same best practices recommended for the request for records, but be prepared to delete the personal data and ask third-party partners to do the same.

Want to learn the fastest way to make your website fully GDPR-compliant? Download our free ebook below.

Free report: The Real Cost of Running a Shopify Store