GDPR Compliance for Ecommerce Shops: What Shop Owners Can Do


Ecommerce shop owners are busy enough as it is. SEO, social, design. You don’t need another to-do.

So we’ll apologize right away for adding one. It’s just that, well, GDPR compliance is too important to ignore.

GDPR is Europe’s big new data protection regulation. GDPR takes effect in May 2018 and will impact what it means to do ecommerce in Europe.

This post will look at what GDPR says, what GDPR compliance means for you, and how you can use it to your advantage.

What Does GDPR Stand For?

GDPR is short for General Data Protection Regulation. Adopted in April 2016, GDPR creates rules for how all European residents’ data must be handled.

GDPR is not a tech document. At all. In fact, ecommerce is only discussed once. And that’s in a footnote. And they call it “electronic commerce.” GDPR is less of a digital playbook than a statement on fundamental rights: “The processing of personal data should be designed to serve mankind.”

But there is still plenty for shop owners to be aware of. So let’s get familiar with GDPR.

Who Does GDPR Apply To?

European Union flags flying in Brussels

Regardless of where you are based, GDPR applies to all companies that offer products or services to consumers in Europe.

“It doesn’t matter if the company is in Europe, outside of Europe, or on some island,” Dr. Christoph Bauer, CEO of ePrivacy, told Oberlo. “If the services are offered to European customers, they need to follow the law.”

So if your ecommerce shop is available in Europe, you probably have to comply with GDPR. 

Just remember: GDPR compliance isn’t simply for European companies selling products to European customers. It covers any interaction with customers in Europe, period.

Of course, GDPR applies to more than just shop owners. GDPR compliance also applies to your favorite tools. Google, Facebook, MailChimp, and Shopify, to name a few, must also comply with GDPR. Later on we’ll look at how those tools and platforms are tackling GDPR compliance.

What’s up With GDPR for Small Businesses?

Small business owner analyzing GDPR compliance

GDPR affects companies of all sizes. From one employee to 10,000 employees, if a company handles data about Europeans, then GDPR applies.

Most ecommerce shops are much closer to one employee than 10,000, so it’s important to understand how GDPR distinguishes between big companies and small ones.

Ecommerce shop owners should know that GDPR doesn’t treat them the same way it treats huge businesses. For example, certain record-keeping requirements in GDPR apply only to companies with more than 250 employees.

When you read advice like, “It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organization,” you can relax. If you’re an online store owner, then the “key people” and the “organization” are probably you. If that’s the case, GDPR is a bit simpler.

But! There are still plenty of GDPR requirements that apply to everyone, no matter what. Let’s dive in.

What Should Shop Owners Do for GDPR Compliance?

GDPR is 88 pages and more than 50,000 words long, and the writing is as interesting as a long line at the post office. If you don’t want to read GDPR, you are forgiven.

But the rules laid out are applicable to all shops selling to consumers in Europe, and Europe accounts for about 25% of global GDP. So even if you can’t be bothered to read GDPR, there are some things to remember to be GDPR compliant.

Consent is king.

GDPR empowers Europeans to control exactly how their data is used. As a result, being GDPR compliant means you can’t assume what your users want.

For example, GDPR says, “Silence, pre-ticked boxes or inactivity should not constitute consent.” That means you should avoid stuff like this:

Pre-filled checkbox that violates GDPR


Econsultancy has a good post on what GDPR-compliant UX looks like when it comes to consent.
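The quoted rule (silence, pre-ticked boxes and inactivity are not consent) is easy to get wrong once a form reaches the server, because a pre-ticked box submits exactly the same value as one the shopper ticked deliberately. The following is an added example, not code from the original post or from any platform it mentions: it shows a server-side check that refuses to treat a box rendered pre-ticked as consent, and builds the record a shop would keep to show later when consent was given and against which wording. The field names (`renderedChecked`, `checked`), the record shape, the version string and the sample submissions are all assumptions constructed for the illustration.

```javascript
// Added example, not code from the original post. Field names
// (renderedChecked, checked) and the record shape are assumptions.

// Identifier for the exact consent wording shown to the shopper (assumed value).
const CONSENT_TEXT_VERSION = "marketing-consent-v1";

// Decide whether a submitted checkbox counts as consent.
// `renderedChecked` is how the box was drawn on the page; `checked` is what
// came back in the form. A pre-ticked box never yields consent, even when the
// shopper leaves it ticked, because inactivity is not an affirmative action.
function evaluateConsent(field) {
  if (field.renderedChecked) {
    return { granted: false, reason: "pre-ticked box does not constitute consent" };
  }
  if (!field.checked) {
    return { granted: false, reason: "box left unticked" };
  }
  return { granted: true, reason: "explicit opt-in" };
}

// Build the record to store with the customer, so that the shop can later show
// when consent was given, for which purpose, and against which wording.
function buildConsentRecord(customerId, purpose, field, now = new Date()) {
  const verdict = evaluateConsent(field);
  return {
    customerId,
    purpose,
    granted: verdict.granted,
    reason: verdict.reason,
    textVersion: CONSENT_TEXT_VERSION,
    recordedAt: now.toISOString(),
  };
}

// Constructed sample submissions (not real data).
const SAMPLES = {
  preTicked: { renderedChecked: true, checked: true },   // the pattern to avoid
  optedIn:   { renderedChecked: false, checked: true },  // explicit action
  ignored:   { renderedChecked: false, checked: false }, // silence
};

// Run all samples for one constructed customer; returns a map of records.
function runSamples() {
  const out = {};
  for (const [name, field] of Object.entries(SAMPLES)) {
    out[name] = buildConsentRecord("cust-0001", "email-marketing", field,
                                   new Date("2018-05-25T00:00:00Z"));
  }
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The real fix is of course to stop rendering the box pre-ticked in the first place; the server-side check is a safety net so that a template mistake cannot silently turn into a marketing list built on invalid consent. Storing the wording version alongside the timestamp matters because the shop has to be able to demonstrate what the shopper actually agreed to, not just that a flag was set.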

Only collect data that you need.

The heart of GDPR compliance is protecting people’s data. You can limit your exposure by not collecting data that you don’t need.

If there is no business value in knowing, say, what company your shopper works for, then GDPR gives you an incentive to not even ask.

If you use Shopify, you can adapt the questions you ask your visitors in the “Checkout” settings:

Checkout settings in the Shopify backend

If you’re not going to use the information, then don’t ask for it. And if you are going to use it, be really clear about what you’ll use it for.

For example, sometimes you’ll see checkout pages that ask for a shopper’s phone number. Shop owners need to ask themselves, “What am I going to use this person’s phone number for?”

There are definitely legitimate reasons to ask for a phone number. Could be for SMS campaigns, or as a safeguard against fraudulent orders. Shopify’s fraud detection mechanism flags orders if the shipping address and IP address are in different locations, and then uses the phone number to protect consumers and get confirmation. That is totally fine as far as GDPR compliance goes. Just make sure that you explain this stuff in the terms and conditions and privacy policy.

Make everything really clear.

Regulators in charge of GDPR compliance love transparency. You could put an “unsubscribe” link on your website next to “subscribe.” You could link directly to your terms and conditions from your footer. And your privacy policy.

Putting all of this stuff out in the open is one of the simplest ways to protect yourself from concerns about GDPR compliance. And if you have certified or verified processes, tell the world! This is how fashion giant Zalando does it:

Verified services notification

Don’t do sneaky stuff.

For companies under 250 employees, so much of GDPR boils down to simply not being sneaky. If you are honest and transparent and implementing best practices, you won’t face the massive fines that come with GDPR.

In a blog post about GDPR, tech security provider Sophos put it this way:

Daunting as it all may seem, small businesses can take comfort in this: as long as they can demonstrate that they’ve put their best foot forward to meet the requirements of GDPR, regulators will work with them on any problems that might arise.

Which means…

Keep selling in Europe!

Euro notes after ecommerce transactions

The European Union is not trying to shut down online stores. In fact, between the “Digital Single Market” and tens of billions pumped into broadband networks, the EU has been kind of obsessed with creating a more robust digital economy.

Plus regulators understand that some data storage is vital to keep the digital economy running. 

So, even if GDPR seems a bit old school, it’s not part of a coordinated effort to sink ecommerce. Which means you can sell in Europe all you want!

Are There Benefits to GDPR Compliance for Ecommerce Shops?

Big time. GDPR isn’t just rules and headaches. It’s a huge opportunity: European customers will like you more if you are GDPR compliant.

No doubt, data privacy is a big deal in Europe. And you can see topics related to GDPR compliance pop up all over the web. In fact, European companies from every sector use data protection and data privacy as a selling point, and store owners can do the same.

Here, for example, is the home page of the German supermarket chain Edeka. When you arrive, you get a heads up that they use cookies, as well as a link to a “Privacy Policy” page (“Datenschutzhinweisen”).

This data privacy stuff is way bigger than the Edeka logo. It’s front and center and huge:

Cookie and privacy banner from German website

Interested customers can also find a massive cookies section in the imprint, as well as yet another link to the data privacy section. Topics surrounding GDPR compliance are planted all over the website.

And this isn’t a financial institution or government body. It’s a supermarket.

This isn’t just a German thing. The French entertainment website has a floating banner about cookies — right below its dedicated “privacy policy” and “cookies” sections:

French website links to information on cookies and data privacy

The Dutch might take the cake. Or take the cookie, as it were. Just look at this massive cookie notice that every visitor sees upon arrival at the popular site Marktplaats:

Cookie banner from Dutch website Marktplaats

Meanwhile, top Dutch news site Telegraaf has no fewer than three data privacy-related sections in its footer:

Privacy information from website De Telegraaf

Simply put, data privacy and data protection are huge topics in Europe. Sure, some countries require websites to give details about cookies and data protection. But these websites don’t just give details. They show it off. It’s marketing!

European consumers want to feel comfortable about GDPR compliance issues before making a purchase or engaging with a brand. That’s why websites ranging from supermarkets to news outlets make such a big deal about GDPR-related topics like cookies and data privacy.

You can leverage these attitudes to grow your ecommerce business. Let people know that you are GDPR compliant. Make GDPR compliance part of your Terms and Conditions page. Put it in the footer of your emails. Every little advantage helps.

If you’re GDPR compliant and your competitor isn’t — or even if both of you are GDPR compliant but you’re the only one who brags about it — then that might be a big selling point in the European market.

What About GDPR and Marketing?

Let’s say you do everything in your power to be GDPR compliant. You remove those pre-ticked boxes, you only collect vital data, your policies are clearly explained. Awesome.

There’s still the issue of your tools: Are they GDPR compliant?

After all, shop owners typically use a handful of platforms and solutions to optimize their marketing, analytics, social, email, and so on. What’s more, most of those ecommerce tools are based outside of Europe — Google Analytics, Google AdWords, Facebook, MailChimp, and a whole lot more. 

Can a shop owner be GDPR compliant and still use these tools? Let’s take a look.

What About Google and GDPR?

Google office with large logo and glass windows

Chances are that you interact with Google’s suite of products on a daily basis. Google Analytics is the world’s most used analytics solution, and Google AdWords is No. 1 in search marketing. You might even run your email with Google.

Store owners know Google. Does Google know GDPR?

Absolutely. In fact, Google has gone out of its way to reassure ecommerce shop owners that it will be completely GDPR compliant by May 2018. As Google put it:

We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR)…. We are committed to complying with the new legislation and will collaborate with partners throughout this process.

Google AdWords updated its terms and conditions in August 2017, unveiling data protection measures “related to the EU General Data Protection Regulation.”

Google also announced recently that it would stop scanning emails to deliver personalized ads and services. PageFair, a British group specializing in digital advertising, speculates that GDPR compliance “may be the real reason, or at least a contributing reason, why Google announced that it will stop mining people’s emails for ads.”

At Google’s dedicated URL for GDPR compliance — — you can find what amounts to a promise from Google about GDPR compliance and Google Cloud:

You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years.

In short, Google plans to be ready.

What About MailChimp and GDPR?

Logo of email provider MailChimp

MailChimp, the world’s leading email tool for small businesses, has made repeated references to GDPR compliance.

For example, in October, MailChimp announced that it would get rid of its double opt-in requirement. However, they are keeping double opt-in as the default setting in Europe. Why? As MailChimp put it in a blog post,

We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements.

So yeah, MailChimp has heard of GDPR. In fact, MailChimp published a 26,000-word PDF explainer called GDPR: What it is, what we are doing, and what you can do.

Like Google, MailChimp is heavily invested in GDPR compliance.

What About Shopify and GDPR?

If your shop runs on Shopify, don’t worry. Shopify is a thoroughly global company. Its founder and CEO is from Germany; the company is based in Canada; they are currently hiring in San Francisco and Ireland; their users are scattered around the globe.

Shopify now even has a section in its user manual specifically tackling GDPR topics:

Shopify's GDPR compliance section in user manual

Shopify has dealt with international regulations since its inception, which is why the company can say, “Shopify expects to be GDPR compliant when it takes effect on May 25, 2018.”

What About Facebook and GDPR Compliance?

Facebook has definitely had its legal issues in Europe. The company was fined €110 million in May 2017 for linking user accounts and user data between Facebook and Facebook-owned messaging app WhatsApp. That is exactly the type of data privacy issue that GDPR addresses.

But even if Facebook has a history with European regulators, they know GDPR compliance is a requirement. And they want every shop owner who uses their marketing tools — Facebook Custom Audiences, Facebook Connect, Facebook Beacon, and so on — to keep on using them.

In August 2017, a Facebook spokesperson told The Financial Times,

We have now assembled the largest cross-functional team in the history of the Facebook family of companies. Dozens of people at Facebook Ireland are working full time on this [GDPR] effort.

The article goes on to say that Facebook Ireland’s data protection team will swell 250 percent this year to support efforts surrounding GDPR compliance.

Conclusions on GDPR Compliance for Shop Owners

So what does all that mean for GDPR and your online shop? Here is the tl;dr version:

  • GDPR affects businesses that interact with consumers in Europe — or that might interact with Europeans — no matter where those companies are located.
  • GDPR compliance is a bit simpler for small companies. Which means GDPR compliance is different for your ecommerce business than it is for a massive company.
  • You can help your shop be GDPR compliant by making sure your terms and conditions are clear; removing pre-ticked boxes; and generally respecting the privacy of your customers and potential customers.
  • Your ecommerce business can take advantage of GDPR. Data privacy is a huge deal in Europe, so get GDPR compliant — and then let all your European shoppers know about it.
  • The marketing tools and channels that you use in your online shop will need to be GDPR compliant by the time GDPR takes effect in May 2018. You need to keep an eye on this, and contact them directly if you have questions. But GDPR is not a secret to anyone.


There are some great resources available for people wondering how GDPR impacts their online shop or dropshipping business. Here are a few goodies.

MailChimp’s explainer on General Data Protection Regulation

ePrivacy’s overview page, which includes a webinar, white paper, “quick check” and more

Econsultancy’s post, GDPR: 10 examples of best practice for obtaining marketing consent

The GDPR section of Microsoft’s “Trust Center”

The General Data Protection Regulation section of the Shopify manual

Boxcryptor’s overview of GDPR apps

And if you’re feeling brave, the actual text of the General Data Protection Regulation

This guide is for informational purposes only. By providing this guide, we are not acting as your lawyer or providing legal advice, and we are not responsible for how you use it. By using this guide, you agree to this disclaimer.


  • Good to know this. TFS!

  • Tiffany Orr

    Great explainer. Thanks!

  • David Vranicar

    Thanks, Tiffany!

  • David Vranicar

    Sure thing!

  • Interesting article, thanks. To what extent does GDPR apply to site/store owners who use other platforms like Etsy or BigCartel or Weebly, which do not give them any cookie or transaction data? I’m not sure how Oberlo differs in that respect, but there must be some difference in GDPR application between platform owners and site/store owners.

  • Michelle Lake

    Thanks for sharing.

  • Henrique Paranhos

    Excellent article, very useful!

  • David Vranicar

    Great question. I know this isn’t the answer you’re looking for, but I think your best bet is to contact these platforms directly. Different platforms have different approaches and can give you specific details!

  • Thanks (it’s not for me, it’s for clients, I’ll point them in that direction). At Oberlo, do you take responsibility for GDPR compliance on those aspects that individual store owners have no control over, e.g. cookies, sign up data etc, and the store owner being expected to be responsible for compliance on the data that they do receive from Oberlo for, e.g., a transaction? It seems to me that on shared platforms compliance is split between platform owner and store owners.

  • I’ll jump in here if I may. Responsibility is shared between the Controller and the Processor (you and them). If you are a Dropshipper for example and you use Oberlo, then you are responsible and accountable to your customer for how Oberlo manages and shares data, how AliExpress handle their data and how the seller manages and utilises data. Google is already on the road to compliance, so if you use the Oberlo extension you should be fine there.

    This is shared accountability however the buck ultimately stops with you ensuring that your entire supply chain adheres to the same standards of data hygiene.


  • You make no reference to how GDPR will affect Dropshippers – who make up a huge percentage of your business.

    If you own a store and sell stuff then great, keep going. However, if you’re a Dropshipper you’re in a different category. AliExpress have had a terrible time trying to adjust to GDPR by rooting out fake sellers and “middle men” and has been at odds with the EU over this. Store owners don’t know how the personal data being imported to complete a transaction is being used or stored by a seller.

    You need to be a little more specific.


  • David Vranicar

    Great points, Nigel. GDPR is definitely something new for AliExpress, as it’s completely different than what’s standard in China. That said, Alibaba, which runs AliExpress, is proactively tackling GDPR topics. For example, like the American companies discussed in this post, Alibaba has published content explaining how GDPR impacts its operations and what changes it will be making:

    We won’t know for sure how AliExpress will adapt until the new year, but definitely this is something that Alibaba platforms and services are preparing for.

  • Nigel Bywater

    Thanks for the reply. 17 months gone, 6 to go. They don’t have long to allay fears. If Ali and their merchants aren’t compliant then dropshippers are equally liable for their supply chains. You can message me if you’d like additional insight or help at Oberlo. I’ve been employing PbD for my clients for 21 years.

    Nigel [at]

  • Socol Ionut

    Congratulations, David, for this powerful article!
    I find it very useful and I will use it in my activity and website:
