GDPR Compliance Checklist for E-Commerce Businesses

Last updated: 2026-06-09 — ComplianceStack Editorial Team

17 items
🎯

Generate Your Personalized GDPR Checklist

Tell us about your organization and we'll tailor this 17-item checklist to your situation — highlighting your gaps, marking what you already have, and calculating your readiness score. Free. Instant. Downloadable.

E-Commerce GDPR Compliance Checklist

0 of 17 items reviewed

1

Implement compliant cookie consent mechanism

Critical 3-5 days

Deploy a cookie banner that obtains explicit consent before non-essential cookies are set, with granular options for different cookie categories. Pre-ticked boxes and cookie walls are prohibited.

ePrivacy Directive Article 5(3), GDPR Article 7
2

Maintain comprehensive privacy policy

Critical 2-3 days

Provide clear information about all data processing activities, including purposes, legal bases, retention periods, third-party recipients, and international transfers. Must be accessible from all pages.

GDPR Articles 13, 14
3

Minimize data collection at checkout

High 2-4 days

Collect only data necessary for order fulfillment and legal obligations. Avoid requesting birth dates, phone numbers, or other data not required for the transaction.

GDPR Article 5(1)(c)
4

Eliminate dark patterns in consent flows

High 2-3 days

Ensure that declining consent or data processing is as easy as accepting. Reject buttons must be equally prominent, and users should not face degraded service for exercising their rights.

EDPB Guidelines 3/2022 on Dark Patterns, GDPR Article 7(4)
5

Obtain explicit consent for marketing communications

Critical 2-3 days

Implement separate opt-in checkboxes for marketing emails, SMS, and other communications. Pre-checked boxes are not valid consent. Maintain records of when and how consent was obtained.

GDPR Article 6(1)(a), Article 7, ePrivacy Directive Article 13
6

Establish legal basis for cart abandonment emails

Medium 1-2 days

Ensure cart abandonment emails are sent under legitimate interest (with balancing test documented) or with explicit consent. Provide easy unsubscribe options in every message.

GDPR Article 6(1)(f), Recital 47
7

Implement data subject access request process

Critical 5-7 days

Create a mechanism for customers to request copies of their personal data within one month. Verify identity before fulfilling requests and provide data in a structured, commonly used format.

GDPR Article 15, Article 20
8

Enable customer account deletion

High 3-5 days

Provide a self-service option for customers to delete their accounts and associated data, subject to legitimate retention requirements for completed orders and legal obligations.

GDPR Article 17
9

Validate cross-border data transfer mechanisms

Critical 4-6 days

Ensure all transfers of customer data outside the EEA rely on valid mechanisms such as Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules. Document all international transfers.

GDPR Articles 44-46, Chapter V
10

Define and enforce data retention policies

High 3-4 days

Establish maximum retention periods for different data categories (browsing data, order history, marketing lists) and implement automated deletion. Keep only what is necessary for defined purposes.

GDPR Article 5(1)(e), Article 17
11

Secure payment data handling

Critical 5-10 days

Never store full credit card numbers or CVV codes. Use tokenization through payment processors. Maintain PCI DSS compliance alongside GDPR requirements for cardholder data.

GDPR Article 32, Article 25
12

Manage product review data responsibly

Medium 2-3 days

Obtain consent before publishing customer names with reviews. Provide options to use pseudonyms or initials. Implement processes for customers to edit or delete their reviews.

GDPR Article 6(1)(a), Article 17
13

Assess and document profiling activities

High 6-10 days

If using algorithms for personalized pricing, product recommendations, or customer segmentation, conduct a DPIA. Provide meaningful information about the logic involved and allow customers to opt out.

GDPR Article 22, Article 35, Recital 71
14

Audit third-party tracking and analytics

High 3-5 days

Document all third-party services that process customer data (Google Analytics, Facebook Pixel, etc.). Ensure Data Processing Agreements are in place and that consent covers all tracking technologies.

GDPR Article 28, Article 6(1)(a)
15

Configure behavioral tracking transparency

High 2-3 days

Clearly disclose when customer behavior is tracked across sessions or devices. Provide details about profiling purposes and allow customers to object to behavioral tracking.

GDPR Article 21, Article 13(2)(f)
16

Maintain Records of Processing Activities

Medium 4-6 days

Document all processing activities including customer data collection, order processing, marketing, analytics, and third-party sharing. Update records as new processing activities are introduced.

GDPR Article 30
17

Establish data breach notification procedures

Critical 3-5 days

Implement processes to detect, investigate, and report personal data breaches to supervisory authorities within 72 hours. Notify affected customers when breaches pose high risks to their rights.

GDPR Articles 33, 34

Common Mistakes to Avoid

Using pre-ticked consent boxes for marketing or non-essential cookies, assuming implied consent is sufficient for email marketing or analytics tracking.
The Italian DPA fined multiple e-commerce operators for invalid consent mechanisms. Active opt-in is required; consent cannot be inferred from inaction or bundled with terms acceptance.
Collecting excessive customer data at checkout such as birth dates, gender, or phone numbers when not necessary for order fulfillment or legal compliance.
Violates data minimization principle under Article 5(1)(c). Supervisory authorities have issued warnings and corrective orders requiring companies to reduce data collection to what is strictly necessary.
Transferring customer data to US-based service providers without valid transfer mechanisms after the Schrems II decision invalidated Privacy Shield.
Amazon Europe was fined €746 million by Luxembourg DPA partly for improper international data transfers. Companies must implement Standard Contractual Clauses with supplementary measures or use adequacy-approved jurisdictions.
Implementing dark patterns that make withdrawing consent or deleting accounts significantly harder than providing consent or signing up.
The EDPB issued guidelines condemning dark patterns in March 2022. The French CNIL fined Google €90 million and Facebook €60 million for making cookie rejection more difficult than acceptance, violating Article 7(4).
Retaining customer data indefinitely without defined retention schedules, particularly for inactive accounts, old orders, and abandoned carts.
Storage limitation violations under Article 5(1)(e) can result in enforcement actions. The UK ICO has issued multiple corrective orders requiring companies to implement and enforce retention policies with automated deletion.

Frequently Asked Questions

What are the maximum fines for GDPR violations in e-commerce?

GDPR fines can reach €20 million or 4% of annual global turnover, whichever is higher, for serious violations under Article 83(5). The largest e-commerce fine to date was €746 million against Amazon by Luxembourg's CNPD in 2021 for improper processing and transfer of personal data. Other notable e-commerce penalties include H&M's €35.3 million fine by the Hamburg DPA for excessive employee surveillance, and €10 million against Notebooksbilliger.de for insufficient technical and organizational measures under Article 32.

Do I need consent for every cookie on my e-commerce site?

Under the ePrivacy Directive Article 5(3) and GDPR Article 6, you need explicit consent for all non-essential cookies before they are set. Strictly necessary cookies for checkout, security, and load balancing do not require consent as they are essential for service provision. However, marketing cookies, analytics tracking, social media pixels, and advertising cookies all require active opt-in consent. The CJEU ruling in Planet49 (Case C-673/17) confirmed that pre-checked boxes are invalid and consent must be given by clear affirmative action.

How long can I retain customer data after their last purchase?

GDPR Article 5(1)(e) requires that data be kept only as long as necessary for the stated purpose. There is no single retention period; it depends on the data type and legal obligations. Order data typically must be retained for 6-10 years for tax and accounting obligations per national law. Marketing data should be deleted after 24-36 months of inactivity unless customers actively consent to continued storage. Browsing and session data should be deleted within days or weeks unless justified for legitimate purposes.

Get This Checklist Emailed to You

No account needed. We'll email you the full checklist + any updates to compliance requirements.

Related Checklists