GDPR and eCommerce Coding

GDPR + eCommerce: 4 major ways the GDPR will affect your eCommerce business

Industry News
7 min read
Geoff Scott

If you’re running an eCommerce business in the U.S., it’s very possible you’ve only heard of Europe’s GDPR in passing. It’s time to change that because it has the power to affect your website, store and the very way you interact with customers. Even American businesses need to know how the GDPR + eCommerce are linked.

The European Union adopted the General Data Protection Regulation (GDPR) in 2016, a law that regulates (and can heavily penalize) the way organizations collect and process the personal data of people in the EU. Enforcement begins May 25, 2018, and it applies to every website that gathers information about individuals in European Union (EU) countries, regardless of where that website is based.

American websites that store and process such data are NOT exempt.

The good news is that it isn’t too late to learn more about these regulations and to protect your business. Here are four considerations for GDPR and eCommerce, and some suggestions on how to prepare for the worst (so you don’t end up losing money).

Your website could be heavily fined for not complying

Failure to comply with the GDPR can get costly. Organizations caught violating these regulations can be fined up to four percent of their annual global turnover or 20 million euros, whichever is higher, “for the most serious infringements,” including “not having sufficient customer consent to process data.”

If that doesn’t scare you a bit, this might: Management consulting firm Oliver Wyman is projecting that $6 billion USD in penalties will be levied against non-compliant companies in the first year of GDPR enforcement. Nobody wants to be included in that projection, but that is where businesses will end up if they don’t take serious steps to prepare.

The fines will be substantial, no matter how you cut it.

Processing the information of European customers without their agreement could seriously harm your business. Although it remains to be seen how enforcement will pan out, who would want to risk it?

And what constitutes sufficient customer consent (so you can avoid paying the fines mentioned above)? According to Recital 32 of the GDPR, which spells out the definition of consent given in Article 4(11):

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

Furthermore, the GDPR distinguishes ordinary “personal data” from what it calls “special categories” of personal data (commonly referred to as sensitive personal data), and this classification is tied to consent as well: “explicit” consent is required in order to process special-category data.

A pre-ticked box, silence, or continued use of the site does not count. Unless the user actively clicks (“opts in”) to accept your outlined terms and policies, you have not established explicit consent.

If you gather any of the following information about your customers (the special categories listed in Article 9 of the GDPR):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, or biometric data used to identify a person
  • Health
  • Sex life or sexual orientation

… you must obtain their explicit consent before processing it (unless one of the narrow Article 9 exceptions applies), and make sure they are absolutely aware of what you collect.

Data that falls outside these categories requires “unambiguous consent” wherever consent is the basis you rely on. A couple of examples:

  • A user submits their email address to receive blog updates, or
  • A web surfer enters their personal information on your site to receive a free copy of an eBook

Both of these cases fall under the “unambiguous consent” umbrella. Note that consent is only one of the lawful bases listed in Article 6: processing a customer’s name and shipping address to fulfil an order they placed is necessary for that contract and needs no separate opt-in, but optional uses such as marketing email do.

Understand the information your site gathers so you can avoid violating consent clauses of the GDPR, because these infractions could end up being the biggest hit to your bottom line.

Shift to clickwrap for GDPR + eCommerce

Barnes & Noble lost a 2014 appeal (Nguyen v. Barnes & Noble) because of where its website’s terms of use were located: exclusively in the footer. The court found that the plaintiff never actually agreed to the terms set forth by Barnes & Noble, because they were never presented at any point during the checkout process.

The key problem for Barnes & Noble and others who’ve encountered legal trouble over consent is that they employed browse-wrap to convey their policies, which requires no affirmative action from the user. If your terms of use or privacy policy are linked somewhere on your homepage but the user never actually has to click or tick anything, your website uses browse-wrap. Businesses have preferred it over the years, viewing it as an unobtrusive way to legally safeguard themselves. Here’s how it’s done on Comedy Central’s website:

(Screenshot: terms of use link in the Comedy Central site footer)

Legally conscious webmasters have recently begun phasing out browse-wrap in favor of more concrete forms of consent. Doing so holds up better in U.S. courts and safeguards companies from GDPR penalties on their eCommerce sites.

The solution for many has been clickwrap, a method of consent that requires the user to click a button or tick a box accepting the terms before using the website or completing a purchase.

Check out how it’s been implemented on the American Airlines website:

(Screenshot: American Airlines checkout requiring acceptance of the terms before continuing)

By forcing customers to act before being allowed to proceed, American Airlines is doing their best to ensure consent.

Facebook does this too, but in a slightly different way. In Facebook’s case, the sign-up button states that by creating an account the user agrees to its policies, so the very act of creating the account constitutes agreement.

(Screenshot: Facebook sign-up form stating that creating an account means agreeing to its terms)

If users are never required to acknowledge and consent to the policies on your website, you’re leaving yourself open to litigation. It takes just one disgruntled customer to bring a hailstorm of legal proceedings down upon you.

Keep this in mind when deciding between browse-wrap and clickwrap, even if clickwrap seems intrusive. With GDPR enforcement closing in, it’s better to be safe than sorry.

Transparency is at the heart of the GDPR. Letting consumers know the ways their data is being processed, who is processing it and how to get this information altered or even erased are key tenets of this legislation.

The easiest way to facilitate all of this is by putting together clear legal policies on your website. If you have the money, paying a lawyer to personally compose yours is a sound option. There are also SaaS generators that can help you tailor one to meet the needs of your business. Plus, there are a variety of free privacy policy templates and samples available online from which to draw inspiration if you’d rather avoid opening your pocketbook.

Policies are no longer simply a tool to cover your bases in the event of a lawsuit.

According to Article 12 of the GDPR, information about how you process personal data, including your privacy policy, must be provided in a “concise, transparent, intelligible and easily accessible form,” written in “clear and plain language.” Gone are the days of convoluted jargon designed to confuse even the most battle-hardened consumer. Writing each policy with the ordinary reader in mind is now the law of the land. Make sure the language doesn’t inadvertently claim sweeping rights over your customers and their data. They will notice, and you might end up seeing them in court.

Even the best-written legal policy has the potential to put a well-caffeinated adult to sleep. Don’t fall asleep on the implications of GDPR + eCommerce though, because it could come back to haunt you and your business. Even if you don’t deal with European customers for the time being, taking the necessary precautions can still be beneficial.

The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.