5 GDPR Changes to Consider for Your Ecommerce Website

10th September 2022

What does it mean for ecommerce?

Data Processing and Consent

Retailers and merchants need to think about how they will obtain consent, and how and why they are processing personal data for marketing purposes. This includes cookies. At the moment most websites take the approach of a ‘we use cookies’ banner with a simple close button, while the cookie has already been set in the visitor’s browser the moment the page loads. When the GDPR comes into effect, users will need to clearly see an ‘I ACCEPT’ button, and only once that is clicked can non-essential cookies (analytics, retargeting and the like) be placed in their browser; strictly necessary cookies such as the basket or login session do not need consent. Note that the cookie rules themselves come from PECR (the Privacy and Electronic Communications Regulations); what the GDPR changes is the standard of consent they rely on, so a banner that merely informs no longer counts.

Databoxer, the one-click GDPR compliance platform, says:

Any touchpoint at which data is collected needs to be –

  • Unbundled. Data needs to be asked for separately for each purpose. A name and address can be ‘bundled’ for the single purpose of delivering something, but you can’t sneak a date of birth into that bundle, as it’s not relevant to the purpose.

  • Opt-in. For each purpose, the customer must actively give informed consent. No more pre-ticked boxes which customers need to spot and untick to protect their data.

  • Granular. If a piece of data is intended for multiple purposes, consent needs to be given for each purpose.

  • Named. Customers need to be aware of everyone who will be using, relying on, or otherwise benefiting from the data.

  • Documented. You need to keep records of what data has been consented to, as well as how and when that consent was given.

If this seems excessive for each item of data you hold, consider how much of that data you really need for your business to function; the GDPR’s data minimisation principle asks exactly that question. Strip back the information you collect. It streamlines your data handling, gives customers a more focused, less bloated service, and whatever you never collect cannot be breached or shared with the wrong party.

Website security

To meet Google’s Webmaster Guidelines, ecommerce websites should serve every page over HTTPS, not just the checkout and My Account pages. HTTPS also matters for the GDPR: data sent over an HTTPS connection is encrypted in transit, which is one of the ‘appropriate technical measures’ the regulation expects, so you could say that a TLS certificate covering your whole website puts you on your way to compliance, although it is not compliance on its own. Two caveats. First, HTTPS only protects data in transit; personal data at rest in your database still needs protecting. Magento, for example, uses its encryption key to protect particular sensitive fields rather than the whole database, so check what your platform actually covers and add database or disk encryption where it does not. Second, ‘full’ means full: redirect every HTTP request to HTTPS, make sure no page still loads scripts, stylesheets, images or forms from http:// addresses (mixed content), and consider HSTS so browsers stop trying plain HTTP at all.

Therefore, full HTTPS (instead of partial) is important not only for SEO purposes but now also for the GDPR.
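A quick way to find the pages that still have only partial coverage is to scan each page’s HTML for resources and form targets that point at plain http://. The following is an added example in JavaScript, not code from the original post; the sample HTML, hostnames and paths are constructed for the example.

```javascript
// Added example, not from the original post: find the parts of a page that
// still use plain http:// after the site has moved to HTTPS. The HTML, hostnames
// and paths below are constructed for the example.

const URL_ATTRS = ["src", "href", "action", "data-src"]; // attributes that carry a URL

// Returns one finding per http:// target, resolved against the page URL.
// Uses a tag/attribute regex rather than a full HTML parser: adequate for a
// scan of your own templates, not a security boundary.
function findInsecureUrls(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const key = attr[1].toLowerCase();
      if (!URL_ATTRS.includes(key)) continue;
      const raw = attr[2] !== undefined ? attr[2] : attr[3] !== undefined ? attr[3] : attr[4];
      let target;
      try { target = new URL(raw, page); } catch { continue; } // unparsable value
      // Relative and protocol-relative URLs inherit the page's https: scheme,
      // so only absolute http:// targets survive; mailto:, tel: etc. drop out here too.
      if (target.protocol !== "http:") continue;
      // An <a href> to an http page is navigation, listed separately; scripts,
      // styles, images, iframes and form actions are the real mixed-content cases.
      const severity = name === "a" && key === "href" ? "link" : "mixed-content";
      findings.push({ tag: name, attr: key, url: target.href, severity });
    }
  }
  return findings;
}

// Constructed page: two insecure subresources, one insecure link, one insecure
// form action, plus a protocol-relative script and a root-relative image that
// are fine once the page itself is served over HTTPS.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="http://cdn.example-shop.test/site.css">
  <script src="//cdn.example-shop.test/app.js"></script>
</head><body>
  <img src="/images/logo.png" alt="logo">
  <img src="http://images.example-shop.test/hero.jpg" alt="hero">
  <a href="http://blog.example-shop.test/">Blog</a>
  <form method="post" action="http://www.example-shop.test/newsletter/subscribe">
    <input type="email" name="email"><button>Sign up</button>
  </form>
  <iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
</body></html>`;

// Scan the constructed page as if it were served from the HTTPS origin.
function scanSample() {
  return findInsecureUrls(SAMPLE_HTML, "https://www.example-shop.test/");
}

console.log(scanSample());
```

Run it over the HTML of every page from a crawl, or over your templates. Browsers block or upgrade active mixed content such as scripts and stylesheets and treat images as passive mixed content, but a form whose action is http:// will post the customer’s email address or password in the clear regardless, which is why the form action is the first finding to fix.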

Think about your third parties

Retailers must be aware of the third parties they use to power their website: everything from the CRM and email marketing database to retargeting tools and marketing content, including any Vimeo or YouTube videos embedded on the site. Each of these receives visitor data, so each needs a data processing agreement (or, where the third party decides for itself what to do with the data, recognition that it is a controller in its own right) and a place in your privacy notice.

SiteImprove, who have built their own GDPR module, explain that:

“Having an embedded video on your website means that the website is not in control of the data gathered by the embedded resource. This policy highlights embedded YouTube videos on the site being checked.”
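The cookie point from the ‘Data Processing and Consent’ section and the embed point here come down to the same mechanism: nothing that sends data to a third party runs until the visitor has opted in to that purpose, and the decision is recorded. The following is an added example of such a gate in JavaScript, not code from the original post, Databoxer or SiteImprove. The purpose names, cookie names, notice version and video URL are assumptions, and the cookie store and embed loader are in-memory stand-ins so that it runs in Node.

```javascript
// Added example, not code from the original post, Databoxer or SiteImprove: a
// per-purpose consent gate. Non-essential cookies and third-party embeds are held
// back until the visitor opts in to their purpose, withdrawal removes what was set,
// and every decision is logged with notice version and timestamp. Cookie storage and
// embed loading are injected so this runs in Node (in a browser: document.cookie and
// the DOM). Purpose names, cookie names, notice version and video URL are assumptions.

const ESSENTIAL = "essential"; // strictly necessary cookies: no consent needed
// Purposes offered on the banner, each asked for separately (unbundled).
const PURPOSES = {
  essential: "Site operation (basket, login)", analytics: "Analytics",
  marketing: "Marketing / retargeting", embeds: "Third-party video embeds",
};

function createConsentManager({ noticeVersion, cookieStore, embedLoader, now = () => new Date() }) {
  const granted = new Set([ESSENTIAL]);          // nothing else is pre-ticked
  const log = [];                                // the documented consent record
  const pendingCookies = [], pendingEmbeds = []; // requested before consent existed
  const cookiePurpose = new Map();               // cookie name -> purpose, for withdrawal
  const check = (p) => { if (!(p in PURPOSES)) throw new Error(`unknown purpose: ${p}`); };
  const record = (purpose, decision, method) =>
    log.push({ purpose, decision, method, noticeVersion, at: now().toISOString() });
  // Take the queued items for one purpose out of the queue and activate them.
  function release(queue, purpose, activate) {
    const kept = queue.filter((i) => i.purpose !== purpose);
    queue.filter((i) => i.purpose === purpose).forEach(activate);
    queue.splice(0, queue.length, ...kept);
  }

  const manager = {
    isGranted: (purpose) => granted.has(purpose),
    // Opt-in, one purpose at a time; `method` records how consent was given.
    grant(purpose, method = "click:I ACCEPT") {
      check(purpose);
      granted.add(purpose);
      record(purpose, "granted", method);
      release(pendingCookies, purpose, (c) => manager.setCookie(c.name, c.value, c.purpose, c.attrs));
      release(pendingEmbeds, purpose, (e) => manager.loadEmbed(e.id, e.url, e.purpose));
    },
    // Withdrawal must be as easy as consent; cookies set under the purpose go too.
    withdraw(purpose, method = "click:Manage cookies") {
      check(purpose);
      if (purpose === ESSENTIAL) return;
      granted.delete(purpose);
      record(purpose, "withdrawn", method);
      for (const [name, p] of cookiePurpose) if (p === purpose) { cookieStore.remove(name); cookiePurpose.delete(name); }
    },
    // Returns true if the cookie was set now, false if it is waiting for consent.
    setCookie(name, value, purpose, attrs = { secure: true, sameSite: "Lax" }) {
      check(purpose);
      if (!granted.has(purpose)) { pendingCookies.push({ name, value, purpose, attrs }); return false; }
      cookieStore.set(name, value, attrs);
      cookiePurpose.set(name, purpose);
      return true;
    },
    // An iframe contacts the third party as soon as its src is set, so without
    // consent only a click-to-load placeholder is rendered.
    loadEmbed(id, url, purpose = "embeds") {
      check(purpose);
      if (granted.has(purpose)) { embedLoader.load(id, url); return true; }
      pendingEmbeds.push({ id, url, purpose });
      embedLoader.placeholder(id, PURPOSES[purpose]);
      return false;
    },
    consentRecord: () => log.map((e) => ({ ...e })),
  };
  return manager;
}

// In-memory stand-ins for document.cookie and the DOM so the example runs offline.
function memoryCookieStore() {
  const jar = new Map();
  return { set: (n, v, a) => jar.set(n, { v, a }), remove: (n) => jar.delete(n), names: () => [...jar.keys()] };
}
function memoryEmbedLoader() {
  const slots = new Map();
  return { placeholder: (id, label) => slots.set(id, `placeholder:${label}`),
           load: (id, url) => slots.set(id, url), get: (id) => slots.get(id) };
}

// One visit, walked through with constructed data.
function demo() {
  const cookies = memoryCookieStore(), embeds = memoryEmbedLoader();
  const consent = createConsentManager({ noticeVersion: "privacy-notice-v3", cookieStore: cookies,
    embedLoader: embeds, now: () => new Date("2018-05-25T09:00:00Z") });
  // Page load: the session cookie is essential and set at once; the rest must wait.
  consent.setCookie("session_id", "s-1", ESSENTIAL);
  consent.setCookie("_ga", "GA1.2.1", "analytics");
  consent.setCookie("_fbp", "fb.1.1", "marketing");
  consent.loadEmbed("promo-video", "https://www.youtube-nocookie.com/embed/VIDEO_ID");
  const onLoad = { cookies: cookies.names(), promo: embeds.get("promo-video") };
  consent.grant("analytics"); consent.grant("embeds"); // visitor ticks two purposes, clicks I ACCEPT
  const afterAccept = { cookies: cookies.names(), promo: embeds.get("promo-video") };
  consent.withdraw("analytics"); // later, from the cookie settings page
  return { onLoad, afterAccept, afterWithdraw: { cookies: cookies.names() },
           marketingGranted: consent.isGranted("marketing"), log: consent.consentRecord() };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a browser the placeholder is typically a thumbnail with a ‘Load video’ button, and the iframe’s src is only assigned once the purpose is granted. YouTube’s youtube-nocookie.com embed domain reduces the cookies set, but the request to Google still happens when the iframe loads, so it does not remove the need for the gate. The consent record (purpose, decision, method, notice version, timestamp) is what the ‘Documented’ requirement asks for; persist it server-side against the customer or a consent ID, not only in the browser.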

Policy Updates – start now!

Your in-house GDPR Officer (not every business is legally required to appoint a formal Data Protection Officer, but everyone needs someone who owns this) will need to review and update the privacy policy on your website, ensuring that every point of tagging, tracking and cookie-dropping is clearly outlined and its purpose stated. More specifically, you should answer the following questions when writing a privacy notice:

  • What information is being collected?

  • Who is collecting it?

  • How is it collected?

  • Why is it being collected?

  • How will it be used?

  • Who will it be shared with?

  • What will be the effect of this on the individuals concerned?

  • Is the intended use likely to cause individuals to object or complain?

(Note: for the full detail on what information must be provided to data subjects at the point of collection, see Article 13 of the GDPR, specifically paragraphs 1 and 2, as summarised by the ICO.)

Privacy by Design

Privacy by design means building these requirements into the site from the start rather than bolting them on afterwards. Take a pop-up that asks the user to hand over their email address in exchange for 10% off, or a data collection point such as account creation: these areas now have to state clearly what the data will be used for (and, if that includes marketing, offer the opt-in separately), so start thinking about how this can be implemented on your website as early as possible. The sooner these small changes are made, the more you reduce the cost of compliance and avoid the last-minute rush.

Here’s a fab example from the ICO showing how you can use a tooltip to show a ‘just in time’ privacy notice:

Who’s accountable?

In short, we all are. The current maximum penalty the ICO can impose is £500,000. Under the GDPR the maximum fine rises to €20m or 4% of worldwide annual turnover, whichever is higher. It is imperative that agencies help guide their clients on this topic, not only from a marketing and ecommerce standpoint but in terms of how it will affect them on an ongoing basis.

Want us to help grow your business?

Give us a call, jump on a chat or come by our office in London. Our door is always open.