GDPR for E-commerce

About GDPR

GDPR is a comprehensive data protection law enacted by the European Union that governs how organizations collect, store, and process personal data of EU residents. It applies to any organization worldwide that processes data of EU residents, regardless of where the organization is located.

Governing Body: European Data Protection Board (EDPB) and national supervisory authorities

Who Must Comply

• • Any organization processing EU resident data
• • Organizations offering goods/services to EU
• • Organizations monitoring EU resident behavior
• • Data processors acting on behalf of controllers

Key Requirements

• • Obtain lawful basis for processing (consent, contract, etc.)
• • Provide clear privacy notices
• • Enable data subject rights (access, deletion, portability)
• • Implement data protection by design and default
• • Maintain records of processing activities
• • Report breaches within 72 hours
• • Appoint Data Protection Officer if required
• • Conduct Data Protection Impact Assessments

E-commerce-Specific Requirements

• • Implement GDPR-compliant cookie consent banners
• • Enable customer data export and deletion
• • Document legal basis for marketing communications
• • Ensure international data transfer compliance
• • Review third-party vendor data processing
• • Maintain data retention schedules

Common Violations in E-commerce

• • Pre-ticked consent boxes
• • Dark patterns in consent flows
• • Excessive data collection
• • Non-compliant cookie banners
• • Failure to honor deletion requests
• • Inadequate vendor agreements

Penalties

Up to €20 million or 4% of global annual revenue, whichever is higher. Meta was fined €1.2 billion in 2023. Amazon was fined €746 million in 2021.