Ecommerce stores face a higher GDPR surface area than most websites. You're handling payment data, shipping addresses, purchase history, browsing behaviour, and often remarketing pixels across all of it.
Here's the complete checklist.
Checkout and payment processing
Never store raw card data yourself. Payment processors like Stripe and Paddle handle this, but you must have a Data Processing Agreement with them and reference them in your privacy policy.
Shipping addresses count as personal data. Document how long you retain them (typically 7 years, because tax record-keeping requires it) and who you share them with (couriers, fulfilment centres).
Marketing and remarketing
Meta Pixel, Google Ads, TikTok Pixel, and similar tools drop cookies by default, before the user has consented. You must implement Consent Mode or conditional loading so that these scripts only fire after consent has been given.
If you run email marketing: you need a clear opt-in at sign-up, a record of when that consent was given, and an easy way to unsubscribe from every email.
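The two requirements above (conditional loading of pixels, and a timestamped record of when consent was given) can be handled by one small piece of front-end plumbing. The following is an added example written for this page, not PrivacyAudit's code and not any vendor's official snippet. The tracker list and its URLs are constructed placeholders (swap in the real vendor tags), the in-memory `consentLog` stands in for a server-side store, and the category names `analytics`, `marketing` and `email` are assumptions. The default is deny: with no record, or with anything other than an explicit `true`, nothing loads.

```javascript
// Added example: consent-gated tracker loading plus an append-only, timestamped consent log.
// Illustrative code only; not PrivacyAudit's code or any vendor's pixel snippet.

// Constructed placeholder trackers; real deployments use each vendor's own script URL.
const TRACKERS = [
  { id: 'meta-pixel',    category: 'marketing', src: 'https://example.invalid/meta-pixel.js' },
  { id: 'google-ads',    category: 'marketing', src: 'https://example.invalid/google-ads.js' },
  { id: 'tiktok-pixel',  category: 'marketing', src: 'https://example.invalid/tiktok-pixel.js' },
  { id: 'analytics-tag', category: 'analytics', src: 'https://example.invalid/analytics.js' },
];

// Categories a visitor decides on (assumed names). Strictly necessary cookies need no consent
// and are deliberately not listed here.
const CONSENT_CATEGORIES = ['analytics', 'marketing', 'email'];

// Build one consent record. `source` records where consent was collected (cookie banner,
// newsletter sign-up form); `now` is injectable so the timestamp is deterministic in tests.
function recordConsent(choices, source, now = new Date()) {
  const categories = {};
  for (const cat of Object.keys(choices)) {
    if (!CONSENT_CATEGORIES.includes(cat)) throw new Error(`unknown consent category: ${cat}`);
    categories[cat] = choices[cat] === true; // anything but an explicit true is a refusal
  }
  return { categories, source, givenAt: now.toISOString() };
}

// True only when a record exists and the category was explicitly granted (default deny).
function hasConsent(record, category) {
  return Boolean(record && record.categories && record.categories[category] === true);
}

// Browser injector: append a <script> tag. Outside a browser (no `document`) it is a no-op,
// which is why the loader accepts an injector argument.
function injectScript(src) {
  if (typeof document === 'undefined') return;
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// Load only trackers whose category is consented. Returns the ids actually loaded so the
// decision is observable without inspecting the DOM.
function loadPermittedTrackers(record, trackers = TRACKERS, inject = injectScript) {
  const loaded = [];
  for (const t of trackers) {
    if (!hasConsent(record, t.category)) continue;
    inject(t.src);
    loaded.push(t.id);
  }
  return loaded;
}

// Constructed in-memory stand-in for the server-side consent log: subjectId -> records,
// oldest first. Appending (never overwriting) keeps the audit trail of who agreed to what,
// when, and through which form.
const consentLog = new Map();

function saveConsent(subjectId, record) {
  if (!consentLog.has(subjectId)) consentLog.set(subjectId, []);
  consentLog.get(subjectId).push(record);
  return record;
}

// Overlay records oldest-to-newest so the latest decision per category wins. Categories the
// subject never decided on stay absent, which hasConsent treats as refused.
function effectiveConsent(subjectId) {
  const records = consentLog.get(subjectId);
  if (!records || records.length === 0) return null;
  const categories = {};
  for (const r of records) Object.assign(categories, r.categories);
  return { categories, givenAt: records[records.length - 1].givenAt };
}

// Page-load flow: no record means no marketing or analytics script runs at all.
function onPageLoad(subjectId, inject = injectScript) {
  return loadPermittedTrackers(effectiveConsent(subjectId), TRACKERS, inject);
}
```

Wire the cookie banner to `saveConsent(id, recordConsent({ analytics, marketing }, 'cookie-banner'))` and the newsletter form to `saveConsent(id, recordConsent({ email: true }, 'newsletter-signup'))`; each call produces its own `givenAt` timestamp, and because records are appended rather than replaced, a later email opt-in never silently enables the marketing pixels.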
Product reviews and user accounts
User accounts store personal data indefinitely by default. Set a data retention policy — e.g. delete inactive accounts after 3 years of inactivity, with advance notice to the user.
If you use review platforms (Trustpilot, Yotpo), check their DPAs and include them in your processor list.
Abandoned cart recovery
Abandoned cart emails are a common conversion tool, but using an email address collected during checkout for marketing requires a legal basis. If the user didn't complete the purchase, consent may not have been given.
Use legitimate interests carefully here — document your balancing test.
Customer support data
Support tickets, live chat transcripts, and help desk data all contain personal information. Document your retention period and ensure your support tool has a DPA.
The compliance audit
Use PrivacyAudit to scan your ecommerce site and identify which tracking scripts and cookies are present, which fire without consent, and which policy links are missing or broken. The dashboard maps every finding to a specific remediation task.