Creating a privacy policy: How to make your online shop GDPR-compliant

Secure your webshop with a comprehensive privacy policy. Learn the essentials and best practices for safeguarding customer data and compliance with privacy regulations.

Ecommerce-tips

27 Jul 2021

Nick Knuppe

Head of product marketing

European law requires that all online shops that do business in the EU display a privacy policy. Yet, it’s sometimes difficult for retailers to know exactly which details such a policy needs to include. This article tells you everything you need to know about creating a privacy policy. We’ll also look at which privacy protection rules from the GDPR might be important for e-commerce retailers like you.

What is a privacy policy for an online shop?

Every website that collects personal data must include a privacy policy. This policy informs your shop’s visitors about the type, scope and purpose of your data processing. It also explains users’ options for revoking consent to have their personal data stored.

If your online shop does not contain a privacy policy, or if your policy is incomplete, you could be penalised by the data protection authority in your country. The legal basis for this in the European Union is the General Data Protection Regulation (GDPR).

What is the GDPR?

In 2016, the European Parliament adopted the EU General Data Protection Regulation. Under this new law, all e-commerce retailers selling in EU countries were required to make various changes to their online shop by no later than 25 May 2018. These changes related in particular to the following areas:

  • Data collection

  • Duties to inform

  • Sending newsletters

  • Order processing

The goal of the GDPR was to standardise online privacy protection throughout all EU member states. This benefits not only consumers, but also shop operators. For example, the one-stop shop (OSS) principle simplifies international e-commerce. Now, shop operators no longer need to coordinate with multiple privacy protection authorities regarding a single data process; instead, they can deal with just one central authority.

Why is a privacy policy important for your online shop?


Every online shop collects data—and not just when you process an order. Your website contains tracking tools, social media plugins and cookies that collect information about your visitors. Your privacy policy, just like your company’s contact information, is a key requirement because it ensures that you are handling your customers’ data responsibly and not abusing the data collection process. If you don’t publish a privacy policy, you risk being penalised and even paying heavy fines.

In addition, a privacy policy is essential for gaining your customers’ trust. Shoppers want to know what kinds of data your online shop collects and whether their personal data is secure. Most shoppers will never buy from a site whose data security they do not trust. The main ways to build trust as an online retailer are to include a complete privacy policy, detailed contact information and secure payment methods on your site.

What should a privacy policy for e-commerce include?

Under the GDPR, all online shops must provide a privacy policy that is:

  • precise

  • transparent

  • easy to understand

  • easy to access

The first step is to make sure that your privacy policy is clearly visible and accessible from the footer on every page of your website. This allows customers to always review your privacy policy, even when they are in the middle of placing an order. The content must also be written using language that everyone can understand. In general, your site’s privacy policy needs to address four main topics:

1. Data controller and contact

In most online shops, the privacy policy begins with information about who is responsible for processing data. Under articles 13.1.a–b of the GDPR, shop operators have a duty to inform their customers by listing contact details for the following parties:

  • The data controller (the party in charge of collecting the data, usually your company)

  • The controller’s legal representative (usually the CEO or managing director of your company, if applicable)

  • The controller’s data protection officer (if applicable)

2. Personal data

Many online shops also define “personal data” near the beginning of the privacy policy. This is not strictly required by the GDPR, but it does make the concept easier for customers to understand.

After that, you must explain:

  • … which data your shop collects and processes.

  • … at which point(s) the data collection takes place.

  • … for which purpose(s) this is done.

  • … who receives the data.

  • … for how long the data is stored.

3. Legal basis

For each type of data you collect, you must specify the legal basis. Most online retailers do so by referring to the specific article of the GDPR. For example, one common legal basis is article 6.1.f of the GDPR: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller […]’. You must also specify what those legitimate interests are. For example, if you are collecting your visitors’ IP addresses, then use the following table to determine the legal basis and which legitimate interests you should cite:


4. Data subjects’ rights

The GDPR also requires online shops to inform users (data subjects) of their rights under the law. These include the following:


Can I use a template to create the privacy policy for my online shop?

There is no general template that can be used for the privacy policy on every online shop. Since the GDPR does not specify precisely how online retailers should write their privacy policy, such policies take many forms. Some look a bit like general terms and conditions. Others are structured more like a FAQ page, which makes it clear and easy to understand. If you choose to take this approach, make sure your privacy policy answers these questions for the customer:

  • How do we collect your data?

  • What do we use your data for?

  • What are your rights as a data subject?

You can find templates online that can serve as examples when writing your privacy policy. Just remember that every shop operator processes user data differently, so you must always adapt the template to match your actual situation. It’s always a good idea to hire a legal expert to create a custom-made privacy policy for you, or at least to ask them to review your privacy policy. This will ensure that your policy is accurate and complete.

Are there other privacy protection rules that are important in e-commerce?

To make sure your shop is compliant with the GDPR, a privacy policy is a must. But there are some other rules that you must also consider. These rules relate to:

  • Web forms

  • Website encryption

  • Email marketing

  • Cookies

  • Social media plugins

Web forms

When a customer wants to enter their personal data on your site (for example, during checkout or when signing up for your newsletter), they need to fill in a web form. To ensure that the web forms on your site comply with the GDPR, they must meet two important requirements:

  • Data minimisation: As a shop operator, you are only allowed to request the minimum amount of data necessary for you to fulfil your contractual obligation (for example, to fill an order). So, during checkout, all you really need to ask for is the customer’s name and address. If your customer only wants to sign up for your email newsletter, you cannot require them to also provide their postal address and phone number.

  • Confidentiality: As an online retailer, you are obligated to make sure that all your customers’ personal data is protected from unauthorised or unlawful processing. That means that any transfer of data needs to be encrypted.
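As an added example (not code from the original article or from its author), the following Node.js handler enforces both requirements on the server side: it refuses any submission that did not arrive over an encrypted connection, and it keeps only the fields the form is allowed to ask for, reporting everything else so an over-eager form can be spotted. The form names, the per-form field lists, and the shape of the request object are assumptions.

```javascript
'use strict';

// Assumed per-form allow-lists: the minimum data each form genuinely needs.
const FORM_FIELDS = {
  checkout: ['name', 'address'],
  newsletter: ['email'],
};

// True when the request reached the shop over HTTPS. Behind a TLS-terminating
// proxy the original scheme arrives in X-Forwarded-Proto; that header is only
// trusted when the caller says the proxy is known to set it (trustProxy).
function isEncrypted(req, trustProxy = false) {
  if (req.protocol === 'https') return true;
  if (trustProxy) {
    const fwd = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    return fwd.toLowerCase() === 'https';
  }
  return false;
}

// Data minimisation: keep only the allowed fields for this form. Unknown fields
// are listed in `dropped` so the shop can see when a form asks for too much;
// required fields that are absent or empty are listed in `missing`.
function minimise(formType, body) {
  const allowed = FORM_FIELDS[formType];
  if (!allowed) throw new Error(`unknown form type: ${formType}`);
  const accepted = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body || {})) {
    if (allowed.includes(key)) {
      accepted[key] = typeof value === 'string' ? value.trim() : value;
    } else {
      dropped.push(key);
    }
  }
  const missing = allowed.filter((k) => !(k in accepted) || accepted[k] === '');
  return { accepted, dropped, missing };
}

// Full gate: plaintext submissions are refused outright, encrypted ones are minimised.
function handleSubmission(req, formType, trustProxy = false) {
  if (!isEncrypted(req, trustProxy)) {
    return { ok: false, reason: 'submission must be sent over HTTPS' };
  }
  const result = minimise(formType, req.body);
  if (result.missing.length > 0) {
    return { ok: false, reason: `missing required field(s): ${result.missing.join(', ')}` };
  }
  return { ok: true, data: result.accepted, dropped: result.dropped };
}

// Constructed sample requests: plain objects standing in for a web framework's req.
const SAMPLE_NEWSLETTER_OVER_HTTP = {
  protocol: 'http',
  headers: {},
  body: { email: 'alice@example.com' },
};
const SAMPLE_NEWSLETTER_OVER_HTTPS = {
  protocol: 'https',
  headers: {},
  body: { email: ' alice@example.com ', phone: '+00 000 000', address: 'nowhere' },
};

console.log(handleSubmission(SAMPLE_NEWSLETTER_OVER_HTTP, 'newsletter'));
console.log(handleSubmission(SAMPLE_NEWSLETTER_OVER_HTTPS, 'newsletter'));
```

The `dropped` list is worth logging: a newsletter form that keeps submitting a phone number and a postal address is exactly the over-collection the data minimisation rule forbids, and the server-side gate catches it even when the front-end form was changed without review.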

Website encryption

Article 32.1.a of the GDPR requires shop operators to ensure that their data transfer is encrypted. It’s a good idea to use the HTTPS protocol to secure communications on your website. You can also use an SSL certificate to ensure that…

  • … communication partners are authenticated via an asymmetric encryption process.

  • … data transfer is secured end-to-end with a symmetric encryption process.

  • … the integrity of the transported data is not compromised.

To learn more about how to obtain an SSL certificate and which other security measures you can take, check out our article on eCommerce security.

Email marketing

Ever since the GDPR came into effect, online shops have been required to use a double opt-in process to gain the customer’s consent for processing their data (for example, when a customer signs up for your newsletter). That means a customer who is interested in receiving information or advertising from you must consent to this when they give you their contact information (for example, by ticking a box to indicate that they wish to receive advertising emails from you). After that, you must also send them a confirmation link via email, which they must click to complete the sign-up process. This means that they twice give their consent to receive future information/offers from you. If you don’t obtain this double consent, you are not allowed to send advertising or marketing messages to the customer’s email address. If the customer does not click on the confirmation link, you are not allowed to use or store their email address for marketing purposes. 

Cookies

Cookies are another important topic when it comes to data security. Many online shops use cookies to create a more user-friendly experience. For example, cookies can store information so users do not have to fill in their details every time they visit the site. These include information such as:

  • Language settings

  • Items in the shopping cart

  • Login details

The EU Cookies Directive (2009/136/EC) is another piece of legislation that is closely related to the GDPR. Under this directive, a shop owner can only use cookies without the visitor’s consent if they are strictly necessary from a technical point of view. In addition, your website must always include a banner that informs visitors that it uses cookies. And you must always ask for the visitor’s consent in advance of using cookies that are not necessary to keep your site functioning properly.

The table below shows examples of which kinds of cookies are considered technically necessary and which are not:


Social media plugins

In the past, social media plugins could start collecting user data the moment a visitor arrived on your site. The GDPR changed all of that. Under the new rules, social media plugins must always be inactive by default when a user arrives on a site. When a plugin is correctly embedded on your site, it is a passive button that only becomes active when the user clicks on it. By clicking the button, the user gives their consent for their data to be transferred to whichever social media platform the plugin is for. After all, if a user clicks the button, it’s logical to assume that they wish to use it (for example, to share content from your website via social media).

Social media plugins are very common in e-commerce and usually appear in the form of Shariff buttons. In addition, you can use a two-click consent principle for social media buttons on your site (similar to the double opt-in principle for newsletters). Under the two-click system, the user first clicks the social media button they want to use. Then your shop explicitly asks if they consent to you transferring their data to the social media platform.
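One added example (not code from the original article or from its author) serving both the cookie section and the social media plugin section above: a consent record that is "necessary only" until the visitor decides, a cookie writer that refuses any cookie whose category has not been consented to and removes it again when consent is withdrawn, and a two-click button that stays passive and loads nothing from the platform until the visitor confirms. The cookie registry, the category names and the `loader` callback standing in for the platform's script are assumptions; no DOM is needed, so it runs under Node.js.

```javascript
'use strict';

// Assumed registry: the category each cookie belongs to. The first three are the
// examples from the article (language, cart, login); the last two are assumed
// third-party cookies that need consent.
const COOKIE_CATEGORIES = {
  lang: 'necessary',
  cart: 'necessary',
  session: 'necessary',
  _analytics_id: 'analytics',
  _ad_ref: 'marketing',
};

// Consent state. Only 'necessary' is allowed before the visitor has decided.
class ConsentStore {
  constructor() {
    this.granted = new Set(['necessary']);
    this.decidedAt = null;
  }
  // Called from the banner with the categories the visitor agreed to.
  record(categories, now = Date.now()) {
    this.granted = new Set(['necessary', ...categories]);
    this.decidedAt = now;
  }
  allows(category) {
    return this.granted.has(category);
  }
  bannerNeeded() {
    return this.decidedAt === null;
  }
}

// Cookie writer: in the browser `set` would assign document.cookie; here the
// jar is a Map so the gating logic can be exercised without a DOM.
class CookieJar {
  constructor(consent) {
    this.consent = consent;
    this.cookies = new Map();
    this.blocked = [];
  }
  set(name, value) {
    const category = COOKIE_CATEGORIES[name];
    if (!category) throw new Error(`unregistered cookie: ${name}`);
    if (!this.consent.allows(category)) {
      this.blocked.push(name);   // refused: no consent for this category
      return false;
    }
    this.cookies.set(name, value);
    return true;
  }
  // Consent changed: drop cookies whose category is no longer allowed.
  enforce() {
    for (const name of [...this.cookies.keys()]) {
      if (!this.consent.allows(COOKIE_CATEGORIES[name])) this.cookies.delete(name);
    }
  }
}

// Two-click social button. `loader(platform)` stands in for injecting the
// platform's script; it is not called, so no data leaves the page, until the
// visitor has answered the shop's question with a second click.
class TwoClickButton {
  constructor(platform, loader) {
    this.platform = platform;
    this.loader = loader;
    this.state = 'inactive';   // passive placeholder button
    this.loads = 0;
  }
  click() {
    if (this.state === 'inactive') this.state = 'asking'; // shop asks for consent
    return this.state;
  }
  answer(yes) {
    if (this.state !== 'asking') return this.state;
    if (!yes) {
      this.state = 'inactive';
      return this.state;
    }
    this.loads += 1;
    this.loader(this.platform);  // the real plugin is loaded only now
    this.state = 'active';
    return this.state;
  }
}
```

The `blocked` list doubles as a detection aid: any entry in it is a script on the page that tried to set a cookie ahead of consent, which is exactly what a cookie audit should surface.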

Order processing

As a shop operator, you probably work with many service providers, such as:

  • Payment service providers

  • SaaS suppliers

  • Cloud services

These service providers also process personal data related to your customers, so the GDPR requires you to enter into a data processing agreement (DPA) with each partner. Without a DPA, you have no legal grounds for transferring customer data to a third party. Although creating a DPA takes a little extra effort, it offers you more security than you had in the past. For example, a DPA clearly defines who is responsible in the event of a data leak.

Privacy protection in your online shop: a summary of things to consider

Every online shop collects personal data about its visitors. The GDPR is designed to keep this data safe. It provides a set of standard practices for all website operators in the European Union. It also sets specific rules for e-commerce retailers, particularly with regard to newsletters, social media buttons and web forms. It requires you to inform customers about your data processing practices and your privacy policy. Use the table below to help you create a fully GDPR-compliant privacy policy for your online shop.

