
EUSHIPMENTS.COM Your all-in-one delivery partner for e-commerce


Why your online store is violating GDPR right now

Business development | 23 March 2026

Most online store owners believe that GDPR compliance ends with publishing a privacy policy and adding a cookie banner. The reality is quite different, and you usually realize it only when an email from a law firm lands in your inbox. A customer claims they received a promotional message without consent. You have 72 hours to respond formally. Your privacy policy is published, but it was written from a template three years ago and does not reflect any of the tools you actually use today. This matters because data protection in eCommerce touches every point of the customer journey, from the first website visit to the delivery of the product to their home. Despite this, GDPR obligations are widely neglected, even though compliance is a legal requirement, not a recommendation.

As an online store owner, you are a Data Controller under GDPR. This means you determine the purposes and methods of processing your customers’ personal data – and you are responsible for it, even when the work is outsourced to third parties.

The first and most common mistake is assuming that your fulfillment company, logistics partner, or CRM system is responsible for the data you transfer to them. Unfortunately, that is not the case. When you pass customer data (names, addresses, phone numbers or order history) to a fulfillment operator, you are performing data processing. They are Data Processors, but they act on your instructions. If you do not have a signed Data Processing Agreement (DPA) with each of them, that alone is a violation, regardless of how reliable the partner is or how big your business is. Before you continue reading, ask yourself honestly: if the data protection authority requested a full list of all systems processing customer data tomorrow, could you provide it within 24 hours?


You create forms for collecting emails, or worse, automatically add every buyer to a subscriber list. Your goal is to send promotional emails and retarget with discounts. It sounds simple, cheap and, most importantly, risk-free. But do you actually have a legal basis for these activities?

GDPR requires explicit, specific and informed consent for email marketing. A pre-checked box during registration is not consent. A phrase like “Subscribe for updates” without a clear description of the content is also not. A purchased email list is definitely not, and automatically adding someone just because they placed an order is not consent either.

Imagine that you are running a large promotional campaign. You send discount codes and lists of promotions to your entire database, say 5,000 contacts. Among them are people who registered two years ago just to place an order. No one asked them whether they want to receive marketing messages. It could even be worse, for example the ‘Subscribe for updates’ checkbox may have been pre-ticked by default, simply to make the process easier.

Three days after the campaign, a complaint is filed with the CPDP (Commission for Personal Data Protection). One customer, just one (0.02%), has filed a complaint. This type of situation is among the most common triggers for CPDP inspections in e-commerce. The regulator starts an investigation. They will require you to produce documentation for every consent in your database, which will be quite difficult if you have not been maintaining records up to this point.

In this case, the CPDP may impose a fine of up to 4% of annual worldwide turnover (turnover, not profit) or 20 million euros, whichever is higher. For a small business with revenue of 100,000 euros, a fine at the 4% level is 4,000 euros. For a business with a 15% margin, a 4,000 euro fine eats up over 25% of the annual net profit, for a single campaign.

Practical tip #1: Implement a segmented consent architecture – explicitly separate several different types of consent already at registration, for example: for transactional emails (order confirmations), for marketing communications (promotions, discounts), and for personalized retargeting. Most platforms like Klaviyo, Mailchimp, Brevo and others allow you to tag contacts by types/categories – use this as your main filter for every campaign before you hit “Send”. This way, in case of an inspection by the CPDP, you won’t be trying to prove one general consent for everything, but instead present categorized documentation for each type of communication – which is the difference between an administrative violation and proven GDPR compliance.

Imagine a typical order in your store. The customer enters the website – Meta Pixel registers the session. They add a product to the cart – Google Analytics records the behavior. They complete the order and pay by card – the data passes through the payment provider. The order enters your CRM system. From there it is sent to the fulfillment platform. The courier company receives the name, address and phone number. After delivery, the email marketing tool sends questions like “How would you rate your order?”

Seven systems and at least four different companies. All of them process the personal data of the same customer, and you are responsible for all of it. This is the reality of modern eCommerce. This is exactly where the problem begins – most online store owners don’t actually know who sees what and how far it goes.

Practical tip #2: My advice is to start with a simple question to yourself: how many systems receive customer data from your store after each order? Write them down. This is the beginning of your RoPA or Record of Processing Activities. It is not a one-time exercise, but a document that grows together with your business and that speaks for you during an inspection. It may sound cumbersome, but in practice it’s just a few hours of work if you have a clear picture of the tools or systems you use. If you don’t currently have such an overview, this very process will show you where the risks are.

You now know who is responsible and where the risks come from. In Part 2 we will look at what happens when you collect more data than you need, how to respond when a customer asks to be “forgotten”, and why your cookie banner probably doesn’t protect you as much as you think.

Open your checkout form. How many fields does it have? Beyond the standard required data for order fulfillment, is there anything else that is not necessary?

Every additional field you collect without a specific and documented reason is a potential regulatory weakness. GDPR establishes the principle of data minimization: collect only what you actually need, for the purpose you are collecting it for. You should not collect data just because "we might need it for segmentation next year" or "competitors ask for it too". You need specific data for a specific purpose. Every field you remove is one less set of data you need to store, delete on time, and justify during an audit.

Ask yourself a harder question as well: What happens to the data of a customer who placed an order three years ago and never returned? There is a high chance it is still in your database – in your CRM, in your email platform, in your order table. This brings us to the next requirement: having clear data retention policies. That means defining, for each category of data, what the retention period is – and why that specific period, rather than a shorter one, is justified.

Practical tip #1: Automate deletion wherever you can. Most CRM and email platforms allow you to set rules – after a certain period of inactivity, the contact is archived or deleted. This is not just good practice but the way to answer convincingly if one day a regulator asks: “Why are you still storing this data?”

An email arrives: "Please delete all my data." One sentence. At first glance it seems easy: you click "Delete" in your CRM and you are done. You are not, and the reality is different.

A customer's data rarely lives in just one place. For a typical order in an online store, it has spread across at least five or six systems. Your obligation is to trace its entire path to the end, including the partners you have shared it with, who must erase it on your instruction. If you do not act on the right to erasure within one month of receiving the request (extendable by two further months only in complex cases, and only if you tell the customer why), the delay itself is a violation, separate from everything else.

An important nuance worth knowing: not everything is subject to deletion upon request. Accounting documents and order data within an active warranty period have their own legal grounds for retention. Your written response to the customer must say which data you are keeping, on which legal ground and for how long, and confirm that everything beyond what the law requires you to retain has already been deleted.
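The two obligations above, scheduled deletion by category (Practical tip #1) and an erasure request that must respect legal holds, are easiest to get right when the rules live in one place. The following is an added example, not the author's code or any platform's API. The categories, the retention periods and the legal bases are placeholder assumptions (the statutory accounting period in particular is set by national law and must be confirmed with counsel); the sample records are constructed for the demonstration.

```javascript
// Retention rules and erasure handling for customer data spread across several systems.
// Added example, not the author's code. Periods and legal bases are placeholder assumptions.
const DAY_MS = 86_400_000;

const RETENTION_POLICY = {
  marketing_contact: { days: 730,  legalHold: false,
    basis: "consent; contact purged after 24 months of inactivity (assumed internal policy)" },
  analytics_event:   { days: 90,   legalHold: false,
    basis: "legitimate interest; raw events dropped after 90 days (assumed internal policy)" },
  order:             { days: 3650, legalHold: true,
    basis: "statutory accounting retention (assumed 10 years; check national law)" },
};

// refDate is the event the period counts from: order date, last marketing activity, etc.
function ageInDays(record, now) {
  return Math.floor((now - new Date(record.refDate)) / DAY_MS);
}

function isExpired(record, now) {
  const rule = RETENTION_POLICY[record.category];
  if (!rule) throw new Error(`no retention rule for category ${record.category}`);
  return ageInDays(record, now) > rule.days;
}

// Scheduled job (nightly, for example): everything past its retention period, for every customer.
function expiredRecords(records, now) {
  return records.filter(r => isExpired(r, now));
}

// Art. 17 request for one customer. Records under an unexpired legal hold stay; everything
// else goes, and the caller gets the list of systems/processors that must erase as well,
// plus the written statement the customer receives.
function handleErasureRequest(records, customerId, now) {
  const deleted = [];
  const retained = [];
  for (const r of records.filter(r => r.customerId === customerId)) {
    const rule = RETENTION_POLICY[r.category];
    const expired = isExpired(r, now);
    if (rule.legalHold && !expired) {
      const until = new Date(new Date(r.refDate).getTime() + rule.days * DAY_MS);
      retained.push({ id: r.id, system: r.system, basis: rule.basis,
                      until: until.toISOString().slice(0, 10) });
    } else {
      deleted.push(r);
    }
  }
  const systemsToNotify = [...new Set(deleted.map(r => r.system))];
  const statement = [
    `Erasure request for ${customerId} processed on ${now.toISOString().slice(0, 10)}.`,
    `Deleted ${deleted.length} record(s) in: ${systemsToNotify.join(", ") || "none"}.`,
    ...retained.map(x => `Retained ${x.id} in ${x.system} until ${x.until}: ${x.basis}.`),
  ].join("\n");
  return { deleted: deleted.map(r => r.id), retained, systemsToNotify, statement };
}

// Constructed sample: two customers, records in four systems, as of a fixed "today".
const NOW = new Date("2026-03-23T00:00:00Z");
const SAMPLE_RECORDS = [
  { id: "o-1001", customerId: "c-42", category: "order",             system: "orders-db",      refDate: "2023-03-15" },
  { id: "m-7",    customerId: "c-42", category: "marketing_contact", system: "email-platform", refDate: "2022-01-10" },
  { id: "a-55",   customerId: "c-42", category: "analytics_event",   system: "analytics",      refDate: "2026-02-01" },
  { id: "m-8",    customerId: "c-77", category: "marketing_contact", system: "email-platform", refDate: "2023-01-01" },
  { id: "o-900",  customerId: "c-77", category: "order",             system: "orders-db",      refDate: "2015-06-01" },
];

console.log(handleErasureRequest(SAMPLE_RECORDS, "c-42", NOW).statement);
```

Running it against the sample, the nightly job flags the two stale marketing contacts and the eleven-year-old order; the erasure request for c-42 deletes the marketing contact and the analytics event, keeps the 2023 order under the accounting hold, and names the email platform and the analytics tool as the processors that must erase too.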

Ask yourself the question now, not when the request comes: if you had to “forget” a customer tomorrow, do you know exactly which systems are involved and who in your team is responsible for each? Or try an even more uncomfortable one: When was the last time you deleted customer data on your own initiative?


Practical tip #2: My advice is not to wait for such a request to find out the answers. Build an internal process – it doesn’t have to be complex, but it should at least be documented – listing systems, responsible persons, and confirmation timelines. Because when the request comes, you won’t have the luxury of figuring things out on the go. GDPR compliance does not tolerate improvisation, and the cost of non-compliance is felt immediately.

Open your website in incognito mode and see what happens before you click anything. In over 90% of the online stores I audit, Meta Pixel and Google Tag Manager have already loaded and are sending data. The cookie banner is still on the screen. There is still no consent. The violation has already occurred.
This is the most widespread and easiest-to-prove GDPR violation in eCommerce right now. Not because merchants are careless, but because the cookie banner looks like a solution, while in reality it is just an interface. The real solution is technical, not visual.

The rule is simple and leaves no room for interpretation: tracking scripts must be blocked by default and activated only after explicit consent, per category. Only cookies that are strictly necessary for the service the customer asked for (the shopping cart, the login session) are exempt from consent. A customer who has refused marketing cookies must not be tracked by the Meta pixel, and a customer who has not yet answered the banner must not be tracked either. If this is not the case for you right now, you have a technical problem that creates a legal one.

Regulators in the EU no longer warn, they sanction. In just the past two years, fines for invalid cookie mechanisms have been imposed on companies in Germany, France, Spain and Italy. The small scale of a business is not a mitigating circumstance.

Practical tip #3: Here my advice is not to rely on the banner as your last line of defense. Integrate a Consent Management Platform (CMP) with your Tag Manager so that every tag fires only when its consent category has actually been granted. Start with an audit of your website using a scanner that shows whether scripts load before consent. If you want to check it manually: open the website in incognito mode, open Inspect → Network, reload, and observe what fires before you touch the banner. Requests to facebook.com/tr (the Meta pixel), google-analytics.com/collect or googletagmanager.com, and cookies such as _fbp or _ga appearing under Application → Cookies, all mean tracking started without consent. The result is usually an unpleasant surprise, but it is far better for you to discover it before the regulator does.
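What "activated conditionally" looks like in the page itself, as an added example (not the author's code and not any CMP's API): a small gate that queues every third-party loader under its consent category, fires it only when the shopper grants that category, and remembers that a script already in the page cannot be unloaded when consent is withdrawn. The category names, the tag identifiers and the placeholder IDs are assumptions; a real CMP supplies its own names.

```javascript
// Consent-gated tag loading: third-party scripts stay queued until the shopper opts in
// to their category. Added example, not the author's or any CMP's code.
// "necessary" covers strictly required cookies and is always allowed; the rest default to denied.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate(initial = {}) {
  // initial lets a stored choice from an earlier visit be restored before any tag is registered
  const consent = { necessary: true, analytics: false, marketing: false, ...initial };
  let pending = [];          // tags registered before their category was granted
  const loadedTags = [];     // tags actually activated, in activation order

  function run(tag) { tag.load(); loadedTags.push(tag); }

  // Register a tag under the category that governs it. If the category is already granted
  // it loads now; otherwise it waits. Nothing ever loads just because the page opened.
  function register(category, name, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
    const tag = { category, name, load };
    if (consent[category]) run(tag); else pending.push(tag);
  }

  // Called by the banner once the shopper chooses, e.g. grant(["analytics"]).
  // Only loaders whose category just became allowed are flushed; the rest stay queued.
  function grant(granted) {
    for (const c of granted) if (c in consent && c !== "necessary") consent[c] = true;
    const ready = pending.filter(t => consent[t.category]);
    pending = pending.filter(t => !consent[t.category]);
    ready.forEach(run);
  }

  // Withdrawal. A script already in the page cannot be unloaded client-side, so the honest
  // answer is: record the refusal and reload. Returns true when such a reload is needed.
  function revoke(category) {
    if (category === "necessary" || !(category in consent)) return false;
    consent[category] = false;
    return loadedTags.some(t => t.category === category);
  }

  return {
    register, grant, revoke,
    status: () => ({ ...consent }),
    loaded: () => loadedTags.map(t => t.name),
    pendingNames: () => pending.map(t => t.name),
  };
}

// The actual loader: inject a <script> tag. Returns false outside a browser (e.g. under Node).
function injectScript(src) {
  if (typeof document === "undefined") return false;
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
  return true;
}

// Wire the store's tags to their categories. IDs are placeholders; in a real setup the
// Meta loader would also call fbq('init', ids.metaPixel) after fbevents.js arrives.
function setupStoreTags(gate, ids) {
  gate.register("analytics", "ga4", () =>
    injectScript(`https://www.googletagmanager.com/gtag/js?id=${ids.ga4}`));
  gate.register("marketing", "meta-pixel", () =>
    injectScript("https://connect.facebook.net/en_US/fbevents.js"));
}

// Page load: build the gate from the stored choice (none here), register tags, then let the
// banner call gate.grant([...]) or gate.revoke(...) when the shopper decides.
const gate = createConsentGate();
setupStoreTags(gate, { ga4: "G-XXXXXXX", metaPixel: "000000000000000" });
```

The Network-tab check from the tip is the test of this code: with the gate in place, reloading in incognito mode should show no request to the pixel or analytics endpoints until a category is granted, and refusing marketing must leave the Meta loader in the queue for the whole session.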

GDPR is not a bureaucratic formality. It is an operational reality that affects every online store, regardless of its size. Not because the regulator is actively targeting small businesses, but because one dissatisfied customer, one misconfigured pixel, or one email without documented consent is enough to trigger an investigation.

My advice is simple: do not wait for a complaint to run an audit. Do it now, while you still have a choice in how to respond.

Author:

Martin Penchev is a Bulgarian lawyer specializing in contract, corporate, and eCommerce law, and a Ph.D. candidate in contract law at the Bulgarian Academy of Sciences. He is the founder of CraftPolicy, a company focused on developing tailor-made legal policies and GDPR solutions for online businesses. He has advised over 100 companies across Europe and the United States on contract structuring, regulatory risk, and digital compliance. His work combines academic expertise with practical business insight, supporting the sustainable growth of companies in complex regulatory environments.