What is the GDPR? E-commerce definition

June 4, 2026

The GDPR (General Data Protection Regulation) is the European framework that governs the collection, use, and retention of personal data of European Union residents. For an e-commerce merchant, it applies as soon as you process names, emails, addresses, order history, or marketing consents, including via Shopify, Klaviyo, or ad pixels. It complements cookie rules (tracking cookies) and T&C.

Definition of GDPR in e-commerce

Having entered into force on May 25, 2018, the GDPR harmonizes data protection across the EU. A personal datum is any information that allows a person to be identified (directly or indirectly): email, IP, postal address, order number linked to a name.

Key players:

- Data controller: you, the merchant, who decides why and how the data is used.
- Processor: a service provider that processes data on your behalf (Shopify, Klaviyo, carrier, helpdesk).
- Data subject: the customer or visitor whose data is processed.

Typical e-commerce data concerned:

- Identity and contact details (name, email, telephone).
- Delivery and billing addresses.
- Order history and payments (without storing full card numbers).
- Email/SMS marketing consent.
- Navigation data when linked to a profile (cookies, customer account).
- Customer service exchanges: chat, support tickets.

Useful distinctions:

- GDPR vs tracking cookies: the GDPR governs all personal data processing; cookies and trackers additionally fall under the ePrivacy directive and the CNIL guidelines on trackers.
- GDPR vs T&C: the GDPR covers privacy; the T&C are the commercial contract (sale, returns).
- Personal data vs anonymised data: anonymised data is outside the scope of the GDPR only if re-identification is impossible.
- GDPR vs PCI-DSS: PCI-DSS concerns card payment security and is a separate framework.
- Legal basis vs consent: consent is only one of the possible legal bases (see the section on principles and legal bases below).

Why the GDPR concerns all online stores

Even a small Shopify store processes personal data with every order. The GDPR is not just for large corporations: it applies to any business targeting European customers.

Its impact can be seen at several levels:

- Customer trust: a clear privacy policy reassures customers before purchase.
- Sanctions: administrative fines are possible in the event of a serious breach (with amounts capped by the regulation).
- Lawful marketing: email/SMS without a legal basis is spam and exposes you to complaints.
- Third-party apps: each tool (ESP, chatbot, reviews) processes data on your behalf.
- Transfers outside the EU: international sales mean checking data transfers (United States, standard contractual clauses).
- Customer base: data governance of the customer database.
- Reputation: data leaks or poor handling of deletion requests damage the brand.

GDPR compliance is a framework of key points: minimize data, document uses, respond to data subject rights. Legal advice remains recommended depending on your volume, your markets, and your specific processing practices.

Principles, legal bases and client rights

GDPR fundamental principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Common legal bases in e-commerce:

- Performance of a contract: processing an order, delivery, invoicing, after-sales service related to the purchase.
- Consent: newsletter, marketing cookies, promotional SMS (freely given, specific, revocable).
- Legitimate interest: fraud prevention, website security (case-by-case analysis, right to object).
- Legal obligation: accounting retention, invoices.

Customer rights to implement:

- Access: a copy of the data held.
- Rectification: correcting an incorrect address.
- Erasure ("right to be forgotten"), subject to legal retention obligations.
- Portability: a structured export (e.g., CSV).
- Objection: refusing marketing or certain profiling.
- Restriction: temporarily freezing processing during a dispute.

In practice: a French shop, "BioPantry", handles 2,000 orders/month. A customer requests erasure by emailing customer service. Checks: is there an active order in progress (no)? Is there a legal accounting obligation to keep invoices for 10 years (yes, so retention is limited to the legally required fields)? Action: delete the Klaviyo marketing profile and partially anonymise the Shopify order according to the internal procedure. Respond within 30 days with a confirmation. Separately, marketing cookie consent is managed via the CMP, and promotional emails are sent only if the checkout opt-in was ticked.
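The erasure workflow above, as an added example that is not code from the page, from Shopify or from Klaviyo: it models a customer with orders in plain Python (the data model, field names and sample records are assumptions constructed for the demo, not any platform's API), checks for an order in progress, deactivates the marketing profile, anonymises the identifying fields of orders still inside the 10-year invoice retention period while keeping the invoice fields, deletes orders that are past it, writes an audit entry and computes the 30-day response deadline.

```python
"""Added example: handling a GDPR erasure request on a constructed customer record."""
from dataclasses import dataclass, field
from datetime import date, timedelta

INVOICE_RETENTION_YEARS = 10   # accounting retention period stated on the page
RESPONSE_DEADLINE_DAYS = 30    # response window stated on the page
ERASED = "[erased]"            # placeholder written over identifying fields


@dataclass
class Order:                   # assumed data model, not a platform object
    order_id: str
    placed_on: date
    status: str                # "open" while in progress, "completed" afterwards
    name: str
    email: str
    address: str
    invoice_number: str        # legal field: kept for the retention period
    amount_eur: float          # legal field: kept for the retention period


@dataclass
class Customer:
    customer_id: str
    email: str
    orders: list
    marketing_profile_active: bool = True   # e.g. the ESP profile
    audit_log: list = field(default_factory=list)


def has_open_orders(customer):
    return any(o.status == "open" for o in customer.orders)


def retention_end(placed_on):
    """Date after which the invoice fields no longer have to be kept."""
    try:
        return placed_on.replace(year=placed_on.year + INVOICE_RETENTION_YEARS)
    except ValueError:         # order placed on 29 February
        return placed_on.replace(year=placed_on.year + INVOICE_RETENTION_YEARS, day=28)


def anonymise_order(order):
    """Strip the identifying fields; leave what accounting law requires."""
    order.name = ERASED
    order.email = ERASED
    order.address = ERASED


def handle_erasure_request(customer, requested_on, today):
    """Apply the page's procedure and return a summary for the reply to the customer."""
    deadline = requested_on + timedelta(days=RESPONSE_DEADLINE_DAYS)
    if has_open_orders(customer):
        # An order in progress still needs the data under the contract basis.
        customer.audit_log.append((today, "erasure deferred: order in progress"))
        return {"status": "deferred", "reason": "open order", "respond_by": deadline}
    customer.marketing_profile_active = False      # consent-based processing stops now
    kept, anonymised, deleted = [], 0, 0
    for order in customer.orders:
        if retention_end(order.placed_on) > today:
            anonymise_order(order)                 # inside retention: keep legal fields only
            kept.append(order)
            anonymised += 1
        else:
            deleted += 1                           # past retention: drop the record entirely
    customer.orders = kept
    customer.email = ERASED
    customer.audit_log.append((today, f"erasure done: {anonymised} anonymised, {deleted} deleted"))
    return {"status": "completed", "orders_anonymised": anonymised,
            "orders_deleted": deleted, "respond_by": deadline}


def sample_customer(open_order=False):
    """Constructed sample data: one order past the 10-year period, one inside it."""
    orders = [
        Order("o-1", date(2014, 1, 10), "completed", "Jane Doe", "jane@example.com",
              "1 rue Exemple, Paris", "INV-2014-001", 42.0),
        Order("o-2", date(2025, 3, 1), "completed", "Jane Doe", "jane@example.com",
              "1 rue Exemple, Paris", "INV-2025-017", 18.5),
    ]
    if open_order:
        orders.append(Order("o-3", date(2026, 6, 2), "open", "Jane Doe", "jane@example.com",
                            "1 rue Exemple, Paris", "INV-2026-040", 9.9))
    return Customer("c-1001", "jane@example.com", orders)


def run_demo(requested_on="2026-06-01", today="2026-06-04", open_order=False):
    """Run the procedure on the sample customer; dates are ISO strings (constructed)."""
    customer = sample_customer(open_order)
    result = handle_erasure_request(customer, date.fromisoformat(requested_on),
                                    date.fromisoformat(today))
    return customer, result


if __name__ == "__main__":
    _, summary = run_demo()
    print(summary)
```

The order that fell out of the retention period is removed outright; the recent one keeps its invoice number and amount with the name, email and address overwritten, which is the "partial anonymisation" the scenario describes. The audit log entry is the proof that the request was handled within the deadline.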

GDPR and Shopify

Shopify acts as a processor for hosting store and customer data (Shopify Help Center). You remain responsible for marketing choices, installed apps and displayed policies.

In Shopify, this is reflected in particular by:

- Privacy policy: a dedicated page (identity of the controller, purposes, retention periods, rights, processors).
- Customer Privacy: consent API, cookie preference management.
- Export / delete customer: from the customer file in the admin or on individual request.
- Marketing consent: email opt-in saved on the customer file.
- Apps: check the DPA (Data Processing Agreement) with Klaviyo, Gorgias, etc.
- Checkout: marketing consent checkbox separate from acceptance of the T&C.
- Chatbot / AI: conversations may contain personal data; inform the user and limit retention.

Merchant checklist:

1. Draft the privacy policy and legal notices, or have them validated.
2. Install a CMP if you use analytics or advertising cookies (EU).
3. Document the processing register (CNIL template for SMEs).
4. Set up an internal procedure for GDPR requests (dedicated email, 1-month response time).
5. List your processors and sign DPAs where offered.
6. Train the support team: do not ask for unnecessary data via chat.

Points of attention for responsible data management

Points of vigilance notably include:

- Minimising collection: only strictly useful checkout fields.
- Separating transactional and marketing processing: distinct legal bases (email campaigns).
- Cookie consent before any non-essential pixel fires.
- Retention periods: defining how long inactive prospects are kept.
- Security: strong admin passwords, restricted access, Shopify 2FA.
- Transparency: explaining why you collect the email in the pop-up.
- Logging consent: proof of each marketing opt-in.

To watch out for:

- A pre-checked marketing box at checkout (invalid consent).
- Importing a purchased email list without a legal basis.
- A generic privacy policy not adapted to your apps.
- Leaving deletion requests unanswered for more than 30 days.
- Installing 20 apps without checking where customer data goes.
- Confusing the T&C with the privacy policy (two separate documents).
- Storing card numbers or passwords in plain text (prohibited).

In brief

To remember:

- GDPR = EU regulation on personal data protection.
- Merchant = controller; Shopify and apps = processors.
- Legal bases: contract, consent, legitimate interest, legal obligation.
- Customer rights: access, rectification, erasure, portability, objection.
- Distinct frameworks: cookies (ePrivacy), T&C, PCI-DSS.
- Shopify: privacy policy, Customer Privacy, marketing consent, customer export.

Related terms, FAQ, and useful resources

FAQ

Are RGPD and GDPR the same thing?

Yes. GDPR (General Data Protection Regulation) is the English name for the French RGPD. Same European regulation.

Does the GDPR apply if my shop is outside the EU?

If you sell to or target EU resident customers, the GDPR generally applies to their data, even if your company is based in the United States or elsewhere. Check with an advisor based on your structure.

Can I send emails without explicit consent?

In EU B2C, email prospecting generally requires prior consent or, in some countries, a highly regulated "soft opt-in" exception (existing customer, similar products). In practice, explicit opt-in at checkout or via a pop-up remains the safest path.

Is Shopify GDPR compliant on my behalf?

Shopify provides tools and acts under contract as a data processor, but global compliance depends on your apps, pixels, emails, retention periods, and responses to data subject rights. You remain the data controller.

Go further

Sources: Shopify Help Center (Privacy), EU Regulation 2016/679 (GDPR), CNIL (SME guides, cookies). This content is for informational purposes, not legal advice.

Enzo

13 May 2026
