If your compliance strategy is a Cookiebot banner and a privacy policy template you found on Google, you are still exposed. Cookie consent is one part of GDPR compliance. It is not even the most important part.
This guide covers everything a UK ecommerce business actually needs to do to comply with UK GDPR. Whether you run a Shopify store, a WooCommerce site, or a custom-built shop, the obligations are the same. The tools differ. The law does not.
Why ecommerce businesses face specific GDPR risks
Ecommerce stores process more personal data than most small businesses realise. Every transaction involves a name, email address, shipping address, payment details, and browsing behaviour. Most stores also run email marketing (Klaviyo, Mailchimp), analytics (Google Analytics, Hotjar), advertising pixels (Meta Pixel, Google Ads), and review platforms (Trustpilot, Judge.me). Each of these creates a separate data processing relationship with its own legal requirements.
The typical Shopify store with 10 apps installed has 10 data processing relationships that need to be documented and governed. Most store owners have not documented any of them.
The six things every UK ecommerce business must have
1. A Record of Processing Activities (ROPA)
Article 30 of UK GDPR requires you to maintain a record of your processing activities. This is not optional for ecommerce businesses. Even if you have fewer than 250 employees (a threshold that is widely misunderstood), you still need a ROPA if your processing is not occasional, and processing customer orders and running marketing campaigns every day is not occasional.
Your ROPA should document every way your business uses personal data. For a typical ecommerce store, that includes:
- Customer order processing. Names, emails, addresses, order history. Legal basis: contract performance.
- Email marketing. Email addresses, purchase behaviour, segmentation data. Legal basis: consent (for marketing to prospects) or legitimate interests (for existing customers under the "soft opt-in" exception in PECR Regulation 22).
- Website analytics. IP addresses, browsing behaviour, device data. Legal basis: consent (for non-essential analytics cookies).
- Advertising and retargeting. Behavioural data shared with Meta, Google, TikTok. Legal basis: consent.
- Payment processing. Card data handled by Stripe, PayPal, etc. Legal basis: contract performance.
- Customer reviews. Names, email addresses, review content. Legal basis: consent or legitimate interests.
- Customer support. Contact details, support ticket content. Legal basis: contract performance or legitimate interests.
- Employee/contractor data. If you have staff, their personal data needs documenting too. Legal basis varies.
For each activity, the ROPA must record: the purpose of processing, the categories of personal data involved, the legal basis, who receives the data (including any third-party processors), whether data is transferred outside the UK, and retention periods.
2. Data Processing Agreements (DPAs) with every vendor
Every third-party tool that processes personal data on your behalf needs a Data Processing Agreement. Under Article 28 of UK GDPR, you as the data controller must have a written contract with each processor that sets out the subject matter, duration, nature, and purpose of the processing.
For a typical Shopify store, this means DPAs with:
- Shopify (your ecommerce platform). Shopify auto-applies their Data Processing Addendum when you create a store. It is available at shopify.com/legal/dpa.
- Stripe or PayPal (payment processing). Stripe's DPA is incorporated into their terms of service. PayPal has a separate DPA you may need to accept.
- Klaviyo or Mailchimp (email marketing). Both offer DPAs. Klaviyo's is at klaviyo.com/legal/data-processing-agreement. Both use Standard Contractual Clauses for UK/EU data transfers.
- Google Analytics (if you use it). Google's Data Processing Terms apply. You need to accept them in your GA admin settings.
- Meta (if you use the Pixel). Meta's Data Processing Terms for business tools. Note that Meta Pixel creates a joint controller relationship, not a processor relationship.
- Every Shopify app that processes customer data. This is where most stores fall down.
3. A GDPR-compliant privacy policy
Your privacy policy is not a formality. Under Articles 13 and 14 of UK GDPR, you must tell people how you use their data at the point of collection. For an ecommerce store, your privacy policy should cover:
- Who you are (your business name and contact details)
- What personal data you collect and why
- The legal basis for each type of processing
- Who you share data with (name every category of third party)
- Whether data is transferred outside the UK, and what safeguards are in place
- How long you keep data (specific retention periods, not "as long as necessary")
- Your customers' rights (access, rectification, erasure, portability, objection, complaint to the ICO)
- How you handle cookies and tracking technologies
A generic template that says "we may share your data with third parties" is not compliant. You need to be specific.
4. Lawful cookie and tracking consent
Under PECR (the Privacy and Electronic Communications Regulations 2003, as amended), you need consent before setting any cookie that is not strictly necessary for the service the user has requested.
For an ecommerce store, strictly necessary cookies include: session cookies, shopping cart cookies, authentication cookies, and essential security cookies. Everything else needs consent before it loads.
If your store loads the Meta Pixel and Google Analytics on page load and your cookie banner only asks for consent after that data has already been collected, you are non-compliant. This is one of the most common failures in UK ecommerce.
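As an added illustration (not code from the original post), here is a minimal consent gate in JavaScript: strictly necessary tags load immediately, every other tag is injected only once the shopper has opted in to its category, and an audit helper flags any tag observed firing before a choice was made. The tag ids, the `inject` callback and the `SCRIPT_SRC` map are placeholders for the real Pixel and GA4 snippets.

```javascript
// Added example, not from the original post: a consent gate for ecommerce tags.
// Tag ids are placeholders; the real Meta Pixel / GA4 snippets go in `inject`.
const TAGS = [
  { id: "session", category: "necessary" },    // strictly necessary: no consent needed
  { id: "cart", category: "necessary" },
  { id: "ga4", category: "analytics" },        // needs analytics consent
  { id: "hotjar", category: "analytics" },
  { id: "meta-pixel", category: "marketing" }, // needs marketing consent
  { id: "google-ads", category: "marketing" },
];

// consent is { analytics: bool, marketing: bool } once the shopper has chosen,
// or null before any choice. Only strictly necessary tags pass with null.
function allowedTags(consent, tags = TAGS) {
  return tags
    .filter((t) => t.category === "necessary" || (consent !== null && consent[t.category] === true))
    .map((t) => t.id);
}

// The single place that injects tags. Call it on page load with null, then again
// when the banner records a choice; `inject(id)` does the actual script insertion.
function loadTags(consent, inject, tags = TAGS, alreadyLoaded = new Set()) {
  const loadedNow = [];
  for (const id of allowedTags(consent, tags)) {
    if (alreadyLoaded.has(id)) continue; // idempotent across repeated calls
    inject(id);
    alreadyLoaded.add(id);
    loadedNow.push(id);
  }
  return loadedNow;
}

// Audit helper for the "does the Pixel fire before consent?" check: pass the tag
// ids observed on a fresh first page load (e.g. from the browser network panel)
// and get back the ones that fired without a lawful basis.
function tagsFiredBeforeConsent(observedIds, tags = TAGS) {
  const allowed = new Set(allowedTags(null, tags));
  return observedIds.filter((id) => !allowed.has(id));
}

// Browser wiring (skipped when run under Node): inject by appending a script tag.
// SCRIPT_SRC is a placeholder map from tag id to the vendor's script URL.
function browserInject(id, SCRIPT_SRC = {}) {
  if (typeof document === "undefined" || !SCRIPT_SRC[id]) return;
  const s = document.createElement("script");
  s.src = SCRIPT_SRC[id];
  s.async = true;
  document.head.appendChild(s);
}
```

Running `tagsFiredBeforeConsent` against what you actually see on a fresh visit is the quarterly audit the checklist below asks for; anything it returns is a tag that needs to move behind the gate.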
5. Customer data retention periods
UK GDPR requires you to keep personal data for no longer than necessary. "We keep everything forever" is not a policy. You need defined retention periods:
- Order data: duration of the customer relationship plus 6 years (UK limitation period for contract claims). Some financial data may need 7 years for HMRC.
- Marketing data: while the person is subscribed. Delete or anonymise within 30 days of unsubscribe.
- Website analytics data: anonymise or delete after 14-26 months.
- Customer support data: duration of the interaction plus 12 months, then delete.
- Payment card data: you should not be storing this. Stripe and PayPal handle card data.
6. A process for handling data subject requests
Your customers have rights under UK GDPR: the right to access their data, correct it, delete it, port it to another service, and object to certain types of processing. You need a process for handling these.
For ecommerce, the most common requests are:
- Access requests (DSARs). A customer asks for a copy of all data you hold on them. You have one calendar month to respond. For a Shopify store, this means exporting their order history, account data, marketing preferences, and any data held by your apps and processors.
- Erasure requests. A customer asks you to delete their data. You must comply unless you have a legal obligation to retain it (e.g., financial records for HMRC). You can anonymise what you cannot delete.
- Marketing opt-outs. Every marketing email must include an unsubscribe link, and unsubscribe requests must be processed promptly.
The challenge is ensuring your third-party apps and processors also action the request. If you delete a customer from Shopify but their data still sits in Klaviyo, Google Analytics, and your review platform, you have not actually fulfilled the erasure request.
The vendor problem: Shopify apps and third-party tools
The biggest compliance gap for most ecommerce businesses is third-party apps. A typical Shopify store uses apps for email marketing, reviews, upselling, abandoned cart recovery, inventory management, shipping, accounting, and more. Each app that processes customer data is a data processor under UK GDPR.
For each app, you should:
- Check whether they have a DPA. Look in their terms of service or privacy policy. If there is no DPA, that is a red flag.
- Check where they process data. If the app processes data outside the UK, verify that appropriate transfer mechanisms are in place.
- Check what data they access. Some Shopify apps request broad permissions but only need a subset of data.
- Document the relationship. Add each app to your ROPA with the data categories processed, the purpose, the legal basis, and the location.
The Meta Pixel joint controller issue
This deserves its own callout because it catches so many ecommerce businesses. If you run Meta ads and have the Pixel on your store, you are a joint controller with Meta for the data the Pixel collects. This is established by the CJEU's Fashion ID judgment (Case C-40/17).
Joint controllership means you share legal responsibility with Meta for ensuring the processing is lawful. You cannot argue that Meta is just a processor following your instructions. You both determine the purposes.
Email marketing: the soft opt-in and its limits
UK ecommerce businesses have a useful exemption for email marketing to existing customers. Under Regulation 22 of PECR (the "soft opt-in"), you can send marketing emails to someone who has previously purchased from you, provided:
- You collected their email address during a sale or negotiation of a sale
- The marketing is about similar products or services to what they bought
- You gave them a clear opportunity to opt out when collecting their email, and in every subsequent email
- They have not opted out
This means you do not need explicit opt-in consent to email existing customers about products similar to what they bought. But the soft opt-in does not cover: emails to people who only browsed your site but did not buy, emails about products or services unrelated to their purchase, or sharing their email address with third parties for their own marketing.
For prospects (people who have not bought from you), you need explicit opt-in consent. A pre-ticked checkbox at checkout does not count.
What to do this week
If you have read this far and realised your store has gaps, here is where to start:
This week:
- Audit your cookie consent. Does the Meta Pixel fire before consent? Do analytics load before consent? Fix any that do.
- Check your privacy policy. Does it name your actual vendors and processors? Does it include specific retention periods?
- Verify DPAs are in place for Shopify, Stripe, and your email marketing platform.
This month:
- Create a ROPA listing every way your business processes personal data.
- Review every Shopify app for DPA coverage and data access.
- Set up a process for handling DSARs (even a simple documented procedure).
- Define and document data retention periods.
Ongoing:
- Review your ROPA when you add new tools or change how you use data.
- Audit your cookie consent quarterly (tools update, new scripts get added).
- Process unsubscribe and deletion requests promptly.
Want to get all of this done in one sitting?
Rowpa generates your ROPA from your website and tech stack, checks every vendor against a 300+ tool DPA library, and produces an audit-ready privacy policy. Takes about 15 minutes.
This post is for information only and does not constitute legal advice.