Thibault Milan
Thibault Milan Highly analytical and detail-oriented professional with hands-on experience laying foundation for fantastic end-to-end user experiences.

GDPR & E-commerce

GDPR & E-commerce

Just before starting, maybe all of us don’t know about GDPR yet (really ? You are part of the 0.1% of people that didn’t receive tons of emails about it then) and what’s it give as new rights to end-users.

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

So basicaly GDPR state few rules that are applied across all EU & EEA but also outside, since those rules needs to be followed by any company who handle EU & EAA people data. Either those people are customers, employees, contractors, visitors, leads, …

We can translate that to simpler statements :

  1. You can’t share, without their consent, your customer’s data with 3rd party providers, partners & sponsors.

  2. You cannot add anyone to your marketing list

  3. You have to put on papers some plans about who is having access to client’s data, why, how and how you are ensuring the access are logged and revocable when the employee is leaving.

  4. You need to be able to give to the customers all their data (in a common portable format), erase, edit them or anonymize them on demand.

Following the GDPR, the ePrivacy evolve also in order to adapt to the new policies needed by GDPR and increasing the user’s protection. For exemple, we already see a lot of services that require user to accept their new policy. That’s, fortunatly for the user, unlawfull.

[…] access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.

Read the full statement 🇺🇸

There’s 2 main concept to keep in mind when collecting consent (because you need to, in order to use your user personal informations): Informed & Explicit.

That mean you need to clearly inform your visitors & customers about which data exactly you will collect, how long you will keep it, how they can access/edit/export or ask for complete erasure.

To help you understand better the consequences of GDPR (or previous laws) on online retail, we made a small chart right after. You can see what you can’t do (orange), what you may kind (yellow) but subject to prerequisites, and what you absolutely can do (green).

The do and don’t of e-commerce marketing following GDPR.

  1. Retargeting is only allowed if you collected the explicit consent from the customer to receive this kind of emails. Retargeting can be made by email or ad platform, but the technical solution has no impact on the need to require the user’s consent.

  2. That’s a tricky question, and I have no clue about this one. Empty cart emails is marketing emails, for sure, but it’s also based on the behaviours of the end-user, and to force him to close a deal he pause. Even if it’s a well-known sales technique, sometimes followed by a coupon as incentive, I wouldn’t advice to continue using it before more clarification by experts.

  3. Product you may like** **features are ok to use, without consent, if you are only using some cross-selling or up-selling functionalities that are not based on the user behaviour.

  4. Marketing emails are allowed to your newsletter users if they give you their consent to do so. Otherwise, only past customers can be targeted.

As we can seen just before, mailing campaign can be sent to people who :

  1. Subscribe to your mailing list. And you’ll need to be able to prove they add subscribe to it.

  2. People who bought stuff from you. It falls under what is called soft opt-in . You need to provide an unsubscribe link in every email then.

For those 2 categories of people, no need to bother them asking if they can confirm their subscriptions. For the others, … well. You are not legally supposed to have other kind of people in your emailing database. The law already prohibit you to add people who just sent you email or handle you business cards.

There’s also another “issue” with GDPR, regarding your 3rd party provider. Since you may have choose a SaaS solution like Shopify, you will have to do extra steps in order to be compliant with GDPR :

  1. You will have to be sure the provider you choose is GDPR compliant, because you are the one who is accountable for that.

  2. You will need to be sure the provider will give you all the possibilities required by law in term of data manipulation (send to the user all the data you have on him, delete all those data, …).

  3. You’ll not be able to hide behind your 3rd party solution provider in case of data loss / leak. And that’s mostly not the fault of GDPR but of the new addendum (usually a D.P.A : Data Processing Agreement) your provider may have already sent to you and require you to sign. So be carefull about the fine lines.

The subject of GDPR is quite extensive, and we just cover a small part of it, the one that is related to the online-retail industry. But GDPR impact all business, small or big, non-profits and gouvernment, and not just with their customers but also their employees.

If you want to go further, here’s a small collection of ressources to start with.

Thanks for reading ! If you want more informations about GDPR, don’t hesitate to heads to . We also publish a fortnightly technology watch newsletter, you can take a look at it online & subscribe !

You can find me on Twitter, Linkedin, my newsletter & my website.