Ecommerce: How To Have A GDPR-compliant E-shop

Alessandro Vercellotti
Legal for Digital

Six years after the entry into force of the GDPR, MyBank interviewed Alessandro Vercellotti, founder of Legal for Digital, to find out where e-commerce stands in terms of compliance and what can be done to have an online store that is legally sound in terms of privacy.

About our guest:

Alessandro Vercellotti is a Digital Lawyer (Avvocato del Digitale®), founder partner of the Legal for Digital® law firm specialised in Copyright, AI, Privacy, E-commerce, Brand Reputation, and Legal Tech.

Europe’s data protection regulation or GDPR officially took effect on 25 May 2018. What has this meant for e-commerce?

The GDPR’s enforcement since 2018 has significantly impacted how personal data is managed in the e-commerce sector. Before the European regulation, there was privacy legislation in Italy but no unified framework at the European Community level. Taking into consideration the fact that most e-commerce sites operate at the national and European levels, the GDPR proposed a broader, more comprehensive way of handling personal data.

Savvy companies have taken the opportunity to use the GDPR not only to fulfil formal obligations like drafting privacy policies, cookie policies, and banners for the handling of technical cookies and profiling but also to increase e-commerce performance.

In other words, for many operators, the GDPR has been both a bureaucratic obligation and a chance to rethink the entire management of customers’ personal data to improve user experience and make their online businesses more successful. This approach can be greatly beneficial in terms of conversions, turnover, and customer retention.

Essentially, the GDPR has elevated the handling of personal data from a mere regulatory obligation to a strategic tool for e-commerce success. Both large players and smaller, more dynamic ones have adopted this shift in perspective.

Taking stock six years in, how can we assess the results?

Six years after the GDPR came into force, the results are mixed. On the one hand, the regulation has undoubtedly helped to increase companies’ and consumers’ awareness of the importance of personal data protection. According to much of the market research, Italians’ awareness of privacy issues has grown significantly since the GDPR’s introduction. The same goes for companies, with widespread investment and efforts to improve compliance.

On the other hand, there are still many critical issues, especially in the e-commerce sector. Based on the data that emerged from our analyses of the hundreds of Italian e-commerce sites that we have supported as Legal for Digital, we estimate that only 30% are fully compliant with the GDPR. This means that seven out of ten e-commerce sites still have gaps or irregularities in how they handle users’ personal data, which exposes them to serious penalties and reputational damage.

In our experience as a law firm specialised in digital law, e-commerce sites, especially small and medium-sized ones, often struggle to manage privacy obligations either because they lack the resources and internal skills or because they underestimate the risks. Unsurprisingly, the Italian Privacy Authority has imposed sanctions against well-known e-commerce brands in recent years. Just to cite a few striking examples:

- In 2021, a well-known food delivery platform was fined €2.6 million for unlawful use of rider data.

- In July 2021, the Italian data protection authority hit a well-known internet marketplace with a €746 million fine for violating GDPR rules on the processing of personal data for marketing purposes without user consent.

- In December 2021, the Italian authority issued a famous clothing brand a €5 million fine for improperly managing personal data for direct marketing purposes. Violations included excessive use of data and the lack of an adequate legal basis for data processing.

- In January 2022, the Italian data protection authority imposed a €2 million fine on a company that operates a well-known online marketplace for failing to comply with users’ requests to delete their personal data and for using inadequate methods to verify the identity of users who requested access to their personal data.

But potential customers are not the only ones affected by violations. One prominent clothing brand was sanctioned in Germany with a fine of over €35 million for illegally processing the personal data of its employees. This precedent shows how GDPR compliance requires a full-spectrum approach, one that deals with the personal data processing of both users/consumers and employees/contractors.

Although the GDPR has increased awareness of privacy issues, we are still seeing compliance failures in the e-commerce sector. Not only does this expose a business to fines, but it can also undermine consumer confidence and business performance. Based on the projects we have overseen, we estimate that a fully compliant online store can improve its conversion rate by up to 15%. A lack of attention to privacy matters, on the other hand, tends to increase distrust, cart abandonment, and failed purchases.

We still have a long way to go before fully seizing the opportunities of the GDPR in online commerce, but some best practices are emerging. Industry operators must do more than just formally comply by truly integrating data protection into their business processes and customer journeys. This is the only way an e-commerce site can strengthen customer confidence and continue to grow sustainably.

What still gets overlooked by online store operators?

Our audits of e-commerce sites to help them become compliant have uncovered some recurring critical issues.

For example, the use of cookies is often underestimated. We continue to see many e-commerce sites install cookies, especially for analytics and profiling, without sufficiently informing users or, worse still, without telling them at all. Others collect consent for the use of non-technical cookies in non-compliant ways like scrolling the page or continuing navigation. The GDPR and Italian data protection guidelines require free, specific, informed, and unequivocal consent, acquired through a positive act like clicking on the relevant box.
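As an added illustration of the point above (this is not code from the interview or from Legal for Digital), the following JavaScript sketches a consent gate in which non-technical cookies can only be written after an affirmative click, never after a scroll or continued navigation, and in which every decision is recorded so the site owner can later show how consent was obtained. The `ConsentManager` class, the category and event names, and the cookie names and values are all assumptions constructed for the example; the cookie store is an in-memory stand-in for `document.cookie` so the code runs offline.

```javascript
// Added example, not part of the interview: a small consent gate that shows
// the difference between consent inferred from scrolling (non-compliant) and
// consent given by an affirmative act such as clicking "Accept".
// ConsentManager, the category names and the event names are assumptions.

const TECHNICAL = 'technical';   // strictly necessary cookies: no consent needed
const ANALYTICS = 'analytics';   // non-technical: consent required
const PROFILING = 'profiling';   // non-technical: consent required

// Only events that are an unambiguous, affirmative act may grant consent.
// Scrolling or continuing to browse are deliberately NOT in this set.
const AFFIRMATIVE_ACTS = new Set(['accept_click']);

class ConsentManager {
  constructor(policyVersion) {
    this.policyVersion = policyVersion;      // which cookie policy text the user saw
    this.granted = new Set([TECHNICAL]);     // technical cookies are always allowed
    this.records = [];                       // evidence of how consent was (or was not) given
    this.cookies = new Map();                // stand-in for document.cookie (offline)
  }

  // Called by the banner for every user interaction it observes.
  // Returns true only if the event actually granted consent.
  handleEvent(event, categories) {
    const affirmative = AFFIRMATIVE_ACTS.has(event);
    const granted = affirmative ? categories.filter((c) => c !== TECHNICAL) : [];
    for (const c of granted) this.granted.add(c);
    // Record every decision, refused ones included, so the controller can
    // later show which categories were accepted and under which policy text.
    this.records.push({ event, granted, policyVersion: this.policyVersion, at: Date.now() });
    return affirmative;
  }

  // Withdrawal has to be as easy as giving consent: one call drops the
  // category and removes the cookies that were set under it.
  withdraw(category) {
    if (category === TECHNICAL) return false;
    this.granted.delete(category);
    for (const [name, c] of this.cookies) if (c.category === category) this.cookies.delete(name);
    this.records.push({ event: 'withdraw', granted: [], withdrawn: category,
                        policyVersion: this.policyVersion, at: Date.now() });
    return true;
  }

  // The only path that writes a cookie: its category must have been granted.
  setCookie(name, value, category) {
    if (!this.granted.has(category)) return false;
    this.cookies.set(name, { value, category });
    return true;
  }
}

// Pattern seen in audits: treating a scroll as consent. Behind the gate above
// it never results in a non-technical cookie being written.
function scrollBasedConsent(mgr) {
  mgr.handleEvent('scroll', [ANALYTICS, PROFILING]);
  return mgr.setCookie('_ga_demo', 'GA1.1.constructed', ANALYTICS);   // false
}

// Compliant pattern: a click on an "Accept analytics" box grants exactly that
// category; profiling stays blocked until it is separately accepted.
function clickBasedConsent(mgr) {
  mgr.handleEvent('accept_click', [ANALYTICS]);
  return {
    analytics: mgr.setCookie('_ga_demo', 'GA1.1.constructed', ANALYTICS),   // true
    profiling: mgr.setCookie('_fbp_demo', 'fb.1.constructed', PROFILING),   // false
  };
}

function demo() {
  const mgr = new ConsentManager('cookie-policy-v1');
  const viaScroll = scrollBasedConsent(mgr);
  const viaClick = clickBasedConsent(mgr);
  mgr.withdraw(ANALYTICS);                        // removes _ga_demo again
  return {
    viaScroll,                                    // false
    viaClick,                                     // { analytics: true, profiling: false }
    cookiesAfterWithdrawal: [...mgr.cookies.keys()],   // []
    records: mgr.records.length,                  // 3: scroll, accept_click, withdraw
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is that `setCookie` is the only write path and checks the granted set itself, so a tag manager or analytics snippet wired through it cannot drop a profiling cookie "by accident" before the user has clicked; the records array is what an auditor would ask for when checking that consent was specific and affirmative.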

Another critical area is the management of relationships with data processors, i.e., external suppliers that process personal data on behalf of e-commerce sites such as logistics and shipping companies, cloud platforms, newsletter services, and tools for analytics and retargeting. In this case, the main problem is the lack of a specific contract or documented instructions, in violation of Article 28 of the GDPR.

Another often-overlooked issue is the management of data collected through the e-commerce site within a company’s CRM systems. Where does this data end up? On an internal or external CRM? In the latter case, is the supplier based in the European Union or elsewhere like the United States? Can it guarantee full compliance with the GDPR? Though CRM platforms are technologically advanced, many were not designed for the European market, which means there could be structural deficiencies in the management of consent and the privacy-by-design mechanisms required by the GDPR. The e-commerce site, in the person of the data controller, must ensure that these tools are correctly configured and compliant. One way to do this is by setting the fields and processing flows so they comply with the key principles of the European legislation, but this requires interdisciplinary skills and a close collaboration between legal, IT, and marketing.

Many online merchants still think of data protection as a mere formal requirement under the purview of the legal or IT departments and unrelated to business strategy. This approach not only exposes them to non-compliance risks but also prevents them from reaping the benefits of proper data protection.

A recent success story for us involves an online furniture store that used a structured privacy-by-design approach to improve user experience, reduce complaints by 30%, and increase conversion rates by 12%. We want stories like this to become the new normal in the Italian e-commerce world.

B2B and GDPR Compliance: are we talking about fake news?

Absolutely. I often hear that “GDPR does not apply to B2B.” But nothing could be further from the truth. While the regulation does concern the data protection of natural persons, personal data also includes business customer data like VAT number, company email, and employee phone numbers, and as such must be processed in accordance with the GDPR.

B2B e-commerce sites are by no means exempt from the obligations. Since they typically deal with a large amount of data from other businesses, they should pay even more attention to privacy issues.

Beyond mere bureaucratic compliance, how important is it to carefully select the payment methods offered on an e-commerce site, and what criteria should be adopted?

The choice of payment method is key but too often is dictated by pricing logic alone without adequate evaluation of privacy and security.

It is often only considered in the final phase when the site design, product pages, automations, and integrations with the CRM have already been defined. This approach is wrong for several reasons.

First, not all payment tools are equal in terms of performance, management costs, and user experience. Some can ensure lower transaction fees, easier merchant-side integration, or a faster, more intuitive customer-side checkout, such as account-to-account solutions, which allow customers to pay directly from their own bank’s online banking. The easier the payment process, the more likely the user will complete the purchase without abandoning the cart.

Then there is the key issue of security. Not all gateways and payment methods ensure the same standards of data protection, fraud prevention, and cash flow management. Although most consumers are not skilled enough to evaluate such aspects in detail, if a problem or a violation occurs, e-commerce site owners must answer for their choices. To avoid this, they must select only reliable, certified tools that meet all technical and regulatory requirements (GDPR and PSD2) and offer adequate protection and advanced security.

Especially when it comes to the GDPR, the payment service provider must be qualified as a processor or sub-processor with contracts guaranteeing confidentiality, limits on the purposes of processing, and security. Site owners should also ensure that providers have a registered office or at least a representative in the European Union so that interested parties can exercise their rights and supervisory authorities can perform checks.

Selecting a payment method cannot be a secondary concern or the last step in the development of an e-commerce site. It must be an integral part of the design, on par with user experience, SEO, and the integration of marketing channels. This is the only way site owners can identify solutions that perform better, are more secure, and can help win customer trust, which converts into sales and turnover.

Here is everything you need for a legally solid e-commerce site in terms of privacy!

An e-commerce site needs the following for privacy compliance:

1. Privacy information that is clear, complete, and always accessible

2. Explicit consent of users acquired where necessary

3. A detailed cookies policy and mechanisms for managing preferences

4. Contracts signed with all data processors

5. A data processing record

6. Proper technical and organisational security measures

7. Procedures for managing data breaches

Important: Do not think of these obligations as just an extra cost and a hassle. They give e-commerce site owners the chance to improve customer trust, which boosts performance and turnover. Privacy is not antithetical to business; it is a bedrock. We have the data to prove it. The e-commerce sites that have invested solidly in GDPR compliance have up to 20% higher conversion rates than the average. In an increasingly competitive market, a company’s approach to privacy can make the difference.

21 May 2024
