Customer Data Protection in E-commerce: GDPR Compliance

GDPR compliance for e-commerce businesses: privacy policy, cookie consent, data security and electronically signed supplier contracts.

Certyneo Team · 4 min read

Introduction

Customer data protection is a major strategic issue for any e-commerce player. Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, e-commerce sites, mobile sales applications and marketplaces must comply with a strict legal framework on pain of sanctions that can reach 20 million euros or 4% of annual global turnover. Beyond regulatory constraints, GDPR compliance represents a genuine lever for customer trust: 87% of European consumers state they will not purchase from a site if they doubt the security of their data. This pillar article details the concrete obligations of e-commerce businesses regarding consent, cookies, newsletters and securing payment data.

Consent is one of six legal bases for processing provided for in Article 6 of the GDPR. To be valid, it must meet four cumulative criteria defined in Article 7: it must be freely given, specific, informed and unambiguous. In the e-commerce context, this means that an internet user cannot have their consent conditioned upon purchasing a product (principle of freedom), and they must be able to consent separately to each purpose (marketing profiling, sharing with partners, newsletter, etc.).

The CNIL has significantly strengthened its requirements since 2020 with its guidelines on cookies and trackers. The "Accept All" button must now be accompanied by a "Reject All" button with equivalent accessibility and visibility. Pre-ticked boxes are strictly prohibited (CJEU ruling Planet49, 1 October 2019). E-commerce businesses must also retain time-stamped proof of consent for the entire duration of processing, and make withdrawal as simple as the initial grant.

Managing Cookies and Trackers on E-commerce Sites

E-commerce sites use an average of 40 to 60 third-party cookies: analytics, advertising retargeting, social networks, chatbots, A/B testing. Article 82 of the amended Data Protection and Freedom Act requires prior consent for any tracker that is not strictly necessary for the service to function. Only shopping basket, authentication session and load balancing cookies are exempt.

Implementing a compliant Consent Management Platform (CMP) has become essential. It must allow the visitor granularity in their choices: acceptance by purpose (audience measurement, personalisation, targeted advertising) and by recipient. Sanctions are raining down: Google (150M€), Amazon (35M€), Facebook (60M€) in 2022 for failing to provide a reject button as accessible as the accept button.
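The consent rules above (no pre-ticked choices, one choice per purpose, time-stamped proof, withdrawal as easy as the grant, and the exemption for strictly necessary cookies) can be encoded directly in the CMP's consent store. The following is an added example, not Certyneo's or any CMP vendor's code; the purpose names and the visitor id are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Trackers the article lists as exempt from prior consent (strictly necessary
# for the service): they may always be set.
EXEMPT_PURPOSES = {"shopping_basket", "auth_session", "load_balancing"}
# Purposes that each need a separate opt-in (constructed names for this example).
CONSENT_PURPOSES = {"audience_measurement", "personalisation",
                    "targeted_advertising", "newsletter"}


@dataclass
class ConsentRecord:
    """Time-stamped proof of consent for one visitor, one entry per purpose."""
    visitor_id: str
    # Every consent purpose starts as False: no pre-ticked boxes (Planet49).
    choices: dict = field(default_factory=lambda: {p: False for p in CONSENT_PURPOSES})
    # Append-only history kept for the whole duration of processing.
    history: list = field(default_factory=list)

    def _log(self, action, purposes):
        self.history.append({"at": datetime.now(timezone.utc).isoformat(),
                             "action": action, "purposes": sorted(purposes)})

    def grant(self, purposes):
        """Grant consent for an explicit subset of purposes (granular opt-in)."""
        unknown = set(purposes) - CONSENT_PURPOSES
        if unknown:
            raise ValueError(f"unknown purpose(s): {sorted(unknown)}")
        for p in purposes:
            self.choices[p] = True
        self._log("grant", purposes)

    def withdraw(self, purposes=None):
        """Withdraw consent with a single call, for any subset or for everything."""
        purposes = set(purposes) if purposes is not None else set(CONSENT_PURPOSES)
        for p in purposes:
            self.choices[p] = False
        self._log("withdraw", purposes)

    def reject_all(self):
        """The 'Reject All' button: one action, same effort as 'Accept All'."""
        self.withdraw()


def may_set_tracker(record, purpose):
    """Gate every tracker on the visitor's recorded choice; exempt ones pass."""
    if purpose in EXEMPT_PURPOSES:
        return True
    return record.choices.get(purpose, False)
```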

Newsletters and Commercial Prospecting: Rigorous Opt-in

Sending newsletters and promotional emails falls under Article L.34-5 of the Postal and Electronic Communications Code, transposing the ePrivacy Directive. The principle is explicit prior opt-in for individual prospects (B2C). A notable exception exists for customers who have already made a purchase: prospecting is permitted for similar products or services, provided they were informed at the time of collection and can object to each send.

In practice, the "I wish to receive commercial offers from [brand]" box must be unchecked by default and distinct from acceptance of the Terms and Conditions. Each email must contain a functional one-click unsubscribe link, the identity of the sender and a valid contact address.

Securing Payment Data

The processing of banking data falls under both the GDPR (Article 32 on security) and the PCI-DSS standard (Payment Card Industry Data Security Standard). E-commerce businesses should favour tokenisation via a payment service provider (PSP) certified at PCI-DSS level 1, thus avoiding direct storage of card numbers. Strong authentication (3D Secure v2) has been mandatory since 15 May 2021 pursuant to the DSP2 Directive.

Retention of the card security code (CVV) is formally prohibited after the transaction. Card numbers may only be retained with explicit consent to facilitate future purchases (CNIL decision no. 2018-303).
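A practical safeguard for the two rules above is a pre-persistence check that refuses any order record carrying a raw card number or a CVV, and requires the PSP token instead. This is an added example, not Certyneo's or any PSP's code; the field names (`payment_token`, `cvv`, `card_number`) and the sample records are constructed.

```python
import re

# Field names for card data the merchant must never persist (constructed names).
FORBIDDEN_FIELDS = {"cvv", "cvc", "card_number", "pan"}
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits):
    """Luhn check: separates a real card number from an arbitrary digit run."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_leaks(value):
    """Return Luhn-valid card-number-shaped sequences found in free text."""
    return [m.group() for m in PAN_PATTERN.finditer(value)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]


def validate_order_record(record):
    """Return the list of violations; an empty list means the record may be stored.

    Rejects forbidden fields (CVV, raw PAN), card numbers hiding in other text
    fields (notes, addresses), and records that lack the PSP token that should
    stand in for the card number.
    """
    violations = []
    for key, val in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            violations.append(f"forbidden field stored: {key}")
        if isinstance(val, str) and find_pan_leaks(val):
            violations.append(f"card number found in field: {key}")
    if "payment_token" not in record:
        violations.append("missing payment_token from PSP")
    return violations
```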

Conclusion

GDPR compliance in e-commerce is not about ticking boxes on a legal checklist: it structures the entire digital customer relationship. Between granular consent, cookie management, rigour in prospecting and payment security, e-commerce businesses must adopt a "privacy by design" approach from the outset of their customer journey design. This approach, far from being a commercial brake, becomes a differentiating argument in a market where digital trust determines conversion rates and customer loyalty.
