
Customer data protection in e-commerce: GDPR compliance

GDPR compliance for e-commerce businesses: privacy policy, cookie consent, data security and electronically signed supplier contracts.

Certyneo Team · 4 min read


Introduction

Customer data protection is a major strategic issue for any e-commerce player. Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, online retailers, mobile sales applications and marketplaces must comply with a strict legal framework under penalty of fines of up to 20 million euros or 4% of annual worldwide turnover. Beyond regulatory compliance, GDPR compliance represents a genuine lever of customer trust: 87% of European consumers state they will not purchase from a site if they doubt the security of their data. This pillar article details the concrete obligations of e-commerce businesses regarding consent, cookies, newsletters and payment data security.

Consent constitutes one of the six legal bases for processing provided for in Article 6 of the GDPR. To be valid, it must meet four cumulative criteria defined in Article 7: it must be free, specific, informed and unambiguous. In the e-commerce context, this means that an internet user cannot have their consent conditioned on the purchase of a product (principle of freedom), and they must be able to consent separately to each purpose (marketing profiling, sharing with partners, newsletters, etc.).

The CNIL has considerably strengthened its requirements since 2020 with its guidelines on cookies and trackers. The "Accept all" button must now be accompanied by a "Refuse all" button with equivalent accessibility and visibility. Pre-ticked boxes are strictly prohibited (CJEU ruling Planet49, 1 October 2019). E-commerce businesses must also retain time-stamped evidence of consent for the entire duration of processing, and allow withdrawal to be as straightforward as granting consent.

E-commerce sites use an average of 40 to 60 third-party cookies: analytics, advertising retargeting, social networks, chatbots, A/B testing. Article 82 of the amended Computer and Freedoms Act requires prior consent for any tracker that is not strictly necessary for the service to function. Only shopping-basket cookies, authentication-session cookies and load-balancing cookies benefit from an exemption.

The implementation of a compliant Consent Management Platform (CMP) has become essential. It must allow the visitor granularity in their choices: acceptance by purpose (audience measurement, personalisation, targeted advertising) and by recipient. Fines are pouring in: Google (€150M), Amazon (€35M), Facebook (€60M) in 2022 for failing to provide a refusal button as accessible as the acceptance button.
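The consent requirements above (no pre-ticked boxes, choices by purpose and by recipient, time-stamped evidence kept for the life of the processing, withdrawal as easy as granting, and an exemption for basket, session and load-balancing cookies) translate into a small consent ledger on the CMP back end. The following is an added illustration, not code from the article or from Certyneo; the purpose names, the tracker catalogue, the vendor names and the visitor identifier are constructed for the example.

```python
"""Added example (not from the article): a minimal consent ledger for a CMP back end.

Every choice is appended as a time-stamped event, so the evidence trail survives
later changes; the current state is the latest event per (purpose, recipient);
anything never decided counts as refused (the no-pre-ticked-box rule); trackers
are released only when exempt or when that exact purpose/recipient pair was granted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Purposes separated in the banner; the names are this example's assumption.
PURPOSES = ("audience_measurement", "personalisation", "targeted_advertising")

# Constructed tracker catalogue. Exempt trackers are the strictly-necessary ones
# the article lists (basket, authentication session, load balancing); every other
# tracker names the purpose it serves and the recipient it sends data to.
TRACKERS = {
    "cart_session":   {"purpose": None, "recipient": "first_party", "exempt": True},
    "auth_session":   {"purpose": None, "recipient": "first_party", "exempt": True},
    "lb_affinity":    {"purpose": None, "recipient": "first_party", "exempt": True},
    "analytics_js":   {"purpose": "audience_measurement", "recipient": "AnalyticsCo", "exempt": False},
    "reco_engine":    {"purpose": "personalisation", "recipient": "RecoCo", "exempt": False},
    "retarget_pixel": {"purpose": "targeted_advertising", "recipient": "AdNetwork", "exempt": False},
}


@dataclass(frozen=True)
class ConsentEvent:
    recorded_at: str   # ISO-8601 UTC timestamp: the time-stamped evidence
    purpose: str
    recipient: str
    granted: bool
    source: str        # which banner/settings screen produced the choice


@dataclass
class ConsentLedger:
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def _record(self, visitor: str, purpose: str, recipient: str, granted: bool, source: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ev = ConsentEvent(datetime.now(timezone.utc).isoformat(), purpose, recipient, granted, source)
        self.events.setdefault(visitor, []).append(ev)   # append-only: nothing is overwritten
        return ev

    def grant(self, visitor: str, purpose: str, recipient: str, source: str = "banner") -> ConsentEvent:
        return self._record(visitor, purpose, recipient, True, source)

    def refuse(self, visitor: str, purpose: str, recipient: str, source: str = "banner") -> ConsentEvent:
        return self._record(visitor, purpose, recipient, False, source)

    def withdraw_all(self, visitor: str, source: str = "privacy_settings") -> None:
        # One call withdraws everything, mirroring a single "Refuse all" button.
        for tracker in TRACKERS.values():
            if not tracker["exempt"]:
                self._record(visitor, tracker["purpose"], tracker["recipient"], False, source)

    def state(self, visitor: str) -> Dict[Tuple[str, str], bool]:
        # Latest event per (purpose, recipient) wins; absent pairs are refused.
        current: Dict[Tuple[str, str], bool] = {}
        for ev in self.events.get(visitor, []):
            current[(ev.purpose, ev.recipient)] = ev.granted
        return current

    def has_consent(self, visitor: str, purpose: str, recipient: str) -> bool:
        return self.state(visitor).get((purpose, recipient), False)

    def allowed_trackers(self, visitor: str) -> List[str]:
        # Exempt trackers always load; the rest need consent for their exact pair.
        return sorted(
            name for name, t in TRACKERS.items()
            if t["exempt"] or self.has_consent(visitor, t["purpose"], t["recipient"])
        )

    def evidence(self, visitor: str) -> List[ConsentEvent]:
        # The full time-stamped trail, kept for as long as the processing lasts.
        return list(self.events.get(visitor, []))


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(ledger.allowed_trackers("visitor-1"))          # only the exempt cookies
    ledger.grant("visitor-1", "audience_measurement", "AnalyticsCo")
    print(ledger.allowed_trackers("visitor-1"))          # analytics_js now released
    ledger.withdraw_all("visitor-1")
    print(ledger.allowed_trackers("visitor-1"))          # back to the exempt set
    for ev in ledger.evidence("visitor-1"):
        print(ev)
```

The point of keying consent on the (purpose, recipient) pair rather than on a single "accepted" flag is that a grant for audience measurement never releases the retargeting pixel, and a refusal of one vendor never has to be inferred from another's state.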

Newsletters and commercial prospecting: rigorous opt-in

The sending of newsletters and promotional emails falls under Article L.34-5 of the Postal and Electronic Communications Code, transposing the ePrivacy Directive. The principle is explicit prior opt-in for individual prospects (B2C). A notable exception exists for customers who have already made a purchase: prospecting is authorised for similar products or services, provided that they have been informed at the time of collection and can object to each sending.

Concretely, the "I wish to receive commercial offers from [brand]" box must be unchecked by default and distinct from acceptance of the Terms and Conditions. Each email must include a functional one-click unsubscribe link, the identity of the sender and a valid contact address.

Securing payment data

The processing of banking data is governed by both the GDPR (Article 32 on security) and the PCI-DSS standard (Payment Card Industry Data Security Standard). E-commerce businesses should prioritise tokenisation via a PCI-DSS Level 1 certified payment service provider (PSP), thus avoiding direct storage of card numbers. Strong authentication (3D Secure v2) has been mandatory since 15 May 2021 in application of the DSP2 Directive.

Storing the card security code (CVV) after the transaction is formally prohibited. Card numbers may only be retained, with the customer's express consent, to facilitate future purchases (CNIL deliberation no. 2018-303).
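The two rules above (tokenise through the PSP instead of storing card numbers, never keep the CVV, and retain the token for future purchases only with express consent) are easiest to enforce at the single point where the back end builds the record it persists. The following is an added illustration, not code from the article, from Certyneo or from any PSP; the PSP response fields, the forbidden field names and the sample values are constructed assumptions.

```python
"""Added example (not from the article): build the only payment record an
e-commerce back end should persist once the PSP has tokenised the card.

The function refuses any field that carries the PAN or the security code,
catches a PAN hidden under an innocent field name with a Luhn check, keeps
only the token, the last four digits, the expiry and the scheme, and stores
the reusable token only when the customer expressly consented to retention.
"""
import re
from typing import Any, Dict

# Constructed list of field names that must never reach storage after authorisation.
FORBIDDEN_AFTER_AUTH = {"card_number", "pan", "cvv", "cvc", "cvv2", "security_code"}

# A PAN is 13 to 19 digits; the "last4" field is too short to match.
PAN_RE = re.compile(r"^\d{13,19}$")


def looks_like_pan(value: Any) -> bool:
    """Return True if value is a digit string of PAN length that passes the Luhn check."""
    s = str(value).replace(" ", "")
    if not PAN_RE.match(s):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_stored_payment(psp_response: Dict[str, Any], retain_consent: bool) -> Dict[str, Any]:
    """Build the persistable record from a (constructed) PSP tokenisation response.

    psp_response is assumed to carry: transaction_id, token, last4, expiry, scheme.
    retain_consent is the customer's express opt-in to keep the card on file.
    """
    for key, value in psp_response.items():
        if key.lower() in FORBIDDEN_AFTER_AUTH:
            raise ValueError(f"refusing to persist forbidden field: {key}")
        if looks_like_pan(value):
            raise ValueError(f"field {key!r} holds a card-number-like value")

    record: Dict[str, Any] = {
        "transaction_id": psp_response["transaction_id"],
        "last4": psp_response["last4"],     # permitted for receipts and display
        "expiry": psp_response["expiry"],
        "scheme": psp_response.get("scheme"),
    }
    if retain_consent:
        # Only the PSP token is kept, and only because the customer opted in.
        record["psp_token"] = psp_response["token"]
        record["token_retention_consent"] = True
    return record


if __name__ == "__main__":
    # Constructed PSP response for a one-off purchase.
    resp = {"transaction_id": "txn_example_1", "token": "tok_example_abc",
            "last4": "4242", "expiry": "12/27", "scheme": "visa"}
    print(build_stored_payment(resp, retain_consent=False))
    print(build_stored_payment(resp, retain_consent=True))
    try:
        build_stored_payment({**resp, "cvv": "123"}, retain_consent=True)
    except ValueError as exc:
        print("rejected:", exc)
```

Putting the check on the record builder rather than on the form handler means a PAN or CVV that arrives through a different route (a webhook payload, a support tool, a bulk import) is still stopped before it is written anywhere.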

Conclusion

GDPR compliance in e-commerce is not just a legal checklist: it structures the entire digital customer relationship. Between granular consent, cookie management, rigour in prospecting and payment security, e-commerce businesses must adopt a "privacy by design" approach from the outset of their customer journeys. This approach, far from being a commercial brake, becomes a differentiating argument in a market where digital trust determines conversion rate and customer loyalty.
