
Customer Data Protection in E-Commerce: GDPR Compliance

GDPR compliance for e-commerce businesses: privacy policy, cookie consent, data security and electronically signed supplier contracts.

Certyneo Team · 4 min read

Introduction

Customer data protection is a major strategic issue for any e-commerce player. Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, online stores, mobile sales applications and marketplaces must comply with a strict legal framework under penalty of sanctions that can reach 20 million euros or 4% of annual global turnover. Beyond regulatory constraint, GDPR compliance represents a genuine lever for customer trust: 87% of European consumers state they will not buy from a site whose data security they doubt. This pillar article details the concrete obligations of e-commerce businesses regarding consent, cookies, newsletters and payment data security.

Consent is one of the six legal bases for processing provided for in Article 6 of the GDPR. To be valid, it must meet four cumulative criteria defined in Article 7: it must be freely given, specific, informed and unambiguous. In the e-commerce context, this means that consent cannot be made a condition of purchasing a product (the "freely given" criterion), and the user must be able to consent separately to each purpose (marketing profiling, sharing with partners, newsletter, etc.).

The CNIL has considerably strengthened its requirements since 2020 with its guidelines on cookies and trackers. The "Accept All" button must now be accompanied by a "Refuse All" button of equivalent accessibility and visibility. Pre-ticked boxes are strictly prohibited (CJEU ruling Planet49, 1 October 2019). E-commerce businesses must also retain time-stamped proof of consent for the entire duration of the processing, and withdrawing consent must be as simple as granting it.

E-commerce sites use an average of 40 to 60 third-party cookies: analytics, advertising retargeting, social networks, chatbots, A/B testing. Article 82 of the amended Data Protection and Freedoms Act requires prior consent for any tracker that is not strictly necessary for the operation of the service. Only shopping cart cookies, authentication session cookies and load balancing cookies are exempt.

Implementing a compliant Consent Management Platform (CMP) has become essential. It must give the visitor granular choices: acceptance by purpose (audience measurement, personalisation, targeted advertising) and by recipient. Sanctions are pouring in: Google (€150M), Amazon (€35M) and Facebook (€60M) were fined in 2022 for failing to provide a refusal button as accessible as the acceptance button.
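The consent rules above (no pre-ticked purposes, a refusal path as easy as acceptance, time-stamped proof, withdrawal in one step, and an exemption only for strictly necessary cookies) can be expressed as a small consent ledger behind a CMP. This is an added illustration, not Certyneo's code or any real CMP's API; the names `ConsentLedger`, `canSetCookie`, `PURPOSES` and `EXEMPT_COOKIES` and the cookie names are assumptions made for the example.

```javascript
// Added example (not from the original page): a minimal CMP consent ledger.
// Assumed names: PURPOSES, EXEMPT_COOKIES, ConsentLedger, canSetCookie.

// Purposes the CMP exposes, one switch each (granular consent by purpose).
const PURPOSES = ["audience_measurement", "personalisation", "targeted_advertising"];
// Strictly necessary cookies exempt from prior consent (cart, auth session, load balancing).
const EXEMPT_COOKIES = new Set(["cart", "session", "lb"]);

class ConsentLedger {
  // `now` is injectable so the time-stamped proof is reproducible in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.events = []; // append-only, time-stamped proof of every decision
  }
  // Record one explicit decision per purpose. Nothing is pre-ticked: a purpose
  // with no recorded "granted" event is treated as refused.
  record(visitorId, purpose, granted) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.events.push({ visitorId, purpose, granted, at: this.now() });
  }
  // "Accept All" and "Refuse All" are symmetric: one call each.
  acceptAll(visitorId) { for (const p of PURPOSES) this.record(visitorId, p, true); }
  refuseAll(visitorId) { for (const p of PURPOSES) this.record(visitorId, p, false); }
  // Withdrawal is a single call, as simple as granting.
  withdraw(visitorId, purpose) { this.record(visitorId, purpose, false); }
  // The latest event for a purpose decides; absence means no consent.
  hasConsent(visitorId, purpose) {
    const last = [...this.events].reverse()
      .find((e) => e.visitorId === visitorId && e.purpose === purpose);
    return last ? last.granted : false;
  }
  // Full history for a visitor/purpose: the proof kept for the life of the processing.
  proof(visitorId, purpose) {
    return this.events.filter((e) => e.visitorId === visitorId && e.purpose === purpose);
  }
}

// Gate called before any cookie is set. Exempt cookies pass without consent;
// every other tracker needs a declared purpose with current consent.
function canSetCookie(ledger, visitorId, cookieName, purpose) {
  if (EXEMPT_COOKIES.has(cookieName)) return true;
  if (purpose === undefined) return false; // unclassified trackers are never set
  return ledger.hasConsent(visitorId, purpose);
}
```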

Newsletter and commercial prospecting: rigorous opt-in

The sending of newsletters and promotional emails falls under Article L.34-5 of the Postal and Electronic Communications Code, which transposes the ePrivacy Directive. The principle is explicit prior opt-in for private individuals (B2C). A notable exception exists for customers who have already made a purchase: prospecting is authorised for similar products or services, provided they were informed at the time of collection and can opt out in each message.

In concrete terms, the box "I wish to receive commercial offers from [brand]" must be unchecked by default and distinct from the acceptance of Terms and Conditions. Each email must include a one-click functional unsubscribe link, the identity of the sender and a valid contact address.

Securing payment data

The processing of banking data falls under both the GDPR (Article 32 on security) and the PCI-DSS standard (Payment Card Industry Data Security Standard). E-commerce businesses should favour tokenisation via a PCI-DSS Level 1 certified payment service provider (PSP), so that card numbers are never stored directly. Strong customer authentication (3D Secure v2) has been mandatory since 15 May 2021 under the PSD2 (DSP2) Directive.

Retaining the card security code (CVV) after the transaction is formally prohibited. Card numbers may only be retained, to facilitate future purchases, with the customer's explicit consent (CNIL deliberation n°2018-303).

Conclusion

GDPR compliance in e-commerce is not just a legal checklist: it structures the entire digital customer relationship. Between granular consent, cookie management, rigour in prospecting and payment security, e-commerce businesses must adopt a "privacy by design" approach from the conception of their customer journeys. This approach, far from being a commercial brake, becomes a differentiating argument in a market where digital trust determines conversion rate and customer loyalty.
