Customer Data Protection in E-commerce: GDPR Compliance
GDPR compliance for e-merchants: privacy policy, cookie consent, data security and electronically signed supplier contracts.
Certyneo Team
Writer at Certyneo

Introduction
Customer data protection is a major strategic issue for every e-commerce player. Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, merchant sites, mobile sales applications and marketplaces have had to comply with a strict legal framework, on pain of fines that can reach 20 million euros or 4% of annual worldwide turnover. Beyond the regulatory constraint, GDPR compliance is a genuine lever for customer trust: 87% of European consumers say they do not buy from a site whose data security they doubt. This in-depth article details the concrete obligations of e-merchants regarding consent, cookies, newsletters and payment data security.
Consent: cornerstone of GDPR compliance
Consent is one of the six legal bases for processing provided for in Article 6 of the GDPR. To be valid, it must meet four cumulative criteria defined in Article 7: it must be freely given, specific, informed and unambiguous. In the e-commerce context, this means that consent cannot be made a condition of purchasing a product (the freedom criterion), and that the shopper must be able to consent separately to each purpose (marketing profiling, sharing with partners, newsletter, and so on).
The CNIL has considerably tightened its requirements since 2020 with its guidelines on cookies and trackers. The "Accept all" button must now be accompanied by a "Reject all" button of equivalent accessibility and visibility. Pre-ticked boxes are strictly prohibited (CJEU ruling Planet49, October 1, 2019). E-merchants must also retain timestamped proof of consent for as long as the processing lasts, and make withdrawal as simple as the initial grant.
Management of cookies and trackers on merchant sites
E-commerce sites use an average of 40 to 60 third-party cookies: analytics, advertising retargeting, social networks, chatbots, A/B testing. Article 82 of the amended French Data Protection Act (loi Informatique et Libertés) requires prior consent for any tracker that is not strictly necessary for the service to operate. Only shopping cart, authentication session and load balancing cookies are exempt.
Implementing a compliant Consent Management Platform (CMP) has become essential. It must give the visitor granular choices: acceptance by purpose (audience measurement, personalization, targeted advertising) and by recipient. Sanctions have followed: Google (150M€), Amazon (35M€) and Facebook (60M€) were fined in 2022 for failing to provide a rejection button as accessible as the acceptance button.
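The exemption rule above (only cart, authentication session and load balancing cookies may be written before consent, everything else needs consent for its purpose) is easiest to enforce when it is checked against what a first page load actually sets. The following is an added example, not Certyneo's code: it parses a constructed list of Set-Cookie headers as captured on a first visit, classifies each cookie against a small constructed inventory (cookie names and purposes are assumptions for a hypothetical shop), flags trackers written before their purpose was accepted, and also flags a session cookie that lacks the Secure or HttpOnly attributes.

```python
"""Pre-consent cookie audit: classify the Set-Cookie headers observed on a
first page load into exempt (strictly necessary), consent-required and unknown,
and flag trackers written before the matching purpose was accepted.
Added example; not Certyneo's code. Cookie names and purposes are a
constructed inventory for a hypothetical shop."""
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# Cookies the article names as exempt (strictly necessary); names are assumptions.
EXEMPT_COOKIES: Dict[str, str] = {
    "cart_id": "shopping cart",
    "session_id": "authentication session",
    "SERVERID": "load balancing",
}
# Known third-party trackers and the purpose each one needs consent for (constructed).
TRACKER_PURPOSES: Dict[str, str] = {
    "_ga": "audience measurement",
    "_gid": "audience measurement",
    "_fbp": "targeted advertising",
    "ab_variant": "A/B testing",
    "chat_uid": "chatbot",
}
# Constructed sample: headers seen on a first visit, before any consent choice.
SAMPLE_FIRST_LOAD: List[str] = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart_id=c-98765; Path=/; Secure; SameSite=Lax",
    "SERVERID=web03; Path=/",
    "_ga=GA1.2.1234567890.1700000000; Max-Age=63072000; Path=/",
    "_fbp=fb.1.1700000000.987654321; Max-Age=7776000; Path=/",
    "mystery=1; Path=/",
]


class CookieFinding(NamedTuple):
    name: str
    status: str        # "exempt" | "requires_consent" | "unknown"
    purpose: str
    issues: List[str]  # empty when the cookie is compliant as observed


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute map)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_pre_consent_cookies(headers: List[str],
                              consented_purposes: FrozenSet[str] = frozenset()) -> List[CookieFinding]:
    """Classify every cookie and record why it would be a problem at this point of the visit."""
    findings: List[CookieFinding] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        issues: List[str] = []
        if name in EXEMPT_COOKIES:
            status, purpose = "exempt", EXEMPT_COOKIES[name]
            # Exempt from consent, not from security: the auth cookie must be hardened.
            if purpose == "authentication session":
                if "secure" not in attrs:
                    issues.append("missing Secure")
                if "httponly" not in attrs:
                    issues.append("missing HttpOnly")
        elif name in TRACKER_PURPOSES:
            status, purpose = "requires_consent", TRACKER_PURPOSES[name]
            if purpose not in consented_purposes:
                issues.append(f"set without consent for '{purpose}' (Article 82)")
        else:
            status, purpose = "unknown", "unclassified"
            issues.append("not in cookie inventory: classify before release")
        findings.append(CookieFinding(name, status, purpose, issues))
    return findings


def violations(findings: List[CookieFinding]) -> List[str]:
    """Sorted names of cookies with at least one issue."""
    return sorted(f.name for f in findings if f.issues)


if __name__ == "__main__":
    for finding in audit_pre_consent_cookies(SAMPLE_FIRST_LOAD):
        print(finding)
```

Run against the constructed first-load sample, the audit reports the two trackers and the unclassified cookie; once the visitor has accepted "audience measurement" only, `_ga` drops off the list while `_fbp` stays, which is the per-purpose granularity the CMP is supposed to provide.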
Newsletter and commercial prospecting: rigorous opt-in
Sending newsletters and promotional emails falls under Article L.34-5 of the French Postal and Electronic Communications Code, which transposes the ePrivacy Directive. The rule is explicit prior opt-in for individual prospects (B2C). A notable exception applies to customers who have already made a purchase: prospecting is permitted for similar products or services, provided they were informed at the time of collection and can object to each message.
In practice, the checkbox "I wish to receive commercial offers from [brand]" must be unticked by default and separate from acceptance of the Terms and Conditions. Each email must include a one-click unsubscribe link, the sender's identity and a valid contact address.
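The consent requirements from the section above (separate consent per purpose, timestamped proof kept for the life of the processing, withdrawal as easy as the grant) and the prospecting rule from this section (explicit opt-in, or the existing-customer exception for similar products) share one data structure: a per-customer ledger of consent events. The following is an added example, not Certyneo's code; purpose names, field names and the `Customer` model are assumptions. An absent event means no consent, which is how "nothing pre-ticked" looks in data, and `has_consent` accepts a point in time so an auditor can ask what was in force when a given email was sent.

```python
"""Consent ledger: per-purpose, timestamped grants and withdrawals with a
point-in-time proof query, plus the newsletter prospecting rule.
Added example; not Certyneo's code. Purposes and fields are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Union

# Purposes the shopper consents to separately (specific consent).
PURPOSES = {"newsletter", "profiling", "partner_sharing", "targeted_ads"}


def _to_dt(value: Union[None, str, datetime]) -> datetime:
    """Accept a timezone-aware datetime or an ISO-8601 string; default to now (UTC)."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        return datetime.fromisoformat(value)
    return value


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool     # True = grant, False = withdrawal
    at: datetime      # timestamp kept as proof for as long as the processing lasts
    source: str       # where it was collected, e.g. "checkout_form", "unsubscribe_link"


@dataclass
class Customer:
    customer_id: str
    events: List[ConsentEvent] = field(default_factory=list)
    purchased_categories: Set[str] = field(default_factory=set)  # for the similar-products exception
    informed_at_collection: bool = False  # told about prospecting when the address was collected
    objected: bool = False                # has exercised the right to object

    def record(self, purpose: str, granted: bool, source: str,
               at: Union[None, str, datetime] = None) -> None:
        """Append a grant or withdrawal. No event for a purpose means no consent."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.events.append(ConsentEvent(purpose, granted, _to_dt(at), source))

    def current_event(self, purpose: str,
                      at: Union[None, str, datetime] = None) -> Optional[ConsentEvent]:
        """Most recent event for the purpose as of `at` (events are appended in order)."""
        cutoff = _to_dt(at)
        latest = None
        for event in self.events:
            if event.purpose == purpose and event.at <= cutoff:
                latest = event
        return latest

    def has_consent(self, purpose: str, at: Union[None, str, datetime] = None) -> bool:
        event = self.current_event(purpose, at)
        return bool(event and event.granted)

    def proof_of_consent(self, purpose: str,
                         at: Union[None, str, datetime] = None) -> Optional[ConsentEvent]:
        """The timestamped grant in force at `at`, for an audit; None if there is none."""
        event = self.current_event(purpose, at)
        return event if event and event.granted else None


def may_send_marketing(customer: Customer, product_category: str) -> bool:
    """Prospecting rule: explicit opt-in (B2C default), or the existing-customer
    exception for similar products when informed at collection and not objected."""
    if customer.has_consent("newsletter"):
        return True
    return (product_category in customer.purchased_categories
            and customer.informed_at_collection
            and not customer.objected)


def unsubscribe(customer: Customer, source: str = "unsubscribe_link") -> None:
    """One-click unsubscribe: withdraws newsletter consent and records an objection,
    so neither the opt-in path nor the existing-customer exception applies afterwards."""
    customer.record("newsletter", False, source)
    customer.objected = True
```

The withdrawal is stored as a second event rather than by deleting the grant, so the proof that consent existed between the two timestamps survives and a point-in-time query answers correctly for emails sent in that window.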
Payment data security
Processing of card data falls under both the GDPR (Article 32 on security) and the PCI-DSS standard (Payment Card Industry Data Security Standard). E-merchants should favour tokenization through a PCI-DSS Level 1 certified payment service provider (PSP), which avoids storing card numbers themselves. Strong customer authentication (3D Secure v2) has been mandatory since May 15, 2021 under the PSD2 Directive (DSP2).
Retaining the card security code (CVV) after the transaction is strictly prohibited. Card numbers may be retained only with express consent, to facilitate future purchases (CNIL deliberation no. 2018-303).
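What tokenization changes for the merchant's own database is the shape of the record it keeps: a PSP token, the last four digits and the expiry, never the full card number, never the CVV, and the token itself only when the customer has expressly agreed to have the card saved. The following is an added example, not Certyneo's code: `FakePSP` is a constructed stand-in for a PCI-DSS Level 1 provider (not a real PSP API), and `card_data_leaks` is a guard run on any record before persistence that catches a Luhn-valid card number or a CVV-named field slipping into storage. The card number used is the well-known Visa test number.

```python
"""Card data handling via PSP tokenization: the merchant keeps a token, the last
four digits and the expiry, never the PAN, and never the CVV after authorisation.
Added example; not Certyneo's code. FakePSP is a stand-in for a real PCI-DSS
Level 1 PSP and does not model any actual provider's API."""
import re
import secrets
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple

PAN_PATTERN = re.compile(r"\d{12,19}")
CVV_FIELD_NAMES = {"cvv", "cvc", "cvv2", "cvc2", "cryptogram", "security_code"}


def luhn_valid(number: str) -> bool:
    """Luhn check digit as used by card schemes; False for anything under 12 digits."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """12 to 19 digits (spaces/dashes ignored) that also pass Luhn."""
    compact = value.replace(" ", "").replace("-", "")
    return bool(PAN_PATTERN.fullmatch(compact)) and luhn_valid(compact)


def card_data_leaks(record: Dict[str, object]) -> List[str]:
    """Names of fields that would persist a CVV or a full card number."""
    leaks: List[str] = []
    for key, val in record.items():
        if key.lower() in CVV_FIELD_NAMES:
            leaks.append(key)
        elif isinstance(val, str) and looks_like_pan(val):
            leaks.append(key)
    return leaks


class FakePSP:
    """Constructed stand-in for the PSP: receives the card once, returns an opaque token.
    The PAN lives only in the provider's vault; the CVV is used for authorisation and dropped."""

    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str, cvv: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("invalid card number")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("invalid CVV")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (pan, expiry)  # CVV deliberately not stored anywhere
        return token


@dataclass
class StoredPayment:
    """The only payment record the merchant persists."""
    token: Optional[str]   # kept only with express consent to save the card
    last4: str
    expiry: str


def process_checkout(psp: FakePSP, pan: str, expiry: str, cvv: str,
                     save_card_consent: bool = False) -> StoredPayment:
    """Hand the card to the PSP, keep the token only if the customer consented,
    and refuse to persist anything that still contains a PAN or CVV."""
    pan = pan.replace(" ", "").replace("-", "")
    token = psp.tokenize(pan, expiry, cvv)  # the token is used for this authorisation
    record = StoredPayment(token=token if save_card_consent else None,
                           last4=pan[-4:], expiry=expiry)
    leaks = card_data_leaks(asdict(record))
    if leaks:
        raise RuntimeError(f"refusing to persist card data in fields: {leaks}")
    return record
```

The guard is deliberately generic: it inspects whatever dictionary is about to be written, so the same check can sit in front of an order table, a log line or an analytics event, which is where card numbers tend to leak in practice rather than in the payment record itself.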
Conclusion
GDPR compliance in e-commerce is not just a legal checklist: it structures the entire digital customer relationship. Between granular consent, cookie management, rigorous prospecting and payment security, e-merchants must adopt a "privacy by design" approach from the moment they design their customer journey. Far from being a commercial barrier, this approach becomes a differentiator in a market where digital trust determines conversion rate and customer loyalty.