Protection of e-commerce customer data: GDPR compliance
Certyneo
Editor, Certyneo · About Certyneo

Introduction
The protection of customer data constitutes a major strategic issue for any e-commerce player. Since the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, merchant sites, mobile sales applications and marketplaces must respect a strict legal framework under penalty of sanctions of up to 20 million euros or 4% of annual global turnover. Beyond the regulatory constraint, GDPR compliance represents a real lever of customer confidence: 87% of European consumers say they will not buy from a site where they doubt the data security. This pillar article details the concrete obligations of e-retailers in terms of consent, cookies, newsletters and security of payment data.
Consent: cornerstone of GDPR compliance
Consent is one of the six legal bases for processing set out in Article 6 of the GDPR. To be valid, it must meet four cumulative criteria defined in Article 7: it must be freely given, specific, informed and unambiguous. In the e-commerce context, this means that a user's consent cannot be made a condition of purchasing a product (freedom of consent), and that the user must be able to consent separately to each purpose (marketing profiling, sharing with partners, newsletter, etc.).
The CNIL has considerably strengthened its requirements since 2020 with its guidelines on cookies and trackers. The “Accept all” button must now be accompanied by a “Refuse all” button of equivalent accessibility and visibility. Pre-checked boxes are strictly prohibited (CJEU Planet49 judgment, October 1, 2019). E-merchants must also retain time-stamped proof of consent for the duration of processing, and must make withdrawing consent as easy as giving it.
Management of cookies and trackers on merchant sites
E-commerce sites use on average 40 to 60 third-party cookies: analytics, advertising retargeting, social networks, chatbots, A/B testing. Article 82 of the amended Data Protection Act requires prior consent for any tracker not strictly necessary for the operation of the service. Only shopping cart, authentication session, and load balancing cookies are exempt.
Setting up a compliant Consent Management Platform (CMP) has become essential. It must let the visitor make granular choices: acceptance by purpose (audience measurement, personalization, targeted advertising) and by recipient. Fines have multiplied: Google (€150M), Amazon (€35M) and Facebook (€60M) were sanctioned in 2022 for the lack of a refusal button as accessible as the accept button.
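As an added illustration (not code from this article or from Certyneo), the following Node.js sketch models the consent requirements of the two sections above: per-purpose choices with nothing pre-ticked, a time-stamped append-only record kept as proof, withdrawal in a single call with the same granularity as the grant, and a gate that lets strictly necessary cookies through while refusing any other tracker that has no recorded consent. Purpose names, cookie names and the policy version are constructed placeholders.

```javascript
// Added example: minimal consent ledger and cookie gate for a merchant site.
// All names below (purposes, cookie names, policy version) are constructed.

// Strictly necessary cookies: exempt from consent (cart, auth session, load balancing).
const EXEMPT_COOKIES = new Set(['cart', 'session_id', 'lb_affinity']);

// Every non-essential tracker is mapped to the purpose it serves (constructed catalogue).
const COOKIE_PURPOSE = {
  _ga: 'analytics',
  _fbp: 'advertising',
  ab_variant: 'ab_testing',
  chat_uid: 'chatbot',
};

// Purposes a visitor can accept or refuse independently.
const PURPOSES = ['analytics', 'advertising', 'ab_testing', 'chatbot', 'newsletter'];

class ConsentLedger {
  // `clock` is injectable so the time stamp can be fixed in tests.
  constructor(policyVersion, clock = () => new Date()) {
    this.policyVersion = policyVersion;
    this.clock = clock;
    this.events = []; // append-only: each entry is a time-stamped proof of a choice
  }

  // choices: {purpose: boolean}. Any purpose not explicitly set to true is
  // treated as refused, which rules out pre-ticked defaults.
  record(visitorId, choices, source) {
    for (const p of Object.keys(choices)) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    const normalised = Object.fromEntries(PURPOSES.map(p => [p, choices[p] === true]));
    const event = {
      visitorId,
      choices: normalised,
      policyVersion: this.policyVersion, // which wording the visitor saw
      source,                            // e.g. 'banner', 'preferences', 'withdraw'
      at: this.clock().toISOString(),    // time stamp kept as proof
    };
    this.events.push(event);
    return event;
  }

  acceptAll(visitorId) {
    return this.record(visitorId, Object.fromEntries(PURPOSES.map(p => [p, true])), 'accept_all');
  }

  refuseAll(visitorId) {
    return this.record(visitorId, {}, 'refuse_all');
  }

  // Withdrawal is one call per purpose: the same granularity as the grant.
  withdraw(visitorId, purpose) {
    const current = this.current(visitorId);
    return this.record(visitorId, { ...current, [purpose]: false }, 'withdraw');
  }

  // Latest recorded choice wins; a visitor with no record has consented to nothing.
  current(visitorId) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      if (this.events[i].visitorId === visitorId) return this.events[i].choices;
    }
    return Object.fromEntries(PURPOSES.map(p => [p, false]));
  }

  // Full history for one visitor: what a supervisory authority would ask to see.
  proofFor(visitorId) {
    return this.events.filter(e => e.visitorId === visitorId);
  }
}

// Decide, before setting a cookie, whether the visitor's current consent allows it.
function mayPlaceCookie(ledger, visitorId, cookieName) {
  if (EXEMPT_COOKIES.has(cookieName)) return true; // strictly necessary
  const purpose = COOKIE_PURPOSE[cookieName];
  if (!purpose) return false;                      // uncatalogued tracker: deny by default
  return ledger.current(visitorId)[purpose] === true;
}

// Small walk-through: accept analytics only, then withdraw it.
function demo() {
  const ledger = new ConsentLedger('privacy-policy-v3');
  ledger.record('visitor-42', { analytics: true }, 'banner');
  const gaBefore = mayPlaceCookie(ledger, 'visitor-42', '_ga');   // true
  const fbp = mayPlaceCookie(ledger, 'visitor-42', '_fbp');       // false: advertising refused
  ledger.withdraw('visitor-42', 'analytics');
  const gaAfter = mayPlaceCookie(ledger, 'visitor-42', '_ga');    // false
  return { gaBefore, fbp, gaAfter, proofEntries: ledger.proofFor('visitor-42').length };
}

console.log(demo());
```

The gate defaults to refusal for any cookie that is neither exempt nor catalogued, so a tag added without a declared purpose fails closed rather than silently tracking the visitor.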
Newsletter and commercial prospecting: rigorous opt-in
The sending of newsletters and promotional emails falls under Article L.34-5 of the Postal and Electronic Communications Code, which transposes the ePrivacy directive. The rule is explicit prior opt-in for individual prospects (B2C). A notable exception exists for customers who have already made a purchase: prospecting is authorized for similar products or services, provided that they were informed at the time of collection and can object to each mailing.
Concretely, the box “I would like to receive commercial offers from [brand]” must be unchecked by default and distinct from acceptance of the T&Cs. Each email must include a working one-click unsubscribe link, the identity of the sender and a valid contact address.
Securing payment data
The processing of banking data falls under both the GDPR (Article 32 on security) and the PCI-DSS standard (Payment Card Industry Data Security Standard). E-merchants should favor tokenization via a PCI-DSS Level 1 certified payment service provider (PSP), thus avoiding direct storage of card numbers. Strong customer authentication (3D Secure v2) has been mandatory since May 15, 2021 under the PSD2 directive (DSP2).
Retaining the card security code (CVV) after the transaction is strictly prohibited. Card numbers may only be kept, with the customer's express consent, to facilitate subsequent purchases (CNIL deliberation no. 2018-303).
Conclusion
GDPR compliance in e-commerce is not just a legal checklist: it structures the entire digital customer relationship. Between granular consent, cookie management, rigor in prospecting and secure payments, e-retailers must adopt a “privacy by design” approach when designing their journeys. This approach, far from being a commercial obstacle, becomes a differentiating argument in a market where digital trust conditions the conversion rate and loyalty.