Skills
skills/finsilabs/awesome-ecommerce-skills/gdpr-ecommerce

gdpr-ecommerce

Installation
SKILL.md

GDPR E-commerce

Overview

GDPR (General Data Protection Regulation) requires e-commerce stores serving EU/UK customers to obtain informed consent for data processing, provide data portability (Article 20), support the right to erasure (Article 17), and maintain a lawful basis for every category of personal data processing. Non-compliance carries fines up to €20M or 4% of global annual turnover. All major platforms have GDPR tools built in; the main gaps are cookie consent management and handling Subject Access Requests (SARs).

When to Use This Skill

  • When your store serves customers in the EU, EEA, or UK (UK GDPR)
  • When adding analytics, marketing, or personalization tools that process personal data
  • When a customer submits a Subject Access Request (SAR) or deletion request
  • When reviewing third-party integrations for GDPR compliance
  • When preparing for a data protection audit or DPA (Data Processing Agreement) review

Core Instructions

Step 1: Map your data processing activities

Before configuring any tool, document every category of personal data and its lawful basis. This Register of Processing Activities (RoPA) is required under Article 30 for large processors and recommended for all:

Data Category Lawful Basis Retention Period
Order data (name, address, items) Contract (Art. 6(1)(b)) 7 years (tax law)
Account data (email, password hash) Contract Until account deletion + 30 days
Analytics (page views, session duration) Legitimate interest / Consent 13 months
Marketing emails Consent (Art. 6(1)(a)) Until unsubscribe
Fraud prevention (IP, device fingerprint) Legitimate interest 90 days

Step 2: Implement cookie consent

Shopify

Shopify includes a built-in cookie consent banner via the Privacy & Compliance app (free):

  1. Go to Apps → Shopify Privacy & Compliance (or search in the App Store)
  2. Configure the banner text, position, and which cookie categories to ask about
  3. The app integrates with Shopify's Consent API so that analytics and marketing pixels respect customer choices
  4. Alternatively, install a dedicated CMP (Consent Management Platform) like CookieYes or Cookiebot — both have Shopify app integrations

Enabling consent-aware analytics:

  • For Google Analytics / GA4: use Shopify's Customer Events (Settings → Customer events) which respects consent automatically
  • For custom Pixel tracking: use the Shopify Customer Privacy API to check consent before loading tracking code

WooCommerce

WooCommerce includes basic GDPR features since version 3.4, but cookie consent requires a dedicated plugin.

Install GDPR Cookie Consent (by WebToffee) — free/premium:

  1. Install from the WordPress plugin directory
  2. Go to Cookie Law Info → Settings:
    • Configure the banner text, colors, and button labels
    • Set up cookie categories: Necessary (always on), Analytics, Marketing
    • Map your installed plugins/scripts to categories (Google Analytics → Analytics, Facebook Pixel → Marketing)
  3. The plugin blocks third-party scripts until consent is given

WordPress native GDPR tools:

  • Go to Settings → Privacy to configure your privacy policy page
  • Go to Settings → Privacy → Data Erasure Requests — customers can submit erasure requests from My Account; WordPress generates a confirmation email and you process it manually

BigCommerce

Install CookieYes or Cookiebot from the BigCommerce App Marketplace. Both provide:

  • A GDPR-compliant consent banner
  • Script blocking until consent is given
  • Consent logging for audit purposes

BigCommerce also supports custom cookie consent via the Script Manager (Storefront → Script Manager) — you can add a Cookiebot or CookieYes script globally.

Step 3: Handle Subject Access Requests (SARs)

Under GDPR Article 20, customers have the right to receive all their personal data in a machine-readable format within 30 days.

Shopify

  1. When a customer requests their data, go to their Customer profile in Shopify admin
  2. Click Request data — Shopify generates a data export file containing:
    • Customer profile data
    • Order history
    • Addresses
  3. Shopify emails the download link directly to the customer

Customer privacy settings:

  1. Go to Settings → Customer privacy
  2. Configure data request webhooks — Shopify sends customers/data_request webhooks to all installed apps when a customer requests their data, so apps can also provide their data

WooCommerce

WordPress includes a built-in personal data export tool:

  1. Go to Tools → Export Personal Data
  2. Enter the customer's email address and click Send Request
  3. The customer receives a confirmation email; once they confirm, you see the request in the admin
  4. Click Generate export file — WordPress collects data from WooCommerce and all plugins with data exporters
  5. The customer receives a zip file with their data in a machine-readable format

BigCommerce

BigCommerce does not have a built-in SAR tool. To handle data requests:

  1. Use the BigCommerce Customers API and Orders API to extract all data for a customer
  2. Package the data as a JSON or CSV export
  3. Deliver to the customer within 30 days of the request

Consider building or using a third-party service like Transcend or Mine to automate data request handling.

Step 4: Handle Right to Erasure (Article 17)

The right to erasure must balance deletion with legal retention obligations (tax records must be kept 5–7 years).

Shopify

  1. Open the customer's profile in Shopify admin
  2. Click More actions → Erase personal data
  3. Shopify anonymizes the customer's PII (replaces name, email, phone with anonymized placeholders) while keeping the order records for accounting
  4. Shopify sends customers/redact webhooks to all installed apps

WooCommerce

  1. Go to Tools → Erase Personal Data
  2. Enter the customer's email and send them a verification request
  3. Once they confirm, WordPress and WooCommerce anonymize:
    • Customer account (email replaced with anonymized placeholder)
    • Orders (customer name, billing/shipping details replaced with "Deleted User" / anonymized)
  4. Order financial records are preserved

BigCommerce

Use the Customers API to update the customer record, replacing PII with anonymized placeholders, and delete the customer account. The order records remain (financial data preserved) with the customer references removed.

Step 5: Ensure lawful marketing consent

Only send marketing emails to customers who have explicitly opted in. Pre-ticked boxes are prohibited under GDPR.

On all platforms:

  1. Add a clearly labeled, unchecked checkbox to the registration form and checkout: "Yes, I'd like to receive marketing emails"
  2. Record the consent timestamp, IP address, and form version in your database (or in your email platform)
  3. Include a one-click unsubscribe link in every marketing email
  4. Process unsubscribes immediately — within 10 business days is the standard requirement

Email platforms:

  • Klaviyo: tracks consent separately; use Klaviyo's built-in opt-in forms and consent properties
  • Mailchimp: uses double opt-in by default (recommended for GDPR); configure under audience settings
  • Omnisend: has GDPR mode with consent recording built in

Step 6: Sign Data Processing Agreements (DPAs)

Every third-party tool that processes customer data on your behalf must have a DPA in place:

  1. Stripe: DPA available at stripe.com/legal/dpa
  2. Klaviyo: DPA available in Klaviyo account settings under Account → Privacy
  3. Google Analytics: accept Google's DPA in the GA4 admin
  4. Shopify: Shopify is a data processor for your customer data; their DPA is in their legal agreements
  5. For each vendor, find the DPA in their privacy/legal documentation and complete it

Best Practices

  • Default all consent to denied — under GDPR, consent must be freely given and unambiguous; pre-ticked boxes are explicitly prohibited
  • Keep a consent audit trail — log every consent grant, withdrawal, and change with timestamp and the exact consent text version shown to the user
  • Respond to SARs within 30 days — automate data exports so they're available quickly via a self-service portal; manual exports are slow and error-prone at scale
  • Sign DPAs with all vendors before using their service — Stripe, Klaviyo, Google Analytics — any tool processing customer data must have a DPA
  • Separate consent from account creation — do not bundle marketing consent with T&Cs acceptance; each processing purpose needs a separate, granular consent
  • Test your deletion pipeline regularly — run erasure requests on test accounts quarterly to verify all data is deleted from the database, search indexes, analytics tools, and third-party processors

Common Pitfalls

Problem Solution
Cookie banner pre-ticking analytics boxes GDPR requires opt-in consent; pre-ticked boxes are explicitly prohibited under Recital 32
Deleting orders when customer requests erasure Orders must be retained for the statutory tax period (5–7 years); anonymize PII within orders rather than deleting the order record
Forgetting to delete from email platform and analytics Shopify's customers/redact webhook notifies apps; ensure your Klaviyo, Mailchimp, and analytics tools also receive the deletion request
Marketing emails sent without consent documentation Store the IP address, timestamp, consent text version, and method (checkbox, sign-up form) for every marketing opt-in
Missing DPA with a key vendor Audit your vendor list annually; Google, Stripe, Klaviyo, and your hosting provider all need DPAs if they process EU customer data

Related Skills

  • @data-retention-policies
  • @account-security
  • @analytics-integration
  • @fraud-detection
Weekly Installs
13
Repository
finsilabs/aweso…e-skills
GitHub Stars
14
First Seen
Mar 16, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
kimi-cli12
gemini-cli12
amp12
cline12
github-copilot12
codex12