GDPR for e-commerce — developer checklist 2026

GDPR compliance for e-commerce goes beyond a standard privacy policy. Here are 14 concrete technical implementations required for operational compliance, with references to the critical points in code.

I work with e-commerce stacks — see services or get in touch.

The 14 technical items to implement

1. Cookie consent banner with granular opt-in

Not a “accept cookies?” banner with one big green button and everything else hidden. The banner must let users accept or reject by category: necessary, analytics, marketing, personalization. Rejecting must not be harder than accepting.

Recommended tools: Cookiebot, Iubenda, Osano. Or a custom implementation (~1 day of dev).

2. Marketing & analytics cookies — loaded only after consent

Google Analytics, Meta Pixel, TikTok Pixel — none of these load in the browser until the user clicks “accept”. Check the Network tab in DevTools to confirm no requests go to google-analytics.com before consent.

3. Updated and versioned privacy policy

A privacy policy is not a static document. Version it with the date of the last change. Notify users about significant changes. List concretely: what data you collect, why, who you share it with, and how long you keep it.

4. Data export for users (right to portability)

In the account area, a “download my data” button. Generate a ZIP with all user data in machine-readable format (JSON or CSV). Orders, addresses, messages, preferences.

5. Data deletion (right to erasure / right to be forgotten)

A “delete account” button that actually deletes data, not just “deactivates”. Legal exceptions (accounting data with 5–10 year retention under Romanian law) are anonymized — not physically deleted, but personal identifiers are replaced.

6. Data minimization at collection

Do not collect a phone number if you do not use it. Do not ask for a national ID number unless you issue a fiscal invoice. “Optional” fields must be truly optional — no hidden red asterisk making them mandatory.

7. Encryption at rest for sensitive data

Passwords — bcrypt with cost factor 12+. Sensitive tokens — AES-256 encryption before storage in the DB. For FinTech / MedTech applications, column-level encryption in the DB.

8. Encryption in transit (HTTPS mandatory)

HTTPS on absolutely everything — including “static” pages. HSTS header. Valid certificate (Let's Encrypt is free, no excuses). Verified with SSL Labs for an A+ rating.

9. Audit logs for sensitive actions

Log when: the user changes their password, updates email, exports data, deletes their account. An admin accesses user data. Sensitive data is modified. Logs are immutable (append-only) with configurable retention.

10. Data Processing Agreement (DPA) with sub-processors

Using Stripe, AWS, SendGrid, Mailchimp? All are sub-processors under GDPR. They must be listed in the privacy policy + a DPA signed with each one.

11. Breach notification within 72 hours

A written incident response plan. Who notifies ANSPDCP (Romania's data protection authority), who notifies affected users, what data to include in the notification. Do not wait until it happens — prepare in advance.

12. Server and backup in the EU (or with adequacy decision)

A US server without DPF certification = GDPR problem. AWS EU-Frankfurt, Hetzner Falkenstein, GCP europe-west — all fine. Backups in the same region.

13. Third-party cookies — minimize

YouTube embeds, Google Maps, fonts — all plant third-party cookies. Use cookie-free versions (YouTube nocookie, self-hosted fonts) or load them only after consent.

14. DPO — Data Protection Officer

Required if you process data at large scale or handle sensitive data. For a medium e-commerce store, optional but recommended. Can be external (contract consultant).

Real penalties, not theoretical ones

ANSPDCP issued fines between €5,000 and €100,000 to Romanian online stores in 2024–2025 for: poorly configured cookie consent, missing privacy policy, refusal to honor data export requests. This is not a “theoretical problem”. Enforcement has tightened.

Quick GDPR audit for your site

  1. Open the site in incognito. Open DevTools > Network. See how many requests go to non-your domains before consent. If you see google-analytics, facebook, doubleclick — you are non-compliant.
  2. Search for “privacy policy”. Check the date of the last update. If it is older than 12 months, it is almost certainly outdated.
  3. Register a test account. Look for “download my data” and “delete account”. If they are missing, you have a problem.
  4. Check that sub-processors (Stripe, AWS, etc.) are listed in the privacy policy. Missing = problem.

Need help with GDPR on your store?

Send a short message about your store — I reply personally.

Get in touch

Read next