GDPR for e-commerce — developer checklist 2026
GDPR compliance for e-commerce goes beyond a standard privacy policy. Here are 14 concrete technical implementations required for operational compliance, with references to the critical points in code.
The 14 technical items to implement
1. Cookie consent banner with granular opt-in
Not a “accept cookies?” banner with one big green button and everything else hidden. The banner must let users accept or reject by category: necessary, analytics, marketing, personalization. Rejecting must not be harder than accepting.
Recommended tools: Cookiebot, Iubenda, Osano. Or a custom implementation (~1 day of dev).
2. Marketing & analytics cookies — loaded only after consent
Google Analytics, Meta Pixel, TikTok Pixel — none of these load in the browser until the user clicks “accept”. Check the Network tab in DevTools to confirm no requests go to google-analytics.com before consent.
3. Updated and versioned privacy policy
A privacy policy is not a static document. Version it with the date of the last change. Notify users about significant changes. List concretely: what data you collect, why, who you share it with, and how long you keep it.
4. Data export for users (right to portability)
In the account area, a “download my data” button. Generate a ZIP with all user data in machine-readable format (JSON or CSV). Orders, addresses, messages, preferences.
5. Data deletion (right to erasure / right to be forgotten)
A “delete account” button that actually deletes data, not just “deactivates”. Legal exceptions (accounting data with 5–10 year retention under Romanian law) are anonymized — not physically deleted, but personal identifiers are replaced.
6. Data minimization at collection
Do not collect a phone number if you do not use it. Do not ask for a national ID number unless you issue a fiscal invoice. “Optional” fields must be truly optional — no hidden red asterisk making them mandatory.
7. Encryption at rest for sensitive data
Passwords — bcrypt with cost factor 12+. Sensitive tokens — AES-256 encryption before storage in the DB. For FinTech / MedTech applications, column-level encryption in the DB.
8. Encryption in transit (HTTPS mandatory)
HTTPS on absolutely everything — including “static” pages. HSTS header. Valid certificate (Let's Encrypt is free, no excuses). Verified with SSL Labs for an A+ rating.
9. Audit logs for sensitive actions
Log when: the user changes their password, updates email, exports data, deletes their account. An admin accesses user data. Sensitive data is modified. Logs are immutable (append-only) with configurable retention.
10. Data Processing Agreement (DPA) with sub-processors
Using Stripe, AWS, SendGrid, Mailchimp? All are sub-processors under GDPR. They must be listed in the privacy policy + a DPA signed with each one.
11. Breach notification within 72 hours
A written incident response plan. Who notifies ANSPDCP (Romania's data protection authority), who notifies affected users, what data to include in the notification. Do not wait until it happens — prepare in advance.
12. Server and backup in the EU (or with adequacy decision)
A US server without DPF certification = GDPR problem. AWS EU-Frankfurt, Hetzner Falkenstein, GCP europe-west — all fine. Backups in the same region.
13. Third-party cookies — minimize
YouTube embeds, Google Maps, fonts — all plant third-party cookies. Use cookie-free versions (YouTube nocookie, self-hosted fonts) or load them only after consent.
14. DPO — Data Protection Officer
Required if you process data at large scale or handle sensitive data. For a medium e-commerce store, optional but recommended. Can be external (contract consultant).
Real penalties, not theoretical ones
ANSPDCP issued fines between €5,000 and €100,000 to Romanian online stores in 2024–2025 for: poorly configured cookie consent, missing privacy policy, refusal to honor data export requests. This is not a “theoretical problem”. Enforcement has tightened.
Quick GDPR audit for your site
- Open the site in incognito. Open DevTools > Network. See how many requests go to non-your domains before consent. If you see
google-analytics,facebook,doubleclick— you are non-compliant. - Search for “privacy policy”. Check the date of the last update. If it is older than 12 months, it is almost certainly outdated.
- Register a test account. Look for “download my data” and “delete account”. If they are missing, you have a problem.
- Check that sub-processors (Stripe, AWS, etc.) are listed in the privacy policy. Missing = problem.