Every online shop processes personal data - that is obvious. Less obvious is that most shops make the same repeating mistakes. Below are the seven we most often find during audits, with the concrete fix for each.
1. No privacy notice at the order form
Signal: the checkout page shows only "I accept the terms". The Art. 13 GDPR notice (who is the controller, for what purpose, on what basis, for how long, what rights) lives only in the privacy policy three clicks away.
Fix: a short notice (3-4 sentences) right under the form, with a "Full info" link to the privacy policy. GDPR does not require long text - it requires easily accessible text.
2. Pre-ticked marketing consent
Signal: "I want to receive the newsletter with offers" is checked by default; the customer has to untick it actively.
Fix: every marketing consent box must be empty by default. The CJEU's Planet49 judgment (C-673/17) is unambiguous and EU regulators consistently enforce it through administrative fines.
3. Non-compliant cookie banner
Signal: the banner only offers "Accept" (no "Reject"), or non-essential cookies (Google Analytics, Facebook Pixel) load before the user's decision.
Fix: the banner must offer three levels - accept all, accept only necessary, granular settings. Tracker scripts load only after opt-in. Key principle: consent before cookies are set, not after.
4. No data processing agreements with vendors
Signal: the shop uses Shopify/WooCommerce, Mailchimp, a payment gateway, a courier, an accounting firm - but signed an Art. 28 DPA only with the accounting firm.
Fix: list every vendor that receives personal data (even "just" the customer's email). For each one: sign a standard DPA template or accept their Data Processing Addendum. Most global SaaS providers have a ready DPA you can sign from the admin panel - keep the confirmation.
5. Customer data in raw logs
Signal: server logs record full HTTP request bodies including order numbers, emails and sometimes fragments of payment data.
Fix: sanitise logs before writing them. PII (emails, addresses, card numbers) should be stripped or masked at the logging layer so it never reaches application logs. Bonus: faster incident analysis and lower storage cost.
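Added example, not code from the original post: a small Python log sanitiser implementing the fix above. It redacts known PII fields in a JSON request body by key and masks emails and Luhn-valid card numbers in free text; the field names in PII_KEYS and the sample log lines are assumed and should be adapted to the shop's own schema.

```python
import json
import re

# Assumed field names whose values are always PII; adapt to your order schema.
PII_KEYS = {"email", "phone", "address", "street", "postcode", "name", "card_number", "cvv"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes (card PAN shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order numbers and timestamps from being masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_text(text: str) -> str:
    """Mask emails and Luhn-valid card numbers in free text; keep last 4 digits for support."""
    text = EMAIL_RE.sub("[EMAIL]", text)

    def mask_pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN-" + digits[-4:] + "]" if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(mask_pan, text)


def redact_structure(obj):
    """Walk a parsed JSON body: drop values under PII keys, scan remaining strings."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in PII_KEYS else redact_structure(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_structure(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def sanitise_log_line(line: str) -> str:
    """Sanitise one log line; a JSON object embedded in it is redacted by key, the rest by pattern."""
    start, end = line.find("{"), line.rfind("}")
    if start != -1 and end > start:
        try:
            body = json.loads(line[start:end + 1])
            clean = json.dumps(redact_structure(body), separators=(",", ":"))
            return redact_text(line[:start]) + clean + redact_text(line[end + 1:])
        except ValueError:
            pass  # not JSON, fall back to pattern-based redaction
    return redact_text(line)
```

Hook sanitise_log_line into the logging formatter (or a log-shipper filter) so raw request bodies are never written to disk in the first place.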
6. Marketing after consent withdrawal
Signal: the customer clicked "Unsubscribe" but 3 weeks later received a promotion email. Why? Consent withdrawal lives in one system, the next campaign goes out from another (a second mailing tool, an external agency).
Fix: one central consent register (a consent management platform), or at minimum automatic synchronisation of consent state across all systems that send mail. Without it, a complaint from a single customer is enough to risk a fine.
7. No breach response procedure
Signal: the shop had a breach (e.g. a backup left in a public S3 bucket), but the regulator notification was late or never sent - because nobody knew about the 72-hour clock under Art. 33 GDPR.
Fix: a short one-page procedure: who notifies the regulator, whom they call, what information to collect, what the regulator's notification form looks like. A dry run twice a year to check the team can execute it.
Summary
These seven mistakes show up in 8 out of 10 audits we run - and all of them can be fixed in 2-4 weeks without pausing sales. Most of the time the missing piece is not knowledge, it is time to put the topic in order.
If any of these signals sound familiar, start with a free conversation - in 30 minutes we'll tell you whether you need a full GDPR audit or just patching a specific area.
