How To Be GDPR Compliant For Ecommerce Stores – A Concise Summary Of What You Need To Do

There’s been a lot of FUD going around regarding GDPR compliance for ecommerce stores, so I decided to take the time to concisely summarize the actions that I’ve taken towards becoming compliant myself.

Now there are literally hundreds of GDPR posts out there that can be found on Google but none of them tell you flat out what needs to be done.

Instead, they either regurgitate the GDPR document which is borderline unreadable or they scare the cr@% out of you so you’ll pay for their consulting services:)

Well this post will tell you what you need to do without the lawyer speak…

Disclaimer: I am not a lawyer nor am I an expert on GDPR. All of the information here is gleaned from discussions with colleagues and lawyers. As a result, please take everything in this post with a grain of salt. In other words, this article is for informational purposes only.

I recommend that you seek legal and other professional counsel to determine your own GDPR needs.

Step 1: You Need To Update Your Privacy Policy

I’m not going to go into too much depth on how to write a privacy policy. But there are many compliant ecommerce companies out there and plenty of examples to emulate.

Simply go to your favorite established ecommerce store and take a look. There are also many GDPR privacy policy generators out there where you can take a questionnaire, pay a few hundred dollars, and get a privacy policy auto-generated for you.

In a nutshell, you need to include the following…

  • Your contact information
  • What information you collect and how and why you collect it
  • What you do with the data and who else gets to see it
  • What your visitor’s rights are under the GDPR

Creating a privacy policy isn’t the hard part.

Deciding how to collect data and what to do with your existing data is where the main confusion lies. As a result, this is where I will be focusing my efforts for the remainder of this post.

Step 2: Fix Your Post Purchase Email Optins For EU Visitors

95%+ of our customers are from the United States but we do get our fair share of buyers from the UK. In general, when someone purchases from our store, we automatically send them a multi-step post purchase autoresponder sequence.

There is no checkbox. There’s no optin. If you’ve made a purchase, then you’re going to get the sequence.

With the GDPR however, you will now need to get explicit consent to send your EU customers a post purchase sequence.

The easiest way to do this is to have a checkbox during checkout which asks whether they would like to be added to your store’s newsletter.

[Image: post purchase checkbox]

This checkbox needs to be unchecked by default.

If a customer makes a purchase and has checked the box, then you have consent to send them future correspondence via email.

There are a few caveats here however.

Let’s say you incentivize the customer to check the checkbox by offering them a free ebook, discount or giveaway WITHOUT saying that they’ll be signed up for your general newsletter.

Then guess what? You are only allowed to deliver them their freebie with no additional correspondence!

As a result, the text next to your checkbox has to make it clear that they are on your ongoing newsletter and that they can unsubscribe at any time.

Step 3: Adjust Your Regular Email Optins

A popular practice with ecommerce stores is to give out coupons or free giveaways in return for an email address. Then once the email is obtained, the customer is placed on an automated pre purchase sequence.

However with the GDPR, you are only allowed to email the customer about the coupon or the free giveaway and that is all.

You must obtain consent for any future correspondence.

The simplest way around this is to state clearly that the EU customer will be placed on your company newsletter once they optin for the coupon or giveaway.

[Image: coupon popup]

In a nutshell, you must inform the EU customer that they will be placed on a recurring newsletter once they optin.

A common question is whether you need to place an explicit checkbox on your email form for consent. And as far as I know, a checkbox is NOT needed.

I asked several people in the know about this exact point. In addition, I painfully read the GDPR doc and nowhere does it explicitly state that you NEED to have a checkbox.

Instead, the exact language in the doc is that you need to clearly communicate how you will be processing subscribers’ personal data.

Consent must be given by a subscriber and cannot be bundled with unrelated actions. Therefore as long as you explicitly state that you will be emailing them on a recurring basis going forward, you should be good.

Another common question is whether double optin is required for email newsletter signups. Once again, there’s nothing in the GDPR that states that you are required to use double optin.

As per the GDPR, you simply need to be able to prove the compliant consent. And entering personal information into an email signup form and clicking “submit” can be considered consent, as long as you are explicit in informing the customer what they are signing up for.

That being said, double optin is probably a good practice to follow.

Step 4: Clean Up Your Existing List. Send Re-Engagement Emails Only If Necessary

I don’t know about you but I’ve been receiving hundreds of emails from stores asking me to re-optin to their list and I’m from the United States!

There is absolutely no need to do this for non EU subscribers and these companies are purging a large portion of their list for no reason whatsoever.

Whether or not you need to send a re-engagement email depends on several factors. And you need to ask yourself the following questions…

  • Can you prove that your EU subscribers opted into your list? – If you transferred emails from one provider to the other or purchased an email list, then chances are you don’t have this information.

    However if someone from the EU opted into your list, it should be tracked in your email marketing provider’s database. You need to check.

  • Did you clearly explain how you’d use subscribers’ data and what content you can send them? – Using the example in step 2, I was automatically placing EU customers on a post purchase sequence when they made a purchase.

    I did NOT clearly explain to them that I was going to do this. As a result, I need to explicitly send a re-optin email to these people.

  • Can your subscribers unsubscribe at any time? – As far as I’m concerned, this is par for the course. If you are using any legit email provider, an unsubscribe link is required by law.

If you answered yes to all 3 questions above, then you don’t need to do anything as long as there’s a record of this in your email marketing database. But for most of you, you’ll most likely have to re-optin all of your EU customers who are subscribed to your post purchase sequence.

For my store, I simply segmented all of my EU customers and sent them the following email.

We have updated our Privacy Policy to comply with recent GDPR changes (which take effect May 25, 2018). If you would like to read more about how we handle your information, please refer to our updated Privacy Policy and Terms of Service.

If you would like to continue to receive our emails, please confirm your subscription by clicking the button below:

YES! I would like to continue receiving emails from Bumblebee Linens

By confirming your subscription with the link above, you will continue to receive:

  • Updates of the latest newsletter
  • Coupons and promotions
  • New product announcements

Anyone who doesn’t re-optin is deleted from our database.

Note: This wasn’t a big deal for our store because we don’t get that many EU customers

Step 5: Don’t Make Non EU Folks Jump Through Hoops

A lot of shopowners I know are now putting in checkboxes all over the place to ensure consent no matter who the customer is. But the problem is that you are reducing your conversion rate for every checkbox you add.

Instead of making a blanket change to your site, you might want to consider treating EU customers differently.

For example, for your post purchase email sequence, you may want to display the checkbox for EU customers only. After all, you already know they are from the EU because they entered all of their delivery address information on your checkout form.

A simple “if” statement will prevent this checkbox from being shown to US customers.

The same goes with any other form on your site. After all, there’s no reason for your conversion rate to suffer especially if the EU is just a small percentage of your overall business.

For our store, I don’t send post purchase email sequences to EU customers altogether. I also don’t currently run retargeting ads to EU customers because the shipping is so high and we don’t get that many EU customers to begin with.

Use your own judgement.

My Personal Take On The Penalties For GDPR Infringement

Everyone is absolutely terrified about the fines associated with violating the GDPR. After all, the penalties are like 20 million dollars or 4% of your revenues or something ridiculously crazy like that.

First off, EU officials have indicated that fines would likely be a last resort for enforcement.

Here’s an excerpt from a recent blog post from the U.K.’s information commissioner Elizabeth Denham.

“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” she said.

The ICO’s commitment to guiding, advising, and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.

The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.

Here’s how I interpret this statement.

They will implement the fines only if you are willfully violating the GDPR. But if you are making your best effort to comply, you will probably get several warnings before anything drastic happens.

Again, this is my own interpretation and please take it with a grain of salt.

If you take the necessary steps to understand and follow the GDPR regulations, then you have nothing to worry about.

About Steve Chou

Steve Chou is a highly recognized influencer in the ecommerce space and has taught thousands of students how to effectively sell physical products online over at

His blog,, has been featured in Forbes, Inc, The New York Times,  Entrepreneur and MSNBC.  

He's also a contributing author for BigCommerce, Klaviyo, ManyChat, Printful, Privy, CXL, Ecommerce Fuel, GlockApps, Privy, Social Media Examiner, Web Designer Depot, Sumo and other leading business publications.

In addition, he runs a popular ecommerce podcast, My Wife Quit Her Job, which is a top 25 marketing show on all of Apple Podcasts

To stay up to date with all of the latest ecommerce trends, Steve runs a 7 figure ecommerce store,, with his wife and puts on an annual ecommerce conference called The Sellers Summit.  

Steve carries both a bachelors and a masters degree in electrical engineering from Stanford University. Despite majoring in electrical engineering, he spent a good portion of his graduate education studying entrepreneurship and the mechanics of running small businesses. 

2 thoughts on “How To Be GDPR Compliant For Ecommerce Stores – A Concise Summary Of What You Need To Do”

  1. Jeremy Robinson says:

    Thanks for the summary! I’ve been wondering what’s behind all the “privacy policy update” emails I’ve been receiving.

  2. Shaun says:

    One of the clearest breakdowns I’ve seen for the EU changes, particularly helpful to see what constitutes a need to deploy re-engagement emails to the EU folks. Thanks!
