Table of Contents

Compliance for E-commerce Websites

Do you run an e-commerce website? Here’s everything you need to understand and get started with compliance

What you’ll need (and when you’ll need it)

Why? Under most countries’ laws it’s mandatory that you disclose details related to privacy and your data processing activities. Failure to do so can result in massive fines, legally invalidate your mailing list, leave you open to litigation and negatively affect your the credibility of your brand.

When do you need it? Whenever processing personal user data in any way (e.g. Via social connect buttons, payment portals, analytics services, shopping cart plugins etc.). Keep in mind that privacy policies should be dynamic documents as they must be reasonably up-to-date in order to be considered legally compliant.


Platform-specific integration


Common services that explicitly require privacy policies

Mailchimp  | Google Analytics | Google AdSense | Google Ads Remarketing | Amazon Affiliate Program | Facebook Lead Ads

Why? E-commerce websites often use cookies for everything from analytics statistics to social buttons and re-marketing services.

When do you need it? If you use cookies and you have EU-based users, you’re required by both law and by law-abiding third-parties such as Google, Amazon, Apple, Facebook etc. to comply with legal requirements; this generally means having valid cookie policy and cookie management solution in place.


CMS Plugins
These plugins allow you to set up quickly on the post popular platforms and automate much of the prior blocking process

WordPress Plugin Guide | Magento Guide | Joomla! Guide | PrestaShop Guide | PHP class Guide.
Drupal users, you can access the class via direct download or Packagist, and find full instructions in the PHP class guide linked above.



If you run ads on your site via ad networks (including Google’s ad services), we heavily suggest that you meet industry requirements by enabling the IAB Transparency & Consent Framework feature in the Cookie Solution. Failure to do so can potentially result in reduced ad reach and revenue.

How to enable the IAB TCF in the Cookie Solution › | How to collect consent for Google Ad personalization ›

Why? The GDPR requires that you keep and maintain valid records of consent if processing user data based on consent. Without these records, the consent you collect is considered invalid.

When do you need it? When processing the personal data of EU-based users on the legal basis of Consent. Common Scenarios of this include collecting personal data via forms for newsletters, email lists, subscriptions etc. This does not typically apply to consent for cookies as cookies are still largely governed by the ePrivacy Regulation (Cookie Law).


Note: GDPR requirements also apply to you even if you’re not based in the EU but have EU-based users or you only have non-EU users but are based in the EU. Read more here.



Why? The GDPR requires that you keep and maintain valid records of processing if processing the personal data of EU-based persons. Without these records, your processing activities would be in violation of the law. This is especially relevant to E-commerce businesses as they typically process sensitive data such as payment information.

When do you need it? If you fall under the scope of the GDPR and your processing activities are not occasional, could result in a risk to the rights or freedoms of others, involves sensitive data or if you have more than 250 employees — in short, it’s almost always required.



Additional Resources

Make your site compliant in minutes

Start generating

Still have questions?

Visit our support forum Email us