Privacy Compliance Guide
Build a privacy-compliant e-commerce operation that protects customer data, avoids regulatory fines, and turns privacy into a competitive advantage. This skill covers the major regulations, practical implementation steps, and ongoing compliance maintenance for online sellers.
Quick Reference
| Decision | Strong | Acceptable | Weak |
|---|
| --- | --- | --- | --- |
| Privacy policy | Custom-drafted, regulation-specific, regularly updated | Template-based, covers key regulations | Generic boilerplate or missing |
| Cookie consent | Granular opt-in banner with category controls | Basic opt-in/opt-out banner | No consent mechanism or implied consent |
| Data inventory | Complete map of all data collected, stored, processed, shared | Major data flows documented | No documentation of data practices |
| Email compliance | Double opt-in, easy unsubscribe, CAN-SPAM + GDPR compliant | Single opt-in with working unsubscribe | Purchased lists or no unsubscribe option |
| Data retention | Defined retention periods per data type with auto-deletion | General retention policy exists | No retention policy, data kept indefinitely |
| Breach response | Written plan with 72-hour notification procedure | Awareness of notification requirements | No breach response plan |
Solves
- Regulatory fines — GDPR fines up to 4% of global revenue or €20M; CCPA fines up to $7,500 per intentional violation
- Cookie consent gaps — Non-compliant cookie banners that expose the business to enforcement action
- Email marketing violations — CAN-SPAM penalties of $50,120 per email; GDPR consent requirements for marketing
- Data breach liability — Lack of breach response plan leading to delayed notification and increased penalties
- Customer trust erosion — Poor privacy practices driving customers to privacy-conscious competitors
- Third-party data risks — Sharing customer data with vendors/partners without proper agreements
- Cross-border complexity — Selling internationally without understanding jurisdiction-specific requirements
Workflow
Step 1: Conduct a Data Inventory
Map every piece of customer data your business collects, stores, and shares.
Data collection points:
| Touchpoint | Data Collected | Legal Basis | Retention |
|---|
| --- | --- | --- | --- |
| Account registration | Name, email, password | Contract performance | Until account deletion |
| Checkout | Address, payment info, phone | Contract performance | Order + 7 years (tax) |
| Browse behavior | Pages viewed, time on site, clicks | Legitimate interest / Consent | 90 days |
| Email signup | Email, name, preferences | Consent | Until unsubscribe |
| Customer support | Issue details, communication history | Contract / Legitimate interest | 3 years |
| Reviews | Name, rating, review text | Consent | Until withdrawal |
| Cookies/tracking | IP, device info, browsing patterns | Consent | Per cookie category |
Third-party data sharing:
| Partner | Data Shared | Purpose | DPA in Place? |
|---|
| --- | --- | --- | --- |
| Payment processor | Card details, billing info | Payment processing | [ ] Yes / [ ] No |
| Shipping carrier | Name, address, phone | Order fulfillment | [ ] Yes / [ ] No |
| Email platform | Email, name, segments | Marketing | [ ] Yes / [ ] No |
| Analytics | IP, behavior, device | Analytics | [ ] Yes / [ ] No |
| Ad platforms | Email (hashed), behavior | Advertising | [ ] Yes / [ ] Noo |
| Reviews platform | Email, name, order data | Review collection | [ ] Yes / [ ] No |
Step 2: Implement Cookie Consent
GDPR-compliant cookie banner requirements:
- Must appear before non-essential cookies fire
- Must offer granular category choices (not just "accept all")
- Must be as easy to reject as to accept
- Must not use dark patterns (pre-checked boxes, confusing language)
- Must store consent records
Cookie categories:
| Category | Examples | Consent Required? |
|---|
| --- | --- | --- |
| Strictly necessary | Cart, authentication, security | No (always active) |
| Functional | Language preference, recently viewed | Yes |
| Analytics | Google Analytics, Hotjar, Mixpanel | Yes |
| Marketing | Facebook Pixel, Google Ads, retargeting | Yes |
Implementation options:
- Cookiebot ($12-46/month) — Auto-scans and categorizes cookies
- OneTrust (free tier available) — Enterprise-grade, GDPR + CCPA
- Termly ($10-39/month) — Simple setup, good for Shopify
- Custom implementation — Full control but higher maintenance
Step 3: Draft Privacy Policy
Required sections (GDPR + CCPA coverage):
- Identity and contact details — Who you are, how to contact your DPO
- Data collected — What personal data you collect and how
- Legal bases — Why you process each type of data (consent, contract, legitimate interest)
- Data sharing — Who you share data with and why
- International transfers — If data leaves the EEA/UK, what safeguards apply
- Retention periods — How long you keep each data type
- Individual rights — Right to access, rectify, erase, port, restrict, object
- Cookie policy — What cookies you use and how to manage them
- Children's data — COPPA compliance if applicable (under 13)
- California-specific disclosures — CCPA/CPRA rights for California residents
- Updates — How you notify customers of policy changes
Placement requirements:
- Footer link on every page
- Link in account registration flow
- Link at checkout
- Link in email footer
Step 4: Configure Email Marketing Compliance
CAN-SPAM requirements (US):
- Accurate "From" name and email address
- Non-deceptive subject lines
- Clear identification as advertising (if applicable)
- Physical mailing address in every email
- Working unsubscribe mechanism (honored within 10 business days)
- No purchased email lists
GDPR requirements (EU/UK):
- Explicit opt-in consent (pre-checked boxes are NOT valid consent)
- Double opt-in recommended (confirmation email)
- Separate consent for each purpose (newsletter vs. promotions vs. partner offers)
- Easy withdrawal of consent (one-click unsubscribe)
- Record of when and how consent was obtained
Best practice — double opt-in flow:
- Customer enters email → receives confirmation email
- Customer clicks confirmation link → added to list with timestamp
- Welcome email sent with preference center link
- All emails include one-click unsubscribe + physical address
Step 5: Set Up Data Subject Request Handling
GDPR rights you must support:
| Right | Timeline | Implementation |
|---|
| --- | --- | --- |
| Access (SAR) | 30 days | Export all data for the individual |
| Rectification | 30 days | Allow customers to update their data |
| Erasure ("right to be forgotten") | 30 days | Delete data (except where legal obligation to retain) |
| Data portability | 30 days | Provide data in machine-readable format (CSV/JSON) |
| Restriction | 30 days | Stop processing but retain data |
| Objection | 30 days | Stop processing for direct marketing immediately |
CCPA/CPRA rights:
| Right | Timeline | Notes |
|---|
| --- | --- | --- |
| Know | 45 days | What data collected, categories, sources, purposes |
| Delete | 45 days | Delete personal information |
| Opt-out of sale/sharing | Immediate | "Do Not Sell My Personal Information" link |
| Correction | 45 days | Correct inaccurate information |
| Limit use of sensitive data | Immediate | Restrict use of sensitive PI |
Implementation: Create a dedicated email or web form (e.g., privacy@yourstore.com or /privacy-request page) and establish an internal process with assigned responsibilities and tracking.
Step 6: Prepare a Data Breach Response Plan
72-hour notification timeline (GDPR):
- Hour 0-4: Identify and contain the breach
- Hour 4-12: Assess scope — what data, how many individuals, what risk
- Hour 12-24: Notify DPO/privacy lead, begin documentation
- Hour 24-48: Draft notification to supervisory authority
- Hour 48-72: Submit notification to supervisory authority
- Day 3-30: Notify affected individuals (if high risk) without undue delay
Breach notification must include:
- Nature of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of records affected
- Name and contact details of DPO or contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Step 7: Ongoing Compliance Maintenance
Monthly tasks:
- Review new third-party tools/integrations for data impact
- Check unsubscribe processing (test it works)
- Review and respond to any data subject requests
Quarterly tasks:
- Audit cookie consent banner functionality
- Review data retention — delete data past retention period
- Update privacy policy if any data practices changed
- Review vendor DPA status
Annual tasks:
- Full data inventory refresh
- Privacy policy comprehensive review
- Staff privacy training
- Data protection impact assessment (DPIA) for new high-risk processing
- Regulatory update review (new laws, enforcement trends)
Example 1: Shopify DTC Brand — GDPR + CCPA Setup
Scenario: US-based skincare brand selling to US + EU customers via Shopify. 50,000 email subscribers, uses Klaviyo, Google Analytics, Facebook Ads.
Step 1 — Data inventory findings:
- Shopify collects: name, email, address, phone, payment, order history
- Klaviyo receives: email, name, purchase history, browse behavior
- Google Analytics: IP (anonymized), pages, sessions, device
- Facebook Pixel: IP, browsing behavior, purchase events (hashed email for Custom Audiences)
- DPAs needed: Klaviyo (has standard DPA), Facebook (Business Tools Terms), Google (Data Processing Terms)
Step 2 — Cookie consent: Installed Cookiebot on Shopify ($14/month). Configured categories: necessary (cart/checkout), analytics (GA4), marketing (Facebook Pixel, Klaviyo tracking). GA4 and FB Pixel only fire after consent.
Step 3 — Privacy policy: Drafted with GDPR + CCPA sections. Added "Do Not Sell My Personal Information" link in footer for CCPA. Listed all data categories, purposes, and third-party recipients.
Step 4 — Email compliance: Configured Klaviyo double opt-in. Added physical address to all email templates. Created preference center with separate toggles for promotional emails, new product alerts, and educational content.
Step 5 — Data requests: Created privacy@brand.com inbox monitored weekly. Built internal SOP: requests triaged within 48 hours, fulfilled within 25 days (buffer before 30-day deadline).
Step 6 — Breach plan: Documented response procedure. Identified Shopify's breach notification process. Assigned roles: CEO (decision authority), CTO (containment), Operations (customer communication).
Result: Fully compliant setup in 2 weeks. Ongoing cost: ~$15/month (Cookiebot) + 2 hours/month maintenance.
Example 2: Amazon + Multi-Channel Seller — Minimal Viable Compliance
Scenario: Small team selling on Amazon, eBay, and own Shopify store. Limited resources. Need practical compliance without a legal team.
Priorities (risk-based approach):
- Email compliance (highest fine risk): Switched to double opt-in, added physical address, tested unsubscribe links. Deleted purchased email list.
- Cookie consent (EU fine risk): Installed free OneTrust banner on Shopify. Amazon/eBay handle their own cookie consent.
- Privacy policy (foundation): Used Termly generator ($10/month) customized with actual data practices. Added to Shopify footer and eBay "About" page.
- Data retention: Set Shopify to anonymize order data after 3 years (beyond tax retention requirement). Configured email platform to auto-remove unsubscribed contacts after 30 days.
- "Do Not Sell" link: Added CCPA link to Shopify footer. Disabled Facebook Custom Audiences for California IP addresses (Shopify geolocation).
Result: 80% compliant in 1 week. Ongoing cost: $10/month + 1 hour/month. Remaining 20% (formal DPIA, full data inventory, breach response plan) scheduled for quarterly improvement.
Common Mistakes
- Relying on "implied consent" — Under GDPR, pre-checked boxes, continued browsing, or scroll-based consent are NOT valid. You need affirmative action (click "Accept") for non-essential cookies and marketing.
- Using purchased email lists — This violates CAN-SPAM (if recipients haven't opted in) and GDPR (no consent basis). Delete purchased lists immediately and build organically.
- Firing tracking pixels before consent — Many sites load Google Analytics and Facebook Pixel on page load, before the cookie banner is answered. This is a GDPR violation. Implement consent-gated loading.
- Missing physical address in emails — CAN-SPAM requires a valid physical postal address in every commercial email. A PO Box counts. Missing it is a per-email violation ($50,120 each).
- No unsubscribe mechanism — Every marketing email must have a visible, working unsubscribe link. Honor within 10 business days (CAN-SPAM) or immediately (GDPR best practice).
- Ignoring data processor agreements — If you share customer data with any third party (email platform, analytics, payment processor), you need a Data Processing Agreement. Most major platforms offer standard DPAs.
- One-size-fits-all retention — Different data types have different retention needs. Tax records require 7 years; browse behavior should be deleted within 90 days. Define retention per data category.
- No breach response plan — GDPR requires notification within 72 hours. Without a pre-written plan, you'll miss the deadline. Even small businesses need a one-page breach response procedure.
- Treating marketplace sales as exempt — While Amazon/eBay handle some compliance on their platforms, you're still responsible for data you collect independently (email lists, customer support data, CRM data).
- Neglecting state-level US laws — Beyond California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states have privacy laws. If you sell nationally, consider the strictest standard as your baseline.
Resources