Ecommerce GDPR checklist: 12 items every online store should pass

A short, opinionated checklist for ecommerce operators in the EU. Each item maps to a specific GDPR article or to the ePrivacy Directive, and each one is something a regulator could test on your live site today.

Lukas Kontur · 2 min read

This is a checklist for ecommerce operators in the European Union. It is not a substitute for a Data Protection Impact Assessment, and it is not a substitute for advice from a German Datenschutzbeauftragter or a French Délégué à la Protection des Données. It is the short list of items that, in our experience scanning the European web, are documented well enough that an operator can answer a regulator's questions about how the system handled a specific request, with timestamps.

The items are listed in the frontmatter and rendered by the checklist page template. Each one is a discrete, testable assertion, and each one maps to either GDPR or the ePrivacy Directive. Where the legal frame is more nuanced — for example, on transfer mechanisms after the EU-US Data Privacy Framework took effect — we have noted that in the detail line.

The two items that fail most often, by a wide margin, are:

For a live demonstration of what a non-compliant scan looks like:

Sample scan: 45 / 100 · Medium Risk · 8 trackers · pre-consent tracking: no

A medium-risk score on this scale typically indicates that the banner is present and the reject button works, but at least one tracker is firing pre-consent. Confirm that no non-essential trackers fire before the consent decision.
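One way to automate that confirmation, as an added example that is not part of the original checklist or of any scanner it describes: given a captured request log from a page load and the moment the visitor made a consent decision, flag every non-essential tracker that fired before it. The tracker suffix list, the essential-host set and the sample capture are all constructed for this example.

```python
"""Pre-consent tracker check over a captured request log (added example)."""
from urllib.parse import urlsplit

# Constructed: hostnames treated as non-essential trackers for this example.
TRACKER_SUFFIXES = ("google-analytics.com", "doubleclick.net", "facebook.net")

# Constructed: first-party and strictly necessary hosts allowed pre-consent.
ESSENTIAL_HOSTS = {"shop.example", "cdn.shop.example", "consent.example"}


def host_of(url):
    """Hostname of a URL, lower-cased by urlsplit; empty string if absent."""
    return urlsplit(url).hostname or ""


def is_tracker(host):
    """True when host is one of the tracker suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)


def pre_consent_trackers(requests, consent_ts):
    """Return (timestamp, host) for non-essential trackers that fired
    strictly before the consent decision. If consent_ts is None the visitor
    never decided, so every tracker request counts as pre-consent.
    An empty list means the 'no pre-consent tracking' item passes."""
    findings = []
    for ts, url in requests:
        host = host_of(url)
        before_consent = consent_ts is None or ts < consent_ts
        if before_consent and host not in ESSENTIAL_HOSTS and is_tracker(host):
            findings.append((ts, host))
    return findings


# Constructed sample capture: (ms since navigation start, request URL).
SAMPLE_REQUESTS = [
    (120, "https://shop.example/"),
    (340, "https://cdn.shop.example/app.js"),
    (410, "https://consent.example/banner.js"),
    (530, "https://www.google-analytics.com/collect?v=1"),     # before consent
    (900, "https://stats.g.doubleclick.net/j/collect"),        # before consent
    (2100, "https://connect.facebook.net/en_US/fbevents.js"),  # after consent
]
CONSENT_TS = 1500  # ms: the visitor clicked accept or reject at this point

if __name__ == "__main__":
    for ts, host in pre_consent_trackers(SAMPLE_REQUESTS, CONSENT_TS):
        print(f"FAIL: {host} fired at {ts} ms, before consent at {CONSENT_TS} ms")
```

Run it against the same capture with the reject path and the no-decision path as well; a banner that only gates the accept path will pass the first run and fail the others.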

The recommended cadence is to walk this checklist quarterly, store the results as accountability evidence under GDPR Art. 5(2), and treat any item that has failed twice in a row as a P1 issue. Most operators will not have an enforcement event. The ones who do will be glad they kept the records.
