GDPR Compliance for E-Commerce: What UK Online Retailers Must Know
Your online shop handles more personal data than most banks. Are you treating it that way?
Every transaction on your e-commerce site generates a trail of personal data: names, email addresses, delivery addresses, payment details, browsing history, purchase patterns, device fingerprints. A single customer journey — from first ad click to delivered parcel — can involve a dozen data processors across multiple jurisdictions.
And yet, most online retailers treat data protection as a legal afterthought. A cookie banner bolted on at launch. A privacy policy copied from a template. An email list that has never been properly consented.
The Information Commissioner’s Office (ICO) — the UK’s data protection authority — sees it differently. E-commerce is one of the highest-risk sectors for personal data processing, and the ICO has made online retail a strategic enforcement priority.
Since 2018, some of the largest UK GDPR fines have targeted businesses that sell online. British Airways (£20 million), Marriott International (£18.4 million), DSG Retail (£500,000). No sector generates more data per customer interaction — and no sector is more exposed to ICO enforcement.
This is not about ticking boxes. It is about understanding that every piece of customer data you collect creates a legal obligation — and that failure to honour that obligation carries real financial and reputational consequences.
Here is what UK e-commerce businesses need to know, what the ICO is watching, and how to get compliant without hiring an army of consultants.
Why e-commerce is an ICO priority
The ICO publishes a regulatory action policy and an annual plan outlining its enforcement priorities. E-commerce sits at the intersection of several high-risk categories that the ICO explicitly targets.
- Volume and sensitivity of data — Online retailers process large volumes of personal data — including financial data (payment cards, billing addresses) and behavioural data (browsing history, purchase patterns). Under UK GDPR Article 32, the security measures you implement must be proportionate to the risk. More data, more sensitive data, higher obligations.
- Direct marketing abuses — The ICO receives more complaints about unsolicited marketing than any other category. In 2024-2025, the ICO issued over £1.5 million in fines specifically for breaches of the Privacy and Electronic Communications Regulations (PECR) — the UK law governing email marketing, SMS, and cookies. E-commerce is the primary source of these complaints.
- Cross-border data flows — UK online retailers routinely use US-based services (Shopify, Stripe, Klaviyo, Google Ads, Meta Pixel) that transfer personal data internationally. Post-Brexit, the UK has its own adequacy framework, but transfers to countries without adequacy decisions still require appropriate safeguards.
- Cookie and tracking ecosystem — A typical e-commerce site loads 30 to 60 third-party scripts: analytics, retargeting pixels, A/B testing tools, live chat widgets, social media embeds. Each one is a potential PECR violation if deployed without consent.
The ICO’s enforcement style has historically been more guidance-oriented than the CNIL (France) or the DPC (Ireland). But the trend is unmistakably towards larger fines and more proactive investigations. The £20 million British Airways fine in 2020 signalled a new era. The £12.7 million TikTok fine in 2023 confirmed it.
The 7 GDPR obligations every e-commerce site must meet
1. Cookie consent under PECR
In the UK, cookies are governed by PECR (Privacy and Electronic Communications Regulations 2003), not directly by UK GDPR. PECR requires prior consent before placing any non-essential cookie or similar technology on a user’s device.
The ICO’s cookie guidance is unambiguous: consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Implied consent from continued browsing does not count. A “reject” option buried in a settings submenu does not count.
What e-commerce sites get wrong:
- Pre-consent tracking — Loading Google Analytics, Meta Pixel, or Klaviyo tracking before the user has interacted with the consent banner
- Cookie walls — Using cookie walls that force consent as a condition of access to the site
- Dark patterns — Making “Accept All” a bright, prominent button while “Manage Preferences” is greyed-out text or hidden behind a second click
- Failure to honour refusal — Scripts still fire after the user clicks “Reject”, rendering the consent mechanism meaningless
What to do: Deploy a consent management platform that blocks all non-essential scripts until the user actively consents. Cookilio blocks third-party scripts by default and presents rejection at the same level as acceptance, compliant with ICO requirements.
2. Email marketing — the PECR soft opt-in
This is where UK law genuinely differs from EU GDPR, and where many e-commerce businesses either miss an opportunity or break the law.
The PECR soft opt-in is unique to the UK and a genuine competitive advantage for e-commerce businesses that understand it. Unlike EU GDPR, which generally requires explicit consent for all marketing emails, UK law allows existing customers to receive marketing about similar products — provided strict conditions are met.
PECR provides a soft opt-in exception for existing customers: if someone has purchased from you (or actively negotiated a purchase), you can send them marketing emails about similar products or services without explicit consent — provided you gave them a clear opportunity to opt out at the point of data collection AND in every subsequent email.
For prospects who have never purchased — people who signed up for a newsletter, downloaded a guide, or abandoned a cart — you need explicit, affirmative consent before sending any marketing email.
Common violations:
- Purchased email lists — Buying email lists and treating them as soft opt-in when there is no prior commercial relationship
- Enquiry-only contacts — Sending marketing emails to people who only made an enquiry (no purchase = no soft opt-in)
- Missing opt-out at collection — Failing to offer an unsubscribe mechanism at the point of data collection
- Ignoring unsubscribes — Continuing to email people after they unsubscribe, whether through technical failure or intentional disregard
The ICO has fined companies specifically for PECR email marketing violations, including Pharmacy2U (£130,000 for selling patient data to marketing companies) and numerous businesses through its ongoing direct marketing enforcement programme.
3. Customer account data and retention
When a customer creates an account on your site, you collect personal data that you must manage throughout its lifecycle. UK GDPR requires that you:
- Define retention periods — Set specific periods for each category of data (order history, account details, support tickets)
- Delete or anonymise — Remove data when the retention period expires, or anonymise it so it no longer qualifies as personal data
- Justify retention — Link each retention period to a legitimate purpose (legal obligation, contract performance, legitimate interest)
HMRC requires you to keep financial records for 6 years. But that does not mean you can keep a customer’s full profile, browsing history, and marketing preferences for 6 years. The retention period must be specific to the purpose.
What to do: Document your retention schedule. Set automated deletion rules. When a customer requests account deletion under the right to erasure (Article 17), you must comply within one month — except for data you are legally required to retain.
4. Payment data security
Payment card data is governed by PCI DSS (Payment Card Industry Data Security Standard) as well as UK GDPR Article 32. Most e-commerce platforms (Shopify, WooCommerce with Stripe) handle card processing through PCI-compliant payment processors, which means the card data never touches your servers.
But that does not eliminate your GDPR obligations:
- Billing and transaction data — Billing addresses, order values, and transaction histories are personal data under GDPR
- Processor contracts — Payment processor contracts must include a Data Processing Agreement (Article 28)
- Breach notification — If your payment processor suffers a breach affecting your customers, you may need to notify the ICO within 72 hours (Article 33)
The British Airways breach that led to the £20 million fine involved payment card data skimmed through a malicious script injected into the checkout page. The ICO found that BA had failed to implement adequate security measures — including proper Content Security Policy headers that could have prevented the script injection.
5. Product reviews and user-generated content
Customer reviews, Q&A sections, and user-submitted photos all contain personal data. The reviewer’s name, their purchase history (implied by the review), and sometimes their location or other identifying details.
GDPR obligations:
- Legal basis — You need a valid legal basis for processing this data. Legitimate interest is the most common basis, but you must conduct a Legitimate Interest Assessment (LIA)
- Right to erasure — If a customer asks you to delete their review, you must comply unless you have an overriding legitimate interest
- Third-party review platforms — Platforms like Trustpilot, Feefo, and Reviews.io require a DPA, and you must inform customers that their data will be shared with a third party
6. Remarketing and ad trackers
Remarketing pixels (Meta Pixel, Google Ads remarketing, TikTok Pixel, Pinterest Tag) are the most common source of cookie compliance failures on e-commerce sites. Each pixel:
- Drops cookies — Places cookies on the user’s device, requiring PECR consent
- Transfers personal data — Sends personal data to the ad platform, requiring a GDPR legal basis
- International transfers — Often transfers data to the US, requiring appropriate safeguards
The ICO’s position is clear: remarketing pixels require explicit prior consent. Loading them before consent is a PECR violation. Loading them based on legitimate interest — without consent — is not compliant for advertising purposes.
What to do: Audit every third-party script on your site. Ensure no advertising or remarketing script fires before consent. For privacy-respecting analytics that do not require consent, Mirage Analytics tracks visitor behaviour without cookies, without personal data collection, and with all data hosted in Europe — no consent banner needed for analytics.
7. Cross-border data transfers post-Brexit
Since Brexit, the UK operates its own data transfer regime. The UK has received an adequacy decision from the EU (valid until June 2025, extended), meaning data can flow freely between the EU and the UK. In the other direction, the UK has issued its own adequacy regulations recognising the EEA and several other countries.
For transfers to countries without adequacy — most notably the United States — UK businesses must rely on:
- International Data Transfer Agreements (IDTAs) — The UK equivalent of EU Standard Contractual Clauses
- The UK Extension to EU SCCs — Allows continued use of EU Standard Contractual Clauses with a UK addendum
- The UK-US Data Bridge — The UK equivalent of the EU-US Data Privacy Framework, which facilitates transfers to certified US organisations
E-commerce implications: If you use Shopify (Canada/US), Stripe (US), Klaviyo (US), Mailchimp (US), or Google Analytics (US), you are making international data transfers. You must:
- Identify every transfer in your Records of Processing Activities
- Verify the legal mechanism for each transfer
- Conduct a Transfer Risk Assessment where required
Using European-hosted alternatives eliminates transfer risk entirely. Mirage Analytics processes all data on Scaleway infrastructure in Europe — no international transfer, no Transfer Risk Assessment, no legal uncertainty.
Notable ICO sanctions against e-commerce and retail
| Company | Fine | Year | Violation |
|---|---|---|---|
| British Airways | £20M | 2020 | Payment data breach (400K+ customers) |
| Marriott International | £18.4M | 2020 | Inherited data breach (339M guests) |
| TikTok | £12.7M | 2023 | Children’s data processing |
| DSG Retail (Currys) | £500K | 2020 | POS malware (14M customers) |
| Pharmacy2U | £130K | 2015 | Selling patient data to marketers |
British Airways — £20 million (2020)
The landmark case for UK e-commerce. In 2018, attackers compromised BA’s website and mobile app by injecting malicious JavaScript into the checkout page. The script skimmed payment card details, names, and addresses from approximately 400,000 customers over two months.
The ICO found that BA had failed to implement adequate security measures, including:
- Missing multi-factor authentication — No MFA for domain administrator accounts
- Insufficient vulnerability testing — Web application not adequately tested for common attack vectors
- Missing CSP headers — No Content Security Policy headers that would have blocked the injected script
The fine was originally set at £183 million — reduced to £20 million after BA’s cooperation and the economic impact of COVID-19.
The lesson for e-commerce: Website security is a GDPR obligation, not just an IT best practice. Every script on your checkout page is an attack surface. Monitor, audit, and restrict what runs on your payment pages.
Marriott International — £18.4 million (2020)
Marriott inherited a compromised Starwood Hotels reservation system when it acquired the company in 2016. The breach — which had been ongoing since 2014 — exposed the personal data of approximately 339 million guests, including 30 million EEA residents and 7 million UK residents.
The ICO found that Marriott failed to conduct adequate due diligence on the Starwood systems and failed to implement sufficient monitoring of the databases.
The lesson for e-commerce: If you acquire another business, you inherit its data protection liabilities. Due diligence must include a thorough data protection audit of acquired systems.
TikTok — £12.7 million (2023)
TikTok was fined for processing the personal data of children aged under 13 without parental consent. While not strictly e-commerce, the case established important principles for any online business that may attract underage users — including e-commerce sites selling products popular with young people.
The lesson for e-commerce: If your products appeal to under-18s (clothing, gaming, electronics), you must implement age verification mechanisms and obtain parental consent for children under 13. The ICO’s Children’s Code applies to any online service likely to be accessed by children.
DSG Retail (Currys/PC World/Dixons) — £500,000 (2020)
DSG Retail was fined £500,000 — the maximum under the old Data Protection Act 1998 — after a cyber attack exposed the personal data and payment card details of approximately 14 million customers. Attackers installed malware on 5,390 point-of-sale terminals across DSG’s stores.
The ICO found inadequate software patching, lack of a local firewall, and absence of network segregation.
The lesson for e-commerce: The £500,000 fine was the maximum available under the old law. Under UK GDPR, the maximum is £17.5 million or 4% of global turnover. The same breach today would likely attract a fine orders of magnitude larger.
Pharmacy2U — £130,000 (2015)
Pharmacy2U, an online pharmacy, sold over 20,000 patients’ personal details to marketing companies — without the patients’ knowledge or consent. The data included names, addresses, and information about health conditions.
The lesson for e-commerce: Monetising customer data through third-party sales without explicit consent is a serious violation. This applies to any e-commerce business considering selling or sharing customer lists with partners.
E-commerce GDPR compliance checklist
Immediate actions (this week)
- Website audit — Identify cookies loaded before consent, missing privacy notices, undeclared third-party scripts. Complio performs this audit automatically and produces a structured report with a compliance score and prioritised recommendations — 89 euros, 10 minutes.
- Cookie consent mechanism — Deploy a compliant CMP that blocks all non-essential cookies and scripts until the user consents. Offer “Reject” at the same visual level as “Accept”. Cookilio handles this out of the box.
- Email marketing review — Verify that prospects have given explicit consent. Verify that existing customer emails use only the soft opt-in for similar products. Include an unsubscribe link in every email.
- Privacy policy check — Ensure it covers all processing activities, names all categories of recipients, and states retention periods. It must be specific to your business, not a generic template.
Structural compliance (this month)
- Records of Processing Activities (ROPA) — Document every processing activity: what data, why, how long, who has access, where it goes.
- Data Processing Agreements — Execute DPAs with every processor: Shopify, Stripe, Klaviyo, your email provider, your review platform, your analytics tool, your hosting provider.
- Data retention schedule — Define and implement retention periods for different data categories. Automate deletion where possible.
- Data subject rights process — Set up a dedicated email address, document the procedure, and enforce the 30-day response deadline.
- Transfer Risk Assessments — Conduct a TRA for any international data transfer, or eliminate the transfer by switching to European-hosted alternatives.
Ongoing compliance
- Team training — Customer service, marketing, and IT staff all handle personal data. They need to understand GDPR basics and your internal procedures.
- Cookie compliance monitoring — New marketing tools, plugin updates, and platform changes can introduce new cookies without your knowledge. Audit quarterly.
- ICO guidance updates — The ICO regularly publishes new guidance, particularly around direct marketing, AI, and children’s data.
- Breach response testing — If customer payment data is compromised, you have 72 hours to notify the ICO. Rehearse the process before you need it.
| Need | Solution |
|---|---|
| Compliance audit | Complio — €89/audit |
| Cookie consent | Cookilio — €9/month |
| Cookieless analytics | Mirage Analytics — €19/month |
FAQ
Does UK GDPR still apply after Brexit?
Yes. The UK retained EU GDPR in domestic law as “UK GDPR” through the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018. UK GDPR is substantively identical to EU GDPR, with minor modifications (e.g., the supervisory authority is the ICO, not an EU DPA; the maximum fine is £17.5 million rather than €20 million). There is potential for future divergence — the UK government has signalled reforms — but as of April 2026, UK GDPR remains closely aligned with the EU regulation.
What is PECR and why does it matter for e-commerce?
PECR (Privacy and Electronic Communications Regulations 2003) is the UK law that governs cookies, email marketing, SMS marketing, and telephone marketing. For e-commerce businesses, PECR is as important as GDPR because it provides the specific rules for two critical activities: placing cookies/trackers on users’ devices, and sending marketing communications. PECR carries its own fines — up to £500,000 — separate from UK GDPR penalties. The ICO enforces both.
What is the PECR “soft opt-in” for email marketing?
The soft opt-in allows you to send marketing emails to existing customers without explicit consent, provided three conditions are met: (1) you obtained the email address in the course of a sale or negotiation of a sale, (2) you are marketing similar products or services to what they originally purchased, and (3) you gave the customer a clear opportunity to opt out when you first collected their email — and in every email thereafter. This exception does not apply to prospects, newsletter subscribers, or people who merely browsed your site.
How is the ICO different from the CNIL or other EU DPAs?
The ICO has historically taken a more guidance-oriented approach compared to the CNIL (France) or the AEPD (Spain), which tend towards stricter enforcement. However, the ICO’s fine levels have increased significantly since 2018, and its appetite for enforcement in the direct marketing and online tracking space has grown. The ICO also operates under a slightly different legal framework (PECR for cookies/marketing vs. the ePrivacy Directive in EU member states) and has its own international transfer mechanisms (IDTA, UK-US Data Bridge) distinct from EU SCCs and the EU-US DPF.
Can the ICO fine my business if it is based outside the UK?
Yes. UK GDPR applies to any organisation that processes the personal data of individuals in the UK, regardless of where the organisation is based. If your e-commerce site targets UK consumers — through a .co.uk domain, GBP pricing, UK delivery options, or marketing aimed at UK residents — you are within the ICO’s jurisdiction. The Clearview AI fine (£7.5 million in 2022) demonstrated that the ICO will pursue non-UK companies.
Also read — GDPR Website Checklist: 15 Essential Points | Cookies and GDPR: Everything You Need to Know | GDPR Fines: Complete Breakdown of Sanctions | GDPR Website Audit: Complete 2026 Guide | GDPR-Compliant Cookie Banner: Complete Guide
Sources: ICO — Guide to PECR: Cookies, ICO — Guide to PECR: Electronic Marketing, ICO — International Data Transfers, ICO — British Airways Penalty Notice, ICO — Marriott International Penalty Notice, ICO — TikTok Penalty Notice, ICO — Children’s Code, ICO — Age Appropriate Design Code. Published 9 April 2026.