Some of you may already have heard of GDPR. So what is exactly GDPR?

GDPR stands for General Data Protection Regulation it is the new data protection legislation of the European Union (EU) applicable from May 25, 2018.

It will enhance the security and confidentiality of user data. within the EU and will impose new obligations on all companies that manage the personal data of EU citizens. It means the consent of individuals on the collection of data will be mandatory.

GDPR affects companies of all sizes. From one employee to 10,000 employees, if a company handles data about Europeans, then GDPR applies.

Most ecommerce stores are much closer to one employee than 10,000, so it’s important to understand how GDPR distinguishes between big companies and small ones.

Ecommerce stores owners should know that GDPR doesn’t treat them the same way it treats huge businesses. For example, certain record-keeping requirements in GDPR apply only to companies with more than 250 employees.

The reform on the protection of personal data has 3 objectives:

  • Strengthen the rights of individuals, in particular by creating a right to the portability of personal data and provisions specific to minors.
  • Empowering data actors (processors and contractors)
  • Increasing regulatory awareness through enhanced cooperation between data protection authorities, including the possibility of adopting joint decisions when data processing is transnational and increased penalties.


Email marketing is an important part of e-commerce. According to the GDPR, organizations need to be clearer about how to obtain the consent of their clients. Consent must be granted through a "clear and affirmative action" on the part of the person concerned. The company will also need to explain what information will be collected and why it is needed for processing. The persons concerned must also be able to withdraw their consent.

Consent requests must be:

  • Dissociated: requests for consent must be separate from the general conditions of sale.
  • Opt-in: Pre-checked boxes or other preselected options are not valid.
  • Granular: If the data is used in a variety of marketing activities, consent must be given for each one.
  • Identified: The application must name all organizations and third parties that will use this consent.
  • Documented: records must be kept to demonstrate when, how and why the data subject gives consent.


If a company does not conform to this new regulation, authorities will will have the option of fining companies up to 20 million euros or 4% of their annual turnover.

Double opt-in

As of May 25th 2018, companies will no longer have the right to send unsolicited emails to Internet users. They will have to set up a double opt-in procedure for their e-mailing campaigns, so as to inform users clearly and explicitly about the purpose of the data collected and thus obtain their consent.

The first opt-in is to set up when the individual completes the form where you will inform him about the reason for collecting their email. Once he has validated this step by checking, the second opt-in intervenes with the confirmation email in which the person agrees to receive the information they have accepted in the first opt-in. That's when it will be added to your database.

For customers already present in your database, they will have to send them personalized emails (with relaunch) to have their agreement in order to continue to contact them.

If for some the double opt-in will slow the acquisition of new customers, this implementation will still allow companies to have a more qualitative database, which will lead to a cleaner market.

Adjust cookies

As a site owner, you already have the obligation to notify Internet users of the setting up of cookies to collect information about their browsing (eg: "This website uses third-party cookies to obtain statistical information about If you continue to browse this site, we will consider that you accept its use. "). However, at present, if the Internet users do not click on "Ok" or "I understand" and that they consult another page of the site, the cookies are put in place automatically.

With this new regulation, the cookie procedure will be strengthened with the introduction of more detailed acceptance levels. Thus, users will be able to modulate all of their cookies and will no longer be able to access the site without first accepting cookies by clicking on an "Allow or Deny" button.

Manage the data

For users who do not want their data collected, businesses will be forced to encrypt it. This pseudonymisation consists of replacing an identifier with a pseudonym, so that the information of an individual remains secret.

In addition, if visitors to your site agree to collect their data, they will also have the right to delete. This means that if necessary, they will have the option to request the complete deletion of their customer data collected on your platform in order to maintain control over their data.


There are some tools available to check and see if your website is compliant to the new regulation. WordPress has a couple of interesting plugins.


What will change for website operators with the EU's general data protection regulation? Here are the main changes:

  • The obligation to document compliance with the General Data Protection Regulation.
  • More complex consents and authorizations
  • The principles of Privacy by Design and Privacy by Default
  • Extension of rights to information and dereferencing (deletion of data)
  • The right to transferability of data
  • Far more extensive information requirements (eg for the privacy statement of a website)
  • Prohibition of making consent conditional on the performance of a contract
  • Very high fines