GDPR in Ecommerce

Created 2026-06-29


Regulation (EU) 2016/679 (General Data Protection Regulation), in force since 25 May 2018, is the primary EU data protection law governing how online retailers collect, process, store, and share personal data of EU/EEA residents. Post-Brexit, UK ecommerce businesses comply with UK GDPR (the retained version of the regulation, supplemented by the Data Protection Act 2018) alongside the EU regime for EU customer data. GDPR shapes nearly every ecommerce data touchpoint: cookie banners, email marketing, Personalisation and Recommendation Engines, payment processing, Returns Management, order tracking, and carrier data-sharing.

Firewall: every claim is what a source reports. See ../../CONTEXT.md Rule 1.


Enforcement landscape

As of June 2026, the GDPR Enforcement Tracker records 3,195 tracked enforcement actions totalling €6.31 billion in cumulative fines across the EU/EEA, with 150 new fines issued in 2026 and 159 in the preceding six months (as-of 2026-06-28). (GDPR Enforcement Tracker, enforcementtracker.com, 2026-06-28)

Total cumulative GDPR fine figure: The GDPR Enforcement Tracker (live database, 2026-06-28) records €6.31 billion. UniConsent (May 2026) states 7.1 billion euros across more than 2,500 fines. The discrepancy likely reflects different inclusion criteria — the Enforcement Tracker may exclude some ePrivacy-only fines; UniConsent may include them — or different tracking windows. (enforcementtracker.com 2026-06-28 vs uniconsent.com 2026-05-01)

UniConsent reports approximately 1.2 billion euros in GDPR fines were issued in 2025 alone, at an average fine of approximately 2.4 million euros (as-of 2026-05-01). (UniConsent, uniconsent.com/blog/gdpr-enforcement-fines-2026, 2026-05-01)

Daily personal data breach notifications across Europe reached 443, a 22% year-on-year increase (as-of 2026-05-01). (UniConsent, 2026-05-01 — figure not independently sourced in the article; treat as directional)

DPA geography. Ireland's DPC accounts for approximately €4.04 billion in cumulative fines — around 57% of all EU GDPR fine value — because Meta, Google, TikTok, LinkedIn, Apple, and Microsoft all have European headquarters in Dublin, making the DPC their lead supervisory authority under GDPR's one-stop-shop mechanism (as-of 2026-05-01). France's CNIL overtook Luxembourg in 2025 to become the second-largest enforcer by total fine value (over €1 billion cumulative), with particular focus on cookie consent and ad-tech violations. Spain issues the highest volume of fines by count (nearly 1,000) but at much lower average values (as-of 2026-05-01). (UniConsent, 2026-05-01)

Appeal and collection gap. Of the approximately €4.04 billion in fines issued by Ireland's DPC, only approximately €20 million has been collected (around 0.5%) because almost every major fine is under appeal. However, companies typically implement the corrective operational orders accompanying fines even while contesting the fine amount itself (as-of 2026-05-01). (UniConsent, 2026-05-01)

Enforcement is mostly complaint-driven. A self-identified DPA insider confirms (r/gdpr, Jun 2025, 726 upvotes): "Most DPAs are severely understaffed and underfunded and receive hundreds of complaints per month they cannot investigate. Most SME complaints go unanswered unless they fit into a larger pattern investigation." Ecommerce has been "a focus sector in several DPAs." (r/gdpr/comments/1lhm22a/, 2025-06)

SME risk is non-zero. A first-person account describes a Belgian DPA investigation of a €2m-revenue ecommerce business following a customer complaint about marketing emails without consent — outcome: €15,000 fine after 18 months. Competitor complaints are described as "an under-appreciated enforcement vector" (r/gdpr/comments/1f7j9ri/, 234 upvotes, 2024-08). noyb (Max Schrems' organisation) is named as a specific high-risk vector: "If noyb decides your sector is a target, that significantly raises your risk profile even if you're small." (r/gdpr/comments/1lhm22a/, 2025-06)

Rational non-compliance calculation exists. Practitioners describe a structural tension: "if the conversion hit from a compliant banner is X% and the probability of being fined is very low, non-compliance is the financially rational choice. DPAs estimated to be catching maybe 1–2% of violations." (r/gdpr/comments/1h4mn2x/, 312 upvotes, 2024-12)


Key enforcement cases relevant to ecommerce (2023–2026)

Entity | DPA | Fine | Basis | Status (as-of 2026-05-01)
--- | --- | --- | --- | ---
Meta (Facebook) | Irish DPC | €1.2B (May 2023) | EU→US data transfers without adequate safeguards after Privacy Shield invalidation (SCCs alone insufficient) | Under appeal
Amazon | Luxembourg CNPD | €746M (Jul 2021) | Behavioural advertising without valid consent | Annulled on procedural grounds Mar 2026; underlying violations upheld; remanded to CNPD
TikTok | Irish DPC | €530M (May 2025) | Unlawful transfer of EU user data to China | Under appeal; Irish High Court granted stay Nov 2025
LinkedIn | Irish DPC | €310M (Oct 2024) | Invalid legal basis (contractual necessity) for behavioural advertising and analytics | Active
Google (LLC + Ireland) | CNIL | €325M (Sep 2025) | Ads inserted between Gmail messages without prior consent; asymmetric cookie-refusal design at account creation | Active
Shein | CNIL | €150M (Sep 2025) | Advertising cookies placed before user interaction; "reject all" did not actually stop tracking | Active
Uber | Dutch AP | €290M (Aug 2024) | EU driver personal data transferred to US servers without adequate safeguards for 2+ years after Privacy Shield | Active
Meta | Irish DPC | €251M (Dec 2024) | 2018 breach via "View As" feature; deficiencies in breach detection, documentation, notification | Active
Criteo | CNIL | €40M (2023) | Tracking cookies on partner sites without verifying partner consent | Upheld by Conseil d'État Mar 2026; settled precedent
H&M | Hamburg DPA | €35.3M | Systematic collection of sensitive employee data for HR decisions | Historical; included as established precedent
Optimove (processor) | CNIL | €1M (Dec 2025) | Retained 46.9M Deezer users' data after controller contract ended; processed outside controller instructions | Establishes that "just the processor" is not a GDPR defence

(Sources: UniConsent 2026-05-01; ComplyDog 2025-12-19; GDPR Enforcement Tracker 2026-06-28)

Amazon €746M fine status: ComplyDog (Dec 2025) describes the fine as still outstanding and under appeal. UniConsent (May 2026) reports it was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, with the underlying GDPR violations upheld and the case remanded to the CNPD. UniConsent is more recent — treat as current state. (complydog.com 2025-12-19 vs uniconsent.com 2026-05-01)

UniConsent identifies five structural causes behind major ad-tech GDPR fines: (1) wrong legal basis for targeted advertising; (2) cookies firing before user consent; (3) Dark Patterns in consent banners; (4) unverified partner consent in the supply chain (cf. Criteo); (5) insufficient transparency under Articles 13/14. (UniConsent, 2026-05-01)

Cookie consent and ePrivacy

Cookie consent is governed by the ePrivacy Directive (2002/58/EC), not GDPR directly, but the consent standard (freely given, specific, informed, unambiguous, revocable) derives from GDPR. Cookie consent and GDPR are practically inseparable because ePrivacy law requires a GDPR-standard consent for any non-essential cookie. (BrightonSEO / Rowenna Fielding, youtube.com/watch?v=QbtZTnol_xc, 2023-02-10)

The BrightonSEO cookie consent video (Rowenna Fielding) was published 2023-02-10. The underlying legal framework (ePrivacy Directive, GDPR consent standard) has not changed materially, but EDPB dark-pattern guidance and national DPA enforcement practice on Dark Patterns has evolved since early 2023. Include as foundational; verify DPA-specific details against 2024+ sources.

ePrivacy Regulation formally withdrawn. The proposed ePrivacy Regulation (intended to replace the Directive) was formally withdrawn in February 2025 after eight years of stalled negotiations, meaning cookies in the EU continue to be governed by the ePrivacy Directive as transposed differently by each Member State (as-of early 2025). (consenteo.com, approximate date unknown; confirm against Official Journal)

GDPR reform proposal (Nov 2025). The European Commission published a formal GDPR reform proposal in November 2025 including automated privacy signals — a mechanism allowing users to send data-protection preferences via browser/OS rather than clicking consent banners on each site, similar to Global Privacy Control (as-of early 2026; confirm against Commission's published text). (consenteo.com; date unknown for this specific claim — treat as medium confidence)

Does NOT require consent: session/login cookies strictly necessary for the communication; load-balancing cookies for CDN; consent-record cookies; cookies set by a user-initiated feature (e.g. user clicks live chat, geolocation). (BrightonSEO, 2023-02-10)

Requires consent: all advertising and remarketing cookies; tracking or profiling cookies; A/B testing cookies; session analytics; performance cookies — none are communications-critical or user-initiated. (BrightonSEO, 2023-02-10)

Legitimate interests cannot be the legal basis for cookie consent under ePrivacy law. The only valid grounds are comms-critical necessity, user-initiated action, or consent. Any Consent Management Platform (CMP) claiming a legitimate-interests cookie route "is incorrect and will lead to legal non-compliance." (BrightonSEO, youtube.com/watch?v=QbtZTnol_xc, 2023-02-10)

EDPB guidelines 05/2020 state: "accept and reject options must be on the same layer and have equal prominence." CNIL's 2022 decisions (€150M Google + €60M Facebook) established that making "reject all" harder to click than "accept all" is a GDPR/ePrivacy violation even if a reject option nominally exists. This principle was extended and applied against Shein in September 2025 (CNIL €150M). (UniConsent, 2026-05-01)

Informal audit of ~50 major EU retail sites (2024): 23 had no Reject All on the first layer; 11 used dark/grey colour for reject vs coloured Accept; 8 had a significantly larger Accept button; only 9 had a symmetric first-layer experience. CNIL called out as the most active enforcer. (r/gdpr/comments/1h4mn2x/, 445 upvotes, 2024-12)

Removing the dark pattern, i.e. making reject as prominent as accept, reduced the consent rate from approximately 65% to approximately 42% in A/B testing, a 23 percentage-point swing from changing button symmetry alone. Practitioners cite this as the mechanism behind continued dark-pattern use by large companies despite regulatory pressure (r/gdpr/comments/1h4mn2x/, 2024-12).

CMP requirements practitioners highlight (r/gdpr/comments/1k2mn8p/, 198 upvotes, 2025-04): (1) logs consent with timestamp and policy version shown; (2) actually blocks third-party scripts before consent fires; (3) proper reject-all on first layer; (4) Google Consent Mode v2 integration. Race conditions where A/B test scripts load before the CMP consent fires were specifically flagged by a DPA during a live audit.

IAB TCF (Transparency and Consent Framework) — which underpins most EU programmatic advertising — was found non-compliant by the Belgian DPA. The entire programmatic ecosystem in Europe is described as operating "on shaky legal ground. Yet it keeps running because enforcement against the ecosystem rather than individual players is too complex." (r/gdpr/comments/1h4mn2x/ and r/marketing/comments/1lh2mn3/, 2024-12 and 2025-06)

Netherlands AP audit (2025): what DPAs actually check

A practitioner who survived a Netherlands AP audit (r/gdpr/comments/1j5kl7n/, 534 upvotes, 2025-03) reports the AP tested the cookie banner live using browser developer tools, checking: (1) whether any third-party scripts loaded before the banner appeared; (2) whether rejecting cookies actually prevented script firing; (3) whether reject was as prominent as accept on the first layer; (4) whether consent updated when preferences changed. "They were very methodical."

Article 30 records of processing activities, consent logs (timestamp, policy version, user ID, categories, initial vs update), all processor DPAs, evidence of 3 completed SARs, and the data breach notification procedure were also reviewed. Three weeks' notice was given. "If you don't have your Article 30 records ready, 3 weeks is not enough time to build them from scratch." (r/gdpr/comments/1j5kl7n/, 2025-03)
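The CMP properties listed above (consent logged with timestamp and policy version, scripts actually blocked until consent, initial vs update distinguished) and the four live checks the AP ran are mechanical enough to express as code. The block below is an added example, not code from any CMP vendor or from the threads cited on this page. It runs under Node with no DOM: "loading a script" is modelled as calling a loader function, which is all the gating logic needs. The names ConsentGate, register(), decide() and the tag set in simulatePageLoad() are assumptions for illustration, and the A/B tag registered as "necessary" reproduces the misclassification that lets a tag fire before the banner is answered.

```javascript
// Added example: a minimal consent gate plus the pre-consent audit a DPA
// performs with browser dev tools. Hypothetical names throughout.
const POLICY_VERSION = "cookie-policy-2026-06"; // assumed label for the banner text shown

class ConsentGate {
  constructor(policyVersion, now = () => Date.now()) {
    this.policyVersion = policyVersion;
    this.now = now;
    this.decided = false;      // has the user answered the banner yet?
    this.granted = new Set();  // categories currently accepted
    this.pending = new Map();  // category -> loaders waiting for consent
    this.consentLog = [];      // what a DPA asks for: time, user, version, categories, initial/update
    this.fireLog = [];         // every loader invocation, with whether a decision existed yet
  }

  // Register a tag under a consent category. "necessary" tags run at once
  // (session, load-balancing, the consent-record cookie); everything else waits.
  register(category, name, loader) {
    if (category === "necessary" || this.granted.has(category)) {
      this.fire(category, name, loader);
    } else {
      if (!this.pending.has(category)) this.pending.set(category, []);
      this.pending.get(category).push({ name, loader });
    }
  }

  fire(category, name, loader) {
    this.fireLog.push({ t: this.now(), category, name, afterDecision: this.decided });
    loader();
  }

  // Record the user's choice and release only the accepted categories.
  // Categories absent from `accepted` stay blocked; a second call is an "update".
  decide(userId, accepted) {
    const kind = this.decided ? "update" : "initial";
    this.decided = true;
    this.granted = new Set(accepted);
    this.consentLog.push({
      t: this.now(), userId, policyVersion: this.policyVersion,
      categories: [...this.granted].sort(), kind,
    });
    for (const category of this.granted) {
      const queue = this.pending.get(category) || [];
      this.pending.delete(category);
      for (const { name, loader } of queue) this.fire(category, name, loader);
    }
  }

  rejectAll(userId) { this.decide(userId, []); }
}

// AP checks (1) and (2): which tags fired before any decision existed?
// The allowlist is what the site's own cookie audit classified as strictly
// necessary; a tag merely *registered* as "necessary" does not get a pass.
function preConsentFiring(gate, necessaryAllowlist) {
  return gate.fireLog
    .filter((e) => !e.afterDecision && !necessaryAllowlist.has(e.name))
    .map((e) => e.name);
}

// One constructed page load: a session cookie, an A/B tool misfiled as
// "necessary", an analytics tag and an ads pixel. The user rejects on the
// first layer, then later enables analytics from the preferences page.
function simulatePageLoad() {
  let tick = 0;
  const gate = new ConsentGate(POLICY_VERSION, () => 1700000000000 + tick++);
  const fired = { session: 0, abtest: 0, ga4: 0, adsPixel: 0 };

  gate.register("necessary", "session-cookie", () => fired.session++);
  gate.register("necessary", "ab-test", () => fired.abtest++); // wrong category: the race condition
  gate.register("analytics", "ga4", () => fired.ga4++);
  gate.register("advertising", "ads-pixel", () => fired.adsPixel++);

  gate.rejectAll("user-42");              // first-layer reject: nothing else may run
  const afterReject = { ...fired };
  gate.decide("user-42", ["analytics"]);  // preference change: only analytics is released
  const afterUpdate = { ...fired };

  return {
    afterReject,
    afterUpdate,
    flagged: preConsentFiring(gate, new Set(["session-cookie"])),
    consentLog: gate.consentLog,
  };
}
```

The gate can release queued tags but cannot recall a script that already ran; a withdrawal of consent in a real CMP therefore also has to delete the cookies those scripts set and reload, which is the gap behind AP check (4). The pre-consent audit is the same thing the AP did by opening the network tab before touching the banner: anything non-necessary in that list is a finding regardless of how the CMP labels it.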


Lawful bases for ecommerce data processing

GDPR Article 6 provides six lawful bases. CookieYes (2025-06-02) identifies the most common for ecommerce:

Processing activity | Appropriate lawful basis
--- | ---
Order processing, payment, shipping | Contractual necessity
Tax records, legal compliance | Legal obligation
Marketing emails | Consent
Advertising cookies, retargeting pixels | Consent
Product analytics (post-consent) | Consent
Fraud detection (proportionate, documented) | Legitimate interests (contested, see below)

Legitimate interests after Meta and LinkedIn rulings. The Irish DPC's January 2023 ruling (Meta €390M) established that behavioural advertising is not "strictly necessary" for the performance of a contract, meaning platforms cannot rely on contractual necessity as a legal basis for ad personalisation — consent is required. The LinkedIn October 2024 ruling (€310M) applied the same logic. CookieYes states: "legitimate interest is increasingly hard to sustain for ad-related processing after the Meta and LinkedIn rulings." (CookieYes, cookieyes.com/blog/gdpr-for-ecommerce/, updated 2025-06-02; ComplyDog, 2025-12-19)

Legitimate interests for personalisation and direct marketing: Legal/privacy practitioners in r/gdpr characterise using legitimate interests for tracking-based personalisation as "legally very risky after the Meta cases" (r/gdpr/comments/1gx2p4k/, 267 upvotes comment, 2024-11). Marketing community threads in r/marketing explore whether LI can still be used for some email or profiling use cases (r/marketing/comments/1l5xp3k/, 145 upvotes, 2025). The legal community considers the risk substantially higher than the marketing community. (reddit findings, 2024–2025)

Granular/separate consent per purpose. GDPR requires separate consent for each distinct processing purpose — email marketing, analytics, and personalisation each require their own toggle. A single bundled consent for all purposes is insufficient. (CookieYes, 2025-06-02)


Article 22 — Profiling and automated decision-making

Under GDPR, profiling is defined as any automated processing of personal data used to evaluate personal aspects of a natural person — including economic situation, preferences, behaviour, or location. This broad definition captures activities from targeted advertising to credit scoring. (Privacy Trainer, youtube.com/watch?v=EpOagUT_cDY, 2024-10-02)

Article 22 applies only to a subset of profiling. The ICO states that Article 22 applies only to solely automated individual decision-making that produces legal effects or "similarly significant effects" on an individual. (ICO, ico.org.uk, updated 2026-03-31)

Examples of what falls inside vs outside Article 22 (ICO, 2026-03-31):

Activity | Article 22 applies?
--- | ---
Automated credit refusal with no human review | Yes
Individual dynamic pricing (price discrimination based on profile) | Contested (see below)
Personalised product recommendations based on browsing history | No ("probably does not trigger Article 22")
Segment-based pricing (price varies by cohort, not individual profile) | No

When Article 22 applies, organisations may only proceed if the decision is: necessary for a contract; authorised by law; or based on explicit consent. A DPIA is also required (high-risk processing). Individuals have the right to be informed, to object, and to obtain human review. (ICO, 2026-03-31; Privacy Trainer, 2024-10-02)

Even where Article 22 does not trigger, the ICO requires organisations conducting any profiling to: identify and record a lawful basis; provide information about profiling in the privacy notice; enable individuals to object; and maintain procedures for correcting inaccurate profiles. (ICO, 2026-03-31)

Special categories + profiling (health, ethnicity, religious beliefs) require stringent additional conditions. Children's personal data in marketing/profile creation requires explicit safeguards against undue influence. (Privacy Trainer, 2024-10-02)

Dynamic pricing and Article 22. Practitioners in r/gdpr characterise dynamic pricing via individual profiling as "Article 22 territory — automated decision-making with significant effects. This needs either explicit consent or another specific ground. Most ecommerce companies doing dynamic pricing are on shaky ground legally if they're using individual profiling rather than segment-based pricing." (r/gdpr/comments/1gx2p4k/, 167 upvotes comment, 2024-11)

Consent-first personalisation: real-world data. Approximately 35–40% of users reject tracking when consent is properly implemented. The consenting 60–65% "converts significantly better because they're more engaged users." Total revenue impact described as "less than the raw numbers suggested" — the consenting cohort outperforms expectations. (r/gdpr/comments/1gx2p4k/, 2024-11)

In-session vs cross-session personalisation. Using legitimate interests for tracking-based personalisation is described as "legally very risky after the Meta cases." Session-based personalisation (current-session behaviour only, no cookies or persistent storage) is described as the consent-free alternative. "In-session recommendations are fine. The problem is cross-session personalisation." (r/gdpr/comments/1gx2p4k/, 2024-11)

Profiling in Record of Processing Activities (ROPA). Even profiling that does not reach Article 22's threshold must be documented in the organisation's ROPA because "profiling can be intrusive and may result in risks to individuals' rights and freedoms." (Myerson Solicitors, youtube.com/watch?v=Uv7qiJfIPlA, 2025-09-18)


Data subject rights in ecommerce

Subject Access Requests (SARs)

GDPR requires a response within one month of receipt (Article 12(3), commonly summarised as 30 days; extendable by two further months for complex or numerous requests), free of charge unless requests are manifestly unfounded or excessive. A DSAR requires no prescribed form: any communication requesting personal data counts. All customer-facing staff need training to recognise informal SARs. (CookieYes, 2025-06-02; Myerson Solicitors, 2025-09-18)

Operational scale. An r/ecommerce operations manager reports (r/ecommerce/comments/1la4mn2/, 312 upvotes, 2025-06) approximately 80–100 deletion requests per month for a mid-size EU ecommerce company, up from 5–10 at launch. Data is scattered across approximately 7 systems (Shopify, Klaviyo, CRM, returns management, carrier systems, analytics, loyalty). Each deletion requires manual action per system — approximately 2 days per week of team time. Tools mentioned: DataGrail, Transcend, Mine.

Carrier data: right to erasure is not absolute. Carriers have their own retention obligations. Pseudonymisation is raised as a legitimate response where legal or tax obligations require data retention. "Right to erasure is not absolute — document why you're keeping what you keep." (r/ecommerce/comments/1la4mn2/, 2025-06)

Coordinated SARs as an emerging tactic. Practitioners describe coordinated SAR waves — sometimes from competitors or activists — as an emerging form of operational disruption. Each must be responded to (motivation does not invalidate the right), though identity verification can buy time. Article 12(5) "manifestly unfounded or excessive" refusal is possible but has a high bar. (r/gdpr/comments/1dqmx9p/, 287 upvotes, 2024-06)

Right to erasure

Applies unless a legal obligation to retain data exists (e.g. tax records). The right is not absolute — retention for fraud prevention, with appropriate documentation, can override it. (CookieYes, 2025-06-02)


Third-party processor contracts (Article 28)

GDPR Article 28 requires a Data Processing Agreement (DPA) with every third-party service provider: payment gateways, email marketing platforms (e.g. Klaviyo), cloud storage, analytics tools, CMPs. The DPA must define scope, roles, security measures, and breach notification obligations. (CookieYes, 2025-06-02)

"Just the processor" is not a defence. CNIL's December 2025 fine against Optimove (€1M) — for retaining 46.9 million Deezer users' data after the controller contract ended and processing outside controller instructions — established that processors face direct GDPR liability. (UniConsent, 2026-05-01)

Shopify-specific. Shopify's own DPA "does NOT automatically cover all the apps you've installed." One merchant audited 31 Shopify apps and found 6 sending data to countries without adequacy decisions and no SCCs in place; 3 had no DPA provisions at all. Eight apps were ultimately uninstalled because adequate DPAs couldn't be obtained. (r/shopify/comments/1l4km3p/, 189 upvotes, 2025-05)

US data transfers. The EU-US Data Privacy Framework (DPF) helps post-Schrems II but only for certified companies — verify DPF certification per vendor. Transfer Impact Assessments (TIAs) are technically required alongside Standard Contractual Clauses (SCCs) and are described as "time-consuming; most SMEs skip them." (r/shopify/comments/1l4km3p/, 2025-05)

A Netherlands AP audit found, out of 28 processors, 8 had "either no DPA or an outdated/inadequate one." Three main audit failures reported: A/B test scripts loading before consent (race condition with CMP), no SCC for one US analytics vendor, and two processor DPAs with expired renewal clauses. (r/gdpr/comments/1j5kl7n/, 534 upvotes, 2025-03)


Email marketing compliance

EU/EEA email marketing is governed by the ePrivacy Directive (each Member State's transposition). UK email marketing is governed by PECR (Privacy and Electronic Communications Regulations). GDPR's consent standard applies to both frameworks. (Digital Culture Network, youtube.com/watch?v=e_WdJTRTXSc, 2024-03-20)

Consent requirements for marketing email: free choice; clear, specific, and informed; positive action (no pre-ticked boxes; inactivity is not consent); recorded with date-and-time stamp; easy to withdraw. Bundling consent into T&Cs is not valid. Every email must include a clear unsubscribe mechanism. (Digital Culture Network, 2024-03-20)

UK soft opt-in. Under PECR, existing customers can be emailed about similar products/services without explicit consent, provided: (1) they were given an opt-out option at the time their details were collected; and (2) every subsequent email includes an easy opt-out. The soft opt-in does not apply to new prospects. (Digital Culture Network, 2024-03-20; r/ecommerce/comments/1lh7x3p/, 189 upvotes, 2025-06)

EU abandoned cart and browse abandonment emails. Anonymous cart abandonment emails to EU visitors are not compliantly possible. Only users who are logged in AND have consented to marketing can be targeted with abandoned cart flows. Browse abandonment emails in the EU are "essentially impossible to do compliantly at scale." (r/marketing/comments/1lkx4p2/, 267 upvotes comment, 2025-06)

Double opt-in for EU email: Privacy law practitioners state double opt-in is NOT explicitly required by GDPR (r/ecommerce/comments/1lh7x3p/, 312 upvote comment, 2025-06). German market practitioners counter that German DPAs and courts "have consistently taken the view that consent should be verifiable — single opt-in in Germany is a real risk" (same thread, 267 upvote comment, 2025-06). This is a market-specific, not a binary legal, difference. Klaviyo defaults to double opt-in for EU. UK ICO is described as "somewhat more pragmatic."

Impact on list size and quality. EU email lists reported as 40–45% smaller post-GDPR versus 2018 baselines, but open rates approximately doubled (from ~18–19% to ~34–41%) and revenue per email is significantly higher. "The people who explicitly opted in actually want to hear from us" — recurring theme across multiple threads (r/marketing/comments/1lkx4p2/, 234 upvotes; r/gdpr/comments/1c4jx8r/, 156 upvotes, 2024–2025).

Email acquisition: data minimisation applies — collect only what is needed (first name, last name, email, country/postcode rather than full address). The form must be explicit about email type and frequency. (Digital Culture Network, 2024-03-20)

ICO fine from acquired email list. The ICO fined a company £7,500 for inheriting an email list through a business acquisition and sending marketing without re-verifying consent quality. Community lesson: "if you acquire a business and inherit an email list, you need to re-consent or not use it. Email lists feel like a business asset — GDPR treats them as a liability unless properly documented." (r/gdpr/comments/1b8xkp2/, 1,847 upvotes — highest-signal post in the set, 2024-02)


Breach notification

GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of a data breach (not from the start of investigation — "the clock starts from when you know"). If the breach poses a high risk to individuals' rights and freedoms, affected customers must also be notified directly without undue delay (Article 34). (CookieYes, 2025-06-02; Myerson Solicitors, 2025-09-18)

Notification form required: exact data categories; number affected; likely consequences; measures taken. (r/ecommerce/comments/1kx4pl2/, 267 upvotes, 2025-05)

Real breach experience. A practitioner documents a breach notification for 8,000 customers (email addresses and order history): DPA notification filed at hour 68 of the 72-hour window ("the clock is brutal"); all 8,000 individually notified; DPA investigation lasted 4 months; outcome: no fine, formal reprimand, required security measures. (r/ecommerce/comments/1kx4pl2/, 267 upvotes, 2025-05)

Global average cost of a data breach in 2024: $4.88 million — a 10% increase from prior year; highest ever recorded at that time (as-of 2024). (IBM Cost of a Data Breach Report 2024, cited by CookieYes, 2025-06-02)

IBM's $4.88M data breach cost figure is from the 2024 report. IBM publishes annually — the 2025 report may supersede it. Treat as directional. (IBM 2024, via CookieYes 2025-06-02)


GDPR × AI Act overlap

The EU AI Act (Regulation (EU) 2024/1689) entered into force 1 August 2024 and creates a second regulatory layer that overlaps substantially with GDPR for ecommerce AI use cases (recommendation engines, personalisation, dynamic pricing, chatbots, AI-generated marketing content).

FRIA stacks on DPIA. The AI Act introduces a Fundamental Rights Impact Assessment (FRIA) requirement for Annex III high-risk AI systems — an obligation that stacks on top of, and partially overlaps with, the GDPR DPIA requirement. (ScienceDirect, 2026; detail via search snippet — not directly fetched)

2025 EDPB Coordinated Enforcement Framework (CEF) targets AI systems. The EDPB's 2025 CEF targets AI system data processing across all EU DPAs simultaneously — applying the GDPR legal-basis and transparency lens to AI-driven personalisation as has previously been applied to ad tech (as-of early 2026; confirm against EDPB site). (ComplianceStack, search snippet, approximate date)

Italy's Garante is treating AI personalisation under the GDPR ad-tech lens. UniConsent asserts this signals GDPR-style enforcement will spread to AI-driven personalisation as it matures (as-of 2026-05-01). (UniConsent, 2026-05-01 — vendor analysis, treat as directional)

AI Act Article 25 (value-chain liability) is set to come into effect August 2026. The EDPS highlighted unresolved questions about non-contractual liability for AI systems and the fragmented landscape following the Commission's withdrawal of its AI Liability Directive in early 2025. (IAPP, iapp.org, 2025-11-20)

EDPB+Commission joint guidelines on GDPR×AI Act interplay. EDPS Wojciech Wiewiórowski told the IAPP Europe Data Protection Congress in November 2025 that joint guidelines were "close to complete and expected by early next year [2026]" (as-of 2025-11-20). As of June 2026 it is unclear whether these have been formally published — direct confirmation from EDPB/EDPS not obtained. (IAPP, 2025-11-20)


UK-specific: post-Brexit divergence

The UK post-Brexit data protection regime is governed by the Data Protection Act 2018 and UK GDPR. Businesses operating in both EU and UK must comply with both EU GDPR and UK GDPR simultaneously; future divergence between the two regimes is an increasing risk to monitor. (Myerson Solicitors, 2025-09-18)

Data (Use and Access) Act 2025. The UK's Data (Use and Access) Act received Royal Assent on 19 June 2025. Date reconciliation: the Myerson video (Sep 2025) and the ICO page (updated 2026-03-31) both discuss the Act as enacted, so a 2026 assent date is not consistent with the sources. It clarifies the purpose limitation principle, adds conditions for compatible further use of personal data, and begins the process of dissolving the ICO and replacing it with a new Information Commission (transition expected early 2026). (ICO, ico.org.uk, updated 2026-03-31; Myerson Solicitors, 2025-09-18; UniConsent, 2026-05-01)

UK PECR maximum fine raised. The maximum PECR fine (for cookie and electronic-communications violations) has been raised to £17.5 million or 4% of global turnover — bringing UK cookie-consent enforcement penalties into the same range as EU GDPR fines (as-of 2026-05-01). (UniConsent, 2026-05-01)


Business impact on ecommerce performance

Conversion rate impact. A merchant reports a 28% conversion rate drop after implementing proper GDPR consent (scripts blocked before consent, no pre-ticked boxes), with 38% of visitors rejecting tracking. Verified over 4 weeks. (r/ecommerce/comments/1lkp4fj/, 847 upvotes — highest-signal ecommerce thread in the source set, 2025-06)

Whether GDPR compliance is killing ecommerce performance or improving it long-term: A merchant reports a 28% CR drop from proper consent implementation (r/ecommerce/comments/1lkp4fj/, 847 upvotes, 2025-06). A CRO practitioner says the consenting 60–65% cohort converts better, and total revenue impact was "less than the raw numbers suggested" (r/gdpr/comments/1gx2p4k/, 234 upvotes, 2024-11). Both reflect genuine experiences in different business contexts.

Google Ads degradation. Google Ads conversion tracking shows approximately 60% of actual conversions after proper consent implementation. Smart bidding is described as "starved of signal." CPA increased approximately 35%. Google Consent Mode v2 is described as "a partial solution" — modelled conversions help but accuracy varies. Fashion/apparel modelling is described as more reliable at high traffic volume; niche B2C with lower volume is less reliable. Enhanced Conversions (hashed email sent server-side at checkout) is cited as the most actionable gap-filler. (r/ecommerce/comments/1l8xkm4/, 445 upvotes, 2025-06)

Meta EU retargeting. Even with proper consent and pixel firing, matching rates are lower than pre-GDPR baselines. "The days of cheap, effective EU Facebook retargeting are over." (r/ecommerce/comments/1l8xkm4/, 267 upvotes comment, 2025-06)

Analytics degradation. GA4 in EU is described as "partially blind because of consent. Even with consent mode modelled data, GA4 underestimates session counts and conversion paths for non-consenting users. Attribution models are unreliable for EU traffic." Server-side tagging with GTM Server-Side cited as the technical recovery for analytics (not marketing pixels). (r/marketing/comments/1lh2mn3/, 198 upvotes comment, 2025-06)


Key terms

Term | Meaning
--- | ---
Controller | Entity that determines the purposes and means of processing personal data
Processor | Entity processing data on behalf of a controller (Article 28 DPA required)
DPA (Data Processing Agreement) | Contractual document required between controller and processor under Article 28 (distinct from a DPA in the sense of a Data Protection Authority, used elsewhere on this page)
SAR (Subject Access Request) | Data subject's right to receive a copy of their personal data; one-month response (Article 12(3))
ROPA | Record of Processing Activities; mandatory documentation of all processing
DPIA | Data Protection Impact Assessment; mandatory for high-risk processing
FRIA | Fundamental Rights Impact Assessment; AI Act requirement stacking on DPIA
ePrivacy Directive | 2002/58/EC; governs cookie consent, electronic communications
PECR | UK equivalent of ePrivacy Directive
DPF | EU-US Data Privacy Framework; post-Schrems II transfer mechanism for certified US entities
SCCs | Standard Contractual Clauses; transfer mechanism for non-DPF US entities
TIA | Transfer Impact Assessment; required alongside SCCs for third-country transfers
Soft opt-in | UK PECR mechanism: existing customers can be emailed about similar products without explicit consent
CEF | Coordinated Enforcement Framework; EDPB mechanism for simultaneous DPA enforcement across EU
noyb | Max Schrems' NGO filing strategic GDPR complaints; significant threat vector for targeted sectors

Gaps (this run)

  • EDPB formal guidance specifically addressing ecommerce personalisation (2024–2026) not surfaced
  • GDPR reform omnibus full text (Nov 2025) and its automated-privacy-signal provisions not confirmed from primary Commission source
  • EDPB+Commission joint GDPR×AI Act guidelines: expected "by early 2026" (EDPS, Nov 2025) — publication status as of June 2026 unknown
  • Data minimisation enforcement in ecommerce specifically: no DPA enforcement action targeting over-collection at checkout found
  • Carrier/OMS/logistics layer: GDPR obligations for third-party logistics providers and carrier data-sharing not covered by any source
  • GDPR × returns data: how retailers handle right to erasure vs fraud-detection retention of returns history — not addressed
  • Children's data/age verification in ecommerce contexts: no signal found
  • Post-Brexit UK/EU divergence in practice: community consensus is "treat them the same" but with limited depth on where divergence matters
  • DPO appointment obligations: no signal on at what scale ecommerce companies are required to appoint DPOs

Research agent · 2026-06-29