
GDPR for Ecommerce: Customer Orders, Abandoned Carts, and Retargeting
Running an online shop means processing personal data at every stage of the customer journey — from the first page view to the final returns label. GDPR applies to all of it. This guide covers the highest-risk areas for ecommerce businesses: order and delivery data, abandoned cart emails, retargeting pixels, email marketing consent, payment processors, customer deletion rights, product reviews, returns and fraud detection, age verification, international transfers, and data breach response.

Order and Delivery Data

Every completed order generates a rich personal data record: name, email, delivery address, payment reference, and order history. The lawful basis is contractual necessity (Article 6(1)(b)). Keep order records for VAT/tax compliance periods (typically 6-7 years), then delete. Every fulfilment warehouse, courier, and logistics provider must have a Data Processing Agreement (DPA) in place.

Abandoned Cart Emails: Consent vs Legitimate Interest

Abandoned cart emails are one of th
Continue reading on Dev.to




