GDPR and your webshop - what does the law require?
Since May 25, 2018, the GDPR has set the framework for how all businesses in the EU must process personal data. For you as a webshop owner, this means that you have legal responsibility for the personal data your customers provide - name, address, email, payment details and more.
Violations can lead to fines of up to 20 million euros or 4% of the company's global annual turnover. But the vast majority of requirements can be met with the right platform and thoughtful processes.
Cookie consent and Consent Mode v2
The EU ePrivacy Directive requires you to obtain active consent from visitors before setting cookies other than strictly necessary ones. Your webshop must have a cookie consent banner that clearly explains the types of cookies you use and allows visitors to opt-in or opt-out. Consent must be voluntary, informed and specific.
With Consent Mode v2, Google has introduced a standard that adapts the behavior of Google services based on consent. When a visitor declines marketing cookies, Consent Mode v2 still sends anonymized pings - but without personally identifiable data.
In Shoporama, cookie consent with Consent Mode v2 is included by default. No third-party plugins, no configuration.
Privacy policy
Every online store must have a privacy policy that describes how you collect, process and store personal data. As a minimum, it should include:
- Who is the data controller (company name, CVR, contact details)
- What types of personal data you collect
- The purpose of the data processing
- The legal basis (consent, contract, legitimate interest)
- Who you share data with
- How long you keep data for
- Customer rights (access, rectification, erasure, portability)
- Contact details for the Danish Data Protection Agency
Data processing agreements
When you use external services to process customer data - payment gateway, shipping company, email system - you are obliged to enter into a data processing agreement with each supplier (GDPR Article 28).
For platforms with many third-party apps, you should in principle have an agreement with each app provider. In Shoporama, the data processing agreement is available directly in the admin. Because Shoporama is an integrated platform without third-party apps with independent data management, you only need one data processing agreement. See the difference to Shopify.
Server-side tracking and GDPR
Traditional client-side tracking is vulnerable to adblockers and cookie restrictions - you can lose 30-40% of your conversion data. Server-side tracking moves the data management to your server, giving full control over what data is shared.
From a GDPR perspective, server-side tracking is advantageous: better control over data flow, data is only shared with consent, and the risk of accidental sharing is minimized.
Shoporama offers server-side tracking as an add-on for 89 kr/month.
Customer data: access, deletion and portability
The GDPR gives your customers these rights:
- Right of access - the customer can ask to see all recorded data. Reply within 30 days.
- Right to rectification - errors in data must be corrected without delay.
- Right to erasure - the "right to be forgotten" (with the exception of e.g. bookkeeping obligations).
- Right to data portability - data in a structured, machine-readable format.
- Right to object - against direct marketing.
In Shoporama, all customer data is gathered in one place in the admin, making it easy to comply with requests.
GDPR checklist for merchants
- Cookie consent - Do you have a banner that collects active consent? Is Consent Mode v2 implemented?
- Privacy policy - Updated and accessible from all pages?
- Data processing agreements - Signed with all suppliers that process personal data?
- Newsletter consent - Explicit consent with double opt-in?
- SSL certificate - HTTPS on all pages?
- Data retention - Data within the EU?
- Access requests - Procedure to handle within 30 days?
- Record of processing activities - Documented?
- Data breach - Plan for notifying the Danish Data Protection Agency within 72 hours?
- Checkout - Only necessary personal data?
- Tracking - Do scripts respect user consent?
- Employees - Instructed in proper data handling?
How Shoporama helps you with GDPR
- Cookie consent with Consent Mode v2 - included, automatically integrated
- Data hosted in the EU - no international transfers
- Data processing agreement directly in admin - electronic signature
- No third-party apps with independent data management - only one data processor
- Server-side tracking - extra charge 89 kr/md, fully GDPR compliant
- SSL certificate - included on all webshops
- Unified customer data management - all data in one place in the admin
See all features and prices.
Conclusion
GDPR compliance is a legal requirement, but it doesn't have to be complicated. Ensure cookie consent, privacy policy, data processing agreements and respect for customer rights. Use the checklist above as a starting point.
Shoporama is designed to make GDPR compliance simple. With built-in cookie consent, EU hosting, electronic DPA, and server-side tracking options, you have a solid foundation to build on.
GDPR checklist: Shoporama vs. your task
| Requirements | Status at Shoporama | Your task |
|---|---|---|
| Cookie consent | Included with Consent Mode v2 | Enable in admin |
| SSL certificate | Included on all webshops | None - automatic |
| Data Processing Agreement | Ready in admin for electronic signature | Sign the agreement |
| Privacy policy | You must write it yourself | Create page with your policy |
| Data hosted in the EU | Yes - Danish servers | None - Danish servers |
| Server-side tracking | Purchase (89 kr/md) | Activate if desired |
| Right to insight/deletion | Customer data unified in admin | Handle requests within 30 days |
| Consent to newsletters | Double opt-in available | Set up proper consent flow |
| Inventory of processing | Not automatic | Document yourself |
| Plan for data breaches | Shoporama handles platform security | Have a plan for notification within 72 hours |
Also read about no transaction fee online store or find the best online store platform.
Frequently asked questions
What does the GDPR require of my online store?
You must have cookie consent, privacy policy, data processing agreements with all suppliers, and be able to handle customer rights of access, rectification, and deletion within 30 days.
Does Shoporama have GDPR compliance built in?
Yes, partially. Cookie consent with Consent Mode v2 is included. Data Processing Agreement can be signed electronically in admin. Data is hosted in the EU. Server-side tracking is optional (89 kr/md).
What is Consent Mode v2?
Google's standard for customizing tracking based on user consent. When a visitor declines cookies, anonymized data is sent to Google - without personally identifiable information. Included in Shoporama.
Try Shoporama free for 30 days and experience GDPR compliance out of the box. No credit cards, no strings attached.