Data Privacy in European Ecommerce

Data Privacy Laws

With the US embroiled in data privacy scandals, European governments plan on revisiting their data governance laws. These types of legal changes affect all ecommerce merchants. But the problem is not just one of legal compliance. According to Forrester Research, ecommerce companies must also balance how they use technology to drive revenue with how they design the optimal customer experience.

“… all companies dealing with European customers, not just European firms, should see the reform of the European Data Protection Directive as an inflection point for their data governance practice.” – via Forrester Research: EU Regulations And Public Opinion Shift The Scope Of Data Governance

Ecommerce Situations Impacted by Data Privacy Laws

Either way, whether it means complying with revised laws or consumer expectations, software merchants who sell to European customers will have to revisit how they:

  • Obtain consent to collect private data
  • Use private data to send commercial emails
  • Use private data to save an abandoned cart

The most important thing to remember is that as an ecommerce business, you must obtain the consent of your prospect or customer to collect data and use it. In other words:

  • Do you have permission to collect and store certain data?
  • Do you have permission to use that data to market other products to them?

But what does consent look like? It depends on the situation. For example, merchants obtain permission to drop cookies on a user’s browser one way, permission to process a customer’s payment information in another way, and permission to send that customer a newsletter in yet a third way.

Consent to drop cookies

According to certain European legislation, the collection of personal information requires a user’s consent. Unlike jurisdictions where simply providing a link to a Terms & Conditions page is enough, here tracking a user who visits a website is generally prohibited without consent. However, creating visitor profiles is possible if the user:

      • Is made anonymous
      • Can opt-out
      • Is informed in the privacy policy
      • Does not have anonymous data combined with transaction data

Nevertheless, there are places where even this is not enough. In the UK, for example, websites that drop cookies on their visitors’ browsers must inform them immediately upon entering and obtain express consent to drop cookies. Asos is a good example of a UK merchant that takes compliance seriously.

[Image: Asos express consent to drop cookies on a UK website]

Consent to send email

Email marketing is important for offering promotions and content marketing. But if a customer wants to buy a product and the merchant places an opt-out checkbox for a newsletter somewhere on the payment submission form, does that signify consent? Or do vendors need to provide users a double opt-in process in order to send customers newsletters?

As we said before, it’s not just the data collection that is problematic. The way that collected data is used can also be problematic. So who are you allowed to email? This again touches on the issue of consent, and it’s important that the people you send emails to have expressed their voluntary consent in the clearest way possible. This is why double opt-ins are the way to go.

Double Opt-In Process

Remember, this is the age of the customer, the era of experience. Don’t just fulfill the law; go the extra mile to deliver awesome-sauce service to your customers.

In general, however, if you can record the following things, they can serve as proof of consent:

      • Time of registration
      • IP address of notifying party
      • Content of confirmation email
      • Time of confirmation
      • IP address of confirming party
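The double opt-in flow above, as an added example that is not part of the original post: an in-memory register that captures the five proof-of-consent items listed (registration time and IP, the confirmation email as sent, confirmation time and IP) and treats an address as mailable only once the confirmation half exists. The 48-hour token lifetime and the confirmation URL are assumptions for the example.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed example: an in-memory double opt-in register. A real
# deployment would persist these records, since they are the proof of consent.
CONFIRM_WINDOW = timedelta(hours=48)                 # assumed token lifetime
CONFIRM_URL = "https://shop.example/confirm?token="  # placeholder URL


class DoubleOptIn:
    def __init__(self):
        self.pending = {}    # token -> registration half of the record
        self.consents = {}   # email -> completed consent record

    def register(self, email, ip, now=None):
        """Step 1: the visitor submits the form. Send a confirmation email
        and record when, and from which IP, the request came."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)          # unguessable, single use
        body = ("Please confirm your subscription by visiting "
                f"{CONFIRM_URL}{token}")
        self.pending[token] = {
            "email": email,
            "registration_time": now.isoformat(),
            "registration_ip": ip,
            "confirmation_email": body,            # keep what was actually sent
        }
        return token

    def confirm(self, token, ip, now=None):
        """Step 2: the link is clicked. Consent exists only after this
        completes; unknown, reused or expired tokens record nothing."""
        now = now or datetime.now(timezone.utc)
        rec = self.pending.pop(token, None)        # pop makes the token single use
        if rec is None:
            return None
        sent = datetime.fromisoformat(rec["registration_time"])
        if now - sent > CONFIRM_WINDOW:
            return None
        rec["confirmation_time"] = now.isoformat()
        rec["confirmation_ip"] = ip
        self.consents[rec["email"]] = rec
        return rec

    def may_email(self, email):
        """Only addresses with a completed record may receive commercial email."""
        return email in self.consents
```

Form submission alone never makes an address mailable here; the record that would be shown as proof of consent is the one returned by `confirm`.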

Abandoned cart emails

Retargeting website visitors who start the checkout process but do not complete it is an important conversion optimization tactic. Often retargeting is done through advertisements or emails.

The problem with retargeted emails is that under certain European legislation the email address is private information, which means you cannot use it for commercial messages without express consent.

An alternative to using emails to save abandoned carts is to use a “Don’t leave” pop-up page with a coupon code.

[Image: “Don’t Leave!” pop-up layer with a coupon code]

Another alternative to persuade customers to complete the checkout process and submit payment is to have a pop-up chat page, as Parallels has done.

[Image: Cart abandonment save tactic]

Fines and penalties

If you’re not persuaded to revisit your data governance practices yet, consider the steep penalties. Fines for collecting or using data in a forbidden manner can cost hundreds of thousands of dollars per violation or a cut of a company’s revenue every year. As we said before, it’s also not just an issue of breaking the law; it’s also about eroding customer confidence.

The Internet has facilitated global trade like never before. It has also facilitated collecting and using private data like never before. Understand and implement protection for a number of data collection and usage scenarios across the globe.

Daniela Hagen contributed to this blog post