GDPR cookie consent for ecommerce
GDPR & UK GDPR consent guide for ecommerce covering lawful bases, banner patterns, DNT/GPC handling, DSAR logging, Shopify/Woo/Next.js setup, and audit tips.
This playbook translates GDPR & UK GDPR consent requirements into practical ecommerce steps. Treat it as operational guidance only; always validate with privacy counsel. Use the GDPR & UK GDPR Generator to create your first policies and consent logs.
Document each consent state with the GDPR & UK GDPR Generator; you’ll need those logs for VAT/GDPR joint audits.
Pair this guide with French & German packaging so DSA footers and privacy disclosures stay consistent.
Lawful bases
| Processing | Recommended basis | Next action | Linked tool |
|---|---|---|---|
| Analytics & ads | Explicit consent | Block scripts until consent stored | GDPR & UK GDPR Generator |
| Transactional emails | Legitimate interest | Document balancing test | EU compliance checklist |
| Fraud/security | Legitimate interest | Describe safeguards in privacy policy | EU market quick start |
| Personalization | Consent | Provide per-feature toggles | EU compliance FAQ |
Consent vs legitimate interest
Consent-required processing
- Examples: Analytics (GA4, Meta Pixel, TikTok), advertising, personalization.
- Notes: Store the consent ID + timestamp before firing scripts.
Legitimate interest processing
- Examples: Transactional emails, fraud prevention, security logging.
- Notes: Run balancing tests and provide an opt-out mechanism.
UK GDPR nuances
Divergence points
- Controls: ICO expects separate UK consent storage; don’t rely solely on EU logs.
- Notes: Keep cookie copy localized (EN/FR/DE/ES) if targeting multiple regions.
Data residency
- Controls: Host consent logs in GDPR-aligned regions or provide SCCs.
- Notes: Mirror DSAR portals for EU and UK data subjects.
Consent banners
Banner patterns
Explicit opt-in
- Anatomy: Accept all, Reject all and Manage preferences buttons.
- Notes: Provide granular toggles for necessary vs analytics vs marketing.
Contextual messaging
- Anatomy: Mention VAT/checkout implications (“we store VAT evidence”).
- Notes: Link to the privacy policy and the EU compliance FAQ.
Cookie categories & common tools
| Category | Purpose | Example tools | Consent requirement |
|---|---|---|---|
| Essential | Cart, checkout, security | Platform cookies, fraud tools | No consent, disclose purpose |
| Analytics | Traffic insights | GA4, Matomo, PostHog | Explicit opt-in before firing |
| Marketing | Retargeting, personalization | Meta Pixel, TikTok, Klaviyo | Explicit opt-in; allow per-network toggles |
| Functional | Chat, localization | Crisp, Intercom, Weglot | Usually consent; can rely on legitimate interest with opt-out |
Do Not Track vs consent
Browser signals
Handling DNT
- Implementation: Respect `navigator.doNotTrack === "1"`; default to denied unless the user overrides.
- Steps: Document the fallback inside the CMP export.
Global Privacy Control
- Implementation: Parse the `Sec-GPC` header in Next.js middleware and pre-set consent to “no”.
- Steps: Provide a modal letting the user upgrade consent later.
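The DNT and GPC handling above, as an added example that is not code from this guide: a framework-agnostic function that turns the `Sec-GPC` header (server side, e.g. in Next.js middleware) or `navigator.doNotTrack` (client side) into the CMP's starting state, keeps an explicit user decision ahead of the signal so the user can upgrade later, and records the signal plus the decision for the consent log. Record shapes, the `storedDecision` object and the category names are assumptions.

```javascript
// Added example, not code from the guide: derive the CMP's starting consent
// state from browser privacy signals. Framework-agnostic, so the same function
// runs in Next.js middleware (Sec-GPC header) and in the client (doNotTrack).
// Record shapes and category names are assumptions.

const NON_ESSENTIAL = ["analytics", "marketing", "functional"];

// Sec-GPC is only a valid opt-out signal when its value is exactly "1".
// navigator.doNotTrack is "1" in most browsers; older Safari/IE used "yes".
function parsePrivacySignals({ secGpc, doNotTrack }) {
  return {
    gpc: secGpc === "1",
    dnt: doNotTrack === "1" || doNotTrack === "yes",
  };
}

// Returns the state the banner starts from, plus the signals seen and the
// source of the decision, so signal and decision both reach the consent log.
// storedDecision is an earlier explicit choice (e.g. parsed from the CMP
// cookie) or null when the user has not answered the banner yet.
function initialConsentState({ secGpc = null, doNotTrack = null, storedDecision = null, now = new Date() }) {
  const signals = parsePrivacySignals({ secGpc, doNotTrack });
  const allDenied = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));

  // An explicit, logged user choice wins: the user may upgrade consent later
  // even though the browser keeps sending GPC/DNT.
  if (storedDecision && storedDecision.source === "user") {
    return {
      categories: { essential: true, ...allDenied, ...storedDecision.categories },
      source: "user", signals, recordedAt: storedDecision.recordedAt,
    };
  }
  // A privacy signal pre-sets every non-essential category to denied.
  if (signals.gpc || signals.dnt) {
    return {
      categories: { essential: true, ...allDenied },
      source: signals.gpc ? "gpc" : "dnt", signals, recordedAt: now.toISOString(),
    };
  }
  // No signal and no answer yet: nothing non-essential fires until the banner is answered.
  return { categories: { essential: true, ...allDenied }, source: "pending", signals, recordedAt: now.toISOString() };
}

// Server-side entry point: `headers` is anything with a Fetch-style get(),
// such as request.headers in Next.js middleware.
function initialConsentFromHeaders(headers, storedDecision = null) {
  return initialConsentState({ secGpc: headers.get("sec-gpc"), storedDecision });
}
```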
Server-side rendering considerations
Hydration timing
- Steps: Delay script injection until the CMP state is resolved on both server and client.
- Notes: Cache per-locale banners to avoid showing the wrong language.
Edge vs node runtimes
- Steps: Limit heavy CMP logic on the edge; use flags via the Readiness Check config to avoid latency.
- Notes: Always sanitize cookies before hitting third-party APIs.
Implementation notes
Shopify
Must-dos:
- Enable the Customer Privacy API and block scripts in the theme until consent is stored.
- Use Shopify Flow/Webhooks to log DSAR events.
Nice-to-haves:
- Sync consent IDs into your CRM for marketing segmentation.
- Stagger scripts for EU vs rest-of-world with the Geolocation app.
WooCommerce
Must-dos:
- Use CMP plugins (Complianz, Cookiebot) with auto-block features.
- Log consent decisions into WordPress database tables.
Nice-to-haves:
- Mirror consent per subsite if running WP Multisite.
- Store DSAR history in Help Scout/Zendesk for SLA audits.
Custom Next.js
Must-dos:
- Implement middleware hooking into the GDPR basics snippet to check cookies before rendering.
- Delay third-party script tags until the CMP context reports `consented === true`.
Nice-to-haves:
- Serve the localized CMP from the `NEXT_LOCALE` cookie; reference the EU market quick start.
- Stream DSAR dashboard events to security incident tooling.
Consent monitoring
Daily tasks
Banner QA
- Verify the banner loads per locale/device; screenshot evidence weekly.
- Confirm reject-all truly blocks analytics.
DSAR queue
- Monitor the SLA timer; respond within 30 days.
- Log the fulfillment method (export, deletion) with a timestamp.
Weekly tasks
Policy sync
- Sync privacy policy updates with the DSA footer from French & German packaging.
- Share changes with finance so VAT invoices reference the latest policy.
CMP audit
- Compare CMP logs vs server logs; investigate mismatches.
- Export summaries for the compliance steering committee.
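The CMP-vs-server-log comparison above, and the audit records listed in the FAQ (consent ID, timestamp, versioned policy, locale, proof that non-essential scripts were blocked pre-consent), as an added example that is not code from this guide: it joins a CMP export to server-side tag-fire events by consent ID and flags every non-essential fire that has no consent record, fired before the consent was recorded, or belongs to a category the user did not grant (the reject-all leak the Banner QA checklist asks you to confirm). All record shapes and sample rows are constructed.

```javascript
// Added example, not code from the guide: reconcile a CMP consent export
// against server-side tag-fire logs to find non-essential scripts that ran
// without matching consent. Record shapes and every sample row are constructed.

// Constructed CMP export: ID, timestamp, versioned policy copy, locale, categories.
const consentLog = [
  { consentId: "c-001", recordedAt: "2024-05-01T10:00:00Z", locale: "de-DE", policyVersion: "2024-04",
    categories: { analytics: true, marketing: false, functional: true } },
  { consentId: "c-002", recordedAt: "2024-05-01T10:05:00Z", locale: "en-GB", policyVersion: "2024-04",
    categories: { analytics: false, marketing: false, functional: false } }, // reject-all
];

// Constructed server log: each tag fire carries the consent ID it was gated on.
const serverEvents = [
  { eventId: "e-1", consentId: "c-001", category: "analytics", vendor: "GA4", firedAt: "2024-05-01T10:00:30Z" },
  { eventId: "e-2", consentId: "c-001", category: "marketing", vendor: "Meta Pixel", firedAt: "2024-05-01T10:01:00Z" },
  { eventId: "e-3", consentId: "c-002", category: "analytics", vendor: "GA4", firedAt: "2024-05-01T10:06:00Z" },
  { eventId: "e-4", consentId: "c-001", category: "analytics", vendor: "GA4", firedAt: "2024-05-01T09:59:00Z" },
  { eventId: "e-5", consentId: "c-999", category: "functional", vendor: "Crisp", firedAt: "2024-05-01T10:07:00Z" },
  { eventId: "e-6", consentId: "c-002", category: "essential", vendor: "checkout", firedAt: "2024-05-01T10:06:00Z" },
];

// Classify every event as "ok" or as the kind of mismatch to investigate.
function reconcile(consents, events) {
  const byId = new Map(consents.map((c) => [c.consentId, c]));
  return events.map((e) => {
    const finding = { eventId: e.eventId, vendor: e.vendor, category: e.category };
    if (e.category === "essential") return { ...finding, status: "ok" }; // no consent needed, disclosure only
    const c = byId.get(e.consentId);
    if (!c) return { ...finding, status: "unknown_consent_id" }; // no CMP record at all
    if (Date.parse(e.firedAt) < Date.parse(c.recordedAt)) return { ...finding, status: "fired_before_consent" };
    if (c.categories[e.category] !== true) return { ...finding, status: "category_not_granted" }; // e.g. reject-all leaked
    return { ...finding, status: "ok" };
  });
}

// Only the rows an auditor has to look at.
function mismatches(consents, events) {
  return reconcile(consents, events).filter((f) => f.status !== "ok");
}

// Mismatch count per status: the summary to export for the steering committee.
function summarize(consents, events) {
  return mismatches(consents, events).reduce((acc, f) => ({ ...acc, [f.status]: (acc[f.status] || 0) + 1 }), {});
}
```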
Next steps
- Run the Readiness Check for your scenario.
- Use the GDPR & UK GDPR Generator.
- Cross-check packaging/DSA disclosures in France & Germany packaging to align footers.
- Share this guide with finance / ops teammates.
FAQ
Do I need a cookie banner even if tracking is server-side?
Yes. GDPR and UK GDPR require consent before setting non-essential cookies or firing analytics/ads, even when proxied server-side. Block scripts until consent, document lawful bases, and respect DNT/GPC. Keep consent IDs with order references for audit trails and apply the same rules to server events so users can revoke tracking consistently.
How should I respect Do Not Track and Global Privacy Control?
Default to reject when DNT or GPC is detected. Pre-set CMP state accordingly, let users upgrade later, and log the signal plus decision. Ensure the logic works on both server and client, and avoid backfilling historical events without consent. Publish this handling in your privacy policy for transparency.
What records do I need for audits?
Store consent logs (ID, timestamp, versioned copy, locale), DSAR tickets with SLA dates, and proofs that non-essential scripts were blocked pre-consent. Keep separate UK and EU logs, retain them for at least six years where required, and align with your billing/VAT evidence so refunds and tax records reconcile.
How do Shopify, WooCommerce, and Next.js differ for consent?
Shopify: enable Customer Privacy API, block GA/Meta until consent, and sync DSAR via Flow. WooCommerce: use a CMP with auto-blocking and store decisions in the DB. Next.js: enforce middleware to stop scripts pre-consent, parse GPC headers, and hydrate banners per locale. In all cases, link consent IDs to orders.