GDPR checklist for e-commerce 2026
The ICO issued £16.4 million in fines in 2024. Most were for e-commerce sites that had been ignoring GDPR basics for years. This checklist covers the 25 things you need to have in place before you launch (or audit what you already have).
We use this same checklist on every Sprintly project, and our Lexora tool does a live automated check on every site we deliver.
1. Cookie consent
- Cookie banner appears before any non-essential cookies, or equivalent storage (localStorage, tracking pixels, fingerprinting scripts), are set; only strictly necessary cookies load without consent
- Banner has a genuine "Reject all" option (not buried in settings)
- Consent is granular: Analytics, Marketing, Preferences as separate categories
- No pre-ticked boxes
- Consent is logged with a timestamp, the categories the user chose and the version of the cookie list they were shown, so you can evidence it later
- Banner re-appears after 12 months at the latest, or immediately if your cookie list changes (treat a changed list as a new version that invalidates old consent)
2. Privacy policy
- Privacy policy is accessible from every page (usually in the footer)
- Lists every category of data you collect, why you collect it and the lawful basis for each purpose
- Names every third-party data processor (Stripe, Mailchimp, GA4, Hotjar etc.)
- States retention periods for each data type
- Explains how users exercise their rights (access, rectification, erasure, portability)
- Includes your Data Protection Officer's contact details where you are required to appoint one, otherwise a named privacy contact
3. Contact forms and lead capture
- Every form has a linked privacy notice at the point of collection
- Marketing consent is a separate opt-in checkbox (not pre-ticked)
- Form data is encrypted in transit (HTTPS everywhere, with HSTS so browsers do not fall back to HTTP, and no form posting to a plain-HTTP endpoint)
- You have a documented process for handling Subject Access Requests within one month of receipt (GDPR allows an extension of up to two further months for complex requests, but you must tell the requester within the first month)
4. Analytics and tracking
- GA4 does not store IP addresses (the Universal Analytics "anonymize_ip" setting no longer applies); check instead that Google Signals and ad personalisation are off unless you have marketing consent
- GA4 event data retention is set deliberately (the options are 2 or 14 months; the default is 2) and the period you choose is stated and justified in your privacy policy. Longer is not automatically better under data minimisation
- No Google Analytics or Facebook Pixel fires before consent: load the tags through your consent manager rather than unconditionally in the page head, and verify in the browser's network tab that no request to Google or Facebook is made on a fresh visit
- If you use Hotjar or similar session recording: consent required before the script is loaded, not just before it starts recording
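The consent-gating logic behind sections 1 and 4 (banner before non-essential tags, granular categories, nothing pre-ticked, consent logged with timestamp and version, re-consent when the cookie list changes or 12 months pass) as an added example. This is not Sprintly's or Lexora's code; the storage key, the version string and the category names are assumptions for the demo, and an in-memory storage object stands in for the browser's localStorage so it runs in Node.

```javascript
// Added example (not Sprintly's or Lexora's code): a minimal consent gate for
// sections 1 and 4 of the checklist. It stores one consent record with a
// timestamp and the version of the cookie list the user saw, refuses to run a
// tag loader until its category is consented, and treats a stale version or an
// expired record as "no consent" so the banner is shown again.
// CONSENT_KEY, POLICY_VERSION and the category names are assumptions for this
// demo, not anything the checklist prescribes.

const CONSENT_KEY = "cookie_consent";                 // assumed storage key
const POLICY_VERSION = "2026-01";                     // bump whenever the cookie list changes
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;     // 12 months, as in the checklist
const CATEGORIES = ["analytics", "marketing", "preferences"];

class ConsentGate {
  // storage: anything with getItem/setItem (window.localStorage in a browser).
  // now: injectable clock so expiry can be tested without waiting a year.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
    this.pending = Object.fromEntries(CATEGORIES.map(c => [c, []]));
  }

  // The stored record if it is still valid, otherwise null (banner must be shown).
  current() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    if (!rec || rec.version !== POLICY_VERSION) return null;      // cookie list changed: re-ask
    if (typeof rec.timestamp !== "number") return null;
    if (this.now() - rec.timestamp > CONSENT_TTL_MS) return null; // older than 12 months: re-ask
    return rec;
  }

  needsBanner() { return this.current() === null; }

  // Record only what the user actively selected; anything absent is false (no pre-ticking).
  record(choices) {
    const rec = { version: POLICY_VERSION, timestamp: this.now(), choices: {} };
    for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    this.flush();
    return rec; // also POST this record to your server if you keep a server-side consent log
  }

  rejectAll() { return this.record({}); }
  acceptAll() { return this.record(Object.fromEntries(CATEGORIES.map(c => [c, true]))); }

  allowed(category) {
    const rec = this.current();
    return rec !== null && rec.choices[category] === true;
  }

  // Register a tag loader (e.g. the GA4 or Pixel bootstrap). Runs now if the
  // category is consented, otherwise waits until record() grants it.
  whenAllowed(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (this.allowed(category)) { loader(); return true; }
    this.pending[category].push(loader);
    return false;
  }

  flush() {
    for (const c of CATEGORIES) {
      if (!this.allowed(c)) continue;
      const loaders = this.pending[c];
      this.pending[c] = [];
      for (const fn of loaders) fn();
    }
  }
}

// In-memory stand-in for localStorage so the example runs in Node (constructed for the demo).
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}

// Walk-through: nothing loads on a first visit and the banner is due; the user
// ticks only Analytics, so GA4 loads and the Pixel keeps waiting.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(new MemoryStorage());
  gate.whenAllowed("analytics", () => loaded.push("GA4"));
  gate.whenAllowed("marketing", () => loaded.push("Pixel"));
  const bannerBefore = gate.needsBanner();
  gate.record({ analytics: true });
  return {
    bannerBefore,                                 // true
    bannerAfter: gate.needsBanner(),              // false
    loaded: loaded.slice(),                       // ["GA4"]
    marketingAllowed: gate.allowed("marketing"),  // false
  };
}
```

In a real page you would construct the gate with window.localStorage and wrap every GA4, Pixel and Hotjar bootstrap in whenAllowed; the consent record itself counts as strictly necessary storage. Bumping POLICY_VERSION whenever a cookie is added to the site is what makes the banner reappear after a cookie list change, and the same record is what you send to a server-side log to satisfy the "consent is logged" item.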
5. E-commerce specifics
- Order data is encrypted at rest
- Payment card data never touches your server: use the provider's hosted checkout or hosted fields (Stripe, Klarna etc.) so card numbers are tokenised in the browser and only a token reaches you, which also keeps most of PCI DSS out of scope
- You can delete a customer's account and all associated data within one month of request, keeping only what you are legally obliged to retain (for example tax and accounting records) and recording that retention basis
- Abandoned cart emails require explicit consent, not a soft opt-in
- Transactional emails (order confirmation, shipping) do not include marketing without consent
The fastest way to check your current site
Run your site through our free website audit. It checks cookie consent, SSL, privacy policy link, form compliance and more in about 30 seconds. You get a report you can act on immediately.
Or — if you are starting fresh or rebuilding — every Sprintly site ships with Lexora GDPR compliance baked in. Cookie banner, privacy policy generator, consent logging. It is in the price, not an add-on.
GDPR compliance on every project
Lexora live-checks every site we deliver. No extra charge.
Get a GDPR-compliant site