
GDPR for E-commerce — Cookies, Tracking and Customer Data

The cookie banner is the most-fined surface on the internet. Most online stores are still getting it wrong in the same handful of ways.

Gauri Khatate, Cybersecurity Expert & Technical Writer
5 min read · June 2026 · SecComply

For online stores, the banner is the single most-tested compliance surface — and the failures regulators keep fining are remarkably consistent.

E-commerce runs on tracking — what shoppers browse, abandon, and buy feeds the ads, the recommendations, and the retargeting that drive revenue. It’s also the most heavily enforced corner of the privacy regime, because the cookie banner is where data collection meets the public, and regulators have spent years fining the same predictable failures. The uncomfortable part for most online stores: the banner that looks fine, converts well, and was copied from a competitor is very often the one a regulator would reject on sight.

Prior consent: non-essential cookies and trackers need it before they load, not after.
Reject = Accept: refusing must be as easy and prominent as accepting, on the same screen.
€35M: the cookie fine on a major retailer for an implied-consent banner.
€150M: a 2025 cookie fine on a fast-fashion retailer; enforcement hasn’t slowed.

Tracking Starts Before the Sale

An online store collects personal data long before anyone reaches checkout. Analytics scripts, advertising pixels, session recorders, and retargeting tags all fire as the page loads, building a profile of a visitor who hasn’t bought anything and may never. Non-essential trackers like these need prior consent; only the genuinely essential ones — the shopping cart, fraud prevention, load balancing — are exempt. The line between “essential” and “nice for marketing” is narrower than most stores assume, and almost everything in the typical ad and analytics stack sits on the wrong side of it.

The Banner Failures Regulators Keep Fining

After years of enforcement, the failures are no mystery — they’re a short, repeated list. Implied consent (“by using this site, you accept cookies”). Pre-ticked boxes. Trackers that fire on page load before the visitor clicks anything. An “Accept” button that’s prominent while “Reject” is buried two screens deep or absent entirely. Vague purposes that tell the shopper nothing about what’s actually being collected or by whom. Regulators have fined every one of these, repeatedly, which means none of them can be passed off as an honest misunderstanding anymore.

Requirement | What it means | Where stores fail
Prior consent | Non-essential tags wait until the shopper opts in | Tags fire on page load, before any choice is made
Granularity | A choice per purpose: analytics, ads, personalisation | A single “Accept all” covering everything
Symmetry | Reject as easy and prominent as Accept | “Accept” one click; “Reject” buried in settings
Clarity | Plain-language purposes, third parties named | “We use cookies to improve your experience”

Customer Data Beyond the Banner

The banner is one slice of a much larger footprint. An online store also holds accounts, order histories, shipping addresses, payment tokens, and the marketing profiles built on top of them — and each needs its own treatment. Marketing emails need consent or a valid soft opt-in to existing customers, with an easy unsubscribe in every message. Abandoned-cart retargeting is consent-based. Building rich customer profiles for personalisation needs a lawful basis and transparency. A perfect cookie banner sitting on top of a sloppy customer-data operation is a familiar regulator finding.

Looks Compliant vs. Is Compliant

Pattern-matching from real store reviews — the gap between a banner that looks fine and one that holds up tends to follow the same shape:

Looks compliant | Is actually compliant
✗ “By using this site, you accept cookies” | ✓ A real choice before non-essential tags load
✗ Tags fire the moment the page loads | ✓ Tags held until the shopper opts in
✗ “Accept all” with no easy way to refuse | ✓ Reject as prominent as accept, on the same screen
✗ One toggle for ads, analytics, everything | ✓ Granular consent per purpose
✗ Banner consent that never reaches the tags | ✓ Consent propagated to the ad stack via Consent Mode
✗ Marketing emails to everyone who bought | ✓ Consent or a valid soft opt-in, with easy unsubscribe
✗ “Everyone’s banner looks like this” | ✓ A banner built to the rules, not to the neighbours

Compliance Doesn’t Have to Kill Conversion

The objection is always the same: a genuine reject button will tank the numbers. In practice the trade-off is overstated — a clear, honest banner with a real choice tends to perform close to a manipulative one, and the shoppers who decline tracking were rarely the high-intent buyers anyway. What is not overstated is the fine. The store that bets its banner against the regulator is risking a number with seven or eight digits to protect a conversion delta that usually turns out to be small.

Final Thought

E-commerce lives and dies on tracking, and tracking is exactly what regulators watch most closely. The banner isn’t a cosmetic detail to copy from a competitor — it’s the most-enforced surface in the entire regime, and the failures that get fined are the same ones, over and over: consent assumed, choice denied, reject hidden, purpose obscured. Getting it right is neither hard nor expensive. Getting it wrong has a price list, and it runs into the hundreds of millions.

The test: load the store fresh and answer three things — are all non-essential tags held back until a choice is made, can a shopper refuse as easily as accept on the same screen, and does the banner actually say what’s collected and by whom. If any answer is no, the banner is a finding waiting for a complaint.
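The mechanics behind the first of those three questions, the “tags held until the shopper opts in” row of the table above, and the Consent Mode propagation the table and FAQ mention all come down to one small piece of front-end logic: a gate that knows each tag’s purpose, fires only essential tags on load, pushes a default-denied Consent Mode state, and releases the rest per purpose once a choice is made. The block below is an added example, not SecComply’s code and not any vendor’s consent library. The tag ids, vendors and the recording stand-in for gtag are constructed for the example; the Consent Mode signal names (analytics_storage, ad_storage, ad_user_data, ad_personalization, personalization_storage) are Google’s public ones, but the purpose-to-signal mapping is this example’s choice. The auditBeforeChoice helper is the “load fresh and watch what fires” check expressed over a list of observed tag ids.

```javascript
// Added example: a consent gate for an online store's tag stack.
// Tag ids, vendors and the recording gtag stand-in are constructed for this
// example; the Consent Mode signal names are the public Google ones.

const PURPOSES = ["analytics", "ads", "personalisation"];

// Each tag declares its purpose and the party that receives the data, which is
// also what a plain-language banner has to state. Constructed placeholders.
const TAG_REGISTRY = [
  { id: "cart-session",       purpose: "essential",       vendor: "first-party" },
  { id: "fraud-check",        purpose: "essential",       vendor: "first-party" },
  { id: "analytics-pageview", purpose: "analytics",       vendor: "example-analytics" },
  { id: "retargeting-pixel",  purpose: "ads",             vendor: "example-ads" },
  { id: "recommendations",    purpose: "personalisation", vendor: "example-reco" },
];

// Purpose -> Google Consent Mode signals. Public signal names; the mapping
// itself is this example's choice (assumption, not from the article).
const CONSENT_MODE_SIGNALS = {
  analytics: ["analytics_storage"],
  ads: ["ad_storage", "ad_user_data", "ad_personalization"],
  personalisation: ["personalization_storage"],
};

// Builds the consent state object gtag expects: every signal granted or denied.
function consentState(grantedPurposes) {
  const state = {};
  for (const purpose of PURPOSES) {
    for (const signal of CONSENT_MODE_SIGNALS[purpose]) {
      state[signal] = grantedPurposes.has(purpose) ? "granted" : "denied";
    }
  }
  return state;
}

class ConsentGate {
  constructor(registry, gtag) {
    this.registry = registry;
    this.gtag = gtag;
    this.granted = new Set();
    this.decided = false;
    this.fired = [];
    // Default state before any choice: all signals denied.
    this.gtag("consent", "default", consentState(this.granted));
    // Only essential tags may fire on page load.
    for (const tag of registry) {
      if (tag.purpose === "essential") this.fire(tag);
    }
  }

  fire(tag) {
    // In a real store this would inject the script; here we only record the id.
    this.fired.push(tag.id);
  }

  // Accept all, reject all and per-purpose choices all pass through here, so
  // "reject" is the same one-step call as "accept" with an empty list.
  choose(purposes) {
    this.decided = true;
    this.granted = new Set(purposes.filter((p) => PURPOSES.includes(p)));
    this.gtag("consent", "update", consentState(this.granted));
    for (const tag of this.registry) {
      const allowed = tag.purpose !== "essential" && this.granted.has(tag.purpose);
      if (allowed && !this.fired.includes(tag.id)) this.fire(tag);
    }
    return [...this.fired];
  }
}

// Stand-in for gtag that records its calls instead of talking to Google.
function makeGtagRecorder() {
  const calls = [];
  const gtag = (...args) => { calls.push(args); };
  gtag.calls = calls;
  return gtag;
}

// First question of the test: given the tag ids observed firing before any
// choice was made, return those that should have waited (unknown ids count too,
// since an unregistered tag has no declared purpose to justify it).
function auditBeforeChoice(firedIds, registry) {
  const byId = new Map(registry.map((t) => [t.id, t]));
  return firedIds.filter((id) => !byId.has(id) || byId.get(id).purpose !== "essential");
}

function demo() {
  const gtag = makeGtagRecorder();
  const gate = new ConsentGate(TAG_REGISTRY, gtag);
  const beforeChoice = [...gate.fired];            // essential tags only
  const afterChoice = gate.choose(["analytics"]);  // granular: analytics, nothing else
  return {
    beforeChoice,
    afterChoice,
    offending: auditBeforeChoice(beforeChoice, TAG_REGISTRY),
    calls: gtag.calls,
  };
}
```

Two design points worth noting. The default-denied Consent Mode call happens in the constructor, before any tag is touched, so the ad stack never sees a granted state the shopper has not given; and a rejection is simply choose([]), which is exactly as cheap as an accept-all, so symmetry is a property of the code rather than of the banner’s layout alone. In a live audit, the input to auditBeforeChoice would be the list of tag or request hosts captured on a fresh page load before any click.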

Would Your Banner Survive a Regulator Loading the Page?

SecComply audits e-commerce where it’s actually enforced — what fires before consent, whether reject truly matches accept, how granular and honest the banner is, and how customer data is handled beyond the banner.

Frequently Asked Questions

Do non-essential cookies really need consent before they load?

Yes. Prior consent means the analytics, advertising, and personalisation tags wait until the shopper opts in. Only genuinely essential cookies — the shopping cart, fraud prevention, load balancing — are exempt, and the line is narrower than most stores assume.

Does the Reject button really need to be as prominent as Accept?

Yes. Symmetry is one of the most-fined failures. If accepting is one click and refusing takes two screens, the consent is not freely given and regulators have repeatedly held that against retailers.

We use Google Consent Mode — is that enough?

Consent Mode is the mechanism that carries the shopper’s choice to the ad and measurement stack, so it is necessary if you run those tools. It is not a substitute for a compliant banner — the choice still has to be valid before it is propagated.

Won’t a real Reject button kill conversion?

In practice the impact is overstated. A clear banner with a real choice tends to perform close to a manipulative one, and the shoppers who decline tracking were rarely the highest-intent buyers. The conversion delta is usually small; the fines are not.