General Data Protection Regulation (GDPR) and Ecwid stores

The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018.

The GDPR is not limited to European companies. The regulation includes every company that can potentially process EU nationals’ data – so that’s basically every company in the world regardless of its location.

The GDPR gives people more rights over their personal data. Specifically, it provides the right to access, correct, delete, and restrict processing of consumer data, and sets strict guidelines for user consent. If you collect or store any information that can be linked to an individual, that counts as personal data. You can read the full text of the GDPR to learn more.

We recommend consulting with a legal professional as every business is different. Some businesses may need more preparation than others to comply with the GDPR. This article provides a general overview of GDPR compliance and directs you to the most common requirements.

Steps to take when preparing for the GDPR

According to the GDPR, Ecwid merchants must comply with the regulation if they are based in the EU or sell to EU customers.

Ecwid collects and processes personal data in a compliant manner. However, it is your responsibility to comply with GDPR requirements when you collect and process personal data from your EU customers. Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person. This includes: a name, a photo, an email address, an IP address, bank details, posts on social networking websites, medical information, and even random codes that are assigned to users to gather analytics, conduct A/B tests, and more.

We recommend the following:

Get clear consent before collecting any data

You must obtain consent to process your customers’ personal data. Prepare a clear privacy policy specifying why you collect personal data, explaining what data is retained, and offering a right to withdraw consent.

To require your customers accept your terms of service before checkout, enable the Show "I agree with Terms & Conditions" checkbox at checkout checkbox in your Ecwid admin, go to Settings → General → Legal Pages. This feature ensures all orders include a confirmation of consent. As it is impossible to place an order without agreeing to Terms and Conditions, the fact that an order is placed is a confirmation of consent.

To see how to add a privacy policy, terms & conditions and other legal pages to your Ecwid store, please refer to Legal pages in Ecwid.

Get clear consent before sending promo emails

You must obtain clear consent to send out non-order related emails to customers. With Ecwid you can add a sign-up option above the Checkout button in your store. This way you will capture such consent and then build a list of customers who agreed to receive your promo emails. This instruction describes how you can add the sign-up option to your store’s checkout: Requesting customers’ approval for your promo emails.

Clearly show in forms what fields are optional or required

Ecwid clearly shows what fields are required and what fields are optional for filling out:


Make sure that you are using the Next-gen Checkout in your store where this EU requirement is met. You can enable Next-gen storefront in your Ecwid admin, go to  Settings → What’s New page. If you do not see this option there, it means you are already using it.

Get clear consent for tracking store visitors via cookies

You should ask your store visitors for consent to track their actions in your storefront via cookies. Ecwid allows merchants from the EU to add a special banner to gather such consents. How to enable it in your store:

  1. From your Ecwid admin, go to Settings → General → Tracking & Analytics.
  2. Enable the GDPR cookie consent banner.

Once enabled, the cookie consent banner will appear on the storefront with the option to accept or decline:


If you track visitor's behavior with the help of Google Analytics/Facebook Pixel, visitors that click "Decline" in the banner won't be counted in the statistics.

You may need to adapt the text displayed in the cookie banner or add a different text. For this, you can edit the label called Notice.TrackingConsent.description.

The cookie consent banner works in the Next-gen storefront only. Make sure that all Next-gen options are enabled in your Ecwid control panel → Settings → What’s New page. If you do not see these options, it means that they are already enabled.

Provide customers with the right to access their data

This means you must provide your customers with a copy of their personal data in an easily readable and portable format. You can access the customers' personal data right in your Ecwid Control Panel. If you need help with getting and providing the data, Ecwid can give you the information that it stores. You should also take into consideration any third party services you use who may have access to your customers’ personal data.

Provide customers with the right to delete, edit, restrict certain data uses

Along with access requests, Ecwid can help delete personal data that it stores on your behalf. However, basic requests (e.g., a customer asks you to delete their order) can be quickly managed inside your control panel. Again, remember any third party services who may have access to this data.

We recommend storing data digitally. Encrypted data protected with a password of minimum recommended strength – or protected by means of a password generator – offer a secure option compared to printed invoices.

Data breach notifications

Ecwid acts as a Data processor while our merchants (you) act as Data controllers. If your website is experiencing a data breach of any kind, you might be required to notify affected customers. Under the GDPR, a notification must be sent within 72 hours from the time you become aware of the breach. Data processors are also required to notify users as well as the Data controllers, immediately after becoming aware of a data breach.

What Ecwid has done to comply with the GDPR

Ecwid collects, stores, processes and shares personal data based on GDPR guidelines and complies with GDPR requirements in the following ways:

  • we assigned a Data Protection Officer who is in charge of the Ecwid Data Protection Policy;
  • we started to deliver GDPR-focused training to our key teams and personnel;
  • we implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests;
  • we work only with subprocessors who provide an adequate protection of the personal data through robust technical and organizational measures;
  • we developed a reliable method to detect, report and investigate a personal data breach;
  • we established the necessary records of data processing activities;
  • we are certified under the EU - U.S. and Swiss - U.S. Privacy Shield frameworks; this arrangement calls for certified organisations to guarantee a level of security in line with EU data protection law regarding the transfer of personal data from the EEA and Switzerland to the U.S.

Related articles

What legal pages can I have in my Ecwid store?
Adding Terms & Conditions to your e-commerce site
Setting up your store to comply with German laws

Was this article helpful?

Awesome! Thanks for your feedback!

Thanks for your feedback!

Sorry about that! What went wrong?
32 out of 44 found this helpful