GDPR for webshops: where small shops actually get burned

Not the privacy policy — the pixel. Small shops get fined for tracking tools and unlawful marketing, almost never for the paperwork. Fix the five real risks.

Ranked by actual enforcement pain: (1) The tracking stack. Meta Pixel, Google tags and heatmap tools without valid prior consent is the most common small-shop violation in Europe — your banner must genuinely block them until “accept”, with an equal reject button; test it in a private window, because default plugin configs routinely fire early. (2) Marketing consent. Newsletter = opt-in, never pre-ticked; the existing-customer exception covers similar own products with an opt-out in every mail. Bought address lists: don’t — that is how small shops end up in complaint files. (3) Data hygiene. Collect what the order needs (a birth date field on a socks checkout is a minimisation violation in plain sight), purge stale accounts and unpaid carts on a schedule, and keep invoices per tax law — separately from marketing data. (4) Processor chain (Art. 28): platform, payment provider, fulfilment, mail tool — standard DPAs exist for all; the checkout data leaving the EU is your responsibility to paper (see transfers). (5) Breach readiness: a leaked customer table is 72-hour reportable; encrypted-and-key-safe usually spares notification — encryption is the cheapest insurance you can buy. Reviews, GPSR product-safety contacts and consumer-law duties stack on top — different laws, same inbox.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← For small businesses📞 Your data protection authority