GDPR recommendations for merchants

GDPR is finally here and, as I guess, you did everything in your power to stay compliant with the new EU rules. Today, we have a few recommendations and good practices for you, just in case. All to make your business run smoothly, with new rules in mind.

As you know, the GDPR is for protecting the data of European citizens. This is why, especially when Europe is your target market, you need to follow the new rules to keep your clients assured that their data won’t be used in an inappropriate way. That said, here are a few major things you need to have on your checkout page.


Following are best practices based on GDPR rules and our banking partners recommendations. I’m not a lawyer and I can’t guarantee that following the points mentioned in this article is going to make you 100% compliant.

GDPR-ready checkout

I assume that you already have Terms and Conditions, Privacy Policy and cookies information on your site, so let’s dive into a checkout page.

Firstly, it’s important how you will gather consent for specific activities. Under the new GDPR legislation, there need to be separate boxes for every consent that clearly explain the reason for collecting the data and how you plan to use it. Note that the checkboxes can’t be pre-filled. And, what’s also important, make sure that you really need the data you ask for.

The information included next to checkboxes could be following:

  • Consent to direct marketing, for instance, “Enter your email address to receive our monthly newsletter with product updates and important industry news.
  • Consent for using the data by third parties for specified purposes.

Before GDPR you’ve usually seen checkboxes like the following:

[x] Yes, I want to join to subscription.

As you can see, the box is checked by default, so people that registered on your site only had the option to opt-out. Now, under the GDPR law, users should have the chance to choose whether they want to share their information with you or not. This means now they have two options: to opt-in and to opt-out.

Keep in mind that all the consents you ask your users for can’t be merged with the Terms and Conditions box — each consent should come with a separated checkbox. Also, remember that when the cardholder doesn’t accept the consents or in case of withdrawal, they should be allowed to make the transaction.


Even if a piece of data is intended for multiple purposes, you need a separate consent for each purpose. Always tell people why you need information you collect, forget about asking for information ‘just in case.’ Ask for the bare minimum.

What if you don’t need consents for mentioned activities? In this case, you can only place a link to your Privacy Policy in a visible part of your checkout page. In result, there are no pre-ticked boxes on your checkout page, your policy is easy to find and you only collect the vital data.

In general, a Privacy Policy contains information about how your customers’ data is gathered, stored and used. Here’s what should be included in your Privacy Policy (the minimum required).

  • Company’s contact details and Controller’s identity.
  • What data you collect. This can be name, email address, physical address, IP address, etc.
  • The reason you collect and process the data, as well as the legal basis for processing.
  • Categories of personal data intended to be collected.
  • Retention period for storing the data.
  • How to delete data.
  • Right to opt-out at any time and the consequences of such withdrawal. The cardholder needs to clearly know that their consent is freely given and that not giving the consent won’t affect the ability to receive the service.
  • The list of third-party organizations that handle your tracking data, such as Google Analytics.
  • Awareness of subject data rights.
  • List of automated decisions or profiling, if applicable.


When you require user registration to make a purchase on your site, you also need to add a Privacy Policy checkbox near the form to make it easy for customers to see it.

What’s more, you need to have a security data breach response process in place. Why? Under the GDPR, you have to notify users within 72 hours right after noticing the data breach that affected your service (and customers’ sensitive information.)

Wrapping up

Agreeing to Terms and Conditions before accessing a certain service isn’t anything new, but you need to know that you can’t make the decisions on users’ behalf on how their data can be used. New rules give Europeans exact control over how their data is processed so you should only collect the data you need. And always be clear for what purposes you need the data you collect.

Beside all these changes made on the checkout page, make sure that you link directly to your Privacy Policy and Terms and Conditions from the footer on your page. It’s important, as GDPR is fully based on transparency so make all your information visible to everyone that visits your site.

And last but not least, note that it doesn’t matter where you’re based, GDPR applies to your company if you deliver your products or services to European consumers. And it applies to companies of all sizes.