European Data Protection Authorities — the CNIL in France, the AEPD in Spain, the BfDI and the regional Landesdatenschutzbehörden in Germany, the Garante Privacy in Italy, and others — issue dozens of enforcement actions against e-commerce operators every year. Across the EU, the average fine has nearly doubled in two years. The reason is structural: online stores collect large volumes of personal data (payment details, addresses, purchase history) while often being less legally sophisticated than large platforms. The result: e-commerce sits at the top of every regulator’s annual audit programme.
If you operate an online store, the seven mistakes below are the ones that consistently push websites into the priority audit list. This article details each one with the exact legal references and concrete fixes. Start by auditing your store with a free compliance scanner to identify your gaps, then follow the GDPR compliance 10-step action plan to fix them.
Why regulators target e-commerce specifically
Every European Data Protection Authority publishes an annual programme of thematic audits. Since 2022, e-commerce has been on the list every single year, alongside health-tech and direct marketing. The reasons are structural.
Volume: an average e-commerce site collects 30+ categories of data per customer (identity, payment, browsing behavior, preferences, geolocation). Multiplied by tens of thousands of customers, the exposure is significant.
User-journey traceability: third-party cookies, advertising pixels, retargeting, marketing automation — every additional tool weakens the consent framework.
Sub-processing complexity: between the hosting provider, the platform (Shopify, WooCommerce, PrestaShop), the payment processor, the email marketing tool, and any scoring or analytics solution, an average e-commerce site relies on 8 to 15 sub-processors that touch personal data. The mapping is rarely up to date.
International transfers: Google Analytics, Mailchimp, Stripe, AWS — many services hosted in the United States require specific contractual safeguards (Standard Contractual Clauses, supplementary measures post-Schrems II).
Mistake 1: Cookies without valid explicit consent
This is the most common — and the most easily detectable from outside. A cookie banner must satisfy three cumulative requirements (per the European Data Protection Board guidelines, complemented by national DPA recommendations across 2020-2024):
- Free consent: refusing must be as easy as accepting. An “Accept all” button without a “Reject all” button of equivalent visibility is a violation.
- Specific consent: per purpose (advertising, audience measurement, personalization), not global.
- Prior consent: no third-party cookie can be set before the user clicks.
Recent enforcement: French, Italian and Spanish regulators have sanctioned major platforms with fines in the €60-150 million range on these specific grounds. For SMBs, fines typically range from €20,000 to €200,000 depending on company size and how long the non-compliance lasted.
The fix: deploy a compliant cookie banner with auto-blocking of trackers before consent. The free WebLegal cookie banner auto-blocks 37+ trackers and respects EU cookie guidelines plus Google Consent Mode v2.
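As an added illustration (not the WebLegal banner's code), here is a minimal consent gate that enforces the three requirements above and feeds Google Consent Mode v2; the purpose names, the `data-purpose`/`data-src` tag attributes and the cookie name are assumptions.

```javascript
const PURPOSES = ["advertising", "audience_measurement", "personalization"];
// Prior consent: before the customer clicks anything, every purpose is denied.
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}
// Free consent: "Accept all" and "Reject all" are symmetric one-click actions.
function acceptAll() {
  return Object.fromEntries(PURPOSES.map((p) => [p, true]));
}
function rejectAll() {
  return defaultConsent();
}
// Specific consent: toggle one purpose without touching the others.
function setPurpose(consent, purpose, granted) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  return { ...consent, [purpose]: Boolean(granted) };
}
// Translate purposes into Google Consent Mode v2 signals
// (ad_user_data and ad_personalization are the parameters v2 added).
function consentModeUpdate(consent) {
  const g = (b) => (b ? "granted" : "denied");
  return {
    analytics_storage: g(consent.audience_measurement),
    ad_storage: g(consent.advertising),
    ad_user_data: g(consent.advertising),
    ad_personalization: g(consent.advertising && consent.personalization),
    personalization_storage: g(consent.personalization),
  };
}
// Tags are authored inert as <script type="text/plain" data-purpose="..." data-src="...">
// (assumed convention); only tags whose purpose was granted may be activated.
function allowedTags(tags, consent) {
  return tags.filter((t) => consent[t.purpose] === true);
}
// Browser glue: persist the choice (6 months, the CNIL's recommended validity period),
// push it to gtag, then activate permitted tags. Outside a browser it only returns the record.
function applyConsent(consent) {
  const record = { v: 1, at: new Date().toISOString(), ...consent };
  if (typeof document === "undefined") return record;
  document.cookie = `consent=${encodeURIComponent(JSON.stringify(record))};path=/;max-age=15552000;SameSite=Lax`;
  if (typeof gtag === "function") gtag("consent", "update", consentModeUpdate(consent));
  const inert = [...document.querySelectorAll('script[type="text/plain"][data-purpose]')];
  const permitted = allowedTags(inert.map((el) => ({ purpose: el.dataset.purpose, el })), consent);
  for (const { el } of permitted) {
    const live = document.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
  }
  return record;
}
```

Tags with a purpose the customer has not granted (or with no recognised purpose at all) never get a live `src`, so no third-party cookie can be set before the click.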
Mistake 2: Generic or missing privacy policy
A significant share of e-commerce websites audited by European regulators in recent years lacked a compliant privacy policy. The most common gaps:
- Notices copy-pasted from another site without adapting to the actual data flows.
- Retention periods not specified per data category.
- Sub-processor list missing or outdated.
- Legal bases for processing not specified (consent, contract, legitimate interest, legal obligation).
GDPR Article 13 mandates 12 specific disclosures when data is collected directly from the data subject. Omitting any one of them is a breach — even if the site is otherwise secure.
The fix: generate a privacy policy adapted to your actual operations. Avoid generic templates. For the full list of mandatory elements, see our guide Mandatory Privacy Policy: Risks and Fines.
Mistake 3: Incomplete legal notices (impressum)
Legal notices on an e-commerce site are governed by national consumer codes (Article L111-1 of the French Consumer Code, §5 TMG in Germany, the Spanish LSSI, the Italian Codice del Consumo) and by national e-commerce laws. They typically must include:
- Identity of the seller (name, company name, legal form)
- Physical address and professional email
- Phone number
- Trade register number and share capital for incorporated entities
- VAT number
- Identity of the publisher
- Hosting provider details
Penalties vary by country. In France, the absence of these notices can trigger an administrative fine of up to €75,000 for a natural person and €375,000 for a legal entity (L. 121-3 of the French Consumer Code). In Germany, the Wettbewerbszentrale and Verbraucherzentralen issue cease-and-desist letters (Abmahnungen) carrying typical legal costs of €1,000-3,000 per case. In Spain, the consumer protection authority (Spanish: Dirección General de Consumo) handles infringements of legal-notice obligations, while the AEPD focuses on personal-data aspects. For the French context, see our guide Legal notices: €75,000 fine if missing.
Mistake 4: Unsafeguarded data transfers outside the EU
Since the Schrems II ruling (July 2020), any data transfer to the United States (and other countries without an adequacy decision) must be framed by specific safeguards:
- Standard Contractual Clauses (SCC), version June 2021 — earlier versions ceased to be valid on 27 December 2022.
- A documented Transfer Impact Assessment (TIA).
- Supplementary measures where SCCs alone are insufficient (encryption, pseudonymization).
Common e-commerce tools concerned:
| Service | Risk | Action |
|---|---|---|
| Google Analytics 4 | Sanctioned by the CNIL, the Garante and the AEPD between 2022 and 2023 | Enable IP anonymization + Consent Mode v2, or migrate to Matomo / Plausible |
| Mailchimp | US hosting | SCC + annual audit, or EU alternative (Brevo, Mailjet) |
| Stripe | Partial US hosting | SCCs active by default, verify version |
| AWS / GCP | Depends on region | Prefer eu-west-* / europe-west-* |
The fix: inventory your sub-processors, verify SCCs, and consider European alternatives for non-critical tools. For Google Analytics specifically, see our Google Analytics and GDPR: compliant alternatives.
Mistake 5: Sub-processors without a data processing agreement
GDPR Article 28 requires a written contract — a data processing agreement (DPA) — between the controller (you) and every processor that accesses your customers’ personal data. The contract must include 9 mandatory clauses: subject matter, duration, purposes, types of data, processor obligations, controller rights, transfers outside the EU, sub-processing, end-of-engagement clauses.
Major platforms (Shopify, Stripe, AWS, Mailchimp) provide a standard data processing agreement signed online. The catch: you have to actually sign it and archive the copy. Regulators systematically request these agreements during an audit. Missing one for even a single sub-processor can be enough to trigger a formal warning.
The fix: maintain a sub-processor register with, for each entry: types of data processed, hosting country, signature date of the data processing agreement, link to the archived contract. Update it whenever you add a new tool.
Mistake 6: No process for data subject rights
GDPR grants customers seven enforceable rights: access, rectification, erasure, restriction, portability, objection, and rights related to automated decisions (Articles 15 to 22). The company must respond within one month maximum (extensible to three months for complex requests).
In practice, regulators regularly find:
- No dedicated email address for requests (a generic contact email is not enough).
- No documented internal procedure — requests get delayed or forgotten.
- Incomplete responses: for example, on an access request, the company sends a customer-account export but forgets login logs, archived payment data, or marketing emails received.
- No identity verification for the requester, or conversely, excessive demands (systematic copy-of-ID).
The fix: create a dpo@yoursite.com or privacy@yoursite.com address, document the internal process (who receives, who validates, who responds, in what timeframe), and check your team’s training cadence.
Mistake 7: Security breaches not notified within 72 hours
GDPR Article 33 requires notification of a data breach to the relevant supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the risk is high, Article 34 also requires individual notification of affected customers.
The most common e-commerce breaches:
- Customer database leak via an export bug (an export file exposed at a publicly reachable URL).
- Unauthorized access following an admin account compromise.
- Data theft via SQL injection or XSS.
- Mass-email mistake (an email sent with the customer database as an attachment).
Regulators regularly note that e-commerce operators, out of unfamiliarity or fear of reputational damage, fail to notify within the deadline. This is an aggravating factor: sanctions are then significantly heavier than for an initially minor breach reported on time.
The fix: prepare a notification protocol upfront (template letter to your regulator, responsible team, breach register). Each EU Data Protection Authority publishes its own online notification form — the European Data Protection Board’s portal lists every national authority and the corresponding submission channel.
How to get compliant fast
The seven mistakes above are correctable in less than a week for most SMBs. The recommended sequence:
- Day 1: audit the existing setup via an automated compliance scanner to identify public-facing errors (cookies, legal notices, privacy policy).
- Day 2: generate or refresh legal documents (privacy policy, legal notices, terms) with a specialized tool.
- Day 3: deploy a compliant cookie banner with auto-blocking.
- Day 4: inventory sub-processors and verify DPAs.
- Day 5: create the dedicated rights-request email + document the internal process.
- Days 6-7: prepare the breach notification protocol and train the team.
For penalties incurred in case of audit, see our country-specific dossiers: GDPR fines: top 15 CNIL sanctions in France, GDPR fines 2026: top 15 in Germany, or our cross-jurisdiction guide Non-compliant GDPR website: up to €300,000 fine.
FAQ
Do regulators audit randomly, or only on complaint?
Both. The majority of audits follow a complaint (customer, competitor, advocacy organization). The remainder are annual thematic audits (e-commerce, health, public sector) or follow-up audits after an earlier formal warning.
What’s the average fine for an EU SMB e-commerce in 2026?
For SMBs (revenue < €5M), the typical range is €5,000 to €50,000. For mid-market companies, €50,000 to €500,000. Multi-million-euro sanctions are mostly for large platforms or deliberate violations.
Do I need a Data Protection Officer (DPO) for an e-commerce site?
Not always. A DPO is mandatory if you process data on a large scale (Article 37 of the GDPR). A general-purpose e-commerce site with under 50,000 customers per year typically does not need one but can designate an internal GDPR lead. From 100,000 customers per year, or if you process special categories of data (health data, unencrypted banking data), a DPO becomes necessary.
How do I know if my Google Analytics is compliant?
Three points: (1) IP anonymization enabled, (2) Consent Mode v2 connected to your cookie banner, (3) data processing agreement signed with Google. If you’re uncertain about any of the three, consider Plausible or Matomo, which are compliant by default.
What should I do if I discover a data breach today?
In order: (1) contain the leak (rotate compromised passwords, isolate the system), (2) assess the risk to data subjects (who, how many, what data), (3) notify your Data Protection Authority within 72h via their online form if there is a real risk, (4) if the risk is high, individually notify the affected customers, (5) document everything in your breach register.
How long does a regulator audit take?
An on-site audit lasts one to two days. The investigation phase that follows can run six months to two years before the final decision. During that period, you have an obligation to cooperate and respond to additional document requests.
Auditing your online store today takes less than five minutes with an automated scanner — and saves you weeks of uncertainty in case of an audit. For Shopify-specific obligations, see our dossier Shopify and GDPR: protecting your store from fines.