Growing Your Ecommerce Store

In previous chapters, we've looked at some of the privacy implications of operating an ecommerce store. Many of these will be relevant to practically any internet business - for example, creating a Privacy Policy, processing customers' personal information in a secure way, and earning the necessary consent to send marketing emails.

Privacy runs through every aspect of ecommerce. Alongside the more conventional ways of promoting your ecommerce store, you might decide to use innovative marketing tools such as analytics, session recording and remarketing. There are additional, more complex privacy implications when it comes to using these tools.

Analytics

Analytics is a broad term encompassing a number of different techniques used to measure and analyze data about your website. This data may or may not constitute personal information, depending on:

  • The nature of the data you collect
  • How personal information is defined under the relevant privacy laws
  • The steps you take to ensure that individuals are not personally identifiable from the data you collect from them

There are two important principles that you should try to remember at all times:

  1. You must maintain control over what you're collecting, and
  2. You must be transparent with your customers about it

It's possible to end up collecting personal information "by accident" if you aren't careful. Make sure you know what you're collecting and what you need it for. And make sure you disclose anything you're collecting that might be personal information in your Privacy Policy.

Analytics and Privacy Law

Analytics platforms use third-party cookies. It's essential that you're upfront about this, and seek consent where necessary.

One of the most popular analytics services, Google Analytics, requires that websites running the service maintain a Privacy Policy that explains how Google uses visitors' personal information. Here's the relevant part of Google's Terms:

Google Analytics Terms of Service Privacy clause with disclosure requirements highlighted

Here's how you can implement this:

Amunix Privacy Policy: Google Analytics clause

We use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Site and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google's practices by going to https://www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

It's best to get consent to use Google Analytics if you have EU customers.

Here's how TrendMD does this:

TrendMD Google Analytics and cookies consent banner notice

Note that it's just as easy to select "Yes" as it is to select "No." This is a really good practice under the GDPR.

It's also possible to make various adjustments to how you collect analytics data in order to minimize the amount of personal information you're collecting.

Under Article 25 of the GDPR, you must keep the amount of personal information you collect to an absolute minimum.

Analytics software provider Adobe Analytics allows users to label the different types of data they collect so as to maintain control over how it is used:

Adobe Analytics GDPR Labels for Analytics Variables: excerpt of Identity Data Labels chart

Session Recording Tools

Session recording is a type of analytics technology which allows you to view your customers' activity on your website in detail by actually recording and replaying their session as they move their mouse pointer around, click links and enter information into forms.

This lets you see exactly where visitors might get "stuck" on your website, shows you which areas of your website might be difficult to find, and helps you put analytics data into context.

As you can imagine, there are serious implications here for your customers' privacy. If the proper safeguards aren't put in place, it will seem like you are "spying" on people as they move around your site.

Session Recording Tools and Privacy Law

The companies offering session recording tools are very conscious of this potential privacy threat, and many pride themselves on apparently being GDPR-compliant. EU privacy law is seldom straightforward, but many of these services have clearly done their homework.

First, we'll look at how a Privacy Policy can disclose the different types of information it collects on behalf of businesses:

Mouseflow Privacy Policy: Information We Collect on Behalf of Third Parties clause

Note that "third parties" here refers to third parties other than the company itself - which is, of course, a third party in relation to your customers.

You can provide some instructions to your clients in a way that ensures they are using the software in a legally compliant way:

Excerpt of Mouseflow GDPR compliance instructions chart for clients: Website Audit and IP Addresses

You can also explain things such as all IP addresses being anonymized or excluded automatically within the EU. For businesses operating outside of the EU, IP address anonymization is optional.

Excerpt of Mouseflow GDPR compliance instructions chart for clients: Explicit consent

When EU courts rule on what constitutes personal information, they tend to make very broad interpretations. Monitoring your customers' behavior on your site can render them identifiable under certain circumstances, even where safeguards are in place. Therefore, it is safest to earn your customers' consent for session recording technology.

Different session recording services approach GDPR compliance in different ways. Tracking tool Hotjar, which also offers session recording, has drawn up a Data Processing Agreement:

Hotjar Sign Data Processing Agreement page

It's necessary under Article 28 of the GDPR for a data controller to have a legally binding agreement with any data processors. Hotjar has set this out very explicitly for its clients.

Another similar service, Inspectlet, has conducted a Privacy Impact Assessment in order to ensure GDPR compliance. This is a requirement under Article 35 of the GDPR for processing involving new technology.

Here's part of Inspectlet's Privacy Impact Assessment where it discusses the measures it takes to anonymize IP addresses:

Inspectlet Privacy Impact Assessment for GDPR: Technical and security measures section

Technical and security measures

All data is encrypted during transmission and collected data is stored encrypted at rest using AES encryption. If the Customer has enabled IP address anonymization, the last two octets of the IP address will be removed and not be available to the user nor Inspectlet. Backups of data collected are made routinely and tested occasionally to verify restore procedure functionality. All data is physically stored only in AWS data centers meeting ISO 27001 compliance.

Inspectlet has decided that removing the last two octets of IP addresses will help ensure that users' personal information is not revealed. This is one of the methods suggested by the Internet Engineering Task Force's Internet Area Working Group (IntArea) for anonymizing log data in a GDPR compliant way:

IntArea Working Group Logging Recommendations for Internet-Facing Servers: Providers section
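The truncation Inspectlet describes can be applied to your own server logs before they are stored. The following is an added example, not Inspectlet's or this book's code. It assumes the client address is the first field of each log line, represents the "removed" octets as zeros so the field still parses, and cuts IPv6 addresses to 48 bits, a choice the text above does not cover.

```python
import ipaddress

# Assumption (not from the page): IPv6 addresses keep only their first 48 bits.
IPV6_KEEP_BITS = 48


def anonymize_ip(text: str) -> str:
    """Zero the last two octets of an IPv4 address (the measure quoted above)."""
    addr = ipaddress.ip_address(text)          # raises ValueError if not an IP
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                # ::ffff:a.b.c.d is really IPv4
    keep = 16 if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False masks the host bits instead of rejecting them.
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client address in the first field of an access-log line."""
    client, sep, rest = line.partition(" ")
    try:
        return anonymize_ip(client) + sep + rest
    except ValueError:
        # First field is not an address (e.g. a hostname): drop it rather
        # than risk storing an identifier unmasked.
        return "-" + sep + rest


SAMPLE_LOG = [  # constructed sample lines using documentation address ranges
    '203.0.113.77 - - [12/Mar/2024:10:15:32 +0000] "GET /cart HTTP/1.1" 200 512',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/Mar/2024:10:15:40 +0000] '
    '"GET / HTTP/1.1" 200 904',
    '::ffff:198.51.100.23 - - [12/Mar/2024:10:16:02 +0000] '
    '"POST /checkout HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(anonymize_log_line(line))
```

Run the masking at the point of collection, so the full address never reaches disk or backups.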

Session recording technology does represent a considerable privacy risk if not used carefully. However, the examples above show that companies offering such tools do take privacy seriously.

Remarketing

Remarketing (retargeting) is a method of using cookies to display ads to your users after they've left your site.

If you've ever added a product to your cart and then abandoned the purchase, you might have spent the next few weeks noticing ads for that product pop up in unexpected places. This is no coincidence. The ecommerce store most likely placed a cookie on your device that followed you around the ad network to tempt you into completing the sale.

This is a highly effective marketing technique, but your customers might find it a little creepy. However, with the right privacy protections in place you should be able to put their minds at rest.

Remarketing and Privacy Law

Google Ads is one of the more popular ad networks to offer a remarketing service. It makes clear that anyone wishing to use the service must disclose that they are doing so in their Privacy Policy, and explain the implications.

Here's how Clickseed fulfills this requirement:

Clickseed Privacy Policy: Google AdWords and Facebook Remarketing Tags clause

This website uses Google AdWords & Facebook Remarketing Tags

This website uses Google AdWords & Facebook remarketing service to advertise on third party websites to previous visitors to our site. It could mean that we advertise to previous visitors who haven't completed a task on our site, for example using the contact form to make an enquiry. This could be in the form of an advertisement on the Google search results page, a site in the Google Display Network, or somewhere on Facebook. Third-party vendors, including Google & Facebook, use cookies to serve ads based on someone's past visits to the ClickSeed website. Of course, any data collected will be used in accordance with our own privacy policy, as well as Google & Facebook privacy policies.

You can opt-out of remarketing by visiting the links below:

For Google: https://support.google.com/ads/answer/2662922?hl=en

For Facebook: https://www.facebook.com/ads/website_custom_audiences/

You should give your customers a choice about whether they want to be subject to remarketing. You can do this by seeking their consent in the same way that you've sought their consent for other types of cookies.

You can then use a tool such as Google Tag Manager to ensure that you're excluding customers from remarketing where they have not opted in (or perhaps where they have opted out, if they're outside of the EU).

Case Study

Perfect Pasta is an Italian food company that sells dried pasta through its ecommerce store. It hopes to promote its business and improve its website through the use of analytics and tracking technologies.

Perfect Pasta should be sure to:

  • Make absolutely sure that any third-party services it uses to provide this service are GDPR-compliant
  • Only conduct business with such third parties under a clear and legally-binding contract
  • Give a clear explanation of the tracking and targeting technologies it uses and the reasons that it uses them in its Privacy Policy
  • Earn its customers' consent to be subject to such marketing techniques
  • Offer any customers that have opted in a clear method by which to opt out
  • Use such technologies in a responsible way that keeps the amount of personal information collected to a minimum

Note From the Editors

We hope this has been a helpful overview of the legal implications of running an ecommerce store. As you can see, there are a number of different legal policies you'll need, and some you'll benefit greatly from having. There are also a variety of laws that you'll need to be aware of that affect the ecommerce landscape. From your Privacy Policy to handling returns, these seemingly small details can truly transform the way the public perceives your ecommerce store as trustworthy and compliant.

As your business grows and changes, and as you enter into new business relationships, your company's policies will remain the backbone of your dealings with the public and with legal authorities. Paying attention now and creating the most compliant policies in line with legal requirements will help you consistently save time, effort and money in the future so you can focus on the more enjoyable, exciting aspects of running your unique business.

We wish you the best in your business endeavors, and want to remind you that you can return to the relevant chapters of this book at any time to make sure you're getting it right. And you can always visit our TermsFeed blog for the most up-to-date and relevant information on the ever-changing legal and regulatory landscape.