Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Overview
Practical Steps And Common Mistakes
- 1. Map your data flows properly
- 2. Make your privacy notice specific
- 3. Fix marketing consent and opt-out settings
- 4. Review your cookies and tracking tools
- 5. Put proper contracts in place with service providers
- 6. Set retention rules that reflect real business needs
- 7. Train your team on daily handling
- 8. Have a breach plan, even if your business is small
- Key Takeaways
If you run an online shop, customer data is woven into almost every sale. You collect names, delivery addresses, email addresses, payment details, browsing data, account logins and marketing preferences, often without stopping to map where it all goes.
The common mistakes are usually simple: copying a privacy policy from another site, adding everyone to marketing lists without valid consent, and sharing customer details with couriers, payment providers or app plug-ins without properly explaining it.
That creates real business risk. In the UK, online retailers must handle personal data under the UK GDPR, the Data Protection Act 2018, PECR rules for electronic marketing and cookies, and general consumer transparency standards. The detail matters before you launch an online store, before you switch on marketing automations, and before you sign up new software providers.
This guide explains what customer data rules for online retailers mean in practice, when the issue usually comes up, the steps to sort out first, and the mistakes founders most often make when selling online in the UK.
Overview
UK online retailers can collect and use customer data, but only if they do it lawfully, transparently and for clear business purposes. Most businesses do not need to stop using customer data, they need to organise how they collect it, explain it, secure it and limit it to what they actually need.
The core legal position usually turns on what data you collect, why you collect it, who you share it with, how long you keep it, and whether you are sending direct marketing messages or using cookies and tracking tools.
- Identify every type of personal data your store collects, including order details, account information, marketing data, device data and customer service records.
- Work out your lawful basis for each use of data, such as fulfilling an order, complying with legal obligations, legitimate interests or consent.
- Make sure your privacy notice clearly explains what happens to customer data and when third parties receive it.
- Check your cookie banner and marketing sign-up process, especially for email and SMS promotions.
- Review contracts with payment gateways, ecommerce platforms, fulfilment providers, apps and other processors.
- Set retention periods so you are not keeping customer information indefinitely.
- Put security measures in place for staff access, passwords, payment handling and breach response.
- Have a practical process for customer rights requests, including access, deletion and objection to marketing.
What Customer Data Rules for Online Retailers Means For UK Businesses
For a UK retailer, customer data rules are not just about publishing a privacy notice. They affect how your website is built, how your checkout works, how your email marketing runs, and how your team handles day to day customer information.
What counts as customer data?
Personal data means information that identifies a person, or could identify them when combined with other information. For online retailers, that usually goes well beyond a customer name and address.
It often includes:
- names, usernames and account details
- billing and delivery addresses
- email addresses and phone numbers
- order history and returns history
- payment references and transaction data
- IP addresses, cookie identifiers and device information
- recordings of customer service calls or chat logs
- marketing preferences and engagement history
Some retailers also handle higher-risk categories of information. That might include health-related details for personalised products, age information for restricted goods, or accessibility information given to customer service teams. If you collect anything more sensitive, the compliance standard rises quickly.
The main UK rules that usually apply
The main framework is the UK GDPR, supported by the Data Protection Act 2018. These rules set out principles for handling personal data, including fairness, transparency, purpose limitation, data minimisation, accuracy, storage limits and security.
PECR, the Privacy and Electronic Communications Regulations, also matters for online retail. PECR covers rules around cookies and electronic marketing, including many email and SMS campaigns.
Consumer-facing transparency matters too. Even where a practice is technically possible, the main risk is often that a customer was not told clearly what would happen with their data. That is where founders often get caught, especially when they rely on default settings in ecommerce tools.
Lawful bases matter more than most retailers expect
You need a valid lawful basis for each way you use personal data. A lawful basis is the legal reason that allows you to process data. You do not just choose one basis for your whole business and apply it everywhere.
For online stores, common lawful bases include:
- contract, where you need data to take payment, dispatch goods, send order updates or manage returns
- legal obligation, where you need records for fraud checks, accounting or regulatory reasons
- legitimate interests, where you use data in ways that are reasonably expected and balanced against customer privacy, such as some analytics, fraud prevention or service improvement
- consent, where the law specifically expects it, especially for certain marketing and cookie activities
A frequent mistake is relying on consent for everything. Another common mistake is doing the opposite and assuming legitimate interests covers all marketing and tracking. Neither approach is safe without looking at the specific use case.
Transparency is not just a formal document
Your privacy notice should tell customers what data you collect, why, how long you keep it, who you share it with, whether data leaves the UK, what rights customers have, and how they can contact you. But the legal issue does not end there.
The same story needs to match what customers actually see on your site. If your checkout adds them into promotional emails by default, or your cookie banner pushes users towards accepting tracking, the main problem may be the design of the customer journey rather than the wording of your privacy notice.
Retailer setup decisions also affect data compliance
When founders start an ecommerce business in the UK, they often focus on registration, business structure, trade mark protection, supplier agreements, website terms and consumer law. Data privacy should sit alongside those basics, not as an afterthought.
That is especially true before you launch online, before you spend money on setup, and before you print labels or marketing inserts. The apps and platforms you choose early on often determine where customer data is stored, who can access it, and what contracts you need in place.
When This Issue Comes Up
Customer data compliance usually becomes urgent at practical business moments, not abstract legal ones. Most online retailers discover gaps when they launch, scale, outsource or add new marketing tools.
Before you launch an online store
This is the best time to sort out your privacy position. Once the site is live, customer data starts flowing immediately through the checkout, analytics tools, contact forms, live chat widgets and email sign-up forms.
Before you launch online, check:
- whether your privacy notice reflects the actual plugins and services on your site
- whether your cookie banner blocks non-essential cookies until the right consent is given
- whether your checkout and account creation flow explain marketing choices clearly
- whether your website terms and privacy wording align with your returns process and customer communications
When you start email or SMS marketing
This is one of the most common trigger points. Founders often assume that because someone bought a product, the business can market to them however it likes afterwards. That is not always correct.
The rules depend on the channel, the relationship with the customer, how their contact details were collected, and whether they were given a proper chance to opt out. Purchased mailing lists are especially risky. So are mailing lists built from old leads where the business cannot show when and how consent was obtained.
When you add third-party providers
Most online retailers rely on a stack of providers, such as ecommerce platforms, payment processors, delivery partners, marketing platforms, customer support tools and review apps. Every new provider can create a fresh data-sharing issue.
Before you sign a contract with a new provider, look at:
- what customer data the provider receives
- whether it acts as your processor or uses data for its own purposes
- what security commitments it gives
- whether it stores data outside the UK
- whether the contract includes appropriate data protection terms
When you expand the business
Growth often creates compliance drift. A business that started with a simple webshop may later add loyalty programmes, subscriptions, marketplaces, fulfilment partners, affiliates, personalisation tools and multiple team logins. Each change can widen your data footprint.
This is where SMEs often need to revisit their original setup. A privacy notice written for a simple one-product store will not be enough once the business tracks customer behaviour across channels or shares information with a larger supplier network.
When a customer complains or makes a data request
A complaint usually exposes weak internal processes. A customer might ask for a copy of their data, object to marketing, request deletion of an account, or complain that they keep receiving emails after unsubscribing.
If your team cannot locate the data, does not know which system controls marketing preferences, or cannot tell who received the customer’s information, the legal and reputational risk increases quickly.
Practical Steps And Common Mistakes
The right approach is to map your real data use and fix the pressure points first. For most retailers, that means website transparency, marketing permissions, supplier contracts, retention rules and internal handling practices.
1. Map your data flows properly
Start with a practical list of what customer data comes in, where it goes and who touches it. Do not rely on assumptions from your web developer or platform provider.
Your map should cover:
- website forms and checkout fields
- payment processing
- delivery and fulfilment handoff
- returns and refunds handling
- email and SMS marketing tools
- analytics, pixels and ad platforms
- customer support inboxes, chat functions and helpdesk tools
- internal staff access and spreadsheets
The common mistake is only documenting the obvious systems. Founders often forget exported CSV files, warehouse access, review platforms or personal inboxes used for customer service.
2. Make your privacy notice specific
Your privacy notice should match your actual business model. A generic template often misses the categories of data collected, the legal bases used, third-party recipients and whether international transfers happen.
A better notice usually explains:
- what personal data you collect at each customer touchpoint
- why you collect it and the lawful basis for doing so
- which providers help you process payments, deliver goods, host the website or send marketing
- how long different categories of data are kept
- how customers can exercise their rights
The wording should be clear enough for a normal customer to understand before they place an order, not hidden in legal jargon.
3. Fix marketing consent and opt-out settings
Marketing is one of the biggest risk areas for online stores. Email and SMS campaigns can be high value, but the rules around consent and opt-outs need careful handling.
Common mistakes include:
- pre-ticked boxes for marketing sign-up
- bundling marketing consent into account creation or checkout terms
- sending promotions without a clear unsubscribe option
- treating newsletter sign-up and personalised ad tracking as the same consent
- keeping people on marketing lists after they opt out
If you use segmentation, retargeting or abandoned cart messages, review the legal basis and customer messaging carefully. These tools often combine privacy issues with PECR and cookie compliance issues.
4. Review your cookies and tracking tools
If your store uses analytics, advertising tags, social media pixels or personalisation software, cookie compliance matters from day one. Many retailers install these tools through apps without realising how much data they collect.
Your cookie setup should clearly separate essential cookies from non-essential tracking. Non-essential cookies will often need consent before they are placed. A banner that nudges users towards acceptance, or treats continued browsing as consent, may not be enough.
Founders also miss the need to keep the cookie information current. If your site changes, your cookie notices and settings usually need to change too.
5. Put proper contracts in place with service providers
If a provider processes customer data on your behalf, the contract should include data protection terms. This often applies to ecommerce platforms, email providers, fulfilment services, customer support software and cloud storage tools.
The contract should usually address:
- what data is processed and for what purpose
- security measures
- confidentiality
- sub-processors and onward sharing
- assistance with data requests and breaches
- return or deletion of data when the service ends
The common mistake is accepting commercial terms without checking the data position, especially before you sign with a fast-growing tech provider or overseas app vendor.
6. Set retention rules that reflect real business needs
You should not keep customer data forever just because storage is cheap. Different categories of data may need different retention periods.
For example, order and payment-related records may need to be kept longer for legal and accounting reasons, while unused marketing leads or dormant support chat records may not. The right period depends on the purpose and any legal obligations.
The mistake here is keeping everything indefinitely because deletion feels risky or inconvenient. That can increase your exposure if a breach happens or a customer exercises their rights.
7. Train your team on daily handling
Many data issues are operational rather than technical. Staff may forward customer emails internally, download order reports to personal devices, or use old mailing lists without understanding the rules.
Your team should know:
- who can access customer data
- how to verify identity before disclosing account information
- how to record and honour opt-outs
- what to do if a customer asks for their data or requests deletion
- how to escalate a suspected breach quickly
Small businesses often skip formal training, but a short internal process can prevent avoidable mistakes.
8. Have a breach plan, even if your business is small
A data breach does not just mean a hacker attack. It can include sending an order spreadsheet to the wrong recipient, exposing addresses through a mailing error, or giving too many staff members access to customer information.
You need a practical response plan that covers internal reporting, containment, investigation and decisions about notification. A founder should know who takes ownership and what records are kept if something goes wrong.
FAQs
Do online retailers in the UK need a privacy policy?
Yes, in practice most online retailers need a clear privacy notice because they collect personal data through orders, accounts, enquiries, marketing forms or cookies. The notice should reflect what your business actually does, not generic wording copied from another website.
Can I email customers about new products after they buy from me?
Sometimes, but not automatically in every case. The answer depends on how you collected their details, whether they were given a proper opt-out opportunity, the type of marketing you send and the PECR rules that apply.
Do I need customer consent for cookies?
For many non-essential cookies and tracking tools, yes. Essential cookies needed to run core website functions are treated differently, but analytics, advertising and similar tracking tools often require consent before they are set.
What happens if a customer asks me to delete their data?
You need to assess the request and respond properly. Deletion is not always automatic because some data may need to be kept for legal, accounting or contractual reasons, but you should have a process to identify what can be erased and what must be retained.
Do small online shops have to follow the same data rules as larger retailers?
Yes. The scale of your business may affect what measures are proportionate, but the core legal duties still apply. Small retailers are often more exposed because informal systems and copied templates create gaps.
Key Takeaways
- Customer data rules for online retailers in the UK usually involve UK GDPR, the Data Protection Act 2018 and PECR.
- Your business should know exactly what customer data it collects, why it collects it, where it goes and who receives it.
- A privacy notice needs to match your real website, checkout, marketing and supplier setup.
- Email, SMS, cookies and tracking tools are common risk areas, especially where consent and opt-out processes are weak.
- Contracts with platforms, payment providers, fulfilment partners and software tools should deal with data protection clearly.
- Retention rules, staff access controls and a breach response process are just as important as customer-facing wording.
- Growth, outsourcing and new marketing tools are the moments when online retailers most often need to review their privacy setup.
If your business is dealing with customer data rules for online retailers and wants help with privacy notices, marketing consent, supplier data protection terms, and website compliance, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.







