July 11, 2018

GDPR Debrief: How Retailers Have Approached Data Compliance

GDPR has been a hot topic for a while now and even though the deadline for data compliance has passed, the influence and impact of the General Data Protection Regulation is still in its infancy. Not only has GDPR forced businesses to change their processes and privacy policies, it’s changed the way that everyday users view data privacy and how brands capture, use and process their data.

In this blog, Space 48’s Marketing & Events Manager, Natasha Wright, looks at some of the key areas where GDPR has impacted retailers and how retail brands have approached new data compliance rules and processes:

The rush to beat the data compliance deadline

How did you get on with the race for compliance? We say race, because it’s fair to say that a lot of businesses seemed to leave their GDPR compliance planning to the last minute. In fact, we had a lot of interest in our Checklist for GDPR Compliance in Ecommerce in the weeks (and even days) leading up to the May 25th GDPR deadline. This suggests that many retailers were still feeling a little unprepared for the new data rules right up until the deadline for compliance.

It’s no surprise then that Econsultancy’s recent 2018 Email Marketing Industry Census revealed that only 77% of company respondents said that they were confident of being compliant in time for the deadline. You might think this is a high percentage, but if you consider the long time that brands have had to prepare for GDPR and the magnitude of the risk of non-compliance (i.e. pretty hefty fines), almost a quarter of those surveyed not being confident in being compliant in time is a concern.

You’ll have seen your inbox flooded with emails about changing privacy policies and repermissioning in April and May, and many retailers left this late too. In fact, we even witnessed some brands sending emails about the looming deadline, after the deadline!

Having said that, we’ve generally seen a positive approach to GDPR from retailers, in terms of messaging and a renewed focus on customer-centricity and relevance, despite the inevitable loss of email subscribers (through opt-outs and unsubscribes).

Talking of repermissioning…

Repermissioning campaigns

We saw various different approaches from retailers regarding repermissioning during the countdown to compliance, from the softly, softly approach to the “is this the end?” break-up-style email. There was a wide range of design, frequency and tone of voice used by retail brands to alert subscribers to changing privacy policies and to achieve positive opt-in to marketing emails.

Some retailers sent several emails as part of their repermissioning campaigns, to ensure as many of their subscribers stayed on board as possible. In terms of persuasion tactics, some brands focused on outlining the benefits and value of their content (such as exclusive offers, incentives and news), whilst others offered subscribers a chance to update their preferences and tailor the content to be more relevant to their needs.

Here’s a great repermissioning email example from Waitrose, which is friendly in tone and which outlines the value of the brand’s marketing emails, whilst evoking both trust and urgency:

GDPR repermissioning email example Waitrose

This email campaign example from Whistles shows how some brands incorporated repermissioning opt-in messages within promotional emails:

GDPR repermissioning email Whistles


There was also a varying level of confidence in existing marketing consent demonstrated by brands, as many retailers simply sent out emails to subscribers and customers about privacy policy updates. Repermissioning campaigns were only required where businesses did not have proof of valid consent for their communications for certain segments of their databases, in line with the stipulations of the General Data Protection Regulation rules on data processing and marketing consent.

This privacy policy update from Paul Smith is an example of how simple some retailers kept their GDPR-related emails. However, when it comes to messages about privacy policy and data processing, we recommend outlining your brand’s commitment to keeping personal data safe and using data in the right way.

GDPR repermissioning emails Paul Smith


Cookies, and their use to track website visitors and actions, have always been a source of debate amongst marketers and users. GDPR brought this back into focus, and new rules require more clarity and notifications from brands about the use of cookies on their websites.

Cookies play a key role in ecommerce, in enabling faster page loading for returning visitors to previously-viewed pages and for websites to recognise returning users, helping businesses to analyse data about webpage traffic and improve the browsing experience, tailoring it more effectively to customer needs. 

Most retailers have responded positively and embraced the need to notify visitors of cookie use, explaining the reasons for cookie use and implementing buttons for consent and further information on cookie policies. Here’s a good example from Gap:

GDPR cookie notifications Gap

Not only is this notification clear and compliant, but it explains the reasons Gap uses cookies and why they benefit website visitors. There is a simple option to browse without cookies or to find out more.


There have been a lot of questions in recent months about the impact of GDPR on personalisation and the ability of retailers to deliver personalised experiences and product recommendations, both onsite and via email marketing and paid social retargeting.

It’s understandably a concern for ecommerce businesses, especially when you consider that 75% of consumers are more likely to buy from a retailer that personalises (Source: Accenture).

If you have a ‘legitimate interest’, you don’t need permission. This is a little bit of a grey area within GDPR, but it’s an area of the data processing rules where retailers can back up their communications with users with a valid reason to market to them, both on ecommerce website pages and even with email. You don’t necessarily need permission to use data for presenting personalised offers during the purchase process. And transactional emails, such as purchase confirmation emails and cart abandonment messages, come under legitimate interest – check out the ICO’s explanation of legitimate interest.

Under GDPR, users do have the ‘right to erasure’ and the ‘right to object’, where they can explicitly request to have their details erased or for permission-based marketing and personalisation to be stopped. So, the onus is on merchants and marketers to clearly explain the reasons for utilising personal data and the benefits to their customer journey.

Links to privacy policies and clear messages about the use of data for personalisation purposes must be easy to view and understand. Privacy policies can be pretty long and most users won’t read all of the content, but GDPR rules state that ‘any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used’. Layering is a good way to add further information. See example below:

GDPR privacy notice layering

Layering can offer users bitesize chunks of your privacy policy and data processing details, leading into links to the full information. This can give shoppers peace of mind and quick-glance info that builds trust quickly. The example below shows how you can also add ‘just in time’ information in sign-up forms:

GDPR privacy notice just in time notice

Onsite data-capture

Personal data collection is a value exchange. Gaining personal data from consumers for marketing purposes requires clearly explained reasons for this data capture and processing, in order to convince people to join subscriber lists.

Like with cookies, we’ve generally seen a good response from retail brands in ensuring data capture forms are not only compliant but explain the value of signing up to subscriber lists, even adding incentives to convince users to submit details on sign-up forms.

See this example from Gap, which gives potential subscribers flexibility in the type of content they’ll receive and an added incentive in the form of an exclusive offer: 

Email marketing sign-up form - Gap

However, when actively seeking to subscribe to brand emails, users are showing intent. Therefore, as demonstrated in the email sign-up form below from Urban Outfitters, there doesn’t need to be a checkbox for consent in this case, just a reiteration of what to expect from the brand’s emails and a link to the privacy policy.

Email sign-up form GDPR - Urban Outfitters

Popovers are a good way to boost subscribers and grow your email database, but just like with other email sign-up forms, you must ensure they are GDPR compliant.


GDPR has already had a big impact on ecommerce and will continue to be a key consideration for retailers, as they push forward with their marketing campaigns and targeting. Retail brands will likely see their conversion rate and revenues suffer in the short term, as a result of repermissioning and more cautious users. However, the long-term influence should be a positive one, with brands forced to tighten up their data processes and focus on providing relevance and value to prospects and customers, whilst improving customer trust and offering them more targeted, transparent and engaging marketing content and communications.

If you want to learn more about how to deliver effective ecommerce communications, UX, personalisation or email marketing campaigns, why not book a free consultation with one of our experienced ecommerce specialists?


Space 48 is a leading UK ecommerce consultancy and website development agency, specialising in Magento and Shopware platforms. Do you have any questions about GDPR or any of the topics covered in this blog? Get in touch with our team today. Or explore our range of ecommerce audits and assessments, which will pinpoint your key growth opportunities and help you to increase your ecommerce performance!