General Data Protection Regulation (GDPR)

EU General Data Protection Regulation (GDPR) is an update to regulations for the processing of data and private information online. This will apply to online stores based in the European Union or those that do extensive business in Europe. GDPR places the responsibility on businesses to give individuals more control over their personal data. If your online store violates the regulations, you could face fines. GDPR goes into effect starting May 25th, 2018.


Disclaimer: The information in this article is for guidance only and does not constitute legal or professional advice. Always consult a qualified lawyer on any specific legal problem or matter. BigCommerce disclaims all liability with respect to the information in this document.

Is my Business Affected?

GDPR applies to you if your online store is based in the European Union or your store targets shoppers in the European Union. To be more certain if GDPR applies to your business, contact a legal professional.


How BigCommerce is Compliant

As an ecommerce platform, BigCommerce is compliant with GDPR. BigCommerce provides the following features that make it compliant:

  • BigCommerce continues to meet the requirements of the Privacy Shield program and will action all Data Subject Access Requests submitted to it within the required 30 days.
  • Deleting a customer from the BigCommerce Control Panel removes the Personal Data associated with that customer within 14 days.
  • Customers can correct or update their data when they log in to their account.
  • Data is portable. Customer data can be exported in CSV format with the Bulk Import Export tool.
  • Consent is required to use data. You can easily add a checkbox that lets your users view and agree to your privacy policy.
  • In the event that a data breach involves BigCommerce, we will report the event to you without undue delay.
  • The BigCommerce security team ensures that data in transit to our platform is protected at every stage.

While BigCommerce meets these requirements, any add-ons to your store, such as third-party apps, custom code, or payment gateways, are not covered by this statement.


Suggested Actions for GDPR

There may be steps your business needs to take to make your store fully compliant.

Create a GDPR compliant Privacy Policy 

Make sure you have a Privacy Policy page on your store. See our example privacy policy for an idea of what the page should include.

Check your Apps and Integrations

Any apps that you use with your online business will also need to be compliant. If an app or integration does not explicitly state that it is compliant, you will have to contact the vendor directly to confirm whether it meets GDPR requirements.

For account sign-up forms, you can include a required checkbox for consent to your privacy policy. See Creating a Privacy Policy | Requiring Consent for Account Signup for instructions on how to do this for your store. 

Report Security Breaches

Take steps to make sure your customers' data is secure, and if there's a breach, disclose it to the Supervisory Authority within 72 hours.

To learn more about security and privacy, join our Security & Privacy Community Group. Our security team will answer questions about security issues and how to make sure you are compliant.



Who is my Supervisory Authority?

  • Your Supervisory Authority depends on the country in which your business is based. A list of Data Protection Authorities (DPAs) can be found here.

How do I make sure shoppers get the notification to accept cookies?

  • Under Miscellaneous Settings, there is a privacy section that allows you to turn on the EU cookie notifications and customize the text of the notification.

Is the Abandoned Cart feature GDPR compliant?

  • The abandoned cart feature is compliant as long as you provide your customers an easy way to opt out. Every abandoned cart email your customers receive contains a link they can click to unsubscribe. Their choice is automatically recorded in the "Receive ACS/Review Emails" field on the Customer Details page.

Are apps from the App Marketplace GDPR compliant?

  • BigCommerce is not responsible for making sure apps comply with the laws of specific jurisdictions; it is the responsibility of each app developer to ensure their product meets these requirements. If you are unsure whether one of your apps is GDPR compliant, contact the app developer directly. BigCommerce plans to make it easier to see whether an app is GDPR compliant from the App Marketplace in the future.

How can I link to my Privacy Policy during checkout for guests?

  • You can link to your Privacy Policy during checkout by enabling Terms & Services in Checkout Settings. This will also be shown to logged-in shoppers.

Can I offer a double opt-in for newsletters?

  • Double opt-in sign-ups are not required for GDPR compliance. While BigCommerce collects newsletter sign-ups that can be shared with third-party apps, it does not use double opt-in and does not contain a native newsletter feature. Check with your email marketing provider to see if they offer this feature.

Where can I get more information?

  • For more answers about how BigCommerce meets GDPR compliance, join our Security & Privacy Community Group. For questions about your individual business situation, contact a legal professional for the best support.