The Expectations vs. Realities of GDPR & What Merchants Need to Know

Guy Harris | January 30, 2026 | 14 min read



In a Nutshell

The General Data Protection Regulation (GDPR) governs how businesses collect, store, and process personal data of EU residents—including payment and transaction information. Understanding GDPR’s impact on payment processing and chargeback management can help you remain compliant and protect your business.

What Effect Did the General Data Protection Regulation — or GDPR — Really Have on Merchant Operations?

It has been more than seven years since the European Union’s General Data Protection Regulation, or GDPR, went into effect.

As one of the first data protection laws with global reach, the sweeping regulation affected virtually every business that processed the data of people in the EU or sold into EU markets; all of them are now subject to it. According to EU legislators, the aim was to “strengthen and unify data protection for individuals within the European Union.”

But, how effective has the GDPR really been at delivering on that promise? And what do its provisions require of merchants, both inside and outside of the EU? Here, we take a closer look at the GDPR’s intended purpose, the rights it grants to consumers, and the compliance requirements it imposes on businesses.

What is the General Data Protection Regulation?

TL;DR

The General Data Protection Regulation is a data protection and privacy regulation adopted in 2016 and applied across the EU from May 25, 2018. It governs how personal data is collected, used, and stored.

The General Data Protection Regulation (GDPR) is a comprehensive EU privacy law that took effect on May 25, 2018. It grants individuals control over their personal data and mandates how organizations must collect, store, and process that information.

Specifically, the core purpose of the GDPR is to return control of personal data to consumers. Under the law, businesses do not own consumer data; individuals retain rights over their own data, and merchants who collect it to provide services must process and use it in a compliant manner.

For this and other reasons, the GDPR is often described as the strictest privacy and security law in the world. That said, the 2018 law isn’t exactly a brand-new hurdle for merchants. Rather, the GDPR replaced the much older 1995 Data Protection Directive (Directive 95/46/EC), which was created when the internet was in its infancy.

Because of its age, the 1995 Directive could not address modern information-sharing practices like social media and smartphone tracking. The GDPR improves upon the legacy directive by creating a legal framework for data protection in an era where biometrics, geolocation tracking, eCommerce personalization, and other data-heavy approaches abound.

Does GDPR Apply to Merchants Outside the EU?

TL;DR

The GDPR applies globally if you serve customers in the EU, or handle the data of EU-based individuals.

A common misconception among North American merchants is that the GDPR only applies to merchants located in the EU. But, this isn’t true.

Instead, the GDPR applies to any business that processes the personal data of individuals who are in the EU, regardless of where the company is headquartered (Article 3(2)). Put another way, the GDPR applies based on activity, rather than location.

You are subject to the GDPR if your business offers goods or services to people in the EU, for instance, even if no payment is required. You’re also subject to the law if your business monitors the behavior of individuals within the EU by using tracking cookies, behavioral analytics, or other monitoring tools.

Here’s an example. Say your US-based Shopify store prices in Euros, offers shipping to France, or runs a German-language version of the site. Under Recital 23, indicators like these show that you’re “offering goods or services” to people in the EU, so you must comply with the GDPR (merely being reachable from the EU is not enough on its own). If you use Google Analytics to track the behavior of visitors from Spain, you’re “monitoring the behavior” of people in the EU and likewise fall under the GDPR’s scope.

The only way to fall out of the GDPR’s scope is if you neither do business with EU residents nor track their digital footprints. For most eCommerce businesses, this is effectively impossible; you’d basically have to block all EU-based incoming traffic.

What Are the Penalties for GDPR Non-Compliance?

TL;DR

There are stiff penalties for GDPR noncompliance: fines of up to €20 million or 4% of worldwide annual turnover per infringement, whichever is higher.

The GDPR gives European regulators teeth, letting them levy disruptive penalties on any businesses that fail to comply. Fines are administered in two tiers, depending on the severity of the infringement:

  • For less severe violations: Up to €10 million or 2% of the firm’s worldwide annual turnover from the preceding financial year, whichever is higher (Article 83(4)).
  • For more severe violations: Up to €20 million or 4% of the firm’s worldwide annual turnover from the preceding financial year, whichever is higher (Article 83(5)).
Did You Know?

2,245 individual fines have been issued under the GDPR since 2018, with total penalties exceeding €5.65 billion.

Major worldwide tech platforms have particularly provoked the ire of EU regulators. For example, in 2023, Meta (the parent of Facebook) was hit with a €1.2 billion fine, the largest ever under the GDPR, for mishandling data transfers between the EU and the US. That same year, the Irish Data Protection Commission fined TikTok €345 million under the GDPR for its improper handling of children’s data.

Later, in 2024, LinkedIn was fined €310 million by the Irish Data Protection Commission for processing of personal data for behavioral analysis in violation of the GDPR. And, in the very same year, the Dutch Supervisory Authority fined Uber €290 million for transferring the data of European drivers to the US without implementing appropriate safeguards.

To be clear, you don’t have to be a tech giant to be penalized under the GDPR. Some violations that frequently attract fines include:

  • Non-Compliance with Principles (Article 5): Failing to adhere to data minimization or accuracy standards.
  • Insufficient Legal Basis (Article 6): Processing data without a clear purpose. For example, collecting emails without having a stated purpose for that database.
  • Lack of Transparency (Articles 13 and 14): Privacy policies that are vague, hidden, or filled with “legalese” to obscure what’s really being said.
  • Insufficient Security (Article 32): Failing to implement appropriate technical and organizational measures, such as pseudonymization or encryption, to protect personal data against breaches.

As for whether you’re prepared for the GDPR as a non-EU merchant, consider the following common questions:

Can EU regulators actually enforce a fine against a business outside the EU?

Yes, though it’s complex. While EU regulators cannot physically walk into a US office to seize assets, they have mechanisms to enforce penalties. They can leverage international cooperation treaties to get local governments to act, or seize assets the company in question holds within the EU. Failure to pay can also mean being blocked from the EU market entirely, which can hinder your plans for international expansion.

Do I need a physical presence in the EU to be within scope?

No. Under Article 3 of the GDPR, the regulation applies to the processing of personal data of individuals in the EU, whether you have a physical presence there or not. So, if you’re a US merchant who sells digital goods to customers in Belgium, you are within scope and can be held liable.

Is having the right documentation enough?

Generally not. Being compliant on paper, with the right documents but the wrong practices, is a common trigger for fines. Regulators look for operational compliance: Are you actually encrypting data? Do you really delete data when requested? Do you have a Data Processing Agreement (DPA) with your vendors? Documentation is necessary but not sufficient; you’ll need to pair it with real action for it to count.


The 7 Principles of GDPR

Article 5(1) and 5(2) of the General Data Protection Regulation lay out the seven principles that every controller must follow. These are as follows:

#1  |  Lawful, Fair, and Transparent

Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

#2  |  Of Limited Purpose

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.

#3  |  Data is Minimized

Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

#4  |  Accuracy

Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

#5  |  Storage Limitation

Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1). This is subject to the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.

#6  |  Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data. Examples include protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

#7  |  Accountability

Finally, the controller shall be responsible for, and be able to demonstrate compliance with, all the other principles outlined above.


These seven principles bind the controller: every processing operation must be justified, limited to its purpose, accurate, time-bounded, secured, and documented. The individual rights that let consumers refuse or restrict uses of their data build on these principles and are covered next.

Key Consumer Rights Under GDPR

The GDPR grants individuals eight fundamental rights. Each of them has implications for eCommerce merchants and may affect or shape your store’s online interface and backend processes.


Right to Be Informed (Articles 13 and 14)

This obligates you to tell consumers exactly what you are doing with their data at the moment you collect it. Beyond merely having a privacy policy, your policy should be written in clear, plain language. It should explicitly state your identity, your lawful basis for processing data, how long you will keep the data, and who (if anyone) you share it with.


Right of Access (Article 15)

This is the right for a consumer to know if you are processing their data and, if so, to receive a copy of it. Businesses must provide a clear overview of what data is being held, why it is being processed, and who else (like third-party vendors) has access to it.


Right to Rectification (Article 16)

If the data you hold is inaccurate or incomplete, the consumer has the right to correct it. For merchants, this may mean providing a user portal where customers can easily update their shipping addresses, email preferences, or billing details without jumping through administrative hoops.


Right to Erasure, or “Right to be Forgotten” (Article 17)

This right allows consumers to request the deletion of their personal data when it is no longer necessary for its original purpose. Note, however, that this right is not absolute. In the following section, we’ll explore instances where merchants can decline this request, particularly when it comes to transaction records.


Right to Restriction of Processing (Article 18)

In certain scenarios, such as when a consumer contests the accuracy of their data or has objected to processing while the balance of interests is still being assessed, they can require you to restrict processing rather than delete the data. During this period you may keep the data, but beyond storing it you may only process it with the individual’s consent, for legal claims, to protect another person’s rights, or for an important public interest (Article 18(2)); marketing, analytics, and other active uses stop until the issue is resolved.


Right to Data Portability (Article 20)

Consumers have the right to receive their personal data in a structured, commonly used, and machine-readable format (e.g. as a CSV file) so they can transfer it to another service. This prevents vendor lock-in and forces merchants to maintain data systems that are interoperable.


Right to Object (Article 21)

Individuals can object to the processing of their data for specific uses, such as direct marketing. If a customer objects to having their data used for marketing purposes, you must stop immediately — there are no exceptions or “legitimate interest” defenses for ignoring a marketing opt-out.


Rights Related to Automated Decision-Making & Profiling (Article 22)

Consumers have the right not to be subject to a decision based solely on automated processing — an algorithmic credit card denial, for example, or automatic fraud rejection — if it significantly affects them. This may have implications for you if you use AI-driven fraud tools that auto-decline orders without human review. If a customer challenges an automated decline, you must provide a mechanism for a human to review the decision and for the customer to express their point of view.

Common Question

How long do I have to respond to a GDPR access request?

The clock starts ticking the moment a consumer exercises one of their rights under the GDPR. Under Article 12(3) you must respond without undue delay and in any event within one month of receipt. That period can be extended by two further months for complex or numerous requests, but you must tell the requester about the extension, and the reasons for it, within the first month.

However, before you hand over a file containing sensitive personal history, you’ll want to verify the identity of the person asking. If you fail to authenticate the requester, you could inadvertently trigger a data breach by accidentally sending a customer’s private data to a fraudster.

How GDPR Impacts Chargeback & Fraud Management

TL;DR

You’re allowed to keep customer data that you may need in the event of a chargeback, as long as the data is classed as necessary for the performance of a contract (i.e. a transaction). Responding to a chargeback falls under the purview of “performance of a contract.”

A major point of friction for merchants is the perceived conflict between privacy laws and fraud prevention. If a customer demands their data be deleted, do you have to destroy the evidence you might need to fight a chargeback three months later?

Luckily, the short answer is “no.”

Although payment data — including card numbers and transaction histories — is classified as “personal data” under the GDPR, you can process data if you have a lawful basis. For payment processing and fraud management, your legal basis is the “performance of a contract,” rather than mere consent. The rationale is that you cannot fulfill your contract to sell a product without processing payment data, and for that reason, you have the right to handle it.

Important!

A data subject’s Right to Erasure is not absolute. Article 17(3) of the GDPR explicitly permits a business to retain data where processing is necessary to comply with a legal obligation (Article 17(3)(b)), such as tax record-keeping, or for the establishment, exercise, or defense of legal claims (Article 17(3)(e)). Representing a chargeback falls within the latter.

Keep in mind that consumers have a long window of time to exercise their chargeback rights. Card networks sometimes give cardholders up to 540 days to file a dispute. Although it’s possible that a customer may request that their data be deleted during this timeframe, the carveouts we mentioned permit you to retain the specific transaction data required to defend against potential future disputes.

To be clear, you should delete marketing data (like emails or customer profiles) if requested. However, you can — and should — retain transaction information (such as AVS matches, delivery signatures, and IP address information) in case a chargeback arises.

Common Question

What if a customer asks me to delete everything?

If you’re asked to delete everything, you should comply with the request to delete non-essential data. At the same time, inform the customer that transaction records will be retained for a specific period (e.g. up to 24 months) to meet legal and contractual obligations regarding tax laws and dispute resolution.

GDPR Compliance Checklist for Merchants

GDPR compliance is complex. If you conduct business with EU residents or store their data, you may wish to consult an experienced privacy attorney.

Still, there are some things you can do yourself. Below, I’ll share some steps you can take to bring your business into compliance with GDPR regulations:


Audit Your Data

It’s difficult to protect what you don’t know you have. That’s why you should map out what personal data you collect, where it enters your system, where it is stored, and why you acquired it to begin with.


Establish Legal Basis

For every type of data processing, document your lawful basis. Whether it’s “consent” for your newsletter or “performance of a contract” for shipping and billing, you must be able to prove you have a legal right to process that specific information.


Update Your Privacy Policy

Your privacy policy should not be written in legalese. If it is, you’ll want to rewrite it so that it offers clear, accessible, and plain-language explanations of how you handle customer data, making it easy for even the average shopper to understand their rights.


Implement Consent Mechanisms

Review your opt-in forms and ensure that you’re securing customer consent in an active and granular fashion. For example, implement cookie banners with opt-in checkboxes or buttons that the user must actively click to agree, with no pre-ticked boxes and a separate choice for each purpose.


Review Your Data Retention Schedules

Hoarding customer data you don’t have a legal basis for retaining can expose you to GDPR fines. That’s why you’ll want to establish specific retention periods for different types of data. For example, you may want to keep emails for marketing purposes until the user opts out. But in general, if you don’t absolutely need the data, consider deleting it.


Assess Your Third-Party Processors

Beyond being internally compliant, the onus is also on you for ensuring that your tech stack is similarly GDPR-compliant. That’s why you’ll want to audit your payment processors, CRM platforms, and marketing tools to make sure that they also adhere to GDPR standards. After all, you don’t want their failure to become yours, too.


Prepare for Data Subject Requests

Proactively prepare for consumers to exercise their rights under the GDPR. Don’t wait for a request to come in before figuring out your workflow. Instead, create a standard process ahead of time that you can follow to receive, verify, and fulfill data subject requests within the one-month window the GDPR sets (Article 12(3)).
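The erasure carve-out described in the chargeback section and the request workflow above fit together in a single handler. The following Python is an added example written for this article, not code from the article’s author or any vendor. The record layout, the field names, the 540-day dispute window, and the one-month deadline are assumptions chosen for illustration, and the customer data is constructed. The handler refuses to act on an unverified request, deletes marketing data outright, keeps only the evidence fields of transactions still inside the dispute window, purges older transactions, pseudonymizes the direct identifier, and reports when the retained evidence can itself be deleted.

```python
"""Selective GDPR Article 17 erasure handler.

Added example for illustration; not code from the article or any vendor.
Field names, the 540-day window and the one-month deadline are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Assumed parameters; tune to your card-network rules and counsel's advice.
DISPUTE_WINDOW_DAYS = 540          # longest dispute window the article cites
MARKETING_FIELDS = {"email", "name", "marketing_prefs", "browsing_history"}
EVIDENCE_FIELDS = {"date", "order_id", "amount", "avs_result", "cvv_result",
                   "ip_address", "delivery_signature"}   # what a representment needs


@dataclass
class Customer:
    customer_id: str
    profile: dict
    transactions: list   # dicts with a "date" (datetime.date) plus evidence fields


def response_deadline(received: date) -> date:
    """Art. 12(3): respond within one month of receipt (extension not modeled).
    The day is capped at 28 so the result is always a valid calendar date."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    return date(year, month, min(received.day, 28))


def dispute_cutoff(received: date) -> date:
    """Transactions dated before this can no longer be disputed and may be purged."""
    return received - timedelta(days=DISPUTE_WINDOW_DAYS)


def pseudonymize(value: str) -> str:
    """Replace a direct identifier with a one-way hash so retained evidence is
    not linkable to the person from the record alone (Art. 4(5))."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def handle_erasure_request(cust: Customer, received: date, identity_verified: bool) -> dict:
    report = {"deadline": response_deadline(received).isoformat()}
    if not identity_verified:
        # Acting on an unverified request is itself a breach risk (data to an impostor).
        report["status"] = "rejected: identity not verified"
        return report

    # 1. Marketing data has no Art. 17(3) carve-out: delete it outright.
    deleted = sorted(k for k in cust.profile if k in MARKETING_FIELDS)
    for k in deleted:
        del cust.profile[k]

    # 2. Transactions inside the dispute window stay, reduced to evidence fields
    #    (Art. 17(3)(e), defence of legal claims); older ones are purged.
    cutoff = dispute_cutoff(received)
    kept, purged = [], 0
    for tx in cust.transactions:
        if tx["date"] >= cutoff:
            kept.append({k: v for k, v in tx.items() if k in EVIDENCE_FIELDS})
        else:
            purged += 1
    cust.transactions = kept

    # 3. Break the link from the retained evidence back to the named person.
    cust.customer_id = pseudonymize(cust.customer_id)

    # 4. Tell the requester how long the remaining records will be held.
    retained_until = max((tx["date"] + timedelta(days=DISPUTE_WINDOW_DAYS) for tx in kept),
                         default=None)
    report.update({
        "status": "completed",
        "deleted_profile_fields": deleted,
        "retained_transactions": len(kept),
        "purged_transactions": purged,
        "retained_until": retained_until.isoformat() if retained_until else None,
    })
    return report


def run_example() -> dict:
    """Constructed sample data (not real customer records)."""
    cust = Customer(
        customer_id="cust-1001",
        profile={"email": "alice@example.com", "name": "Alice",
                 "marketing_prefs": {"newsletter": True}, "browsing_history": ["/shoes"]},
        transactions=[
            {"date": date(2025, 3, 15), "order_id": "ord-77", "amount": "49.00",
             "avs_result": "Y", "cvv_result": "M", "ip_address": "203.0.113.7",
             "delivery_signature": "sig-blob", "basket_contents": ["shoes"]},  # stripped
            {"date": date(2022, 1, 10), "order_id": "ord-12", "amount": "10.00",
             "avs_result": "Y", "cvv_result": "M", "ip_address": "198.51.100.9",
             "delivery_signature": "sig-old"},                                  # purged
        ],
    )
    return handle_erasure_request(cust, received=date(2025, 6, 1), identity_verified=True)


if __name__ == "__main__":
    print(run_example())
```

The split between MARKETING_FIELDS and EVIDENCE_FIELDS is the policy decision the article asks you to make in your retention schedule; keeping it as two explicit sets, rather than deleting ad hoc, is what lets you show a regulator why each retained field is still needed.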


Implement Security Measures

A privacy-first framework requires robust technical safeguards. To protect customer data, use encryption and tokenization, implement strict access controls, and deploy breach detection systems to keep the data you store safe from internal and external threats.


Document Everything

Accountability is a core GDPR principle. That’s why you’ll want to keep detailed records of your processing activities, consent logs, and internal audits so you can demonstrate compliance to regulators if you’re ever challenged.


Train Your Staff

Just as a chain is only as strong as its weakest link, your compliance is only as robust as your least-informed employee. For this reason, you’ll want to provide monthly or quarterly GDPR training to all staff members who handle customer data so that they understand the requirements and don’t accidentally violate the regulation out of ignorance.


Third-Party Compliance: Vendors, Payment Processors, & GDPR

I touched on this a moment ago, but I think it’s worth going into more detail on how to handle GDPR compliance as it relates to your third-party vendors.

Many merchants assume that if they use a major platform like Shopify or Stripe, they are automatically compliant with GDPR requirements. This is far from the truth. Under the GDPR you are normally the Data Controller for your customers’ data, and vendors that handle it on your instructions are Data Processors. (Some vendors, notably payment processors, act as independent controllers for part of the processing; the DPA should state which role the vendor takes.) If your processor mishandles data that you provided to it, you can be held liable for the fallout.

To protect yourself, make sure you have a Data Processing Agreement (DPA) in place with every vendor that touches your customer data. Article 28 requires this legally binding contract, which obligates the vendor to protect data to GDPR standards, to process it only on your documented instructions, and to help you meet your own obligations. When evaluating potential partners, ask:

  • Where is the data physically stored, and if it leaves the EU, which transfer mechanism (for example, Standard Contractual Clauses) covers it?
  • Does the vendor have a documented DPA available for signature?
  • Which sub-processors does the vendor use, and will it notify you before changing them?
  • How does the vendor assist you in fulfilling data subject requests, like deleting a user’s data from their servers?

While major platforms generally have built-in compliance features, it is your responsibility to configure them correctly. Simply using a compliant tool doesn’t make your business compliant if you haven’t enabled the necessary privacy settings. So, take the time to onboard and integrate things correctly.

Adopt a Multi-Layer Strategy

The GDPR does not prescribe particular fraud tools, but Article 32 requires security measures appropriate to the risk, and in practice that means a strong, multi-layered approach to fraud prevention and management: AVS, CVV checks, and geolocation, to name just a few. The more safeguards you have in place and working together, the better.

Fighting back against fraud isn’t going to be your only concern, though. Although GDPR doesn’t directly impact your rate of chargebacks, your business will be affected by them no matter where in the world you operate. 

Pairing effective fraud and chargeback management together can help your business not only meet the demands laid out in GDPR but could help you exceed them. To make this a reality, having a professional team with industry knowledge and expertise in your corner could be exactly what you’re looking for. 

No one understands this better than the experts at Chargebacks911®. That’s why we offer the most comprehensive chargeback management services and products available. Call us today for your FREE ROI analysis.

FAQs

Does GDPR apply to my US business?

It may. GDPR applies to US companies that sell goods or services to (or collect the data of) consumers in the EU.

What are the 7 principles of GDPR?

The 7 principles of GDPR compliance include: 1) lawfulness, fairness, and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability.

What was the main goal of the GDPR?

EU policymakers created GDPR regulations to standardize and improve consumer protections and increase consumer understanding of, and agency over, their own data. To do this, the law redefined much of the terminology concerning the mining, storage, and processing of consumer information and privacy.

Who does GDPR apply to?

If you offer goods or services to, or monitor the behavior of, people who are in the EU, then the GDPR applies to you regardless of your location; the test is the individual’s presence in the EU, not their citizenship. This means that even tech companies in California, Texas, or Florida are beholden to the law if they operate websites that track, analyze, and market to people in the EU. Thus, the only way to opt out of the General Data Protection Regulation is to refuse to do business with, or monitor, people in the EU.

Did the GDPR work?

GDPR did increase protections for EU consumers pretty much across the board. It also ensured that merchants who cater to EU consumers, even overseas, would be beholden to the same standards. From this standpoint, GDPR is an overwhelming success.

However, many merchants feel GDPR fell far short of its proposed benchmarks: namely, streamlined regulation and consistent implementation. Indeed, many merchants claim GDPR remains an infuriatingly complex set of imposed rules that fail to provide either benefit in any meaningful way. 

Can I keep customer data for chargeback disputes under GDPR?

Yes. However, you must have a legal basis for keeping the data (e.g. due to legitimate interest or performance of a contract). In addition, you must only collect essential data and use it for a specific purpose.

What are the maximum GDPR fines?

Less severe GDPR violations carry a penalty of up to €10 million or 2% of global annual turnover, while more severe breaches can result in penalties of up to €20 million or 4% of global annual turnover, whichever figure is higher in each case.

Do I need a Data Protection Officer?

Under Article 37, a DPO is mandatory for public authorities and bodies, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data (such as health or biometric data) or criminal-conviction data. Other businesses may appoint one voluntarily, but most small merchants are not required to.

How long can I retain payment data?

Under the GDPR, you may retain payment data only as long as necessary for the purpose it was collected for. That period includes the time you need it to meet legal obligations (such as tax record-keeping) and to defend against chargebacks. Set and document a specific retention period, and delete or anonymize the data when it expires.
