ClawHub

Privacy Compliance Guide

Navigate e-commerce privacy regulations including GDPR, CCPA/CPRA, cookie consent, data collection policies, email marketing compliance, and customer data handling to protect your business from fines and build customer trust.

Audits

Pass
ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install privacy-compliance-guide

Privacy Compliance Guide

Build a privacy-compliant e-commerce operation that protects customer data, avoids regulatory fines, and turns privacy into a competitive advantage. This skill covers the major regulations, practical implementation steps, and ongoing compliance maintenance for online sellers.

Quick Reference

DecisionStrongAcceptableWeak
Privacy policyCustom-drafted, regulation-specific, regularly updatedTemplate-based, covers key regulationsGeneric boilerplate or missing
Cookie consentGranular opt-in banner with category controlsBasic opt-in/opt-out bannerNo consent mechanism or implied consent
Data inventoryComplete map of all data collected, stored, processed, sharedMajor data flows documentedNo documentation of data practices
Email complianceDouble opt-in, easy unsubscribe, CAN-SPAM + GDPR compliantSingle opt-in with working unsubscribePurchased lists or no unsubscribe option
Data retentionDefined retention periods per data type with auto-deletionGeneral retention policy existsNo retention policy, data kept indefinitely
Breach responseWritten plan with 72-hour notification procedureAwareness of notification requirementsNo breach response plan

Solves

  1. Regulatory fines — GDPR fines up to 4% of global revenue or €20M; CCPA fines up to $7,500 per intentional violation
  2. Cookie consent gaps — Non-compliant cookie banners that expose the business to enforcement action
  3. Email marketing violations — CAN-SPAM penalties of $50,120 per email; GDPR consent requirements for marketing
  4. Data breach liability — Lack of breach response plan leading to delayed notification and increased penalties
  5. Customer trust erosion — Poor privacy practices driving customers to privacy-conscious competitors
  6. Third-party data risks — Sharing customer data with vendors/partners without proper agreements
  7. Cross-border complexity — Selling internationally without understanding jurisdiction-specific requirements

Workflow

Step 1: Conduct a Data Inventory

Map every piece of customer data your business collects, stores, and shares.

Data collection points:

TouchpointData CollectedLegal BasisRetention
Account registrationName, email, passwordContract performanceUntil account deletion
CheckoutAddress, payment info, phoneContract performanceOrder + 7 years (tax)
Browse behaviorPages viewed, time on site, clicksLegitimate interest / Consent90 days
Email signupEmail, name, preferencesConsentUntil unsubscribe
Customer supportIssue details, communication historyContract / Legitimate interest3 years
ReviewsName, rating, review textConsentUntil withdrawal
Cookies/trackingIP, device info, browsing patternsConsentPer cookie category

Third-party data sharing:

PartnerData SharedPurposeDPA in Place?
Payment processorCard details, billing infoPayment processing[ ] Yes / [ ] No
Shipping carrierName, address, phoneOrder fulfillment[ ] Yes / [ ] No
Email platformEmail, name, segmentsMarketing[ ] Yes / [ ] No
AnalyticsIP, behavior, deviceAnalytics[ ] Yes / [ ] No
Ad platformsEmail (hashed), behaviorAdvertising[ ] Yes / [ ] Noo
Reviews platformEmail, name, order dataReview collection[ ] Yes / [ ] No

Step 2: Implement Cookie Consent

GDPR-compliant cookie banner requirements:

  • Must appear before non-essential cookies fire
  • Must offer granular category choices (not just "accept all")
  • Must be as easy to reject as to accept
  • Must not use dark patterns (pre-checked boxes, confusing language)
  • Must store consent records

Cookie categories:

CategoryExamplesConsent Required?
Strictly necessaryCart, authentication, securityNo (always active)
FunctionalLanguage preference, recently viewedYes
AnalyticsGoogle Analytics, Hotjar, MixpanelYes
MarketingFacebook Pixel, Google Ads, retargetingYes

Implementation options:

  • Cookiebot ($12-46/month) — Auto-scans and categorizes cookies
  • OneTrust (free tier available) — Enterprise-grade, GDPR + CCPA
  • Termly ($10-39/month) — Simple setup, good for Shopify
  • Custom implementation — Full control but higher maintenance

Step 3: Draft Privacy Policy

Required sections (GDPR + CCPA coverage):

  1. Identity and contact details — Who you are, how to contact your DPO
  2. Data collected — What personal data you collect and how
  3. Legal bases — Why you process each type of data (consent, contract, legitimate interest)
  4. Data sharing — Who you share data with and why
  5. International transfers — If data leaves the EEA/UK, what safeguards apply
  6. Retention periods — How long you keep each data type
  7. Individual rights — Right to access, rectify, erase, port, restrict, object
  8. Cookie policy — What cookies you use and how to manage them
  9. Children's data — COPPA compliance if applicable (under 13)
  10. California-specific disclosures — CCPA/CPRA rights for California residents
  11. Updates — How you notify customers of policy changes

Placement requirements:

  • Footer link on every page
  • Link in account registration flow
  • Link at checkout
  • Link in email footer

Step 4: Configure Email Marketing Compliance

CAN-SPAM requirements (US):

  • Accurate "From" name and email address
  • Non-deceptive subject lines
  • Clear identification as advertising (if applicable)
  • Physical mailing address in every email
  • Working unsubscribe mechanism (honored within 10 business days)
  • No purchased email lists

GDPR requirements (EU/UK):

  • Explicit opt-in consent (pre-checked boxes are NOT valid consent)
  • Double opt-in recommended (confirmation email)
  • Separate consent for each purpose (newsletter vs. promotions vs. partner offers)
  • Easy withdrawal of consent (one-click unsubscribe)
  • Record of when and how consent was obtained

Best practice — double opt-in flow:

  1. Customer enters email → receives confirmation email
  2. Customer clicks confirmation link → added to list with timestamp
  3. Welcome email sent with preference center link
  4. All emails include one-click unsubscribe + physical address

Step 5: Set Up Data Subject Request Handling

GDPR rights you must support:

RightTimelineImplementation
Access (SAR)30 daysExport all data for the individual
Rectification30 daysAllow customers to update their data
Erasure ("right to be forgotten")30 daysDelete data (except where legal obligation to retain)
Data portability30 daysProvide data in machine-readable format (CSV/JSON)
Restriction30 daysStop processing but retain data
Objection30 daysStop processing for direct marketing immediately

CCPA/CPRA rights:

RightTimelineNotes
Know45 daysWhat data collected, categories, sources, purposes
Delete45 daysDelete personal information
Opt-out of sale/sharingImmediate"Do Not Sell My Personal Information" link
Correction45 daysCorrect inaccurate information
Limit use of sensitive dataImmediateRestrict use of sensitive PI

Implementation: Create a dedicated email or web form (e.g., privacy@yourstore.com or /privacy-request page) and establish an internal process with assigned responsibilities and tracking.

Step 6: Prepare a Data Breach Response Plan

72-hour notification timeline (GDPR):

  1. Hour 0-4: Identify and contain the breach
  2. Hour 4-12: Assess scope — what data, how many individuals, what risk
  3. Hour 12-24: Notify DPO/privacy lead, begin documentation
  4. Hour 24-48: Draft notification to supervisory authority
  5. Hour 48-72: Submit notification to supervisory authority
  6. Day 3-30: Notify affected individuals (if high risk) without undue delay

Breach notification must include:

  • Nature of the breach
  • Categories and approximate number of individuals affected
  • Categories and approximate number of records affected
  • Name and contact details of DPO or contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Step 7: Ongoing Compliance Maintenance

Monthly tasks:

  • Review new third-party tools/integrations for data impact
  • Check unsubscribe processing (test it works)
  • Review and respond to any data subject requests

Quarterly tasks:

  • Audit cookie consent banner functionality
  • Review data retention — delete data past retention period
  • Update privacy policy if any data practices changed
  • Review vendor DPA status

Annual tasks:

  • Full data inventory refresh
  • Privacy policy comprehensive review
  • Staff privacy training
  • Data protection impact assessment (DPIA) for new high-risk processing
  • Regulatory update review (new laws, enforcement trends)

Example 1: Shopify DTC Brand — GDPR + CCPA Setup

Scenario: US-based skincare brand selling to US + EU customers via Shopify. 50,000 email subscribers, uses Klaviyo, Google Analytics, Facebook Ads.

Step 1 — Data inventory findings:

  • Shopify collects: name, email, address, phone, payment, order history
  • Klaviyo receives: email, name, purchase history, browse behavior
  • Google Analytics: IP (anonymized), pages, sessions, device
  • Facebook Pixel: IP, browsing behavior, purchase events (hashed email for Custom Audiences)
  • DPAs needed: Klaviyo (has standard DPA), Facebook (Business Tools Terms), Google (Data Processing Terms)

Step 2 — Cookie consent: Installed Cookiebot on Shopify ($14/month). Configured categories: necessary (cart/checkout), analytics (GA4), marketing (Facebook Pixel, Klaviyo tracking). GA4 and FB Pixel only fire after consent.

Step 3 — Privacy policy: Drafted with GDPR + CCPA sections. Added "Do Not Sell My Personal Information" link in footer for CCPA. Listed all data categories, purposes, and third-party recipients.

Step 4 — Email compliance: Configured Klaviyo double opt-in. Added physical address to all email templates. Created preference center with separate toggles for promotional emails, new product alerts, and educational content.

Step 5 — Data requests: Created privacy@brand.com inbox monitored weekly. Built internal SOP: requests triaged within 48 hours, fulfilled within 25 days (buffer before 30-day deadline).

Step 6 — Breach plan: Documented response procedure. Identified Shopify's breach notification process. Assigned roles: CEO (decision authority), CTO (containment), Operations (customer communication).

Result: Fully compliant setup in 2 weeks. Ongoing cost: ~$15/month (Cookiebot) + 2 hours/month maintenance.

Example 2: Amazon + Multi-Channel Seller — Minimal Viable Compliance

Scenario: Small team selling on Amazon, eBay, and own Shopify store. Limited resources. Need practical compliance without a legal team.

Priorities (risk-based approach):

  1. Email compliance (highest fine risk): Switched to double opt-in, added physical address, tested unsubscribe links. Deleted purchased email list.
  2. Cookie consent (EU fine risk): Installed free OneTrust banner on Shopify. Amazon/eBay handle their own cookie consent.
  3. Privacy policy (foundation): Used Termly generator ($10/month) customized with actual data practices. Added to Shopify footer and eBay "About" page.
  4. Data retention: Set Shopify to anonymize order data after 3 years (beyond tax retention requirement). Configured email platform to auto-remove unsubscribed contacts after 30 days.
  5. "Do Not Sell" link: Added CCPA link to Shopify footer. Disabled Facebook Custom Audiences for California IP addresses (Shopify geolocation).

Result: 80% compliant in 1 week. Ongoing cost: $10/month + 1 hour/month. Remaining 20% (formal DPIA, full data inventory, breach response plan) scheduled for quarterly improvement.

Common Mistakes

  1. Relying on "implied consent" — Under GDPR, pre-checked boxes, continued browsing, or scroll-based consent are NOT valid. You need affirmative action (click "Accept") for non-essential cookies and marketing.

  2. Using purchased email lists — This violates CAN-SPAM (if recipients haven't opted in) and GDPR (no consent basis). Delete purchased lists immediately and build organically.

  3. Firing tracking pixels before consent — Many sites load Google Analytics and Facebook Pixel on page load, before the cookie banner is answered. This is a GDPR violation. Implement consent-gated loading.

  4. Missing physical address in emails — CAN-SPAM requires a valid physical postal address in every commercial email. A PO Box counts. Missing it is a per-email violation ($50,120 each).

  5. No unsubscribe mechanism — Every marketing email must have a visible, working unsubscribe link. Honor within 10 business days (CAN-SPAM) or immediately (GDPR best practice).

  6. Ignoring data processor agreements — If you share customer data with any third party (email platform, analytics, payment processor), you need a Data Processing Agreement. Most major platforms offer standard DPAs.

  7. One-size-fits-all retention — Different data types have different retention needs. Tax records require 7 years; browse behavior should be deleted within 90 days. Define retention per data category.

  8. No breach response plan — GDPR requires notification within 72 hours. Without a pre-written plan, you'll miss the deadline. Even small businesses need a one-page breach response procedure.

  9. Treating marketplace sales as exempt — While Amazon/eBay handle some compliance on their platforms, you're still responsible for data you collect independently (email lists, customer support data, CRM data).

  10. Neglecting state-level US laws — Beyond California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states have privacy laws. If you sell nationally, consider the strictest standard as your baseline.

Resources