Scroll Top
19th Ave New York, NY 95822, USA

GDPR, e-Commerce, and Collective Actions in 2023

The year 2023 has marked a significant uptick in GDPR fines, making it the year with the highest penalties for data protection violations. While the world is abuzz with high-profile GDPR fines against tech giants like Meta and Google, it’s crucial to understand that smaller companies are also under regulatory scrutiny.


According to the GDPR Enforcement Tracker, the total fines have skyrocketed in 2023. As of September 2023, the total fines stand at a staggering €4,396,643,224. While the big names contribute to a significant portion of this, the increase in fines across sectors, including industry and commerce, is noteworthy.


The GDPR landscape is complex, and e-commerce platforms are particularly susceptible to various types of violations. Let’s delve deeper into the most common pitfalls in the e-commerce realm.

  • Information Provision: many e-commerce platforms have vague or inaccessible privacy policies, which is a violation of GDPR’s requirements for clear and transparent information. This violation often goes unnoticed but can have severe financial repercussions for businesses. The insufficient fulfilment of information obligations, accounting for a staggering €237,275,080 in fines across 178 cases.
  • Unsolicited Marketing: a balance between promoting products and respecting consumers’ privacy is essential. Unsolicited marketing, such as spam emails or intrusive advertisements, can infringe upon individuals’ data privacy rights. Businesses must ensure that that they obtain proper consent, respect opt-out requests, and securely manage customer data. Read our article for more information.
  • Consent: many e-commerce platforms assume that a pre-ticked box or passive user behaviour equates to consent. However, the GDPR requires explicit consent for data processing. Moreover, consent must be granular, meaning separate consents for different processing activities – a single Accept All button is not sufficient. Find more tips on consent in this article.
  • International Transfers: businesses often transfer and store data in different countries, like the US, without adequate safeguards, violating GDPR’s data transfer rules. E-commerce platforms frequently use third-party services for payment processing or customer analytics, which may not comply with GDPR’s international data transfer regulations.
  • Cookies: many e-commerce sites use tracking cookies without obtaining explicit consent. The European data protection regulations mandates that cookie banners must not only inform users but also provide them with an option to accept or reject cookies. For more details on cookie banners, read our article here.


The collective facet of GDPR enforcement is a rapidly evolving area that e-commerce businesses need to be particularly aware of. While GDPR has always been about protecting individual data, the scope for collective action has widened, allowing for a more comprehensive approach to data protection.

One of the most notable cases in this context is the legal proceedings initiated by the Dutch consumers’ association, Consumentenbond, along with the Privacy Protection Foundation against Google on September 12, 2023. The case revolves around Google’s alleged unlawful data processing methods, particularly in the realm of targeted advertising. The organisations argue that Google’s practices violate the GDPR regulations and have initiated legal proceedings to protect the collective interests of consumers.

E-commerce platforms collect vast amounts of data, from personal information to shopping habits. This makes them prime targets for collective action proceedings, notably if they are found to be in violation of the GDPR. E-commerce businesses must proactively ensure compliance not just to avoid fines, but also to mitigate the risks associated with collective actions.


The vitality of data protection compliance in e-commerce cannot be overstated. It’s not just about avoiding fines; it’s about maintaining customer trust and avoiding collective actions that could have far-reaching consequences.

We invite you to book a free 20-minute consultation with our data protection lawyer to discuss your data protection strategies.

| Image by Freepik | 

Anna Levitina

Senior Associate

More about Anna

Read other articles written by Anna Levitina

Popup Form