GDPR compliance

This information is one in a series of topics to help Adobe Commerce and Magento Open Source merchants and developers understand the implications of the General Data Protection Regulation (GDPR). The information is intended for informational purposes only and should not be construed as legal advice. To determine whether and how your business should comply with any legal obligations, consult with your legal counsel.

The General Data Protection Regulation (GDPR) is legislation that regulates data protection and privacy for all individuals in the European Union and the European Economic Area. The legislation also applies to the export of personal data outside the EU. The GDPR was adopted in April 2016, and became enforceable on 25 May 2018. Businesses that are not based in the EU, but engage in global commerce are required to comply with the regulation. The GDPA defines personal data as follows:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

All organizations that process personal data must disclose the following:

  • The type of data that is collected
  • The purpose for collecting the data
  • The method that is used to collect the data
  • How long the data is retained
  • Whether the data is shared with others


If your business is required to comply with both the GDPR and the California Consumer Privacy Act (CCPA), you can use some of the work from your GDPR compliance program for the CCPA. Although the regulations have some similarities, a few differences include:

  • The definition of personal information differs for each regulation.
  • The GDPR requires consumers to opt in before their personal data may be used for certain purposes; CCPA provides consumers with the right to opt out.
  • The CCPA has additional data inventory and mapping requirements.
  • The regulations have different privacy policy requirements.

Businesses that comply with GDPR might have additional obligations under the CCPA. To learn more, see the CCPA Fact Sheet.

Best practices

  • Examine the current privacy policies for all of your stores to ensure that they align with any applicable legal requirements (including, but not limited to GDPR and CCPA).

  • Update your Google settings and ensure that they align with your legal obligations regarding the use of personal data.

  • Maintain transparency and keep thorough documentation.

  • To learn how Adobe helps merchants comply with applicable legal obligations, visit the website.

  • For data flow diagrams and database entity mapping, see the Personal Information Reference.