Retail websites are non-compliant with the incoming GDPR, new survey finds
A survey of almost 300 retail websites by international law firm Bryan Cave has revealed that 100% are non-compliant with the incoming General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.

The GDPR will impose uniform data protection laws across the EU member states in an effort to harmonise national laws, and will thereby create additional obligations for many businesses that process personal data. The new law will apply to both EU and non-EU data controllers and data processors that either (1) offer goods or services to data subjects in the EU or (2) monitor data subjects’ behaviour insofar as their behaviour takes place within the EU. Failure to comply with the incoming GDPR may expose businesses to a fine of up to the greater of €20 million or 4% of annual revenue.

Bryan Cave’s specialist Website Review Team tested 284 UK retail sites between 26 September 2017 and 26 October 2017 and assessed the GDPR compliance of their cookie banners; online legal notices (including the privacy policy, cookie policy, terms and conditions, etc.); shipping, order cancellation and returns provisions; and consent mechanisms at the points of registering to use the website, checkout and newsletter subscription. All of the websites surveyed were found to be inadequate in at least one of these aspects.

Nicola Conway, Associate in Bryan Cave’s Technology, Entrepreneurial and Commercial Team and Coordinator of Bryan Cave’s Website Review Service, commented: “Our GDPR Website Review Service has revealed a consistent lack of compliance across the customer-facing elements of UK e-commerce sites. Businesses are expected to make a multitude of internal organisational changes to ensure GDPR compliance ahead of May 2018 including, but not limited to, updating their websites. Our findings are undoubtedly indicative of deeper non-compliance throughout businesses generally, and that needs to change.”

Carol Osborne, London office Managing Partner and Partner in the Retail Team at Bryan Cave, commented: “Customer data is at the core of a retailer’s business and the incoming changes in data privacy laws will have significant ramifications for these businesses. The worst case scenario is that previously collected customer data will be unavailable for use after May 2018 without risking substantial fines. With the compliance deadline just over 200 days away, time is running out for website operators to bring their websites into compliance and to complete the necessary internal assessments of their data collection and data protection practices.”

The Retail Team in Bryan Cave’s London office undertook this research using the Bryan Cave Website Review Service that assesses and tests the GDPR-compliance of the customer-facing elements of e-commerce websites governed by English law.