General Data Protection Regulation.
The world's most comprehensive data protection regulation. Applies to any business that offers goods or services to EU residents or monitors their behavior, regardless of where the business is located. Requires lawful basis for processing, explicit consent, and grants extensive data subject rights.
Diagnostic check: ClearConsent scans your storefront for signals related to this law, including consent banner state, GPC support, Do Not Sell links, privacy policy disclosures, cookies, and trackers.
What the law requires.
- 01. Lawful basis for each processing activity (consent, contract, legitimate interest, etc.)
- 02. Explicit, informed, freely given consent for data processing
- 03. Right to access personal data (Subject Access Request)
- 04. Right to rectification of inaccurate data
- 05. Right to erasure ('right to be forgotten')
- 06. Right to data portability
- 07. Right to restrict processing
- 08. Right to object to processing
- 09. Data Protection Impact Assessments (DPIAs) for high-risk processing
- 10. Data Protection Officer (DPO) appointment when required
- 11. 72-hour breach notification to supervisory authority
- 12. Privacy by design and by default
- 13. Records of processing activities (Article 30)
- 14. Cross-border data transfer safeguards (SCCs, adequacy decisions)
- 15. Clear cookie consent (opt-in, not pre-checked boxes)
Penalties & cure period.
Penalties: Up to 4% of annual global turnover or €20 million, whichever is greater (for most serious violations). Up to 2% or €10 million for lesser violations.
Cure period: None (DPAs may issue warnings before fines)
Enforced by: National Data Protection Authorities (DPAs)
What this means for your store.
Applies if you sell to or track EU visitors regardless of your location. Cookie consent must be opt-in (no pre-checked boxes). Consent must be as easy to withdraw as to give. Google Consent Mode v2 compliance is critical for running Google Ads in the EU.