GDPR Website Checklist
GDPR introduces the concept of freely given consent that is both specific and informed. Your website may not be GDPR compliant, depending on how you obtain consent and how you ensure that the visitor to your website is informed about the consent that they are providing.
The following points apply to anyone capturing individuals' details: not just eCommerce websites, but CMS and static websites can capture this information too, for example via enquiry forms.
Users must opt-in
This point may seem an obvious one but you cannot assume that anyone is happy to receive marketing communications unless they have given their consent.
In other words, if you ever intend to contact any customer about anything other than the specific orders that they have placed, you must get their permission first.
Users must take a positive action to opt-in
It must be clear to the user that they are opting in and they must make a conscious decision to do so. Essentially, this bans opt-in boxes that are pre-ticked and "reverse logic" opt-outs. See Examples below.
Separate Opt-Ins from other Confirmations
You should not bundle the consent for future contact into other consents, such as accepting terms and conditions.
Easy to Withdraw Consent
It must be as easy to withdraw consent in the future as it is to give it. Generally, this means not only ensuring that every email communication contains an unsubscribe link, but also that your website provides a means for people to withdraw consent without waiting for your next marketing email.
You should ensure that the various policy documents accessible via your website are updated for any required GDPR changes - for example, making it clear what you do with information received, how long you will retain it and where it may be stored.
Third Party Service Providers
You should verify the GDPR position of any third party service providers that you use, especially tracking applications. It is possible that these applications track users in a way that they have not consented to, so you should check with the individual service providers. Other service providers should be checked too, such as review management companies and Payment Service Providers (PSPs).
BAD - This is an opt-out rather than an opt-in
BAD - This does not require a positive action to opt-in
BAD - This is an implicit opt-in
GOOD - They are only opted-in if they specifically choose to do so, and if they do nothing, they are not opted-in
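The GOOD pattern above, handled on the server, as an added example that is not part of this checklist: consent is recorded only when the visitor ticked a separate, unticked-by-default marketing box, the T&C acceptance never counts as marketing consent, and withdrawal is a first-class action on the site rather than only an unsubscribe link. The field names and the "checkout form v1" label are assumptions for illustration.

```javascript
// Added example: server-side handling of a marketing opt-in from a web form.
// Field names and the source labels are assumptions, not from the checklist.
const TERMS_FIELD = "accept_terms";         // assumed name of the T&C checkbox
const MARKETING_FIELD = "marketing_opt_in"; // assumed name of the separate opt-in box

// Parse an application/x-www-form-urlencoded body into a plain field -> value object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Stores consent decisions with the evidence GDPR expects: purpose, when and how.
// A withdrawal is appended rather than deleting history, so the site can show
// both when consent was given and when it was withdrawn.
class ConsentStore {
  constructor() { this.history = new Map(); } // email -> [{purpose, granted, source, at}]

  record(email, purpose, granted, source, at) {
    const list = this.history.get(email) || [];
    list.push({ purpose, granted, source, at: at.toISOString() });
    this.history.set(email, list);
  }

  // The latest decision for that purpose wins; no record at all means no consent.
  hasConsent(email, purpose) {
    const list = this.history.get(email) || [];
    const latest = list.filter((r) => r.purpose === purpose).pop();
    return latest ? latest.granted : false;
  }

  // Withdrawing must be as easy as opting in: expose it from the website itself.
  withdraw(email, purpose, source, at = new Date()) {
    this.record(email, purpose, false, source, at);
  }
}

// Browsers omit unticked checkboxes from the submitted body, so consent is taken
// only from the opt-in field being present and ticked; the T&C box (or anything
// else on the form) never doubles as marketing consent.
function handleSubmission(body, store, at = new Date()) {
  const fields = parseForm(body);
  if (!fields.email) return { ok: false, reason: "missing email" };
  if (fields[TERMS_FIELD] !== "on") return { ok: false, reason: "terms not accepted" };
  const optedIn = fields[MARKETING_FIELD] === "on";
  if (optedIn) store.record(fields.email, "marketing", true, "checkout form v1", at);
  return { ok: true, marketing: optedIn };
}
```

Note that the order-related contact mentioned in the checklist needs no entry in this store; only contact beyond the specific order does.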