01
Cookie banners and consent at scale
Most-fined GDPR area in retail. National DPAs (CNIL, AEPD, Garante) issue 7-figure fines for misleading consent UX.
IMPACTAggregate fines now in tens of millions per chain.
SECTOR PRACTICE · RETAIL & E-COMMERCE
EU compliance for retail & e-commerce
GDPR, PSD2, cookie consent, and NIS2 for retail and online platforms
REGULATIONS.STACK · RETAIL● 09
GDPRCustomer data, loyalty, profiling
EPRIVACYCookies, consent, marketing
DSAOnline marketplaces and platforms
CRDConsumer Rights Directive
OMNIBUSPrice reductions and dark patterns
PSD2Payment processing, SCA
GPSRGeneral Product Safety Regulation
AI ACTRecommender systems, dynamic pricing
CSDDDSupply-chain due diligence
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
01 / WHO WE SERVE
Six retail profiles, one compliance map.
From physical chains to pure-play e-commerce and online marketplaces. The applicable laws change with the channel mix and the customer interaction model.
GROCERY
Grocery and food retail
Loyalty programmes, perishables, food information regulation, supply chain.
GDPRCRDGPSR
FASHION
Fashion and apparel
Online returns, sustainability claims, supplier transparency, CSDDD scope.
GDPROMNIBUSCSDDD
MARKETPLACE
Online marketplaces
Trader verification, notice-and-action, statement-of-reasons, DSA scope.
DSAGDPRCRD
BEAUTY
Beauty and personal care
Product safety, ingredient claims, influencer marketing transparency.
GPSROMNIBUSGDPR
ELECTRONICS
Consumer electronics
Warranty rules, energy labelling, repair right, returns at scale.
CRDOMNIBUSGPSR
MARKETING TECH
Loyalty, CRM and retail-media
Cookie consent, behavioural advertising, AI personalisation, transfer mechanisms.
GDPREPRIVACYAI ACT
02 / LANDSCAPE
The retail-sector regulatory clock.
Multiple regimes interlock. We sequence them around your operating cadence.
LIVEGDPR
IN FORCE
Customer data and profiling
Lawful basis for loyalty, behavioural advertising, profiling and automated decision-making. DSR workflows at scale.
LIVEEPRIVACY
IN FORCE
Cookies and electronic marketing
Consent management for cookies and similar technologies, soft-opt-in for email marketing, unsolicited contact rules.
LIVEDSA
IN FORCE
Online marketplaces
Trader-traceability, notice-and-action workflow, statement-of-reasons, annual transparency reporting.
LIVEOMNIBUS
IN FORCE
Modernisation Directive
Price-reduction transparency, dark patterns ban, fake reviews prohibition, individual remedies.
LIVEGPSR
DEC 2024
General Product Safety Regulation
Replaces 2001 directive. Applies to online sales, with traceability and recall obligations.
CRITICALAI ACT
AUG 2026
Recommender systems and pricing AI
Annex III high-risk where AI affects credit, employment or essential services. Many retail systems caught.
NEXTEPRIVACY
2026
ePrivacy Regulation
Replaces national rules. Stricter consent, harmonised cross-border enforcement, expanded scope.
NEXTCSDDD
2027
Corporate Sustainability Due Diligence
Retail companies above thresholds: supply-chain due diligence, risk analysis, remediation, board reporting.
03 / WHAT TO SOLVE
Where retail teams get stuck.
02
Loyalty data and profiling
Loyalty programmes process special-category inferences (purchase history reveals health, beliefs). DPIAs are mandatory.
IMPACTProgramme withdrawal in worst cases.
03
Omnibus price-reduction transparency
30-day prior-price rule, dark-pattern ban, fake reviews. Enforcement scaling up across Member States.
IMPACTSix-figure fines plus loss of consumer trust.
04
DSA for online marketplaces
Trader verification, notice-and-action workflow, transparency reports, statement-of-reasons. Operational lift is significant.
IMPACTMarketplace withdrawal if not implemented.
05
Cross-border returns and consumer rights
14-day cooling-off, repair right, faulty-goods rules vary across Member States. Returns logistics adds compliance load.
IMPACTSale-cancellation risk and reputational damage.
06
AI recommender system disclosure
DSA Article 27 requires explanation of recommender system parameters. AI Act adds high-risk classification.
IMPACTAlgorithmic transparency disputes with regulators.
04 / OFFERING
Our services for retail
RT-01
GDPR programme for retail
Loyalty data lawful basis, profiling DPIAs, customer rights workflow, breach response, transfer mechanisms.
DDPIADRightsDTransfers
RT-02
Cookie and consent rebuild
CMP audit, server-side tracking review, soft-opt-in marketing, consent-or-pay legality assessment.
DCMPDTrackingDMarketing
RT-03
DSA for marketplaces
Trader verification, notice-and-action workflow, statement-of-reasons, annual transparency report.
DNA workflowDTransparencyDTrader checks
RT-04
Omnibus and consumer-protection
Price-reduction logic, dark-pattern audit, reviews authentication, individual remedies workflow.
DPricingDUX auditDReviews
RT-05
GPSR product safety
Traceability, recall procedures, online sales obligations, market-surveillance liaison.
DTraceabilityDRecallDLiaison
RT-06
AI recommender and pricing
Recommender system disclosure, AI Act classification, dynamic-pricing transparency, fairness review.
DDisclosureDClassificationDFairness
RT-07
Payments and PSD2 / PSD3
SCA, strong customer authentication exemptions, chargebacks, fraud reporting, payment service compliance.
DSCADChargebacksDReporting
RT-08
CSDDD supply-chain readiness
Risk analysis, supplier code, remediation tracker, board reporting, due-diligence calendar.
DRiskDCodeDTracker
RT-09
Outsourced retail DPO
Senior DPO with retail experience, customer DSR programme, board reporting, complaint-handling oversight.
DRetainerDDSRDBoard memos
05 / SELECTED WORK
All case studies →Retail engagements.
CASE 01Pan-EU fashion brand
Cookie and consent rebuild after CNIL findings. Consent rate maintained, fine appeal partially successful.
14
MARKETS
−72%
FINE
−4 pp
CONSENT RATE
SCOPEGDPR · ePrivacy · CMP · DPA
CASE 02Online marketplace
DSA toolkit live in 14 weeks. Notice-and-action SLA at 24h. First annual report filed on time.
47K
TRADERS
< 24h
NA SLA
Filed
REPORT
SCOPEDSA · GDPR · Consumer rights · Content
CASE 03Grocery chain
Loyalty programme DPIA refresh, profiling consent rebuilt after AZOP enquiry.
2.1M
MEMBERS
Refreshed
DPIA
Closed
AZOP
SCOPEGDPR · DPIA · Profiling · DPA
06 / FREE TOOL
Map your retail stack to the EU rulebook.
Eight questions about your channels, products and customer base. Get an indicative obligations map across GDPR, ePrivacy, DSA, Omnibus, GPSR and AI Act.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Does your online store host third-party traders or sellers?
Yes, full marketplace modelA
Yes, but only curated third-party brandsB
No, first-party onlyC
Hybrid (own + third-party)D
INDICATIVE → DSA INTERMEDIARY + TRADER VERIFICATION
07 / FAQ
Frequently Asked Questions
01Does DSA apply to our online store?+
If you host third-party traders or content (marketplace model, UGC reviews at scale), DSA applies. Pure first-party online stores are outside DSA scope but remain subject to GDPR, ePrivacy and consumer-protection rules.
02How do we comply with the Omnibus 30-day prior price rule?+
When announcing a price reduction, the reference must be the lowest price applied in the prior 30 days. Member States have national variations. We help build the pricing engine logic and the audit trail.
03Can we still use cookies for loyalty personalisation?+
Yes, but with consent for non-essential cookies and a lawful basis under GDPR for the underlying profiling. Loyalty membership may make consent more practical; transparency obligations remain in full.
04Do AI-driven recommender systems need disclosure?+
Yes. DSA Article 27 requires explanation of main parameters. AI Act may add high-risk classification depending on impact. We help align the two disclosure obligations into one customer-facing flow.
05What is the operational impact of DSA for marketplaces?+
Trader verification before listing, notice-and-action workflow with SLA, statement-of-reasons for content moderation decisions, annual transparency reporting. Significant operations lift for first time.
06How do we handle returns and cooling-off for cross-border sales?+
Consumer Rights Directive sets a 14-day cooling-off, but Member States have specific variations. We map the obligations per market and build a unified returns workflow with local nuances.
07Do we need a DPO for our retail business?+
Retail businesses processing customer data at scale (loyalty programmes, profiling, marketing automation) typically need a DPO. We provide a senior DPO with retail-specific experience under retainer.
08How does CSDDD apply to retail?+
From 2027 phased application, large retail companies must conduct due diligence on their supply chains. We build risk analyses, supplier codes, remediation trackers and annual reports.
08 / RELATED
Related practices.
Data Protection (DPO)
GDPR programme for customer data, DPIA library and customer rights workflow.
Open practice →AI Compliance
AI Act for recommender systems, dynamic pricing and customer-experience AI.
Open practice →Vendor Risk
Supplier due diligence and CSDDD supply-chain readiness.
Open practice →09 / GET STARTED
GDPR and PSD2 compliance for retail
Typical outcomes: cookie consent deployed, customer data governance, PSD2 SCA implemented.