Skip Repeated Content

Bryan Cave Research Reveals 100% of Retail Websites Surveyed are Non-compliant with Incoming GDPR

November 14, 2017

A survey of almost 300 retail websites by international law firm Bryan Cave has revealed that 100% are non-compliant with the incoming General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.

The GDPR will impose uniform data protection laws across the EU member states in an effort to harmonise national laws, and will thereby create additional obligations for many businesses that process personal data. The new law will apply to both EU and non-EU data controllers and data processors that either (1) offer goods or services to data subjects in the EU or (2) monitor data subjects’ behaviour insofar as their behaviour takes place within the EU. Failure to comply with the incoming GDPR may expose businesses to a fine of up to the greater of €20 million or 4% of annual revenue.

Bryan Cave's specialist Website Review Team tested 284 UK retail sites between 26 September 2017 and 26 October 2017 and assessed the GDPR compliance of the cookie banners; online legal notices (including privacy policy, cookie policy, terms and conditions, etc.); shipping, order cancellation and returns provisions; and consent mechanisms at the point of registering to use the website, check out and newsletter subscription. All of the websites surveyed were found to be inadequate in one or all of these aspects.

Nicola Conway, Associate in Bryan Cave's Technology, Entrepreneurial and Commercial Team and Coordinator of Bryan Cave's Website Review Service, commented: “Our GDPR Website Review Service has revealed a consistent lack of compliance across the customer-facing elements of UK e-commerce sites. Businesses are expected to make a multitude of internal organisational changes to ensure GDPR compliance ahead of May 2018 including, but not limited to, updating their websites. Our findings are undoubtedly indicative of deeper non-compliance throughout businesses generally, and that needs to change.”

Carol Osborne, London office Managing Partner and Partner in the Retail Team at Bryan Cave, commented: “Customer data is at the core of a retailer's business and the incoming changes in data privacy laws will have significant ramifications for these businesses. The worst case scenario is that previously collected customer data will be unavailable for use after May 2018 without risking substantial fines. With the compliance deadline just over 200 days away, time is running out for website operators to bring their websites into compliance and to complete the necessary internal assessments of their data collection and data protection practices.”

The Retail Team in Bryan Cave's London office undertook this research using the Bryan Cave Website Review Service that assesses and tests the GDPR-compliance of the customer-facing elements of e-commerce websites governed by English law.

Below is coverage of this survey by media outlets including: 

Jan. 8, Financial Times (subscription required)

Nov. 14, Retail Times

Nov. 14, The Times’ Brief

About Bryan Cave LLP

Bryan Cave is a global law firm with more than 900 highly skilled lawyers in 26 offices in North America, Europe and Asia. The firm represents publicly held multinational corporations, large and mid-sized privately held companies, emerging companies, nonprofit and community organizations, government entities, and individuals. With a foundation based on enduring client relationships, deep and diverse legal experience, industry-shaping innovation and a collaborative culture, Bryan Cave’s transaction, litigation and regulatory practices serve clients in key business and financial markets.


Miriam Low
Byfield Consultancy
+44 (0)20 7092 3994

Tia Wright
Marketing Coordinator
+44 (0) 20 3207 1299

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.