You collect customer data. Names, emails, payment information, usage data. You need a privacy policy, sure. But what must your actual terms and conditions say about data? That's where GDPR requirements and contract terms intersect.
GDPR and contract law: they work together
UK GDPR (the UK General Data Protection Regulation, the retained UK version of the EU GDPR) is a regulatory framework: it sets out how personal data must be processed. Your terms and conditions are a contract. The two work together. Your terms should reflect the GDPR principles, say what data you collect and why, and explain the rights individuals have over it.
If your terms don't comply with GDPR, or if they conflict with GDPR requirements, they might be unenforceable and you could face ICO (Information Commissioner's Office) action.
What data are you processing?
Start here: identify what personal data you collect. Names, emails, phone numbers, IP addresses, payment information, behavioural data, cookies. If you process any of this, GDPR applies.
Personal data includes any information that identifies or could identify an individual. That's broad. Even an email address, combined with purchase history, can identify someone.
Your terms must disclose data collection
Under GDPR, you must be transparent about data processing. Your terms (or linked privacy policy) must say:
What data you collect: Be specific. "We collect your name, email, and payment information" is clear. "We collect data" is vague.
Why you collect it, and on what lawful basis: Purpose and lawful basis are separate things, and you need both. Are you collecting it to perform the contract (to send goods)? For marketing (to send newsletters)? For fraud prevention? To meet a legal obligation? State the purpose and name the basis (contract, consent, legal obligation, legitimate interests).
How long you keep it: "We retain your data for 3 years after purchase, then delete it" is clear. "We keep data for as long as necessary" is vague.
Who has access: Do you share data with payment processors, delivery companies, or marketing partners? Say so.
International transfers: Do you transfer data outside the UK (or, for EU customers' data, outside the EEA)? You must say so, and explain the safeguard you rely on: an adequacy decision, or a transfer agreement such as the UK International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses.
Transparency matters. If data collection is hidden or unclear, you're not complying.
Consent: when is it required?
UK GDPR provides several lawful bases for processing. Consent is only one of them. Some processing needs consent; much of it does not, and picking the wrong basis is a common mistake.
Consent not required: Processing necessary to perform a contract with the customer (e.g. taking payment details to fulfil an order) relies on the "contract" lawful basis, not consent. Legitimate interests is a separate basis again (e.g. fraud prevention), and it requires you to balance your interest against the individual's rights and record that assessment.
Consent required: Marketing emails and newsletters (under PECR, the Privacy and Electronic Communications Regulations, as well as UK GDPR), non-essential cookies and tracking, and any other processing you cannot justify on another basis.
Valid consent: A freely given, specific, informed and unambiguous opt-in, such as an unticked checkbox reading "I agree to receive marketing emails" that the customer ticks. A pre-ticked box, silence or continued browsing is not consent, and it must be as easy to withdraw as it was to give.
Your terms must be clear about what requires consent and what doesn't. If you say "we need your consent to process your payment," that's misleading: payment processing rests on the contract basis, not consent, and it sets up a "consent" the customer cannot realistically refuse, which would not be valid consent anyway.
Consumer rights under GDPR
Consumers have rights under GDPR. Your terms should acknowledge them:
Right of access: Consumers can ask: "What data do you have about me?" You must provide it, normally free of charge, within one month of the request (extendable by up to two further months if the request is complex or you receive several from the same person).
Right to rectification: If data is wrong, consumers can ask you to correct it.
Right to erasure: Consumers can ask you to delete their data ("right to be forgotten"). You must comply unless an exemption applies, for example a legal obligation to retain the data (tax records) or an ongoing legal claim.
Right to object: Consumers can object to direct marketing at any time, and you must stop. They can also object to processing based on legitimate interests; you must stop unless you can show compelling legitimate grounds that override their interests.
Right to data portability: For data the consumer provided to you and that you process by automated means on the basis of consent or contract, they can ask for it in a structured, commonly used, machine-readable format (CSV or JSON, say) so they can move to another service.
Don't try to contract away these rights. They're statutory. Your terms should explain the process: "To request access to your data, email privacy@ourcompany.com with your name and order number. We'll respond within one month." Verify the requester's identity before releasing anything; a data subject access request is also a classic pretext for obtaining someone else's data.
Cookies and tracking
In the UK, cookies and similar tracking technologies (pixels, local storage, device fingerprinting) are governed by PECR, which adopts the UK GDPR standard of consent, and the personal data they collect then falls under UK GDPR. If you use non-essential cookies (including analytics cookies), you must:
Get consent first: Set non-essential cookies only after the user has actively opted in. A banner that says "We use cookies, click OK" with no equally prominent way to refuse, or one that has already dropped the cookies before the user chooses, does not obtain valid consent. Strictly necessary cookies (session, security, shopping basket) are exempt.
Explain them: Say what cookies you use, what they do, whether they are first- or third-party, and how long they last.
Allow withdrawal: Users must be able to withdraw consent as easily as they gave it. Provide a clear link to a preference centre where they can manage cookies, and when consent is withdrawn stop setting those cookies and delete the ones already placed.
Your terms or cookie policy should cover this. If your website still uses an old cookie banner that doesn't comply, update it.
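The behaviour the three points above describe (default deny, essential cookies always allowed, non-essential cookies only after an opt-in, withdrawal purging what was already set) is easy to get wrong in a banner script, so here is a minimal consent gate that enforces it. This is an added example, not code from the original page or from any consent-management product; the category names, the `ConsentGate` and `MemoryJar` classes and the in-memory cookie jar are assumptions for illustration. The jar is injected so the logic runs in Node for testing; in a browser you would back it with `document.cookie` and call `setCookie` from your analytics and marketing loaders.

```javascript
// Added example: a consent gate for non-essential cookies (not the page's own code).
// Assumed category names; "essential" is exempt from consent, the rest are not.
const ESSENTIAL = "essential";
const NON_ESSENTIAL = ["analytics", "marketing"];

// Constructed in-memory cookie jar standing in for document.cookie.
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // Default deny: nothing is pre-ticked. Only "essential" is allowed without an opt-in.
    this.granted = new Set();
    // Remember which category each cookie belongs to so withdrawal can purge it.
    this.categoryOf = new Map();
  }

  // Record an affirmative opt-in for the listed categories only (no bundling).
  grant(categories) {
    for (const c of categories) {
      if (!NON_ESSENTIAL.includes(c)) throw new Error(`unknown category: ${c}`);
      this.granted.add(c);
    }
  }

  allowed(category) {
    return category === ESSENTIAL || this.granted.has(category);
  }

  // Returns true if the cookie was set, false if it was blocked pending consent.
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, value);
    this.categoryOf.set(name, category);
    return true;
  }

  // Withdrawal must be as easy as granting: revoke the categories and delete
  // every cookie that is no longer covered by consent.
  withdraw(categories = NON_ESSENTIAL) {
    for (const c of categories) this.granted.delete(c);
    for (const [name, cat] of this.categoryOf) {
      if (!this.allowed(cat)) {
        this.jar.delete(name);
        this.categoryOf.delete(name);
      }
    }
  }
}

// Walks through the intended lifecycle and returns what happened at each step.
function demo() {
  const jar = new MemoryJar();
  const gate = new ConsentGate(jar);
  const blockedBeforeConsent = gate.setCookie("_ga", "GA1.2.example", "analytics"); // false
  const essentialSet = gate.setCookie("session", "abc123", ESSENTIAL);             // true
  gate.grant(["analytics"]);
  const allowedAfterConsent = gate.setCookie("_ga", "GA1.2.example", "analytics"); // true
  gate.withdraw(["analytics"]);                                                   // purges _ga
  return { blockedBeforeConsent, essentialSet, allowedAfterConsent, remaining: jar.names() };
}
```

The point to notice is that the loader for analytics or marketing scripts must go through `setCookie` (or a similar check) rather than running unconditionally and merely showing a banner; the banner only changes the gate's state. Withdrawal revokes categories and deletes the cookies already placed, which is what "as easy to withdraw as to give" means in practice.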
Data breaches and notification
If there's a personal data breach (for example, an attacker accesses customer data, or a laptop holding customer records is lost), you must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. Your terms should explain this: "If there's a breach of your personal data, we'll notify you as required by law and take steps to secure your information."
You don't need consent to notify of a breach; it is a legal obligation. But your terms can acknowledge the obligation and reassure customers. Keep an internal record of every breach, including those you decide not to report, because the ICO can ask for it.
Data processors and third parties
If you use third parties to process data on your behalf (payment gateways, email marketing platforms, cloud storage), they are your processors and you remain responsible, as controller, for what they do with the data. Your terms should mention this: "We use [Company] to process payments. Their privacy policy is [link]."
You also need a written contract (a data processing agreement) with each processor covering the terms UK GDPR requires: processing only on your documented instructions, confidentiality, appropriate security measures, your approval of sub-processors, assistance with rights requests and breaches, and return or deletion of the data when the service ends. Your terms don't need to include the full agreement, but they should reference the data protection standards you hold processors to.
Compliance checklist for your terms
Before finalizing terms, check:
[ ] Clear disclosure of what personal data you collect.
[ ] Explanation of why you collect it (purpose) and the lawful basis for each purpose.
[ ] How long you keep data.
[ ] Who you share data with.
[ ] How to exercise consumer rights (access, deletion, objection).
[ ] Cookie policy and consent mechanism.
[ ] Data breach notification procedure.
[ ] Link to privacy policy for detailed information.
Next steps
Review your terms and conditions for GDPR compliance. If you're not sure your terms adequately address data protection, have them reviewed. Upload your terms to QuickLegalCheck for a GDPR compliance assessment.