Glossary

Lawful basis

Under GDPR, you must have one of six legal grounds to process personal data. For ecommerce, the ones that usually apply are contract, legitimate interest, or consent.

Lawful basis — under GDPR Article 6, every processing activity needs one of six legal grounds:

  1. Consent (Art. 6(1)(a)) — the user said yes: freely given, specific, informed and unambiguous (Art. 4(11)).
  2. Contract (Art. 6(1)(b)) — needed to perform a contract with the user (e.g., processing the order).
  3. Legal obligation (Art. 6(1)(c)) — required by law (e.g., tax records).
  4. Vital interests (Art. 6(1)(d)) — life-or-death situations.
  5. Public task (Art. 6(1)(e)) — a task carried out in the public interest or under official authority (public bodies, not merchants).
  6. Legitimate interests (Art. 6(1)(f)) — your interest, balanced against the user's privacy.

For Shopify merchants:

  • Order processing → contract.
  • Order confirmation email → contract.
  • Fraud screening → legitimate interest.
  • Marketing emails → consent (opt-in).
  • Behavioural ads / retargeting → consent + ePrivacy consent for the cookies.
  • Reviews follow-up → soft opt-in / legitimate interest (varies by member state).

Your privacy policy must state the lawful basis for each processing purpose (Art. 13(1)(c)); where you rely on legitimate interests, it must also say what those interests are (Art. 13(1)(d)).

See also: GDPR, Consent.
