Data Protection in E-commerce: Why Online Stores and Marketplaces Need to Rethink How They Handle Personal Data

Today, e-commerce is a fully developed digital ecosystem where businesses collect, store, and transfer a significant amount of personal data on a daily basis: customers’ full names, phone numbers, delivery addresses, order histories, payment data, geolocation, loyalty program data, return records, and customer support communications.

In practice, e-commerce projects are under increased scrutiny in terms of personal data protection. The reason is simple: the more customer touchpoints there are, the more data is processed, and the higher the risk of violations.

In Kazakhstan, the basic requirements for personal data processing are established by the Law of the Republic of Kazakhstan “On Personal Data and Their Protection.” The law regulates the collection, processing, storage, transfer, and protection of personal data, and also provides special rules for cross-border data transfer.

What data is most commonly processed in e-commerce?

Online stores, marketplaces, and delivery services typically work with several categories of data:

  • account registration data: name, phone number, e-mail;
  • order fulfillment data: delivery address, purchase history, order comments;
  • payment data: banking details, payment transactions, receipts, and refunds;
  • marketing data: subscriptions, push notifications, SMS campaigns, cookies, behavioral analytics;
  • customer support data: customer inquiries, call recordings, chat correspondence.

That is why privacy compliance in e-commerce is not a formal “checkbox” in the form of a privacy policy on a website, but a comprehensive system: from proper user consent to contracts with contractors and technical protection of databases.

What businesses should pay attention to:

1. User consent must be clear and provable.

If a company collects and processes customers’ personal data, it is important to properly formalize user consent. In practice, a common weak point is that consent is included in general website terms, is formulated too broadly, or does not allow the company to prove when and for what exactly the user agreed.

2. The privacy policy must reflect actual business practices.

Many companies use template privacy policies that do not correspond to their real processes. For example, a policy may state that data is not shared with third parties, while in reality the company uses a CRM system, payment provider, delivery service, call center, cloud services, and advertising platforms.

A good privacy policy should honestly answer the following questions: what data is collected, for what purpose, on what legal basis, to whom it is transferred, where it is stored, how long it is processed, and how users can exercise their rights.

3. Personal data storage requires special attention.

Kazakhstan’s regulations include a requirement that personal data must be stored in a database located within the territory of the Republic of Kazakhstan. This is particularly important for companies using foreign cloud services, CRM systems, helpdesk platforms, or global e-commerce platforms. Clarifications also indicate that if the owner or operator is a non-resident, they must ensure primary localization and storage of the personal data database within Kazakhstan.

4. Cross-border data transfer must be reviewed separately.

E-commerce is often associated with transferring data outside Kazakhstan: to foreign CRM systems, analytics services, advertising platforms, cloud storage, payment solutions, or parent companies of a corporate group. The law explicitly regulates cross-border transfer of personal data, meaning the transfer of data to the territory of foreign states.

Therefore, businesses need to understand not only “where the information physically goes,” but also who has access to it.

5. Contractors must be regulated by contracts.

If an online store transfers data to a delivery service, call center, accounting provider, IT contractor, or marketing agency, these relationships must be governed by a contract including provisions on confidentiality, processing purposes, security measures, retention periods, and incident response procedures.

In practice, contractors often become a weak link: they have access to the database, but data protection obligations are either vaguely defined or completely missing.

Conclusion

For e-commerce, personal data is one of the key assets of the business. The more actively a company uses data for sales, personalization, advertising, and logistics, the higher the requirements for transparency and security of processing.

Proper handling of personal data not only reduces legal risks but also increases customer trust. In the context of growing digitalization, trust itself becomes a competitive advantage for online stores, marketplaces, and delivery services.

REVERA advises online stores, marketplaces, and digital platforms on:

  • compliance in the field of personal data;
  • cross-border data transfers;
  • data localization;
  • preparation of privacy documentation;
  • audits of websites, applications, and internal processes.

If necessary, we can conduct a privacy audit of current processes and assess key legal risks for the business.
