Hacker News

Based on this article, I guess they've determined they're in GDPR compliance and it's the merchants who have to sort that out :)

http://support.commercejs.com/en/articles/1942216-gdpr-with-...

> We collect our merchants’ customers’ name, email, shipping and billing address, payment details, company name, phone number, IP address, information about orders you initiate, information about the Chec powered merchant stores/integrations that you visit and interact with, and information about the device and browser you use.

The FAQ is "what" and "why", but only the "what" is answered.




"they've determined they're in GDPR compliance" Their claim is BS. They are collecting third-party data because the customers are the merchants' customers, not theirs. The data collected is not necessary for business because the customer doesn't have a business relationship with them.


A few years ago I reviewed a platform offer from a corporation you've heard of. They had a similar clause regarding data protection issues - it basically said "all your data is going to be sent to US servers and we're going to do basically whatever we want with it and there's nothing you can do to opt out. It's your responsibility to let your customers know about it".

I told my boss that, while I was not a lawyer, in my opinion we simply could not sign that contract and provide a service without blatantly violating the then-recent GDPR. (We didn't sign it, although I don't know if that played a part.)

Chec seems to be using a similar approach? They're running a B2B service which doesn't provide analytics opt-out, and their B2C users are supposed to tell the customers "hey, we can't offer you an opt-out on data collection because it's required to make the software platform work" (except that you're not required to run your store on Chec specifically, otherwise it would be a trivial method to bypass the GDPR).

Nonetheless, it's inexcusable that the words 'purpose' and 'analytics' do not appear in that blog post. Those are essential aspects of the GDPR, and if you're not explicitly stating that you won't re-sell the collected data to third parties without the owner's consent, I assume you do.


Honestly asking - if they are just a proxy for that info, does it change things?



