Consent to the processing of personal data for the store, do I need to check the box and the contract?
In which case is it necessary to insert "consent to the processing of personal data" in the online store? Only when registering a client? And where / what template to take for these purposes?
Let's start with the fact that we do not have a license for the storage and processing of personal data mentioned by @Kaaboeld in our country (and there are not even any close concepts).
Next, you really should familiarize yourself with FZ-152.
In your online store, most likely, the following set is processed:
1. Full name
2. Delivery address
3. Contact phone number
4. E-mail
5. ...
Let's go further on 152-FZ:
your case for processing personal data is described in Clause 1 5) of Article 6
Regarding consent, Article 9 says:
Thus, you can do whichever is more convenient for you: either add a section about the consent of the subject to the offer agreement on the site, or make a separate checkmark during registration.
If you do not carry out any delivery, then you can simplify your life by describing that you are processing anonymized data (by which it is impossible to determine the ownership of personal data by a specific subject of personal data without using additional information).
1. Login (instead of full name)
2. e-mail
In general, fulfilling the requirements of 152-FZ is not only consent, but also the implementation of a number of technical and organizational measures described primarily in 152-FZ itself, Government Decree No. 1119, FSTEC Order No. 21.
I understand that for an ordinary online store, all these measures are only additional problems, and I advise you to at least comply with the requirement of paragraph 2 of Article 18.1 and publish the Policy regarding the processing of personal data on the website. Samples can be viewed online.
The operator is obliged to publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data. An operator that collects personal data using information and telecommunications networks is obliged to publish in the relevant information and telecommunications network a document that defines its policy regarding the processing of personal data and information on the requirements for the protection of personal data being implemented, as well as to provide access to this document using the means of the corresponding information and telecommunication network.
If my memory fails me, then (in some cases?) not only the consent of the end client is necessary, but also a license for the storage and processing of personal data. That is, if he agreed, and you do not have "permission", then the law will still be violated, and in a conflict situation it will be extremely problematic for the company to prove its innocence.