If you have not yet heard about it, the General Data Protection Regulation (GDPR) is an EU regulation that went into effect on May 25, 2018. The goal of the regulation is to give EU citizens a measure of control over what type of data is collected by businesses they interact with. This is a MUCH stricter version of a law that was passed back in 1995 called the Data Protection Directive. This time, they are not joking around, as penalties for non-compliance can be up to €20 million or 4% of your annual sales. Ouch.
If you are doing business in any EU country (taking online orders from Germany for example), you MUST comply with this regulation. And no, there is no way around it. Even if you aren’t actively taking orders from the EU, you are technically still in the scope of GDPR as you are collecting user info in the form of cookies and IP addresses. Some legal experts are saying you must comply if your web site is available to EU visitor at all, but some are saying that is never going to be enforced. If you are only doing business in the US, Canada or elsewhere, you can probably take a ‘wait and see approach, but if you ARE doing business in the EU, keep reading.
A Summary of the Regulation
I’m not going to get into the legal-speak of the regulation, but if you want to torture yourself you can download the pdf here. Below is a summary of each of the major points:
Definition of Personal Data
The key piece of what the regulation covers is the actual definition of personal data, which includes:
- a name
- a photo
- an email address
- bank details
- posts on social networking websites
- medical information
- computer IP address
- random code that is assigned to users to track them for analytics and A/B testing
- and a lot more (see the above PDF)
Essentially, the bulk of information your site collects from a user is consider personal information, which means it falls under the GDPR. This is a huge change from the previous regulation.
Along with requiring a user to give consent (i.e. agreeing to your Terms and Conditions), you now also have to give them the ability to WITHDRAW consent. That means that once they check the box that gives consent, you have to provide another box that lets them withdraw consent at any time.
Speaking of Terms and Conditions, you can’t fill it up with legalese and unintelligible boilerplate text any longer. Your terms have to be simple, clear and easy to understand. Basically, don’t make your T&C read like that cell phone agreement you never read.
Under the regulation, Europeans have three data rights: access, to be forgotten, and data portability. These were present in the old regulation as well, but the new one is much stricter and gives the users much more control.
Right #1 – Right To Access
This covers the right of the user to know what you are doing with their data – how it is processed and for what purpose. If the user requests their personal data, you have to provide it to them free of charge in an electronic format. This isn’t just a copy of their name, address and email – this is a complete disclosure of how their data was used and what tools you used to access their data. Google Analytics, Facebook Tracking Pixels, etc. The more ways your site interacts with the user, the more complex this disclosure gets.
This is also a headache for the software vendors themselves as they have to be able to easily provide the site owner with details on how the data was used so they can then pass it on to their users.
Right #2 – Right To Be Forgotten
Basically if the user asks to be forgotten you have to completely erase them from your system and any third party systems you use including your database, Facebook, mailing lists, stored customer spreadsheets, etc. It also needs to be just as easy for them to request this as it is to provide consent in the first place. The only exception to this is order data, which must be kept for 10 years.
Right #3 – Right To Data Portability
If a user asks for their data, you need to provide it in a “commonly used and machine readable format”. Basically this means you have to provide the data in a common software format (Excel, Word, .txt, .csv) etc. In other words, giving them a file they can’t easily open isn’t going to cut it.
The user also has the right to share this information with another vendor. That means they could take their buying history from you and provide it to your competitor. This could work in your favor as well, as you could get customer information from your competitor if the user provided it for you.
There is also the right for Breach Notification. Notification of data breaches is mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first becoming aware of the breach. This is the direct result of companies like Equifax being breached and not notifying their customers for months afterward. This is a regulation EVERYONE should approve of!
So What do you Actually Have to DO?
Now that you know the basics of the regulation, what does this actually mean for your site? There are a number of steps you should take immediately. Note that these are not all-inclusive, as each site will need to go through how they handle their data and what third party systems they share that data with and make the necessary adjustments.
- Consent to email them if they order
- Consent to email them in the event of a data breach or product recall
- How you use their data
- Who you share your data with (Google Analytics, Facebook, vendors, etc.)
- What cookies you set and what they are each used for
Many sites have the ‘receive emails from us’ checkboxes checked by default on the registration and checkout pages. That has always been a gray area, but under this regulation it is definitely off limits. You actually have to provide all sorts of extra items around the checkbox to explain what you plan on doing with the email address. Here’s what the Mailchimp GDPR compliant sign-up form looks like now:
Obviously adding that huge block of text to your registration or checkout page is not good for your conversion rate, so it is probably best to remove it from those pages all together.
One of the biggest headaches is the cookie portion of the policy. In a nutshell, cookies are considered ‘personal information’ and therefore you have to disclose ALL of the cookies that are set by your site, what they are used for and allow the customer to opt-out BEFORE they are set. The old trick of ‘by browsing this site you accept cookies’ disclaimer is no longer valid.
If the customer wants to see more info or pick individual cookies, they can then view which cookies are set, and in which categories:
Necessary – these HAVE to be set for the site to function and can’t be opted out of
Preferences – things like category sort, products per page on a category, etc
Statistics – Google Analytics and the like
Marketing – Facebook, Klaviyo, Mailchimp, etc.
You’ll never get accurate Google Analytics data again and I’m guessing this will throw a wrench in many re-targeting campaigns as well, but this portion of the policy is one of the most visible aspects so it will be obvious to everyone if you are not complying. We are recommending CookieBot, which makes it fairly easy to set up and maintain your cookies. They charge a monthly fee based on the number of pages your site has.
When the customer first visits the site, they see a bar at the bottom of the site that looks like this:
If you click on the ‘show details’ link, it shows all of the site’s cookies, broken down into sections:
If you are using Pinnacle Cart please contact us and we can install it for you, as it isn’t something that you can just plug and play unfortunately.
Incentivizing Data Collection
If you have any sort of ‘sign up and get x’ types of deals on your site, these have to go away.
Explicit Consent to use Data
You can no longer assume that completing a transaction on your site implies consent to email your customer, except for information related to the specific product/order they purchased. Explicit consent (likely in the form of a checkbox) must be provided in order to email that customer. If they opt-out, your site can’t email them with newsletters, promos, etc. You may be able to include this opt-in to your general terms and conditions so if they don’t agree they can’t order, and that eliminates the need to customize your cart’s automated email process. Check with an attorney on this though.
Review Internal Data Handling
How you handle your customers’ data is just as important as how you collect it. Review your internal data processing including who has access to it (vendors, developers and third party software), how it is stored (both offline and online). Credit Card data should NEVER be stored, but you also have to be careful about the user’s personal information as well. Hint: if you are storing it in a heap on your desk, that is probably not considered compliant.
Create a System for Removal/Export
You don’t want to have to scramble and figure this out the first time a user asks for their data, or for their data to be deleted from your system. Create a process that wipes the user from your systems and an export process to get the data into a portable format (Excel is probably the best bet) that can easily be presented to the user. This will involved your cart vendor/developer and any third party services you use such as Mailchimp, Facebook, Klaviyo, etc. Many of them are already on top of this regulation and will be able to provide you with reliable information. You should create a form expressly for providing a user with a means to request data removal.
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. Consider whether you are required to appoint a DPO to advise on your compliance with the GDPR.
The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (this age can be lower in certain countries). Consider whether you need to change how you process customer data to either stop processing the data of those users under the age of 16 or get parental consent?
Consider Wiping Existing European Data
If you have a number of EU customers already in your system and they weren’t added according to the old EU privacy standards, you may want to consider wiping them now or sending out a re-authorization request to them. This will avoid any headaches with compliance down the road if one of those customers says they never opted in.
DO NOT Ignore GDPR
This is not a regulation you want to ignore, as all it takes is one customer (or malicious competitor) to report you for a violation. Think of it like the IRS – you don’t want them in your business so it is best to fly under the radar. If you only do a little business in the EU, you may want to consider turning off those countries entirely in your shop. At the very least, have some company notes/meeting minutes dated BEFORE the 25th to show your intent to adhere to the guidelines. It doesn’t appear as though businesses will be fined right away, there will likely be a warning first along with steps needed to comply. If you don’t comply by the next time they check, you will be in trouble.
We are happy to answer any questions you have regarding GDPR and how it affects your shopping cart/site in particular, just drop us an email.
Here are a few resources that are useful if you are completely lost as to what to do.
Revision Legal – John Di Giacomo – an experienced attorney who is intimately familiar with internet law and the GDPR
CookieBot – a service that provides the cookie opt-in/opt-out mechanism
OneTrust – another service that provides cookie management and form/policy generators
Disclaimer: This article is a summary only and not meant to be used as a comprehensive guide to GDPR compliance. We are not attorneys and cannot provide legal advice or guidance on how GDPR applies to your specific business. Please consult with an attorney who is familiar with GDPR for advice on how to achieve compliance.