Effective May 25, 2018, all stores that conduct business in Europe must comply with a new privacy and data protection law. The new law is known as the General Data Protection Regulation or GDPR. You do not have to be located in the EU for this to apply. If you are selling into the European Union, these rules apply to you.
In a nutshell, the General Data Protection Regulation requires that businesses be transparent about how they use data, that adequate protection be in place to protect customer data, and that consumers have the ability to have their data removed from your systems.
While compliance is not required if you do not sell into Europe or the United Kingdom, the U.S. is considering similar legislation, and making sure your systems are up to par now should reduce your stress levels if these requirements spread to other countries. Given that most of the information on the GDPR is written in legalese, determining what you must do as a store owner has been challenging. We’ve done our best to explain the law and its requirements in simple language below.
How does this impact your business?
GDPR provides people with enhanced rights to the information that companies keep on them. You need to be prepared to answer questions regarding what information you have and what you are doing to keep it secure.
This law sets specific requirements for how you collect, store and share customer data. It applies to businesses of all sizes; even small companies must comply. If you’re on BigCommerce, your customers’ data is stored on their servers, and they have met the technical requirements to be compliant with the new law. However, this may not meet your full obligations under the law. As a business owner, you are required to ensure that all the companies you deal with that have access to customer data are also in full compliance. This may apply to all the software that you use, the marketplaces you sell on, and even how you store information in your office.
The steps you need to take to be GDPR compliant
- Sitewide SSL – Make sure that every page on which you collect customer information is secure. Any page with a contact form, your shopping cart pages, and customer account pages must be secure. If your site is not already on a sitewide SSL, get that done now.
- Clean up your data. Destroy your customer information when you no longer need it. This could include addresses, phone numbers, and email addresses, in addition to credit card numbers (which you should not be storing offline or in any non-PCI-compliant location).
- Make sure your business-related computers are properly secured. This is something you might not think about. If you take your laptop home and it has customer information on it, you need to ensure that data is secure if someone gets hold of your laptop.
- Within your organization, you should designate a “Data Protection Leader.” It is their job to ensure you are compliant with the new regulations.
- Verify with all your vendors that they are also compliant. This would absolutely include your shopping cart, email service provider, shipping software, and drop ship vendors. If you have any plug-ins that contact the customer, for example one that sends cart recovery emails, they must be compliant.
- Keep a document that details everything you are doing to protect customer data. List exactly what you collect and where that information is stored.
- Set up a way for customers, also known as Data Subjects, to submit requests for what information you have on them, as well as a way to request that their data be deleted from your servers.
Email and SMS (text messaging) signup forms
- Your email marketing sign-up forms need to clearly explain that subscribers will receive marketing emails and special offers.
If you have a BigCommerce store
If you are automatically adding all new customers to your email list, you want to ensure there is a tick box in the checkout where they opt in (check the box). The recommendation is to turn off the pre-check of the opt-in box. Yes, this will reduce subscription rates, but there’s little business advantage to sending emails to anyone who doesn’t want them. We recommend you add a pitch to subscribe to your invoices as a backup.
You should enable Terms and Conditions and require acceptance during checkout. You can do this under Advanced Settings > Checkout. We recommend that you appropriately update your terms and conditions page and link to it. If you need help writing a proper terms and conditions page, let us know. Note that pre-checking the box does not meet the requirements of the law. The customer must proactively opt in or agree to your data collection policies.
Google Analytics & the GDPR
Google has added new settings that allow you to set a maximum time to retain customer data. You can choose to retain data for a time period ranging from 14 months to always (“Do not automatically expire”). The standard aggregated data reports are not affected. However, custom segments and some uncommon custom reports may be. Once you select an expiration time, all customer data is deleted the month after that date is hit. Here is how you manage this:
- Log in to Google Analytics
- Go to the admin section and make sure you’re working with the property you wish to edit.
- In the Property column, click Tracking Info, then Data Retention.
- Set the desired time period.
- You will also probably want to turn “Reset on new activity” on. This means that every time a customer returns to your site, the start point of the expiration period is reset, so you can continue to track that user.
We don’t do business in Europe, do we still have to comply?
If you do not ship into Europe or market into Europe, the mere fact that your website can be accessed from impacted countries does not, by itself, require you to comply with the law.