What the GDPR Means to Online Stores

Effective May 25, 2018, all stores that conduct business in Europe must comply with a new privacy and data protection law. The new law is known as the General Data Protection Regulation or GDPR. You do not have to be located in the EU for this to apply. If you are selling into the European Union, these rules apply to you.

In a nutshell, the General Data Protection Regulation requires that businesses be transparent about how they use data, that adequate protection be in place to protect customer data, and that consumers have the ability to have their data removed from your systems.

While compliance is not required if you do not sell into Europe or the United Kingdom, the U. S. is considering similar legislation and making sure your systems are up to par now, should reduce your stress levels if these requirements spread to other countries. Given that most of the information on the GDPR is written in legalese, determining what you must do, as a store owner, has been challenging. We’ve done our best to explain the law and requirements in simple language below.

How does this impact your business?

GDPR provides people with enhanced rights to the information that companies keep on them. You need to be prepared to answer questions regarding what information you have and what you are doing to keep it secure.

This law sets specific requirements for how you collect, store and share customer data. It applies to all sized businesses. Even small companies must comply. If you’re on BigCommerce, your customer’s data is stored on their servers. They have met the technical requirements to be compliant with the new law. However, this may not meet your full obligations under the law. As a business owner, you are required to ensure that all the companies you deal with that have access to customer data are also in full compliance. This may apply to all the software that you use, marketplaces you sell on, and even how you store information in your office.

The steps you need to take to be GDPR compliant

Sitewide SSL – Makes sure that every page on which you collect customer information is secure. Any page with a contact form, your shopping cart pages, and customer account pages must be secure. If your site is not already on a sitewide SSL, get that done now.
You will want site visitors to proactively acknowledge your use of cookies, and have that use explained in your Privacy Policy.
Email subscriptions need to be opt-in. If your customers sign up for your email directly, that is adequate. However, automatically subscribing people to your marketing email list must meet a higher standard. They will need to check off a box indicating they agree to your Privacy Policy and Terms of Service. Alternatively, you can switch to double opt-in for your email service.
Clean up your data. Destroy your customer information when you no longer need it. This could include addresses, phone numbers, and email addresses, in addition to credit card numbers (which you should not be storing offline or in any non-PCI compliant place).
Make sure your business related computers are properly secured. This is something you might not think about. If you take your laptop home and it has customer information on it, you need to ensure that data is secure if someone gets to your laptop.
Within your organization, you should designate a “Data Protection Leader.” It is their job to ensure you are compliant with the new regulations.
Verify with all your vendors that they are also compliant. This would absolutely include your shopping cart, email service provider, shipping software, and drop ship vendors. If you have any plug-ins that contact the customer, for example sends cart recovery emails, they must be compliant.
Keep a document that details everything you are doing to protect customer data. List exactly what you collect and where that information is stored.
Update your Privacy Policy. You must describe how data is being used and collected, asking for consent in advance of collection. You will need a cookie policy and check-boxes where customers opt-in.
Set up a way for customers, also known as Data Subjects, to submit requests for what information you have on them, as well as the ability to request their data be deleted from your servers.

Email and SMS (text messaging) signup forms

Your email marketing sign up forms need to clearly explain that they will receive marketing emails and special offers.
We recommend you also make it clear you do not sell or rent their information on the form, or alternatively include a link to your new privacy policy.

An example:

If you have a BigCommerce store

Their security and privacy polices can be accessed here. This chart, from their page, details the rights your customers (data subjects) have that you must comply with. You will want to activate the cookie policy in your admin panel. We expect a check box to be added to that feature shortly.

If you are automatically adding all new customers to your email list, you want to insure there is a tick box in the checkout where they opt-in (check the box). The recommendation is to turn off the pre-check of the opt-in box. Yes, this will reduce subscription rates, but there’s little business advantage to send emails to anyone that doesn’t want it. We recommend you add a pitch to subscribe to your invoices as a back up.

You should enable Terms and Conditions and require it during checkout. We recommend that you appropriately update your terms and conditions page and link to it. If you need help writing a proper terms and condition page, let us know. You can do this under Advanced Settings > Checkout. Note pre-checking the box does not meet the requirements of the law. The customer must proactively opt-in or agree to your data collection policies.

Updating your Privacy Policy

You are probably going to have to review your software providers’ Privacy Policies for the right language to add to your Cookie Policy. The Privacy Policy for BigCommerce is here. You can use this content and modify it to apply to your business. For example, change “your BigCommerce account” to “your Nameofyoursite account.” I would include language that states your cart is on BigCommerce.

Google does a great job with their privacy policy. It explains in easy to understand language which data is collected, that individuals have controls to protect their privacy and that the can request their data be removed from their servers.

We’re big fans of swiping language from big companies that have paid lawyers to ensure it is done right. Between these two companies you should be able to craft a well-written and compliant Privacy Policy.

Google Analytics & the GDPR

Google has added new settings that allow you to set a maximum time to retain customer data. You can choose to retain data for a time period ranging from 14 months to always (Do not automatically expire). The standard aggregated data reports are not affected. However, custom segments and some uncommon custom reports may be. Once you select an expiration time, all customer data is deleted the month after that date is hit. Here is how you manage this:

Log in to Google Analytics
Go to the admin section and make sure you’re working with the property you wish to edit.
In the Property column, click Tracking Info, then Data Retention.
Set the desired time period.
You will also probably want to turn “Reset on new activity” on. This means that every time a customer returns to your site, it resets the start point of the expiration period so you can continue to track that user.

You may want to add language to your Privacy Policy indicating the use of Google Analytics and link to their policy which is here.

We don’t do business in Europe, do we still have to comply?

If you do not ship into Europe or market into Europe, the mere availability of your website to be accessed within impacted countries does not require your compliance with the law.