Consent is king. With the growing internet penetration and digitization, there is a need to protect and empower consumers. GDPR for eCommerce has changed the way business interacts with the customers.
Even though there’s much hype around GDPR, the current status of compliance isn’t very impressive. Nobody feels fully compliant irrespective of the budget they have. (Source)
- Reasons for the introduction of GDPR
- How different eCommerce platforms are preparing for GDPR:
- The Do’s & Don’ts
- Using GDPR for your benefit
- GDPR ready checklist for store owners
1. Why the EU introduced GDPR?
1. The earlier EU data privacy regulations were outdated. They date back to 1980 with later being updated in 1995. The privacy measures don’t take into account social media, AI, smartphones, and other technological advancements so far.
2. They were only instruction. So, most of the companies choose not to follow. However, GDPR is a rule; not following will lead to a fine.
2. How is eCommerce GDPR-ready?
Shopify has reviewed how GDPR affects its platform. They have taken certain steps to ensure GDPR for eCommerce:
- They have reorganized the documents, privacy team, and kept records of certain privacy-related decisions made by them to hold accountability.
- They have ensured the rights of all European merchants and customers are protected by introducing GDPR ready apps.
- To use 3rd party subprocessor, they will have to make and receive confirmed contractual commitments with their merchants.
Magento is the market leader and most preferred eCommerce platform, they have worked hard to ensure GDPR compliance. The Magento team has taken the following actions:
- Contracting & processing with regard to privacy
- Proactively probing & continuously revising its policies
- Asking their customers to check their services and contracts linked to 3rd party organizations
- Evaluating its products to help customers find out what exact data is being retained by Magento & where they store it
- Encouraging their customers to review extensions that are linked with their accounts
WooCommerce is continuously helping its customers to get ready for GDPR. They have provided information about the rules to help them better understand. WooCommerce has even built tools to help store owners deal with GDPR requests and privacy policies on the checkout.
You can join their WordPress Slack in the #gdpr-compliance room to participate in the discussion.
Just like other eCommerce platforms, BigCommerce has also worked on to protect the rights of Europeans. They have also created a Privacy & Security group to help its customers know and comply with GDPR policies.
3. GDPR for eCommerce: What to do & not to do
3.1. Checking or tracking the IP addresses
You can’t check or track the visitor’s IP address for their geographic preferences, locations or currency. Accordingly, altering the CTAs, pricing, and changing the available SKUs.
What you can do: You need to explicitly ask for visitor’s permission in order to do these things.
3.2. Use of Targeted content
What you can do: To comply with the GDPR, follow these rules:
1. The visitor should have a choice when it comes to using cookies. There should also be a choice to reject cookies.
2. Simply saying “If you use this site, you accept cookies” won’t work. You have to properly ask for a visitor’s consent.
3. You may also want to consider removing extensions like the custom popups. In fact, any extension which may collect and track data either needs to be removed or should explicitly ask for permissions.
3.3. Identifiable information
You can’t store the personal information directly to your databases. When a visitor puts their information, the server should replace the data with values. A token will be generated to read these values.
This is called pseudonymization. It is a way of processing personal data in such a way that it can no longer be attributed to a specific data subject without further information. In short, make the data unintelligent to enhance visitor privacy.
It includes IP addresses, names, country, gender, location, race, and more.
What you can do:
- Use the tokenization method.
- Using masking to store partial information instead of full values.
- Partitioning space on your server to separate personally identifiable data. This way one single set of data can’t be identified without the other.
3.4. Don’t keep irrelevant data or multiple copies
GDPR has limited collection and storing of data. If the data is irrelevant, you can’t collect it. In fact, the store owners can’t keep multiple copies of the data. This also applies to the period for which you can keep the data. For instance, if you run a poll and several EU citizens fill it up, you must delete the data once the poll is over or the result is out.
What you can do:
Clean up your databases. Delete the data once it has become irrelevant to the purpose it was originally collected for. This could be time-consuming but it’s crucial.
Cleaning up the database also makes your website load faster especially if you have a host who knows the proper implementation of NGINX and Apache. At MageHost, we use NGINX in our server stack for faster performance.
4. Using GDPR for eCommerce to stay ahead
There’s a lot of work to be done. But if you see GDPR as an opportunity, the benefits are immense. Once you’re compliant, use GDPR as a selling point.
1. Boost business reputation & increase customer loyalty
Starting a business digitally comes with responsibility. This is where a smart business will differentiate from the masses. After the Cambridge Analytica incident, it is important to assure your visitors that you respect their privacy.
2. Lesser IT Maintenance Costs
Another way of using GDPR for eCommerce to your benefit is reducing the cost of maintenance. You can let go of any data software or application that is no longer relevant and compliant.
3. Better Decision Making Power
With GDPR, there will only be relevant data. We will be able to better manage, make intelligent decisions, and see ROI improvements for Data Analytics projects.
5. Become GDPR Compliant: Checklist
- Irrespective of the company size, GDPR rules are applicable to every store if you have European visitors.
- If you have an employee size less than 250, then it’s a bit simpler for you. You don’t have to hire a DPO (Data Protection Officer) to get your work done.
- Make your T&C (Terms & Conditions) clear. Don’t use pre-checked boxes and only collect information that’s relevant.
- Review your marketing tools and third-party extensions/channels. If they aren’t GDPR compliant, replace them with GDPR-ready tools.
- Show off your visitors that you’re GDPR compliant.
Pro tip: Host your store on a GDPR compliant host so you don’t have to worry about security issues and data breaches. Your managed hosting provider will take care of data anonymization.