GDPR for eCommerce: Everything a Store Owner Should Know

Last updated Nov 17, 2020

Webscoot

Consent is king. With growing internet penetration and digitization, there is a need to protect and empower consumers. GDPR for eCommerce has changed the way businesses interact with their customers.

Even though there’s much hype around GDPR, the current status of compliance isn’t very impressive. Nobody feels fully compliant irrespective of the budget they have. (Source)

2 pie charts with overview of readiness and GDPR program costs.

Blog Overview

  1. Reasons for the introduction of GDPR
  2. How different eCommerce platforms are preparing for GDPR:
    • Magento
    • WooCommerce
    • Shopify
    • BigCommerce
  3. The Do’s & Don’ts
  4. Using GDPR for your benefit
  5. GDPR ready checklist for store owners

1. Why did the EU introduce GDPR?

1. The earlier EU data privacy regulations were outdated. They date back to 1980 and were later updated in 1995. Those privacy measures don’t take into account social media, AI, smartphones, and other technological advancements made since.

2. They were only instructions, so most companies chose not to follow them. GDPR, however, is a rule; not following it will lead to a fine.

2. How is eCommerce GDPR-ready?

2.1. Shopify

Shopify has reviewed how GDPR affects its platform. They have taken certain steps to ensure GDPR for eCommerce:

  • They have reorganized their documents and privacy team, and kept records of certain privacy-related decisions to maintain accountability.
  • They have ensured the rights of all European merchants and customers are protected by introducing GDPR ready apps.
  • To use 3rd party subprocessors, they will have to make and receive confirmed contractual commitments with their merchants.

2.2. Magento

Magento is the market leader and most preferred eCommerce platform, and its team has worked hard to ensure GDPR compliance. The Magento team has taken the following actions:

  • Contracting and processing with regard to privacy
  • Proactively probing & continuously revising its policies
  • Asking their customers to check their services and contracts linked to 3rd party organizations
  • Evaluating its products to help customers find out what exact data is being retained by Magento & where they store it
  • Encouraging their customers to review extensions that are linked with their accounts

2.3. WooCommerce

WooCommerce is continuously helping its customers get ready for GDPR. They have provided information about the rules to help store owners understand them better. WooCommerce has even built tools to help store owners deal with GDPR requests and privacy policies at checkout.

You can join their WordPress Slack in the #gdpr-compliance room to participate in the discussion.

2.4. BigCommerce

Just like other eCommerce platforms, BigCommerce has also worked to protect the rights of Europeans. They have also created a Privacy & Security group to help its customers know and comply with GDPR policies.

3. GDPR for eCommerce: What to do & not to do

3.1. Checking or tracking the IP addresses

You can’t check or track a visitor’s IP address to determine their geographic preferences, location, or currency, and then alter the CTAs, pricing, or available SKUs accordingly.

What you can do: You need to explicitly ask for the visitor’s permission in order to do these things.

3.2. Use of Targeted content

It’s a very common practice to deliver content that the user is interested in. For any eCommerce store, showing content based on a visitor’s purchase history or preferences is an integral part of the business. To target the audience, you use cookies.

What you can do: To comply with the GDPR, follow these rules:

1. The visitor should have a choice when it comes to using cookies. There should also be a choice to reject cookies.

2. Simply saying “If you use this site, you accept cookies” won’t work. You have to properly ask for a visitor’s consent.

3. You may also want to consider removing extensions like the custom popups. In fact, any extension which may collect and track data either needs to be removed or should explicitly ask for permissions.


3.3. Identifiable information

You can’t store personal information directly in your databases. When a visitor enters their information, the server should replace the data with substitute values. A token is generated to read these values.

This is called pseudonymization. It is a way of processing personal data so that it can no longer be attributed to a specific data subject without further information. In short, make the data unintelligible to enhance visitor privacy.

Identifiable information includes IP addresses, names, country, gender, location, race, and more.

What you can do:

  • Use the tokenization method.
  • Use masking to store partial information instead of full values.
  • Partition space on your server to separate personally identifiable data. This way, one single set of data can’t be identified without the other.
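
The three techniques above, combined in one added example that is not part of the original post: the order table holds only tokens and masked hints, while the token-to-value mapping sits in a separate vault. All names (`TokenVault`, `store_order`, the field names) are hypothetical, and in-memory dictionaries and a list stand in for the two separately stored partitions.

```python
import secrets

class TokenVault:
    """Token -> real value map; keep it in a separate, access-restricted store."""
    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, value):
        # Same value -> same token, so orders can still be grouped per customer.
        if value not in self._by_value:
            token = "tok_" + secrets.token_urlsafe(16)  # random, reveals nothing
            self._by_token[token], self._by_value[value] = value, token
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]  # KeyError once erased or if unknown

    def erase(self, token):
        # Dropping the mapping leaves any stored token unattributable.
        value = self._by_token.pop(token, None)
        if value is not None:
            del self._by_value[value]

def mask_email(email):
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain

def mask_ipv4(ip):
    return ".".join(ip.split(".")[:3] + ["0"])  # keep the network part only

def store_order(vault, orders, name, email, ip, total):
    """Write an order row that holds tokens and masked hints, never raw PII."""
    row = {
        "customer": vault.tokenize(email),
        "name": vault.tokenize(name),
        "email_hint": mask_email(email),
        "ip_net": mask_ipv4(ip),
        "total": total,
    }
    orders.append(row)
    return row

if __name__ == "__main__":
    vault, orders = TokenVault(), []  # two partitions: vault vs. order table
    # Constructed sample customer (documentation address ranges).
    row = store_order(vault, orders, "Alice Example", "alice@example.com",
                      "203.0.113.57", 42.50)
    print(row)
    print(vault.detokenize(row["customer"]))
    vault.erase(row["customer"])
```

Reading a real value back requires access to the vault, so a copy of the order table alone cannot be tied to a person, and erasing a vault entry leaves the remaining order rows unattributable.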

3.4. Don’t keep irrelevant data or multiple copies

GDPR limits the collection and storage of data. If the data is irrelevant, you can’t collect it. In fact, store owners can’t keep multiple copies of the data. This also applies to the period for which you can keep the data. For instance, if you run a poll and several EU citizens fill it in, you must delete the data once the poll is over or the result is out.

What you can do:

Clean up your databases. Delete the data once it has become irrelevant to the purpose it was originally collected for. This could be time-consuming but it’s crucial.

Cleaning up the database also makes your website load faster especially if you have a host who knows the proper implementation of NGINX and Apache. At Webscoot, we use NGINX in our server stack for faster performance.

4. Using GDPR for eCommerce to stay ahead

There’s a lot of work to be done. But if you see GDPR as an opportunity, the benefits are immense. Once you’re compliant, use GDPR as a selling point.

4.1. Boost business reputation & increase customer loyalty

Starting a business digitally comes with responsibility. This is where a smart business will differentiate from the masses. After the Cambridge Analytica incident, it is important to assure your visitors that you respect their privacy.

4.2. Lower IT Maintenance Costs

Another way of using GDPR for eCommerce to your benefit is reducing the cost of maintenance. You can let go of any data software or application that is no longer relevant and compliant.

4.3. Better Decision Making Power

With GDPR, there will only be relevant data. We will be able to better manage, make intelligent decisions, and see ROI improvements for Data Analytics projects.

5. Become GDPR Compliant: Checklist

GDPR guidelines embedded in the infographic in 6 steps

Concluding Remarks

  1. Irrespective of the company size, GDPR rules are applicable to every store if you have European visitors.
  2. If you have fewer than 250 employees, then it’s a bit simpler for you. You don’t have to hire a DPO (Data Protection Officer) to get your work done.
  3. Make your T&C (Terms & Conditions) clear. Don’t use pre-checked boxes and only collect information that’s relevant.
  4. Review your marketing tools and third-party extensions/channels. If they aren’t GDPR compliant, replace them with GDPR-ready tools.
  5. Show your visitors that you’re GDPR compliant.

Pro tip: Host your store on a GDPR compliant host so you don’t have to worry about security issues and data breaches. Your managed hosting provider will take care of data anonymization.


1 Comment

  1. George

    Any GDPR cases for eCommerce in 2019?

