The European Union's General Data Protection Regulation (GDPR) is a regional law with global implications both in terms of its enforcement and its impact. So no matter where your company is located, if it does business with Europe, your ecommerce website must meet at least five requirements.
The GDPR, which took effect May 25, 2018, requires you to clearly communicate what information you collect and how that information is used. You will also need a basis for collecting personal data, and you must answer customer requests for information or erasure.
So here are the five things your website needs.
At its core, the GDPR is a personal privacy protection law. It clearly states that the protection of personal information is fundamental human right, and it sets out in 99 Articles and 173 recitals to regulate and defend that right.
While there is not necessarily a format your company must follow, you are going to want to include six concepts:
- Data collection
- Data use (processing)
- Data storage
- Data sharing
- Data control
Here are the sections covered.
- Section One: Transactional Information — describes what your company does with a data subject's personal information and includes email subscriptions.
- Section Two: Consent — describes how consent is given and withdrawn.
- Section Three: Disclosure — let data subjects know if information is shared.
- Section Four: Online Store — discloses information about your ecommerce platform and payment processing.
- Section Five: Third-party Services — identifies the use of third-party solutions which may also collect and process personal information.
- Section Six: Security — explains what your company and your ecommerce platform do to protect personal information.
- Section Seven: Do Not Track — explains cookies and how they work on your site.
- Section Eight: Age of Consent — addresses the minimum legal age of consent.
- Write your own using examples.
Consent on Forms
How you present these concepts can vary.
It may also be a good idea to "unbundle" consent, so rather than asking a site visitor to approve all cookies, for example, you might give them the choice to accept essential cookies necessary for the site to function while rejecting marketing cookies that monitor shopping behaviors.
Consent at Checkout
When a customer makes a purchase on an ecommerce site that customer understands that in order to receive the items purchased, he or she will need to provide personal data like a name, address, and payment card.
To be clear, your ecommerce operation does not need consent to process an online order.
The GDPR provides six valid and lawful bases for the collection and processing of personal data. These bases are consent, contract, legal obligation, vital interest, public interest, and legitimate interests.
An ecommerce checkout may be considered a form of a contract, since the data subject has specifically asked your business to do something — deliver a product — that requires the collection and processing of personal information.
However, there are a couple of things you may need to include on checkout pages.
As an example, if you have a checkbox in your shopping cart that says "add me to the email list," your company will need to get consent, since subscribing to an email list is not necessary for the completion of the order.
Similarly, if you ask a shopper to create a customer account at checkout, you will need consent.
Requests for Records
The GDPR allows for subject access, meaning that anyone covered by the GDPR whose data your business has collected has the right to request a record of all of the information you have about them.
Data subjects can submit a request in verbal or written form to any part of your business, and they do not need to specifically mention the GDPR. Your company will need to respond quickly.
Here again, the GDPR doesn't provide a specific template, but response best practices include:
- Identifying all the places (databases) personal data is stored in advance.
- Developing a system (automated if possible) that will retrieve all of a customer's personal data.
- Training employees to recognize requests.
- Developing a central repository for all GDPR-related requests.
- Identifying the individuals or departments responsible for handling requests.
- Creating form letters and responses.
- Validating each request.
- Keeping a record of all requests and your company's response for audit purposes.
Requests to Delete Data
The GDPR also includes a right to erasure or a right to be forgotten. With this right, a person covered by the GDPR can contact your company in the same way he or she would for a record request, but instead of asking for a copy of the personal data your business has collected, he or she can demand that you delete it, effectively forgetting them.
This right is not absolute. There are at least five instances when you would not comply, including for the purpose of freedom of expression and information; to meet a legal obligation; for the public interest; for public scientific or historical research with overarching benefits to the public; and for legal claims.
Follow the same best practices recommended for the request for records, but be prepared to delete the personal data and ask third-party partners to do the same.
Want to learn the fastest way to make your website fully GDPR-compliant? Download our free ebook below.