On May 25, 2018 the EU's new data privacy law, the General Data Protection Regulation (GDPR), will go into effect. This applies to any merchant 1) based in Europe or 2) having (or possibly having) customers within the European Union.
Disclaimer: This is not legal advice. The General Data Protection Regulation is complex and each merchant should obtain legal advice to discover how the regulation applies to their specific business.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new data privacy law passed in the European Union. The law calls for additional detail and transparency when processing personal data you collect on EU customers.
The GDPR replaces the fragmented 1995 European Union data protection law known as the "Data Protection Directive." The new regulation strengthens, enhances and unifies the data protection laws and regulations across all EU countries.
Personal data includes any information that could be used on its own or combined with other information to identify an individual. For example, this information includes (but is not limited to) name, physical address, email address, social media information, financial data, or digital identifiers such as an IP address, cookies and local storage.
Who is impacted by the GDPR?
The General Data Protection Regulation impacts any merchant that is based within the European Union or has (or may have) customers located in the European Union. While UltraCart™ provides tools to help these merchants comply with the new regulation, you should review the regulation and take independent action to comply.
How to Comply with the GDPR?
Make Your Team Aware
Ensure anyone on your team involved in handling or processing users' personal data is aware of the changes and new regulations.
Data Protection Officer
Assign an internal Data Protection Officer to track GDPR compliance, especially when processing large amounts of user data.
Create a detailed outline of the flow, storage, and processing of personal consumer data. For example:
What data do you collect?
How do you collect and store the information?
How do you use or process the data?
Below are some basic questions that will help get you started in creating this audit:
Are you collecting data from your European customers?
Make note of any integration or script that gathers and/or processes data.
Does your Payment Gateway/Payment Processor collect and/or process your customers' personal data?
You must be able to provide customers with a common, readable, and portable copy of their personal data upon request. A response is expected within a 30-day period. Exceptions can be made if the request is difficult to fulfill, but communicate any problems to the customer.
Customers must use the MyAccount customer portal to update their information or privacy settings. The MyAccount portal is part of the StoreFront. You need to update your theme to the following versions (or higher) to incorporate these settings:
You can export customer information in Excel format from within your UltraCart account. Additional tools will be forthcoming for providing customers with personal data upon request.
UltraCart Cannot Handle Your GDPR Compliance
UltraCart has provided tools to assist with GDPR compliance; however, you must determine what steps you need to take to comply with the new European General Data Protection Regulation.
For your reference, the EU has provided the following guidance:
What Changes have been made to UltraCart to comply with the GDPR?
Updated Terms and Policies
Updated our Terms and Conditions to include a data processing addendum (as required by Article 28 of the GDPR).
New Data Collection Settings
We've added additional settings and tools within the Privacy and Tracking section for each StoreFront. Navigate to StoreFronts → YourStoreFrontDomain.com → Privacy & Tracking
The new Privacy tab allows you to control and restrict the data collection settings for your customers. There are five settings:
Show the Privacy/Cookie Notice
Anonymize the IP address
Disable the Return Email
Set the Default Mailing List to Off
Exclude Purchase Bubble History
Each setting may apply to one of these audiences:
None of your customers (by leaving each dropdown blank)
EEA (European Economic Area) Customers
In addition to the new general privacy settings, each tracking integration now has an "Opt into" section. Within this option you can require opt-in for:
EEA (European Economic Area)
Setting this field will require the target audience to opt into Statistics, Preferences or Marketing data collection before the integration will load. For example, if you want Google Analytics to load for everyone except EEA customers (until they opt in), select "Statistics" and "EEA Customers".
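As an added illustration (not UltraCart's own code), the following JavaScript models how the audience dropdowns on the Privacy tab and the per-integration "Opt into" rule combine to decide what is in force for a given customer. The object shapes, the audience labels, and the country-code EEA test are assumptions made for the example.

```javascript
// Constructed model of the StoreFront privacy settings and per-integration opt-in.
// Shapes and labels are assumptions for illustration, not UltraCart's API.

// EEA = the EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
const EEA_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
  "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO",
]);

// Audience values as a dropdown might hold them: blank means "none of your customers".
function inAudience(audience, customer) {
  switch (audience) {
    case "":       return false;                              // dropdown left blank
    case "EEA":    return EEA_COUNTRIES.has(customer.country);
    case "Non-US": return customer.country !== "US";
    default:       throw new Error("unknown audience: " + audience);
  }
}

// settings maps each of the five Privacy tab settings to the audience it applies to, e.g.
// { showNotice: "EEA", anonymizeIp: "EEA", disableReturnEmail: "", ... }.
// Returns which settings are in force for this customer.
function effectivePrivacySettings(settings, customer) {
  const inForce = {};
  for (const [name, audience] of Object.entries(settings)) {
    inForce[name] = inAudience(audience, customer);
  }
  return inForce;
}

// integration.optIn = { category: "Statistics" | "Preferences" | "Marketing", audience }.
// consent holds the categories the customer accepted in the cookie dialog, e.g. { Statistics: true }.
// The tag loads freely for customers outside the audience and is gated on consent inside it.
function shouldLoadIntegration(integration, customer, consent) {
  const rule = integration.optIn;
  if (!rule || !inAudience(rule.audience, customer)) return true;
  return consent[rule.category] === true;
}

// Worked case from the text: Google Analytics gated on Statistics for EEA customers only.
const googleAnalytics = { name: "Google Analytics", optIn: { category: "Statistics", audience: "EEA" } };
function demo() {
  return {
    eeaNoConsent: shouldLoadIntegration(googleAnalytics, { country: "DE" }, {}),
    eeaConsented: shouldLoadIntegration(googleAnalytics, { country: "DE" }, { Statistics: true }),
    usCustomer:   shouldLoadIntegration(googleAnalytics, { country: "US" }, {}),
  };
}
```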
What The Customer Sees
If a customer on your StoreFront falls into the segment selected in your privacy settings (Privacy & Tracking → Privacy), they will be presented with the following dialogs:
Second, if the user clicks "MORE INFORMATION", they are given additional control over which elements of the cookie and privacy settings they would like to opt into.
Note: you can customize the colors and layout of the Cookie & Privacy Settings by placing your custom CSS in your override.css.
Frequently Asked Questions
Question: Can UltraCart handle these required changes for us?
Answer: UltraCart cannot handle your GDPR compliance for you. UltraCart has provided tools to assist with GDPR compliance; however, you must determine what steps you need to take to comply with the new European General Data Protection Regulation.
For your reference, the EU has provided the following guidance:
Given that these regulations can impose penalties upon your company, UltraCart recommends that you consult your own legal counsel in determining appropriate settings for your business.
Question: Our company is primarily based in, and aimed at, US based customers. What should be the determining factor in choosing the audience in which to apply these privacy tools? Would it be a good idea to apply it to all customers instead of just to the Non-US and/or EEA customers?
Answer: If your company is a "typical e-commerce shop" selling primarily to US customers, then you will probably want to go with the "Non-US" option in order to avoid burdening (and potentially annoying) the vast majority of your customers by forcing them to deal with the process of setting their privacy settings.