General Data Protection Regulation (GDPR)

On May 25, 2018 the EU's new data privacy law, the General Data Protection Regulation (GDPR), will go into effect. This applies to any merchant 1) based in Europe or 2) having (or possibly having) customers within the European Union. 

Disclaimer: This is not legal advice. The General Data Protection Regulation is complex and each merchant should obtain legal advice to discover how the regulation applies to their specific business. 

What is the GDPR? 

The General Data Protection Regulation (GDPR) is a new data privacy law passed in the European Union. The law calls for additional detail and transparency when processing personal data you collect on EU customers. 

The GDPR Replaces the 1995 fragmented European Union data protection law known as the "Data Protection Directive." The new regulation strengthens, enhances and unifies the data protection laws and regulations across all EU countries. 

Personal Data

Personal data includes any information that could be used on its own or combined with other information to identify an individual. For example, this information includes (but is not limited to) name, physical address, email address, social media information, financial data or digital identifiers such as an IP address, cookie and local storage.

Who is impacted by the GDPR? 

The General Data Protection Regulations impacts any merchant that is based within the European Union or having (or possibly having) customers located in the European Union. While UltraCart™ provides tools to help these merchants comply with the new regulation, you should review the regulation and take independent action to comply.   

How to Comply with the GDPR? 

Make Your Team Aware

Ensure anyone on your team involved in handling or processing user's personal data is aware of the changes and new regulations. 

Data Protection Officer

Assign an internal Data Protection Officer to track GDPR compliance, especially when processing large amounts of user data.

Update Your Privacy Policy

The GDPR requires that you outline specific information, typically within a privacy policy, to users whose data you are collecting and processing. The language within the policy must be clear and concise. The privacy policy must be easy to navigate to on your website. Your policy must contain what data you collect, why and how your collecting it, how long your keeping it, who (third parties) has access to it, how users can get to and change it, and how they can opt out of the data collection. 

You must, also notify your customers about the changes you've made in your privacy policy. 

Data Audit

Create a detailed outline for the flow, storage, and processing of personal consumer data. For example,

  • What data do you collect?
  • How do you collect and store the information?
  • How do you use or process the data?

Below are some Basic questions that will help get you started in creating this audit: 

  • Are you collecting data from your European customers? 
  • Make note any integration or script that gathers and/or process data.
  • Does your Payment Gateway/Payment Processor collect and/or process your customers personal data? 

Data Access

You must be able to provide customers with a common, readable, and portable copy of their personal data upon request. A response is expected within a 30 day period. Exceptions can be made if the request is difficult to fulfill, but communicate any problems to the customer.

Customer must use the MyAccount customer portal to update their information or privacy settings.  The MyAccount portal is part of the StoreFront.  You need to update your theme to the following versions (or higher) to incorporate these settings: 


You can export, in excel format, customer information within the your UltraCart account. Additional tools will be forthcoming for providing customers with personal data upon request. 

UltraCart Cannot Handle Your GDPR Compliance

UltraCart has provided tools to assist with GDPR compliance, however you must look into what steps you need to take to comply with new European General Data Protection Regulation. 

For your reference The EU has provided the following guidance: 

What Changes have been made to UltraCart to comply with the GDPR?

Updated Terms and Policies

  • Updated our Terms and Conditions to include a data processing addendum (as required by Article 28 of the GDPR).
  • Updated our Privacy Policy to include additional details and information about the personal data collected by UltraCart (as required by Article 13 and 14 of the GDPR).

New Data Collection Settings

We've added additional settings and tools within the Privacy and Tracking section for each StoreFront. Navigate to StoreFronts →  → Privacy & Tracking

The new Privacy tab allows you to control and restrict the data collection settings for your customers. There are five settings:

  1. Show the Privacy/Cookie Notice
  2. Anonymize the IP address
  3. Disable the Return Email
  4. Set the Default Mailing List to Off
  5. Exclude Purchase Bubble History

Each setting may apply to one of these audiences:

  1. None of your customers (by leaving each dropdown blank)
  2. All Customers
  3. EEA (European Economic Area) Customers
  4. Non-US Customers. 

In addition to the new general privacy settings, each tracking integration now has an Opt into section. Within this option you can require opt in for

  1. All Customers
  2. EEA (European Economic Area)
  3. Non-US Customers

Setting this field will require the target audience to opt into Statistics, Preferences or Marketing data collection before the integration will load. For example if you desire Google Analytics for everyone except EEA customers (until they opt in) then select "Statistics" and "EEA Customers". 

What The Customer Sees

If a customer on your StoreFront falls into the segment selected in your privacy settings (Privacy & Tracking → Privacy) The will be presented with the following dialogs: 

First, A general notice allowing the user to accept the cookie and privacy policy and continue to your store. 

Second, if the user clicks "MORE INFORMATION", they are given additional control over which elements of the cookie and privacy settings they would like opt-into.

Note: you can customize the colors and layout within the Cookie & Privacy Settings by placing your custom css in your override.css

Frequently Asked Questions

Question: Can UltraCart handle these required changes for us?

Answer: UltraCart Cannot Handle Your GDPR Compliance for you. UltraCart has provided tools to assist with GDPR compliance, however you must look into what steps you need to take to comply with new European General Data Protection Regulation.  

For your reference The EU has provided the following guidance: 

Given that these regulations can impose penalties upon your company, UltraCart recommends that you consult your own legal counsel in determining appropriate settings for your business.

Question: Our company is primarily based in, and aimed at, US based customers. What should be the determining factor in choosing the audience in which to apply these privacy tools? Would it be a good idea to apply it to all customers instead of just to the Non-US and/or EEA customers?

Answer: If your company is a "typical e-commerce shop" selling primarily to US customers, then you will probably want to go with "Non-US" option in order to avoid burdening (and potentially annoying) the vast majority of your customers (by forcing them to deal with the process of setting their privacy settings.)