The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018.

The GDPR is not limited to European companies. The regulation applies to every company that can potentially process EU nationals’ data – so that’s basically every company in the world, regardless of its location.

The GDPR gives people more rights over their personal data. Specifically, it provides the right to access, correct, delete, and restrict processing of consumer data, and sets strict guidelines for user consent. If you collect or store any information that can be linked to an individual, that counts as personal data.

We recommend consulting with a legal professional, as every business is different. Some businesses may need more preparation than others to comply with the GDPR. This article provides a general overview of GDPR compliance and introduces the most common requirements.

Note: The instructions below apply to stores created with Online Store and Advanced Store plans.


Steps to take when preparing for the GDPR

According to the GDPR, store merchants must comply with the regulation if they are based in the EU or sell to EU customers.

We collect and process personal data in a compliant manner. However, it is your responsibility to comply with GDPR requirements when you collect and process personal data from your EU customers.

Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person: a name, photo, email address, IP address, bank details, posts on social networking websites, medical information, and even random codes that are assigned to users to gather analytics, conduct A/B tests, and more.


Get clear consent before collecting any data

You must obtain consent to process your customers’ personal data. Prepare a clear privacy policy specifying why you collect personal data, explaining what data is retained, and offering a right to withdraw consent.

To require your customers to accept your terms of service before checkout, in your Store Manager → Settings → Legal → Customers’ consent enable Require consent to terms and conditions at checkout.

This feature ensures all orders include a confirmation of consent: the “I agree with Terms and conditions” checkbox on the cart page. As it is impossible to place an order without agreeing to Terms and Conditions, the fact that an order is placed is the confirmation of consent.

To see how to add a privacy policy, terms & conditions and other legal pages to your store, refer to the help article on adding legal pages to your store.


Get clear consent before sending promo emails

You must obtain clear consent to send non-order-related emails to customers. In your store, you can add a sign-up option above the Checkout button. This way, you capture such consent and build a list of customers who agreed to receive your promo emails.

To add the sign-up option for your promo emails to your store’s checkout:

  1. Go to the Store Manager Settings → Legal.

  2. Scroll down to the Customers’ consent section.

  3. Enable Request customers’ approval for your marketing emails at checkout.

  4. (optional) Press Edit to change the text displayed for the sign-up option and/or to preselect the sign-up option.

You can also add the sign-up option to your store’s checkout in Marketing → Newsletters or in Settings → General Settings → Cart & Checkout (the Newsletters section).


Clearly show in forms what fields are optional or required

The store clearly marks which fields are required and which are optional on its forms.

For example, to make the phone number optional, in your Store Manager, go to Settings → Cart & Checkout → Checkout Settings and disable the Require phone number at checkout option.


Get clear consent for tracking store visitors via cookies

Ask your store visitors for consent to track their actions in your storefront via cookies. For this, you can add a special banner to your store:

  1. In your Store Manager, go to Settings → Legal.

  2. Scroll down to the Customers’ consent section.

  3. Enable the Cookie consent banner.

You can also turn it on in Settings → General → Tracking & Analytics by enabling the GDPR cookie consent banner.

Once enabled, the cookie consent banner appears on the storefront with the option to accept or decline.

Visitors who click Accept can always change their decision later on the My Account page in your store (it is available both for customers who have accounts in your store and for non-registered visitors).

If you track visitors’ behavior with the help of Google Analytics or Facebook Pixel, visitors who click Decline in the banner (or revoke their consent later) won’t be counted in the statistics.

To edit the text displayed in the cookie banner, use the Label Editor and change the label called Notice.TrackingConsent.description.


Provide customers with the right to access their data

You have to provide your customers with a copy of their personal data – when they ask for it – in an easily readable and portable format. You can access the customers' personal data in your Store Manager:

  1. Go to Settings → Legal.

  2. Scroll down to the Customers’ personal data section.

  3. Click Get customer data.

  4. Enter the customer’s email address into the field and click Submit.

After that, you will receive an email containing the customer’s personal data as a downloadable .zip archive (the link is valid for 10 days).

You should also take into consideration any third-party services you use that may have access to your customers’ personal data.


Provide customers with the right to delete, edit, restrict certain data uses

Along with access requests, we can also delete the personal data we store on your behalf. To delete the personal data of a customer:

  1. In your Store Manager, go to Settings → Legal.

  2. Scroll down to the Customers’ personal data section.

  3. Click Delete customer data.

  4. Enter the customer’s email address into the field and click Submit.

After you press Submit, all the personal data associated with this email will be permanently deleted in 7 days. We will also notify the developers of any apps you use from the app market that the customer has requested the deletion of their personal data.

If you need to cancel the scheduled deletion of data, click the Cancel link next to it.

Basic requests (e.g., a customer asks you to delete their order) can also be quickly managed inside your store admin.


Data breach notifications

We act as a Data processor, while you act as a Data controller. If your website experiences a data breach of any kind, you might be required to notify affected customers. Under the GDPR, a notification must be sent within 72 hours from the time you become aware of the breach. Data processors are also required to notify users, as well as the Data controllers, immediately after becoming aware of a data breach.

Make sure you use strong passwords for your store (a password generator can create them) to increase the security of data on your side.


What we have done to comply with the GDPR

We collect, store, process and share personal data based on GDPR guidelines and comply with GDPR requirements in the following ways:

  • We assigned a Data Protection Officer who is in charge of the Data Protection Policy;

  • We started to deliver GDPR-focused training to our key teams and personnel;

  • We implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests;

  • We work only with subprocessors who provide an adequate protection of the personal data through robust technical and organizational measures;

  • We developed a reliable method to detect, report and investigate a personal data breach;

  • We established the necessary records of data processing activities;

  • We are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks; this arrangement calls for certified organizations to guarantee a level of security in line with EU data protection law regarding the transfer of personal data from the EEA and Switzerland to the U.S.
