As if online sellers need another thing to worry about, right? Most of us are solopreneurs who manage a wide range of business tasks, including inventory, marketing, customer service, and accounting. Time is in short supply as it is!
Now there’s one more task that eCommerce store owners need to add to that list: GDPR compliance.
If you’re running an online business, it’s highly likely that GDPR affects you. So we’ve done a heap of research to uncover exactly what eCommerce business owners need to do to be compliant.
While online privacy might sound a bit overwhelming, you’re going to want to read on if you want to avoid facing large fines for being non-compliant, and potentially losing the trust of European customers.
We should make it clear that this is a general guide to GDPR for eCommerce. We aren’t lawyers and this shouldn’t be taken as legal advice. That said, we reckon it’s pretty sound advice.
What Is GDPR?
GDPR stands for General Data Protection Regulation. It is a new data protection law, passed by the European Union (EU), that came into effect in May 2018.
It’s designed to give EU citizens more control over their personal data and alters how businesses and state organisations use that data.
Personal data includes photos, social media posts, IP addresses, bank details and any other identifying information.
In an age where companies, websites, and mobile apps are collecting masses of data from users every day, GDPR seeks to put greater checks and balances in place.
Under GDPR, users must give clear opt-in consent for their data to be stored and used, and companies must provide users with easy access to their personal data. We’ll explain additional obligations, outlined by GDPR, below.
You might be thinking, what does EU law have to do with me if my business is in the United States, Canada, Australia, or New Zealand?
The thing is, it doesn’t matter where your business is based. If you have customers anywhere in the EU, or your business is available to people in the EU, your website has to comply with GDPR.
What does GDPR Mean for eCommerce Store Owners?
Thankfully, GDPR requires more of large companies (think Facebook, Google, Amazon etc) than it does of small businesses like your eCommerce store.
However, eCommerce stores that are available to people in Europe do have some important obligations under GDPR.
As a business owner, you are considered a data controller, according to GDPR. All of the web tools, including the web host, apps, and extensions you use (Mailchimp, Shopify, Salesforce etc) are data processors.
As a data controller, you are ultimately responsible for the protection of personal data collected and stored by these data processors.
GDPR Requirements for eCommerce: How to Make Your Business Compliant
We’ve compiled a guide to making your online store comply with GDPR. These steps are specific for eCommerce, but will likely apply to most small businesses.
1. Update Your Privacy Policy
You would have seen the flood of emails from companies who have been updating their privacy policies to comply with GDPR.
Your privacy policy should be easily available on your website, and you should email your mailing list with the version that’s updated for GDPR. It should cover the following:
- Include a line that states you comply with your obligations under the GDPR.
- State what information you collect and store from visitors to your website. That might include IP addresses, device information, credit card details, cookies, mouse and swipe actions, email, name etc. All of the information you collect must be listed.
- Specify how and where you process this personal data. In other words, what do you use the data for? Marketing, accounting, UX research, etc.
- Specify who has access to this personal data, including third-party applications and plugins (Mailchimp, Quickbooks, Shopify).
- Include contact details for the Data Protection Officer in your organization. If you’re a small online store, that responsibility probably falls on you.
- Tell people how to lodge a data subject access request. This means you have to provide a way for users to access the information you have on them.
- Specify how long you store personal information.
Source: GDPR for eCommerce
2. Only Collect Personal Information that You Really Need
The idea here is that the less information you collect and store, the less information you have to protect.
You should have a good think about what information you really need to run your business effectively, and what is superfluous.
You can start by deleting whatever you don’t need from servers and databases. And don’t forget about old emails that might have attachments that contain personal information. It all needs to go!
Keep your data collection and storage to a minimum. This makes it easier to manage and also helps you to remain GDPR-compliant.
Information that eCommerce websites might collect:
- User registrations
- Contact form entries
- Any other logging tools and plugins
- Security tools and plugins
- Purchase information
- Credit card information
- Delivery addresses
3. Have a Plan and Process for Data Breach
GDPR requires that all data breaches be recorded and actioned with a preventative measure within 72 hours.
That means you need to have a plan of action in place for when data breaches occur.
Common data breaches include:
- Personal data being accessed by an unauthorized third party
- The sending of personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
- Personal data being leaked as a result of a hack on a website
- Passing of personal data into a non GDPR-compliant country
You need to let users know when a breach occurs and also be equipped with preventative measures that can avoid similar breaches happening in future. This is a legal requirement under GDPR.
4. Remove All Automatic Opt-ins from Your Site
You know when you make a purchase on an online store and there’s a box that automatically checked to sign you up to the mailing list? That’s a no-go under GDPR.
You must remove all automatic opt-ins from your website. That’s because anything a user agrees to via a checkbox has to be explicit and recorded.
This ensures that users are giving explicit consent for their data to be collected and used in a specific way.
You might have to use some persuasive copy to convince people to check the boxes of their own accord.
5. Have a System for ‘Right to be Forgotten’ Requests
If you’ve collected and stored data on a specific person, that person can ask you to “forget” that data. Basically, that means that you erase that person from your company’s digital memory. It’s like they never even existed.
Under GDPR, your business should have a system for handling “right to be forgotten” requests.
How do you do this?
- Verify the person’s identity.
- Make sure you have the data before processing the request. If you do not have the data, you can’t erase it.
- Be careful not to create more personal data while performing the request, such as the fact that the person has asked you to erase their data.
- Remove and/or redact the personal data you have stored. Also make sure to remove it from third-party applications, plugins, and services.
- Record the erasure in your data audit log.
- You should process the request within 20 days, or as soon as you can.
6. Have a Process for When Customers Revoke Consent to Process Their Data
This step is specific for eCommerce stores. Customers have a right to revoke permission to process their data following an online transaction.
They will have to consent to you collecting their personal information - name, location, purchase and shipping details - to complete the transaction.
But under GDPR, they can withdraw their permission to process their personal data following the transaction.
They might make this request if they don’t want their data being used in marketing reports, or other post-transaction processing.
This will most likely be a rare occurrence, but you’re obliged to have a process in place for when it does happen.
How do you do this?
Follow the process outlined in the previous step, but rather than erasing all of their information, simply flag the data in your database as not to be used in any post-transaction processing.
7. Make Sure Personal Data is Easily Available on Request
Under GDPR, website users and customers can request a copy of the data you have stored on them. This is commonly referred to as a Subject Access Request and can be made by website users, customers, and employees - anyone who has provided you with their information.
Therefore, you need to be able to easily access, copy, and provide data for every individual that you collect it from.
A couple of things that will help you to comply with this requirement:
- Store data in a way that makes it easy to access on request
- Provide data in a portable, universal format such as a .csv file
How do you do this?
Verify the person’s identity before providing their data (ideally in .csv format), and record the request in your data audit log.
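The request-handling processes in steps 5, 6 and 7, together with the explicit-consent rule from step 4, can all sit behind one small handler. The Python below is an added example written for this article; it is not code from the original post or from any shop platform. The CUSTOMERS table, the one-time token identity check, the field names and the audit secret are all assumptions chosen to make the example run offline.

```python
import csv
import hashlib
import hmac
import io
from datetime import datetime, timezone

# Constructed sample data; a real shop would read these from its database.
CUSTOMERS = {
    "c1001": {
        "email": "anna@example.test",
        "name": "Anna Example",
        "shipping_address": "1 Sample Street, Dublin",
        "orders": ["ORD-1", "ORD-2"],
        "marketing_opt_in": False,            # step 4: never pre-ticked
        "marketing_consent_at": "",
        "policy_version": "",
        "post_transaction_processing": True,  # step 6 clears this
    }
}
# Constructed one-time tokens, as if sent to the e-mail address on file.
ISSUED_TOKENS = {"anna@example.test": "tok-constructed-123"}
# Assumed secret for pseudonymising the audit log; keep it out of source control.
AUDIT_SECRET = b"rotate-me"
AUDIT_LOG = []


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def audit(action: str, customer_id: str) -> None:
    """Step 5 caveat: the log must not become more personal data, so it
    stores a keyed hash of the customer id, never the name or e-mail."""
    subject = hmac.new(AUDIT_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()[:16]
    AUDIT_LOG.append({"at": _now(), "action": action, "subject": subject})


def verify_identity(email: str, token: str) -> bool:
    """Placeholder identity check: the requester must present the one-time token."""
    expected = ISSUED_TOKENS.get(email, "")
    return bool(expected) and hmac.compare_digest(expected, token)


def find_customer(email: str):
    for cid, rec in CUSTOMERS.items():
        if rec["email"].lower() == email.lower():
            return cid
    return None


def record_marketing_consent(customer_id: str, box_ticked: bool, policy_version: str) -> bool:
    """Step 4: store consent only when the shopper actively ticked the box,
    together with when they did so and which policy version they saw."""
    if not box_ticked:
        return False
    CUSTOMERS[customer_id].update(marketing_opt_in=True,
                                  marketing_consent_at=_now(),
                                  policy_version=policy_version)
    audit("consent_recorded", customer_id)
    return True


def erase(email: str, token: str) -> str:
    """Step 5: right to be forgotten, in the article's order of checks."""
    if not verify_identity(email, token):
        return "identity_not_verified"
    cid = find_customer(email)
    if cid is None:                 # nothing held, so nothing to erase
        return "no_data_held"
    del CUSTOMERS[cid]
    audit("erased", cid)            # pseudonym only, no new personal data
    return "erased"


def revoke_post_transaction_processing(email: str, token: str) -> str:
    """Step 6: keep the order record, but flag it out of all further processing."""
    if not verify_identity(email, token):
        return "identity_not_verified"
    cid = find_customer(email)
    if cid is None:
        return "no_data_held"
    CUSTOMERS[cid]["post_transaction_processing"] = False
    CUSTOMERS[cid]["marketing_opt_in"] = False
    audit("processing_revoked", cid)
    return "revoked"


def export_subject_data_csv(email: str, token: str):
    """Step 7: answer a Subject Access Request as portable CSV text."""
    if not verify_identity(email, token):
        return None
    cid = find_customer(email)
    if cid is None:
        return ""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for field, value in CUSTOMERS[cid].items():
        writer.writerow([field, ";".join(value) if isinstance(value, list) else value])
    audit("sar_export", cid)
    return buf.getvalue()
```

Every entry point verifies identity first and only then looks for data, matching the order of the steps above, and the audit log records a keyed hash so that fulfilling an erasure request does not quietly create a new record of who asked. The one-time token stands in for whatever identity proof you actually use (a logged-in session, a signed link sent to the address on file).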
There’s a good checklist for Subject Access Requests here.
8. Update Internal Contracts, NDAs, and Privacy Policies
If you have staff, you need to get them up to speed with GDPR.
This means updating staff contracts, non-disclosure agreements, and internal privacy policies to include clauses relating to GDPR. It’s also a good idea to provide data protection awareness training and to have internal guidelines for staff.
If you require customers to agree to contracts these should also be updated to mention your GDPR obligations.
If you’re a solopreneur, running your eCommerce store alone, then you just need to worry about yourself.
What should eCommerce store owners avoid?
Unsolicited Emails
You can’t send unsolicited emails to anyone who hasn’t given their explicit consent for you to do so. Under GDPR, users and customers have to be given the option to opt in to mailing lists etc. This means you can no longer buy mailing lists or merge lists from other companies or products you manage into one another.
Abandoned Shopping Cart Emails
You have to be really careful about emailing customers who have abandoned their shopping cart with reminders, offers, or discounts. A shopper has to have given their consent to receive emails of this nature. So you either need to get really good at writing copy to convince them to opt-in, or avoid the sales tactic altogether.
Refusing Personal Data Requests
Under GDPR, you’re obliged to respond to Subject Access Requests and personal data requests. You can’t refuse to provide customers with their personal information just because it’s a hassle and takes up your precious time.
If you’re a one-person eCommerce store, it’s highly unlikely that you’ll receive many, if any, of these requests, but it’s best to have a process in place just in case.
Unsolicited Text Messages
Just like emails, you can’t be texting people who haven’t given you their consent to do so. Find a way to convince people to consent to these activities, or avoid them.
GDPR Fines and Penalties for Non-Compliance
GDPR imposes serious fines on data controllers (that’s you) and data processors for non-compliance.
Supervisory authorities take several factors into account when deciding on the fine and penalty, such as the nature of the infringement, whether it was intentional or negligent, and the measures taken to mitigate damage and prevent it happening again.
Low-level fines can be up to €10 million (US$11.7 million), or 2% of the worldwide annual revenue of the prior financial year.
High-level fines can be up to €20 million (US$23.5 million), or 4% of the worldwide annual revenue of the prior financial year.
You would have to be seriously non-compliant or cause some major damage to face the highest fines and penalties.
But if those numbers aren’t enough to make you want to comply, I don’t know what will. It just goes to show that the GDPR is not mucking around.
What are the Benefits of GDPR Compliance?
All of these requirements under GDPR might sound like a major hassle for eCommerce store owners who just want to get on with business.
But there are major benefits of GDPR compliance.
The most obvious one is that your online store will be much more attractive to European customers.
Personal privacy and data protection are major issues in Europe so by showing that you take GDPR seriously, you are likely to earn the trust of European citizens.
A lot of companies in Europe don’t hide their privacy and data protection information on their websites, they flaunt it loud and clear.
It turns out that being really upfront about data collection is a marketing tactic as it suggests that you’ve got nothing to hide.
Aside from advantages in the European market, GDPR compliance is an opportunity to reassess the way you collect and manage data as a business.
It’s likely that other countries, including the United States, will eventually introduce more stringent data protection laws, so complying with GDPR is a good chance to introduce efficient and effective processes without delay.
If you have any questions about how to make your online store comply with GDPR, or you have some tips of your own, please let us know in the comments below.