GDPR and e-commerce


The deadline for bringing your e-commerce site into compliance with the GDPR is approaching, and despite the many articles and conferences on the subject, it is surprisingly difficult to find out exactly what needs to change on your site to comply with the law.

Everywhere we hear about the interpretation of the texts, the company-wide impact and the main principles of the GDPR, but nobody seems able to say in concrete terms how to modify an e-commerce site, which does not make things easier for e-merchants who now have to handle this project as an emergency.

GDPR: list of elements to change on your e-commerce site

You may have a Shopify, PrestaShop or Magento site, and be dropshipping or not. Here are the points to modify to bring your site into compliance with the GDPR:

  • Create or update the page containing the privacy policy of the data collected
  • Create a contact form dedicated to requests to update personal data
  • The management of cookies for each visitor
  • Modify the wording of consent on forms or validation steps.
  • Customer data management
  • The double opt-in for any subscription to a mailing list

Data Collection, Management and Confidentiality Policy

You now have an obligation to provide a "Personal Information" page on the site: a content page explaining the company's entire personal data management policy in relation to the GDPR. It lists all the information collected through the site and the use the company may make of it.

Create a contact form dedicated to GDPR requests

It is also mandatory to offer a dedicated contact form for any request related to the management of a customer's personal data. Submissions from this form go to the company's GDPR Manager, who is responsible for processing the requests.

Every country has its own data protection authority. Here are links for several countries:

Enable cookie management on the site

From now on, visitors must be given the opportunity to choose for themselves which types of cookies they wish to leave active while browsing.
I'm quite sure you've already seen one of these on some website. In practice this is a banner or panel that appears as soon as the visitor arrives on any page of the site, and which cannot disappear until the visitor has made one of the choices offered. This banner contains a legal notice and gives access to the personalization of the site's cookies.

As a French e-commerce consultant, I refer a lot to the CNIL. So for France, for the text of the banner, the CNIL proposes the following wording:

"By continuing to browse this site, you agree to the use of [cookies or other tracking devices] to provide you with [for example, targeted advertising tailored to your interests] and [for example, to compile visit statistics]."

In addition to this notice, it is ideal to add to this banner:

  • a link that redirects to the content page on the personal data management policy;
  • a "Customize" button that links to a page allowing the visitor to configure separately which cookies and trackers they accept while browsing. This requires specific development, or the use of a dedicated tool.

Due to popular demand, there are cookie management solutions available for e-commerce sites that handle GDPR consent and offer several levels of settings.

For detailed management of the cookie settings:

  • TRUSTe by TrustArc (SaaS solution)
  • Cookiebot (SaaS solution)
  • tarteaucitron.js, "lemon pie" (open source solution, with a paid version)

The CNIL specifies that "this banner must not disappear until the visitor has continued to navigate". If the visitor continues browsing without confirming a choice, the default setting of maximum privacy applies for the duration of the session.

From now on, the maximum lifetime of an audience measurement cookie is 13 months. At the end of this period, the visitor's consent must be obtained again. This means configuring your Google Analytics account accordingly, along with any other tool that sets cookies or trackers.

The classification of cookies by type of use to comply with the GDPR is not clearly defined by the CNIL, but we can generally classify them into 3 categories of influence on the functioning of the site:

  • Mandatory cookies. These are necessary for the key functions of the site and form the minimum level of acceptance: cookies that keep the customer logged in to their account, secure the session, remember actions performed on the site (products added to the basket) or allow the transaction to be completed. Cookies set by Google Analytics or any other audience measurement solution fall into this category, on condition that they collect data in a non-nominative way; see the conditions on the CNIL website.
  • Functional cookies. These enable additional features such as customizing site content based on analysis of the visitor's profile or actions, or enabling social interactions. This often involves third-party solutions used on the site for merchandising personalization (Earlybirds, Nosto, Doofinder, Target2sell, Antidot), A/B testing (AB Tasty, Kameleoon) or CRO (Shopimind, Hotjar, Optimizely, Convertize), social login through third-party solutions (Facebook Connect, Google Connect, Amazon Pay, etc.), and social network sharing tools.
  • Advertising cookies. These are used by the company and by third parties to serve ads matching the visitor's interests. This covers all advertising or remarketing trackers (Facebook, Google, Bing, Criteo, AdRoll, ...).
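The banner behaviour described above (nothing but mandatory cookies until the visitor decides, a record of the choice per category, and a forced re-prompt after 13 months) can be implemented in a few functions. The following is an added example written for this article, not code from any of the tools listed; the cookie name `gdpr_consent`, the category names, the 390-day approximation of 13 months, the `#cookie-banner` markup and the tag-loader hooks are all assumptions for illustration.

```javascript
// Added example, not code from the original article: a minimal consent manager for the
// three cookie categories described above. The cookie name, the category names and the
// tag-loader hooks are assumptions for illustration.
const CATEGORIES = ['mandatory', 'functional', 'advertising'];
const CONSENT_COOKIE = 'gdpr_consent';              // assumed cookie name
const CONSENT_MAX_AGE_SEC = 13 * 30 * 24 * 3600;    // 13 months (approximated as 390 days): consent is asked again after this

// Before the visitor has chosen: maximum privacy. Only mandatory cookies, no trackers.
function defaultConsent() {
  return { mandatory: true, functional: false, advertising: false, decided: false, expires: 0 };
}

// Turn the visitor's choices into a consent record. 'mandatory' can never be switched off.
function buildConsent(choices, now = Date.now()) {
  const consent = { ...defaultConsent(), decided: true, expires: now + CONSENT_MAX_AGE_SEC * 1000 };
  for (const category of CATEGORIES) {
    if (category !== 'mandatory') consent[category] = choices[category] === true;
  }
  return consent;
}

// Serialize the record for document.cookie with the 13-month lifetime.
function consentCookieString(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE_SEC}; Path=/; SameSite=Lax; Secure`;
}

// Read the record back from a cookie string. Missing, malformed or expired -> default (ask again).
function parseConsent(cookieHeader, now = Date.now()) {
  const pair = String(cookieHeader || '').split(/;\s*/).find((p) => p.startsWith(`${CONSENT_COOKIE}=`));
  if (!pair) return defaultConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (typeof stored.expires !== 'number' || stored.expires <= now) return defaultConsent();
    return { ...defaultConsent(), ...stored, mandatory: true };
  } catch (err) {
    return defaultConsent();
  }
}

// Which tag loaders may run for this visitor. Scripts of refused categories are never injected.
function allowedCategories(consent) {
  return CATEGORIES.filter((c) => consent[c] === true);
}

// Browser wiring (skipped when run outside a page, e.g. under Node).
if (typeof document !== 'undefined') {
  const loaders = {               // assumed hooks: each one injects the vendor tags of its category
    mandatory: () => {},
    functional: () => {},
    advertising: () => {},
  };
  const apply = (consent) => allowedCategories(consent).forEach((c) => loaders[c]());
  const consent = parseConsent(document.cookie);
  if (consent.decided) {
    apply(consent);
  } else {
    apply(defaultConsent());      // the session continues with maximum privacy until a choice is made
    const banner = document.getElementById('cookie-banner');   // assumed markup
    banner.hidden = false;
    banner.querySelector('[data-accept-all]').addEventListener('click', () => {
      const chosen = buildConsent({ functional: true, advertising: true });
      document.cookie = consentCookieString(chosen);
      apply(chosen);
      banner.hidden = true;
    });
    banner.querySelector('[data-customize]').addEventListener('click', () => {
      window.location.href = '/cookie-settings';   // assumed settings page
    });
  }
}
```

The important design point is that the vendor scripts are only injected by `apply()` after the consent record says so; putting the tags in the page unconditionally and merely hiding the banner would set the trackers before the visitor has chosen. The `expires` field inside the record, checked on every read, is what forces the new prompt after 13 months even if the browser kept the cookie longer.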

Customer data management

A customer must be able to modify all their personal information independently, in particular via their customer account. This is already the case in most customer areas of e-commerce sites.

The GDPR introduces a new concept, the "right to erasure", sometimes called the "right to be forgotten" or the "right for individuals to have personal data erased":

  • Customer data may be kept for as long as necessary for the proper management of the business relationship. Thereafter, it may be stored for up to 3 years. The customer must also be able to delete their data at any time.
  • For data relating to non-customers, the storage period is a maximum of 3 years after the last contact (which may also be the first). At the end of the 3 years, consent must be renewed.
  • Exception: the archiving of evidence data (proof of a right, contract or legal obligation).

In concrete terms, this applies in 3 ways on the site:

  • The possibility of deleting your own customer account, or only certain information in it. Most e-commerce solutions do not currently allow this. You must therefore add a "Delete my account" button in the customer account that lets the customer delete not only their account data but also all the declared and non-declared information your company holds about them. This can take effect immediately if the function is automated in the e-commerce solution. It can also be an "Account deletion request" if the operation requires manual intervention on the company side. In both cases, the customer must receive confirmation that the request has been taken into account and carried out, within a reasonable time.
  • The company must regularly "clean up" its database of inactive customers, by removing all customers who have not placed an order for 3 years, or who have not logged into their account for 3 years. This clean-up follows rules you define yourself, which must be stated on your personal data management page. It can take place at least once a year, or more often.
  • Data portability: the addition of a button to export customer data. Neither the text of the GDPR nor the CNIL specifies the type of information that must be included in this export, but it is probably necessary to provide at least personal information and order history.

But you can add a lot more if you want to, such as:

  • information related to a loyalty program,
  • the history of email exchanges with Customer Service if they are archived,
  • the history of after-sales service requests for a product (exchange, refund, repair).
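The three points above (a periodic clean-up of inactive customers, the "Delete my account" function that still honours the evidence-archiving exception, and a "export my data" document with the minimum plus the optional extras) can be sketched as plain functions over the customer and order tables. This is an added example written for this article, not code from any e-commerce platform; the column names, the constructed sample rows, the `legalHold` flag used for the archiving exception, and the reading of "inactive" as "neither an order nor a login in 3 years" are all assumptions.

```javascript
// Added example, not code from the original article: retention clean-up, erasure and
// data-portability helpers over an in-memory customer store. The table layout, the sample
// rows and the "legal hold" flag (evidence-archiving exception) are assumptions.
const RETENTION_YEARS = 3;                          // retention period given in the article
const MS_PER_YEAR = 365.25 * 24 * 3600 * 1000;

// Constructed sample rows standing in for the shop's customer and order tables.
const CUSTOMERS = [
  { id: 1, email: 'anna@example.com', name: 'Anna Martin', createdAt: '2013-02-01', lastOrderAt: '2014-05-20', lastLoginAt: '2014-09-03', legalHold: false },
  { id: 2, email: 'bob@example.com', name: 'Bob Dupont', createdAt: '2012-11-12', lastOrderAt: '2013-01-05', lastLoginAt: '2018-03-01', legalHold: false },
  { id: 3, email: 'chloe@example.com', name: 'Chloe Petit', createdAt: '2014-07-07', lastOrderAt: '2014-08-01', lastLoginAt: null, legalHold: true },
];
const ORDERS = [
  { id: 101, customerId: 1, date: '2014-05-20', total: 42.5 },
  { id: 102, customerId: 2, date: '2013-01-05', total: 19.9 },
];

// Most recent order or login; falls back to account creation for customers who never did either.
function lastActivity(customer) {
  const stamps = [customer.lastOrderAt, customer.lastLoginAt].filter(Boolean).map((d) => Date.parse(d));
  return stamps.length ? Math.max(...stamps) : Date.parse(customer.createdAt);
}

// Periodic clean-up: ids of customers with no order and no login for RETENTION_YEARS.
// Rows under legal hold (evidence of a right, contract or obligation) are skipped.
function selectInactiveCustomers(customers, now = Date.now()) {
  const cutoff = now - RETENTION_YEARS * MS_PER_YEAR;
  return customers.filter((c) => !c.legalHold && lastActivity(c) < cutoff).map((c) => c.id);
}

// Erasure ("Delete my account"): drop the account and its personal data. Orders are kept as
// accounting evidence but detached from the identity, so the archive no longer names the person.
function eraseCustomer(customers, orders, id) {
  const remaining = customers.filter((c) => c.id !== id);
  const archived = orders.map((o) => (o.customerId === id ? { ...o, customerId: null, customerErased: true } : o));
  return { customers: remaining, orders: archived, erased: remaining.length !== customers.length };
}

// Portability ("Export my data"): one document with the minimum (personal information and
// order history) plus the optional extras listed above, when the shop keeps them.
function exportCustomerData(customers, orders, id, extras = {}) {
  const c = customers.find((x) => x.id === id);
  if (!c) return null;
  return {
    personalInformation: { email: c.email, name: c.name, accountCreated: c.createdAt },
    orderHistory: orders.filter((o) => o.customerId === id),
    loyaltyProgram: extras.loyalty || null,
    customerServiceEmails: extras.emails || [],
    afterSalesRequests: extras.afterSales || [],
  };
}

// The yearly job: erase every inactive customer, threading the updated tables through.
function runCleanup(customers, orders, now = Date.now()) {
  let state = { customers, orders };
  for (const id of selectInactiveCustomers(customers, now)) {
    state = eraseCustomer(state.customers, state.orders, id);
  }
  return state;
}
```

On the sample rows, with "today" taken as 25 May 2018, only Anna is selected: Bob logged in recently, and Chloe, although inactive, is under legal hold. Her order row survives the erasure with `customerId` set to `null`, which is how the accounting evidence is kept without keeping the identity.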

How to get consent on forms and validation steps?

This applies to all forms that involve data collection:

  • Creating an account
  • The order confirmation
  • Subscription to the newsletter
  • Availability alert on out of stock product

Each registration requires informing the visitor of the personal data management policy and obtaining his or her consent. Make sure that, on each page, the information next to the validation button is sufficiently explicit on this point, with a message such as:

By creating your account, you acknowledge that you have read our privacy policy (link) and agree to it.

By subscribing to our newsletter, you acknowledge that you have read our privacy policy (link) and accept it.

By validating your order, you accept our general terms and conditions of sale (link) and acknowledge that you have read our policy on the management of personal data (link).

The addition of a checkbox is not explicitly stated as mandatory, but there is no reason to change habits on this point: keep a checkbox for the acceptance of the T&Cs and for the subscription to the newsletter.

Double opt-in by email

The double opt-in consists of doubling the consent procedure for subscribing to a mailing list.
The 1st opt-in happens at the time of registration on the site, with no change from the usual behaviour: to subscribe to a mailing list, the visitor simply ticks a box on the site page. However, you must clearly explain how the collected data is used by adding appropriate text.
This 1st registration action automatically triggers an email that carries out the 2nd opt-in. The message contains a request to confirm that the visitor wants to receive the information. Only once that link is clicked may the address be added to the database.
The newsletter subscription procedure therefore has to be adapted to these 2 elements.

With this list, you should be able to quickly modify your site to comply with the principles of the GDPR. As the GDPR is rolled out across e-commerce sites, you will probably find other ways to implement these recommendations.

Contact your GDPR expert now!

I will respond within the next 24 hours.



What is GDPR?


Regulation No 2016/679, known as the General Data Protection Regulation (GDPR), is a European Union regulation that constitutes the reference text for the protection of personal data. It strengthens and unifies data protection for individuals within the European Union.
