With the unprecedented rise in technology, a person's privacy is at stake in this world of computers and other gadgets. All data related to a person, whether professional or private, is just a click away. In this scenario, the possibility of data misuse is higher, and undoubtedly there arises a need for laws that oversee this. Most importantly, the law must keep the customer at the forefront, and this is how GDPR was conceptualized.
Read along to know more.
GDPR stands for General Data Protection Regulation. It was created specifically for people in the European Union on April 14, 2016 by the European Parliament and the Council of the European Union.
Though created in 2016, the regulation came into effect two years later on 25th May 2018.
It was created for the purpose of protecting the personal data of EU citizens in the online world. Any organization that handles customer data is liable to follow this regulation.
Prior to this enforced regulation, data protection for citizens was governed only by a directive. It was a suggestion and was not strictly followed. The misuse of customer data for the sake of business made the authorities take the step of coming up with GDPR, a set of laws to safeguard digital privacy.
Officially, the law is applicable only for the EU states. Unfortunately, it is an undeniable reality that the repercussions of the GDPR digital privacy rules are felt worldwide.
Say you are an organization headquartered in Australia with clients from every corner of the globe, and EU citizens are among them: you will have to comply with the GDPR checklist to serve them and their needs as your customers. The rules are set in such a way that you cannot stay away from them unless you have no association with the European Union at all.
If GDPR is all about data protection, the eCommerce sector is nothing without data. The need for customer data is minimal when one shops physically. When the same shopping goes online without the need for physical presence, things literally go for a spin, with heaps of data related to the customer being needed.
Each and every step in the eCommerce shopping process needs data. Some of the steps are marketing, sales, accounting, shipping, and delivery.
- Authentic office address - an address that can be geographically located, not a virtual one.
- Types of data collected - email, phone number, and other personal data.
- The purpose of data collection - email marketing, tracking, etc.
- Data storage methods - how long you retain the customer information and how.
- User rights of data - methods to access and request to delete data.
The ASOS privacy policy, for example, is divided into these sections:
- How we use your information
- Sharing your information
- Seeing adverts for ASOS.com online
- Your information and countries outside Europe
- Keeping your information
- Changes to how we Protect Your Privacy
- How to contact us
The writing on the page is in a simple and clear fashion as directed by the GDPR. Considering the fact that ASOS is a Shopify store, these sections can act as a Shopify GDPR eCommerce checklist.
This is a comprehensive eCommerce GDPR compliance checklist that can be put to use for both WooCommerce and Shopify stores.
The first step to take when planning to abide by the GDPR is to create an eCommerce GDPR template for subscription forms and emails with an added checkbox.
Checkboxes are added to fulfill two requirements:
- To make the person agree to the terms and conditions
- To get consent for marketing campaigns
GDPR eCommerce consent for an eCommerce store can be created in the following format with the help of the Shopify platform.
This Shopify account creation form shows a checkbox to confirm subscription.
Shopify also allows you to add the same checkbox on the checkout page.
Please note that the checkbox is unticked. This is mandatory. Online store owners used to place pre-ticked checkboxes in forms and emails. As per the new regulations, this is prohibited, and the person must tick the box themselves to confirm consent.
Here is another sample form with checkboxes to confirm both subscription and marketing consent.
The usage of double opt-in for confirming an email subscription is essential to make sure that the consent given by the customer to process the data is “unambiguous and freely given” as directed by the GDPR.
By doing this, the possibility of the consent for subscription being ambiguous can be ruled out completely. To be clearer, it is a double confirmation from the subscriber's side that you, as an email marketer, may send marketing-related newsletters and content.
Here is an example of a double opt-in email from the Puma online store that meets eCommerce GDPR compliance.
Perks of a double opt-in:
- A confirmed list of subscribers who are genuinely interested in being associated with your eCommerce store.
- Decreased spam and bounce rates.
- Increased click-through and open rates.
If you have already been using GDPR-compliant terms and policies to document and store information about subscriber consent, then there is little more for you to do. Otherwise, you will have to get down to work immediately.
It is obvious that the new methods will be applied to the new subscribers but have you thought about your existing customer base? They cannot be ignored and must become GDPR compliant too.
For this, revamp your existing email list by doing the following:
- Send a re-subscription email to the old customer base, especially to all inactive email IDs
- Make sure to document the consent at any cost
- Remove from the list the subscribers who have not made an effort to re-subscribe
- Revamp the email list and merge the new subscribers into it

This is a sample email to confirm subscription by Crabtree & Evelyn, London.
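The checkbox, double opt-in and list revamp steps above describe one workflow: nothing is treated as consent unless the person explicitly asked for it and then confirmed from their own mailbox, every consent event is documented, and contacts who never confirm are dropped. The following is an added example of that workflow in Python; it is not code from the original article or from Shopify, and the class, method names and the 30-day purge window are assumptions chosen for illustration.

```python
"""Double opt-in consent ledger with re-subscription cleanup (added example)."""
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Subscriber:
    email: str
    status: str                        # "pending" until the mailbox owner confirms
    token: Optional[str]               # single-use secret sent in the confirmation link
    marketing_consent: bool            # came from an unticked-by-default checkbox
    requested_at: datetime
    consent_source: str                # which form or campaign produced the request
    confirmed_at: Optional[datetime] = None


class ConsentLedger:
    """Tracks subscription requests, confirmations and the evidence of consent."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # Injectable clock so the purge logic can be tested deterministically.
        self._now = clock or (lambda: datetime.now(timezone.utc))
        self.subscribers: Dict[str, Subscriber] = {}
        self.audit: List[dict] = []    # append-only record of every consent event

    def _create_pending(self, email: str, marketing: bool, source: str) -> str:
        token = secrets.token_urlsafe(32)
        sub = Subscriber(email=email.lower(), status="pending", token=token,
                         marketing_consent=marketing, requested_at=self._now(),
                         consent_source=source)
        self.subscribers[sub.email] = sub
        self._log("requested", sub)
        return token

    def request_subscription(self, email: str, terms_accepted, marketing_consent, source: str) -> str:
        # Step 1 of the double opt-in. Both checkboxes are unticked by default, so
        # only an explicit True counts; None, False or a missing value is not consent.
        if terms_accepted is not True:
            raise ValueError("terms and conditions must be explicitly accepted")
        return self._create_pending(email, marketing_consent is True, source)

    def start_resubscription(self, legacy_emails: List[str], source: str) -> Dict[str, str]:
        # Legacy contacts without documented consent are re-created as pending
        # requests; they only reach the mailing list if they click the link.
        return {e.lower(): self._create_pending(e, True, source) for e in legacy_emails}

    def confirm(self, token: str) -> Optional[str]:
        # Step 2: only the holder of the mailbox has the token, so a valid click
        # is the "unambiguous and freely given" confirmation. Returns the email
        # confirmed, or None for an unknown or already-used token.
        for sub in self.subscribers.values():
            if sub.token is not None and secrets.compare_digest(sub.token, token):
                sub.status = "confirmed"
                sub.confirmed_at = self._now()
                sub.token = None       # single use
                self._log("confirmed", sub)
                return sub.email
        return None

    def purge_unconfirmed(self, older_than: timedelta) -> List[str]:
        # Contacts that never confirmed are removed rather than kept "just in case".
        cutoff = self._now() - older_than
        stale = [e for e, s in self.subscribers.items()
                 if s.status == "pending" and s.requested_at < cutoff]
        for e in stale:
            self._log("purged_unconfirmed", self.subscribers.pop(e))
        return stale

    def mailing_list(self) -> List[str]:
        # Only confirmed contacts who ticked the marketing box may receive campaigns.
        return sorted(e for e, s in self.subscribers.items()
                      if s.status == "confirmed" and s.marketing_consent)

    def _log(self, event: str, sub: Subscriber) -> None:
        rec = asdict(sub)
        rec.pop("token", None)         # the secret never goes into the evidence trail
        for k in ("requested_at", "confirmed_at"):
            rec[k] = rec[k].isoformat() if rec[k] else None
        rec["event"], rec["at"] = event, self._now().isoformat()
        self.audit.append(rec)


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.request_subscription("jane@example.com", True, True, "signup-form")
    print("pending list:", ledger.mailing_list())          # []
    ledger.confirm(tok)
    print("after confirmation:", ledger.mailing_list())    # ['jane@example.com']
```

The audit trail is what you would produce if asked to show how and when consent was obtained; note that it stores the form or campaign that produced each request and deliberately omits the confirmation token.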
The GDPR applies to children too, and the related article is given below.
Article 8 of the GDPR states:
“the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.”
Only children who are 16 and above are allowed to share their personal data on eCommerce domains, and if the child is found to be younger, consent must be sought from the parents or guardian.
The same article also allows member states of the EU to lower the age bar to 13, and only Britain has done so to date.
Such a rule is mandatory for eCommerce stores that sell liquor, cigarettes, and similar products.
Jack Daniel's has done this right by sending out emails just to verify the age.
The ‘batch and blast’ method of sending out emails is not going to work out anymore when you follow the GDPR rules.
This is because you cannot simply barge into people's inboxes with email after email without their consent. A big supermarket chain in the UK, Morrisons, was fined 10,500 euros for doing this.
Morrisons had a database of 230,000 members and sent out emails regarding one of its loyalty programs to the whole lot. The result was a fine imposed by the Information Commissioner's Office (ICO). It turned out that 131,000 members of the database had already unsubscribed from marketing emails.
This fine was imposed as per the GDPR rule that fines can go up to 20 million euros or 4% of global turnover in case of any non-compliance.
A simple database update could have avoided the issue. So, your existing email list must be thoroughly checked prior to sending a marketing message.
As per the GDPR regulations, the customer is given complete control over their data. The following are the rights of the customer:
- Right to access data
- Right to make corrections to the data
- Right to delete data, called the 'Right to be forgotten' by the GDPR
You, as an eCommerce site owner, are liable to present the data to its owner at any point in time upon request. The customer must also be able to edit the data when necessary.
The most important factor is the 'Right to be forgotten' as mentioned in Article 17. According to this, the data that the site owner holds must be deleted without a trace from the database when the customer wants it to be done. All GDPR eCommerce Shopify and GDPR eCommerce WordPress sites comply with these rules and put the customer first.
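The three rights above translate into three request handlers a store backend needs: gather everything held about one person (access), change a field wherever it is held (rectification), and delete every record, then prove nothing is left (erasure). The following is an added example in Python that is not part of the original article and not code from Shopify or WooCommerce; the in-memory tables, the sample customers and the `traces()` verification helper are all constructed here for illustration, and a real store would run the same logic against its database and any third-party apps holding copies.

```python
"""Data-subject request handlers: access, rectification, erasure (added example)."""
import json
from copy import deepcopy
from typing import Dict, List, Optional

# Constructed sample data: the kind of tables an eCommerce store keeps, all
# linked to a customer by customer_id (the newsletter table also copies the email).
SAMPLE_DB = {
    "customers": [{"customer_id": 1, "email": "jane@example.com", "name": "Jane Doe"},
                  {"customer_id": 2, "email": "raj@example.com", "name": "Raj Patel"}],
    "addresses": [{"customer_id": 1, "line1": "1 High St", "city": "Leeds"}],
    "orders": [{"order_id": 501, "customer_id": 1, "total": 42.0},
               {"order_id": 502, "customer_id": 2, "total": 9.5}],
    "newsletter": [{"customer_id": 1, "email": "jane@example.com", "consented": True}],
}


class DataSubjectRequests:
    """Serves access, rectification and erasure requests against a dict-of-tables DB."""

    def __init__(self, db: Dict[str, List[dict]]):
        self.db = deepcopy(db)    # work on a copy so the sample stays reusable

    def _customer_id(self, email: str) -> Optional[int]:
        for row in self.db["customers"]:
            if row["email"].lower() == email.lower():
                return row["customer_id"]
        return None

    def export(self, email: str) -> Optional[dict]:
        # Right to access: every record in every table that belongs to the person.
        cid = self._customer_id(email)
        if cid is None:
            return None
        return {table: [r for r in rows if r.get("customer_id") == cid]
                for table, rows in self.db.items()}

    def export_json(self, email: str) -> Optional[str]:
        # Machine-readable copy handed to the customer.
        data = self.export(email)
        return None if data is None else json.dumps(data, indent=2, sort_keys=True)

    def rectify(self, email: str, field: str, new_value) -> int:
        # Right to correction: update the field in every table that carries it,
        # so a changed email does not linger in the newsletter copy. Returns rows changed.
        cid = self._customer_id(email)
        if cid is None:
            return 0
        changed = 0
        for rows in self.db.values():
            for row in rows:
                if row.get("customer_id") == cid and field in row:
                    row[field] = new_value
                    changed += 1
        return changed

    def erase(self, email: str) -> int:
        # Right to be forgotten: drop every row tied to the customer. Returns rows removed.
        cid = self._customer_id(email)
        if cid is None:
            return 0
        removed = 0
        for table, rows in self.db.items():
            kept = [r for r in rows if r.get("customer_id") != cid]
            removed += len(rows) - len(kept)
            self.db[table] = kept
        return removed

    def traces(self, email: str, customer_id: int) -> List[str]:
        # Verification after erasure: names every table still holding the id or the
        # email in any string column. An empty list means "without a trace".
        needle = email.lower()
        hits = []
        for table, rows in self.db.items():
            for row in rows:
                if row.get("customer_id") == customer_id or any(
                        isinstance(v, str) and v.lower() == needle for v in row.values()):
                    hits.append(table)
                    break
        return hits


if __name__ == "__main__":
    h = DataSubjectRequests(SAMPLE_DB)
    print(h.export_json("jane@example.com"))
    print("rows removed:", h.erase("jane@example.com"))
    print("tables still referencing Jane:", h.traces("jane@example.com", 1))
```

Running `traces()` after `erase()` is the check worth keeping: it is how you answer a customer, or a regulator, who asks whether the deletion really covered every table rather than only the customer profile.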
Communicating about a breach of personal data is as important as storing and securing it. Misuse of data that is personal to the customer base is a serious issue and punishable if the needed measures are not taken at the right time.
Articles 33 and 34 of the GDPR clearly state the steps to be taken in case of any data misuse.
There are two steps involved, namely communicating about the data breach to:
- The supervisory authority
- The data subject/customer
As per the rules, the communication must be initiated within 72 hours after the incident happens.
Following this, the customer has the authority to decide whether to continue using the services of the eCommerce store or not.
To run an eCommerce business successfully, you are not the only person involved in it. Partnering with platforms like Shopify and WooCommerce is essential, and it does not stop there.
Applications from third parties are also used to make marketing successful, and an Email Service Provider plays a crucial role too. In this case, do you think it would suffice if you alone followed the rules?
Priority must be given to making sure that the people you partner with also comply with the GDPR in eCommerce.
Following this checklist brings several benefits:
- Gives a head start to your GDPR compliance journey.
- Gives you a database of a thoroughly filtered, loyal audience genuinely interested in buying from you.
- The whole process of data collection, usage, and storage eventually gets better, leading to lower maintenance costs.
- The complete workflow of your store becomes transparent, which gives an uplift to your online eCommerce store/brand through improved customer confidence.
This checklist is not a piece of legal advice but a suggestion on how to apply the digital data privacy rules to your eCommerce store.
Get armed with the essential eCommerce ingredients to make your site GDPR compliant.