The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018.
GDPR does not apply only to European companies. The regulation applies to every company that could potentially process EU nationals’ data, which means that every company in the world, regardless of its location, is subject to GDPR.
GDPR grants people more extensive control over their personal data. Specifically, the new law gives people the right to access, correct, delete, and restrict the processing of consumer data, and it also sets strict guidelines for user consent.
If you collect or store any information that can be linked to an individual, that counts as personal data. You can read the full text of the GDPR to learn more.
Some businesses may need more preparation than others to comply with the GDPR. This guide provides a general overview of GDPR compliance and outlines the most common requirements.
How to prepare for GDPR
According to GDPR, merchants must comply with the regulation if they are based in the EU or sell to EU customers. Your online store collects and processes personal data in a compliant manner. However, it is your responsibility to comply with GDPR requirements when you collect and process personal data from your EU customers.
Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person. This includes a name, a photo, an email address, an IP address, bank details, posts on social networking websites, medical information, A/B test data, and even the random codes assigned to users for gathering analytics. The following practices are recommended.
Create legal pages
1. In your Online Store dashboard, navigate to Settings and click Legal. In this area, familiarize yourself with the legal requirements that apply to your store and read the Legal compliance checklist.
2. Scroll down to the Your Policies section. You will see a list of legal pages and policies that you can populate with your own pages.
3. Work out which legal pages your store requires, then create them. Click the Add Page button next to each page type; a page editor opens in which you can enter your legal content, such as Terms & Conditions, Return Policies, and more.
4. Once you are done writing the page content, click Save. The page(s) you have created are automatically added to your Online Store.
Get clear consent before collecting any data
To enable the consent request, do the following:
1. In your Online Store dashboard, go to Settings > Legal.
2. Scroll down to the Customers' Consent area and toggle all the necessary switches to green.
3. Edit the message that your customers will see when you ask at checkout for their consent to receive marketing emails. Click the Edit button to customize the following settings:
- Whether the request for customers' permission to receive marketing emails is turned on
- The text label that clearly requests customers' permission to send them marketing emails
- Pre-select the sign-up option (optional): this sets the marketing email opt-in to ON by default; note that by doing so you may not comply with your local privacy legislation.
Inform customers what fields are optional or required
Your online store clearly shows which fields are required and which are optional to fill out.
Make sure that you are using the Next-gen Checkout in your store, where this EU requirement is met. You can enable the Next-gen storefront in Settings.
Get clear consent for tracking store visitors via cookies
You should ask your store visitors for consent before tracking their actions in your storefront via cookies. Your online store allows merchants from the EU to add a special banner to collect this consent. You can enable it in your store in these easy steps:
- Go to Settings > Legal. Scroll down to the Customers' Consent area.
- Enable the GDPR cookie consent banner.
Once enabled, the cookie consent banner will appear on the storefront with the option to accept or decline.
The cookie consent banner works in the Next-gen storefront only. Make sure that all Next-gen options are enabled in your Settings.
Provide customers with the right to access their data
To meet this requirement, you must provide your customers with a copy of their personal data in an easily readable and portable format. You can access customers' personal data in your dashboard under Settings > Legal.
1. Scroll down to Tools for managing customers' personal data section.
2. If a customer asks to receive a copy of their personal data, you can email them a copy. Click Get Customer Data and enter the customer's email address.
If you want to delete the customer's data following their request, you can do this by clicking the Delete Customer's Data link. Enter the email address of the customer and their personal data will be deleted.
You will receive a confirmation once the data has been deleted.
You should also take into consideration any third-party services you use that may have access to your customers’ personal data. You can learn how to opt-out of non-essential data collection here.
Data breach notifications
Your online store acts as a Data Processor, while our merchants (you) act as Data Controllers. If your website experiences a data breach of any kind, you might be required to notify the affected customers. Under the GDPR, a notification must be sent within 72 hours of the time you become aware of the breach. Data processors are also required to notify the Data Controllers, as well as users, immediately after becoming aware of a data breach.