*This post is for educational purposes only. It provides general information and a general understanding of the law, not specific legal advice. Our blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your country or state.
GDPR affects every element of your business
Affecting all databases, marketing, sales, HR and accounting, the administrative implications of the GDPR are huge, so as a merchant you need to take a holistic approach to compliance. The onus is on you, as the Data Controller, to ensure that every third party processing customer data on your behalf is compliant and is bound by a written data processing agreement. Third parties can include mail delivery systems, loyalty schemes, even accounting software.
As an account manager in the Ongoing Success department, I have been helping our retainer clients work towards becoming front-end compliant. The purpose of this blog is to get you thinking about the kind of questions you need to be asking about a) how data is collected on your site, and b) how you communicate to customers what you’re doing with their data.
How are we asking for data?
The biggest front-end changes for most of our merchants have been to address the tightened rules around explicit consent for data collection. The new rights of the Data Subject (any identified or identifiable person whose personal data you hold) mean the elimination of:
Blanket or bundled consent.
Consent by default.
Consent as a condition of sale, service, or general Ts & Cs.
Pre-ticked checkboxes, complex legalese and confusing double negatives will be a thing of the past. The individual must give a specific statement of consent via a “clear affirmative action”, and it must be as easy to withdraw that consent as it was to give it.
Language that is “concise, transparent, intelligible” should let the Data Subject know what they are consenting to, and who they are giving consent to (including any third parties). This means the copy and behaviour of every marketing tick-box needs to be examined and amended, including obtaining a separate consent for each distinct purpose (for example, email marketing separately from SMS). Bear in mind that consent is only one lawful basis: data you need to fulfil the order itself (delivery address, payment details) is processed on the basis of the contract, and you should not ask for consent you do not need. A great example from Sainsbury's below:
Can customers delete themselves from our databases?
Another key GDPR change is the Right to Erasure, or ‘the right to be forgotten’. It requires that individuals can easily withdraw their consent for data processing, and have the data erased, when there is “no overriding legitimate interest” for the Data Controller to hold it. It also gives the individual the right to erasure when processing is no longer necessary in relation to the purpose for which the data was originally collected.
Shopify only allows the full deletion of customers with no transaction history. However, a record of a transaction would arguably count as an overriding legitimate ground for retaining that data (you are typically under a legal obligation to keep accounting records, for instance), and the GDPR exempts such data from erasure. So your primary concern should be how to delete customers who have accounts but no transaction history; check Shopify's current documentation for the deletion and redaction tooling available to you.
Shopify has made it clear that the onus will be on the merchant to put in place an erasure process, so make sure this is addressed on your website, outlining clearly to the customer what their rights are, dependent on whether or not they have placed an order on the store. Merchants with complex loyalty or membership schemes that store data in custom fields or third-party apps, or those who push customer information into an email service provider (ESP), need a defined process for a GDPR-compliant deletion that reaches every copy of the data, not just the Shopify customer record.
What are we doing with our cookies?
The Data Subject’s right to consent also applies to cookies. The unique pseudonymous identifiers that cookies and similar trackers carry mean they qualify as personal data, so to be compliant, websites must gain individual consent via a clear affirmative action before setting any non-essential cookie. A banner that says “by continuing to browse you accept cookies” is not a clear affirmative action.
The ICO’s Cookie Guidance (extract below) does distinguish strictly necessary cookies (for example those that keep track of ‘Add to Cart’), which do not require consent, from those used to track users for social, marketing or sales purposes (Facebook or Rakuten tracking pixels), which do.
Even so, it is best practice to offer customers the option to remove all cookies, necessary ones included. This can, of course, be done with a warning that it may affect how the site works.
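The two sections above (explicit, unbundled consent, and gating non-essential cookies behind it) translate into one piece of front-end logic. The following is an added example, not code from the original post, from Shopify or from the ICO: a small consent gate in which every optional category starts off, only an explicit choice turns a category on, trackers load only for granted categories, and withdrawing consent yields the cookie names to expire. The tracker registry, category names, cookie names and the `.example-shop.test` domain are all constructed for the example.

```javascript
// Consent categories a shopper can opt in to. "necessary" is not a choice:
// cart and session cookies run without consent.
const CATEGORIES = ["analytics", "marketing"];

// Constructed registry: which trackers exist, which category they fall
// under, and which cookies they set (names are illustrative only).
const TRACKERS = [
  { name: "cart",      category: "necessary", cookies: ["cart", "cart_sig"] },
  { name: "session",   category: "necessary", cookies: ["_session_id"] },
  { name: "analytics", category: "analytics", cookies: ["_ga", "_gid"] },
  { name: "fb-pixel",  category: "marketing", cookies: ["_fbp"] },
  { name: "affiliate", category: "marketing", cookies: ["rmStore"] },
];

// No consent by default: every optional category is off until recorded.
function defaultConsent() {
  return { analytics: false, marketing: false, recordedAt: null };
}

// Record a decision made by a clear affirmative action (the shopper ticked
// boxes that were unticked by default and clicked "Save choices").
// Only a strict `true` grants a category; a missing key, or a truthy form
// value such as the string "on", is treated as "not granted".
function recordConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (choices[cat] === true) consent[cat] = true;
  }
  consent.recordedAt = now;
  return consent;
}

// The trackers that may be injected into the page under this consent record.
function trackersToLoad(consent) {
  return TRACKERS
    .filter(t => t.category === "necessary" || consent[t.category] === true)
    .map(t => t.name);
}

// Withdraw one category, or every optional category with "all".
// Returns the updated consent plus the cookies that must now be expired,
// because withdrawal has to be as easy and as effective as giving consent.
function withdrawConsent(consent, category) {
  const cats = category === "all" ? CATEGORIES : [category];
  const next = { ...consent };
  for (const cat of cats) {
    if (!CATEGORIES.includes(cat)) throw new Error("unknown category: " + cat);
    next[cat] = false;
  }
  const purge = TRACKERS
    .filter(t => cats.includes(t.category))
    .flatMap(t => t.cookies);
  return { consent: next, purge };
}

// Cookie strings that expire the purged cookies. In a browser each of these
// is assigned to document.cookie; repeat per path/domain the tracker used,
// since a cookie is only cleared when those attributes match.
function expireCookieStrings(names, domain = ".example-shop.test") {
  return names.map(n =>
    `${n}=; Max-Age=0; Path=/; Domain=${domain}; Secure; SameSite=Lax`);
}

// Walk-through with constructed choices.
const fresh = defaultConsent();
console.log("first visit loads:", trackersToLoad(fresh));
const granted = recordConsent({ analytics: true, marketing: "on" });
console.log("after saving choices:", trackersToLoad(granted));
const withdrawn = withdrawConsent(granted, "all");
console.log("expire on withdrawal:", expireCookieStrings(withdrawn.purge));
```

Note that the gate only helps if the tracker scripts are actually absent from the page until `trackersToLoad` says otherwise; a Facebook pixel that is already in the theme's `<head>` has set its cookie before the banner renders.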
Are all our policies clear and obvious?
The Data Subject’s Right to be Informed means that your privacy, cookie and Ts & Cs pages need to be thorough and well referenced across the site, as well as using “concise, transparent, intelligible” language. The ICO recommends a few approaches, but the most popular will probably be an unobtrusive layered approach (short, informative notices containing the key privacy information, with additional layers of more detailed information):
Or a just in time model (“relevant and focused privacy information delivered at the time individual pieces of information about people are collected”):
In all cases, to be compliant it’s imperative that the customer has easy access to a breakdown of exactly what personal data will be collected and how it will be used.
What do we need to do right now?
The first step is to sit down with your own lawyer and your Data Protection Officer (if you are required to appoint one) to audit your site. Make a list of every instance where data is collected or referenced. If you are asking customers to consent to data collection, record why and how you are asking for it, and what happens to the data afterwards. If you are using non-essential cookies, record what their end use is and which third party receives the data. When asking for consent, ensure it is written in a clear and intelligible way. Work through the list looking at how each instance can be made compliant, in line with the back-end process changes being made.