May 25, 2018: entry into force of the GDPR (1), which requires ecommerce sites to comply with its rules for the management and protection of the personal data of EU residents.
Here is a functional and technical look at how the Magento, Prestashop and WooCommerce ecommerce solutions address the GDPR.
Key points of the GDPR for ecommerce
Accepting the little cookie notification is not sufficient! You must integrate the features below if your ecommerce site holds personal data of a European resident. This also applies if your ecommerce platform is hosted outside the EU.
In case of non-compliance with the regulation, you risk a fine of up to 4% of your turnover!
- Who you are and how you comply with the GDPR
- What data do you keep? Examples of personal data: first name, last name, addresses, email, telephone numbers, age, sex, date of birth, orders, comments. But also: IP address, cookies, device type, tracking data, visit durations, segmentations, etc.
- How the data is processed and for which purposes (marketing, accounting, sales reports, UX, etc.)
- Who has access to the personal data (you, SalesForce, Google, Facebook, MailChimp, etc.)
- Where the data is located (in Europe or outside Europe) and which third-party services hold it
- How long the data is kept
Users: More control over their private data
- Right to erasure: provide a feature for viewing and deleting the personal data concerning the user (download and/or deletion of the account and its data). You have one month to respond to such a request.
- Right to portability of personal data: provide a feature for the user to receive their personal data (in a structured, commonly used and human-readable format). Several EDI data exchange formats could be used, cf. EDIFACT.
- Profiling: provide a feature to adjust profiling (management of marketing preferences, cookies, segmentation). Everyone has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
The right to rectification is natively available in the customer area of ecommerce solutions; it is, however, necessary to mention it in your Terms.
- Information: explain how you process the data. Put in place full internal documentation of where the data is located and check whether the third-party services you use are GDPR compliant. Be transparent!
- Opt-ins: disable them all! Never pre-check boxes by default.
- Security: implement data protection from the outset (security by default), including the anonymization of data in the database (encryption of all personal data).
- Data breach notifications: in the event of a serious data breach, you are required to notify your national data protection authority (the CNIL in France, for example) as soon as possible and within 72 hours.
- Privacy by design / by default: depending on your activity, you cannot request personal information that is not related to your business. Stay within the legal minimum (e.g. a florist site may ask for a date of birth, but a shoe seller may not).
- Appoint a Data Protection Officer (DPO) if your ecommerce site carries out systematic and repeated processing of data (large sites).
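As an added example (not from the original post, nor from any of the platforms discussed), here is a minimal Python implementation of the erasure and portability features listed above, run on a constructed customer record; the field names and the choice to keep the order ledger under a random pseudonym for accounting are my assumptions.

```python
import json
import secrets
from copy import deepcopy

# Constructed sample customer record (not real data); the field names follow the
# personal-data categories listed above: name, address, email, phone, date of
# birth, orders, IP address, plus the marketing opt-in state.
CUSTOMER = {
    "customer_id": 1042,
    "first_name": "Alice",
    "last_name": "Martin",
    "email": "alice@example.com",
    "phone": "+33 6 00 00 00 00",
    "address": "1 rue Exemple, 75001 Paris",
    "date_of_birth": "1990-04-12",
    "marketing_opt_in": True,
    "orders": [{"order_id": 7001, "total": 59.90, "date": "2018-03-02"}],
    "ip_addresses": ["203.0.113.7"],
}

# Fields that identify the person directly. The order ledger is retained for the
# accounting purpose named above, but detached from any identity (assumption).
IDENTIFYING_FIELDS = ("first_name", "last_name", "email", "phone",
                      "address", "date_of_birth", "ip_addresses")


def export_personal_data(customer):
    """Right to portability: everything held on the person, as JSON (a
    structured, commonly used format), key-sorted so exports are reproducible."""
    return json.dumps(customer, indent=2, sort_keys=True)


def erase_customer(customer, pseudonym=None):
    """Right to erasure: drop every identifying field and keep the order ledger
    under a random pseudonym (secrets.token_hex) that cannot be linked back to
    the person. The original record is not modified."""
    erased = deepcopy(customer)
    for field in IDENTIFYING_FIELDS:
        erased.pop(field, None)
    erased["pseudonym"] = pseudonym or secrets.token_hex(8)
    erased["marketing_opt_in"] = False  # no consent survives erasure
    erased["erased"] = True
    return erased


def contains_personal_data(record):
    """Check a stored record for any identifying field: use it to verify an
    erasure really removed everything before confirming it to the user."""
    return any(field in record for field in IDENTIFYING_FIELDS)
```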
You cannot:
- Send unsolicited emails to anyone. Forget purchased lists or lists merged from different companies.
- Send automatic abandoned-basket emails offering discounts, unless the customer has opted in to receive commercial discounts by email.
GDPR ecommerce Magento
Magento 1 and Magento 2 are not ready for GDPR compliance. The vendor communicates about data protection in general terms but does not provide a roadmap for a native implementation. This is quite surprising considering that it is the leader with its open source ecommerce solution. Here is an excerpt of Magento's communication on the technology aspect, which is rather confusing:
Magento’s products have strong architecture and security features built into their cores, so no major modifications are necessary to enable merchant compliance.
We are working closely with legal and engineering experts to assess our products to better assist customers to identify what personal data is being stored and where that data resides in an effort to help customers comply with GDPR-related transparency or data removal requests.
Our security team is also conducting detailed security audits across all Magento products.
On the Magento Marketplace side, some extensions for M1 and M2 are available to fill in the missing native features. Identified features:
- Account deletion (no data download feature found)
To be continued.
GDPR ecommerce Prestashop
The publisher seems late in delivering a technical response, whether native or through modules. In April 2018, there was still no native implementation of the GDPR for the Prestashop ecommerce solution! The features are announced for May, as paid modules for Prestashop 1.6 and for free for version 1.7. These new features will allow users of the PrestaShop solution to:
- Facilitate obtaining customer consent by letting you choose where to add consent checkbox(es) on the collection forms where you want them to appear;
- Facilitate the handling of requests concerning your customers' rights, in particular their right to erasure; and
- Provide proof of the effective exercise of the right of access and of the management of your customers' consent to receive your email marketing (newsletter): a log will list all of their actions on these points.
On the customer side, the module will allow customers to manage, directly from their account, access to their personal data and its portability.
A general white paper on the GDPR is available for download, after giving some personal information …
Some third-party modules exist, but the advice is to wait for the publisher's solution, to be released between May 10 and 20, 2018.
GDPR ecommerce WooCommerce (WordPress)
WooCommerce is the ecommerce building block of WordPress. Remember that WordPress powers 30% of websites! WooCommerce provides some recommendations but no native implementation. As a reminder, here are the features through which a standard WordPress site can collect user data:
- user registrations
- contact form entries (plugins)
- traffic logs and analytics solutions
- all other logging tools and plugins
- security tools and plugins.
The plugin currently incorporating the most GDPR features is WP-GDPR (covers WordPress and the Gravity Forms, Contact Form DB7 and WooCommerce plugins).
- (1) GDPR: the General Data Protection Regulation is the European reference text for the protection of personal data. It strengthens and unifies data protection for individuals in the European Union. To find out more about the GDPR, consult the Regulation in the Official Journal of the European Union.
- Fingerprint icon made by Alexander Simone and added to the European flag by myself.