With just over seven days until the GDPR comes into force, remember that as of May 25, 2018 every webstore that handles the personal data of people in the EU must comply with it. Is your Shopify store ready?
Before reading on, keep in mind that although E Trend Talk is a well-known blog, we are not lawyers. This post is not legal advice and is for informational and/or educational purposes only.
If you have not already done so, we recommend that you seek legal advice on your GDPR compliance. Only qualified legal professionals can give you reliable advice.
The GDPR affects many areas of the business
The administrative implications of the GDPR are enormous. They touch every database, as well as marketing, sales, human resources and accounting. As a merchant you need to take a holistic approach to compliance, because in the end the responsibility falls on you to ensure that every third party processing your customers' data meets the requirements. By third parties we mean email delivery services, loyalty programs and even accounting software.
The aim of this post is to get you to reflect on the kind of questions you should be asking: how data is collected in your Shopify store, and how customers are being informed about what is done with their data.
How are we asking for the data?
Most of our clients have had to address the stricter rules around explicit consent for data collection. You cannot:
- Save data without asking for consent.
- Save customer data by default.
- Treat a general acceptance of your store's terms as consent.
Pre-ticked checkboxes, dense legal jargon and confusing double negatives are a thing of the past. The user must give a specific declaration of consent through a "clear affirmative action".
Can customers be removed from our databases?
Another key change in the GDPR is the right to erasure, or the right to "be forgotten". People must be able to withdraw their consent to data processing easily, and have their data erased, unless the Data Controller has overriding legitimate grounds to keep it. It also establishes that the individual has the right to have their data erased when the processing is no longer necessary for the purpose for which it was originally collected.
Shopify only allows complete deletion of customers who have no order history. A record of a transaction can, however, be treated as a legitimate ground for retaining that data (for example, a legal obligation to keep accounting records). So your main concern should be how to delete customers who have an account but no order history.
Shopify has made it clear that the burden of implementing a deletion process falls on the merchant. Make sure you do it correctly: if the customer has no orders, delete the data and confirm it to them; if they have placed orders with you, tell them that you cannot delete the record because you must keep their information, and that you will not share it or use it for marketing purposes.
If your Shopify store has complex loyalty plans, shopping clubs or other membership systems that store data in custom fields or third-party applications, or that send customer information to an ESP, each of those needs a defined disposal process that meets the GDPR too.
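The erasure process described above, written out as code, is an added example and not Shopify's API or the blog's own code. It models the constraint that a customer with order history cannot be deleted from the platform: such a request is declined with a recorded reason to send to the customer, and the record is merely suppressed from marketing use at every processor that supports it; a customer without orders is erased from every downstream processor first and from the store last, so a failing processor never leaves orphaned copies behind. The store and the processors (an ESP and a loyalty app) are injected, and the in-memory versions here are constructed sample data.

```javascript
// Added example: erasure-request handler mirroring the "no deletion with
// order history" rule. Store and processor clients are injected; the
// in-memory implementations below are constructed, not Shopify's API.

function handleErasureRequest(customerId, store, processors) {
  const customer = store.getCustomer(customerId);
  if (!customer) {
    return { customerId, outcome: 'not_found', actions: [] };
  }
  const actions = [];

  if (customer.ordersCount > 0) {
    // Platform rule: the account cannot be deleted. Record why, and stop
    // marketing use wherever a processor offers a suppression list.
    for (const p of processors) {
      if (p.supportsSuppression) {
        p.suppress(customer.email);
        actions.push(`${p.name}: suppressed`);
      }
    }
    return {
      customerId,
      outcome: 'retained',
      reason: `customer has ${customer.ordersCount} order(s); record kept for transaction history, marketing use stopped`,
      actions,
    };
  }

  // Erase downstream first; abort if any processor does not confirm, so
  // the customer is never told "deleted" while a copy still exists.
  for (const p of processors) {
    const ok = p.erase(customer.email);
    actions.push(`${p.name}: ${ok ? 'erased' : 'FAILED'}`);
    if (!ok) {
      return { customerId, outcome: 'failed', reason: `${p.name} did not confirm erasure`, actions };
    }
  }
  store.deleteCustomer(customerId);
  actions.push('store: deleted');
  return { customerId, outcome: 'erased', actions };
}

// Constructed sample store: two customers, one with orders and one without.
function sampleStore() {
  const customers = new Map([
    [101, { email: 'ana@example.com', ordersCount: 0 }],
    [102, { email: 'ben@example.com', ordersCount: 3 }],
  ]);
  return {
    getCustomer: (id) => customers.get(id) || null,
    deleteCustomer: (id) => customers.delete(id),
    has: (id) => customers.has(id),
  };
}

// Constructed sample processor (an ESP or loyalty app) keyed by email.
function sampleProcessor(name, emails, supportsSuppression) {
  const held = new Set(emails);
  const suppressed = new Set();
  return {
    name,
    supportsSuppression,
    erase(email) { held.delete(email); return true; },
    suppress(email) { suppressed.add(email); held.delete(email); },
    holds: (email) => held.has(email),
    isSuppressed: (email) => suppressed.has(email),
  };
}
```

The returned object is what you would log for your processing records and use to word the reply to the customer; the `reason` on a retained record is the explanation the text above says you owe them.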
What are we doing with our cookies?
The data subject's right to consent also applies to cookies. Because the unique pseudonymous identifiers stored in cookies qualify as personal data, a compliant website must obtain individual consent through a clear affirmative action before setting non-essential cookies.
Beyond that, it is good practice to offer customers the option to delete all cookies, with a warning that doing so can affect how the site works.
We recommend using Cookie Pop-Up, which lets visitors opt out of marketing cookies and other cookie categories.
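To make the consent rules above concrete, here is an added example of a consent-gated cookie helper for a storefront; it is not code from the blog or from the Cookie Pop-Up app. Every non-essential category starts as denied (the code equivalent of an unticked box), a cookie in such a category is only written after an explicit grant, and withdrawing consent expires every cookie in that category. The cookie jar is injected so the same logic runs in a browser against `document.cookie` and offline against the in-memory jar included here. The cookie names and category assignments are assumptions for illustration.

```javascript
// Added example: consent-gated cookie writer with default-deny categories.
// Cookie names and categories below are assumed for illustration.

const COOKIE_CATEGORIES = {
  essential: ['cart', 'secure_customer_sig'], // set without consent
  analytics: ['_ga', '_gid'],
  marketing: ['_fbp', 'affiliate_ref'],
};

function createConsentManager(jar) {
  // Default-deny: nothing but essential cookies until the visitor acts.
  const consent = { analytics: false, marketing: false };

  function categoryOf(name) {
    for (const [cat, names] of Object.entries(COOKIE_CATEGORIES)) {
      if (names.includes(name)) return cat;
    }
    return null; // unknown cookie: never allowed, even after consent
  }

  function canSet(name) {
    const cat = categoryOf(name);
    if (cat === 'essential') return true;
    return cat !== null && consent[cat] === true;
  }

  function setCookie(name, value, maxAgeSeconds) {
    if (!canSet(name)) return false;
    jar.write(`${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`);
    return true;
  }

  function deleteCategory(cat) {
    // A cookie re-set with Max-Age=0 is removed by the browser.
    for (const name of COOKIE_CATEGORIES[cat]) {
      jar.write(`${name}=; Max-Age=0; Path=/`);
    }
  }

  function grant(cat) { if (cat in consent) consent[cat] = true; }
  function withdraw(cat) {
    if (cat in consent) { consent[cat] = false; deleteCategory(cat); }
  }
  function withdrawAll() { for (const cat of Object.keys(consent)) withdraw(cat); }
  function snapshot() { return { ...consent }; }

  return { canSet, setCookie, grant, withdraw, withdrawAll, snapshot };
}

// In-memory jar with just enough document.cookie semantics for the example:
// Max-Age<=0 deletes the cookie, anything else stores it.
function createMemoryJar() {
  const store = new Map();
  return {
    write(header) {
      const [pair, ...attrs] = header.split(';').map((s) => s.trim());
      const [name, value] = pair.split('=');
      const maxAge = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
      if (maxAge && Number(maxAge.split('=')[1]) <= 0) store.delete(name);
      else store.set(name, decodeURIComponent(value));
    },
    names() { return [...store.keys()].sort(); },
  };
}

// Browser wiring: const cm = createConsentManager({ write: (h) => { document.cookie = h; } });
// then call cm.grant('marketing') from the banner's accept button and
// cm.withdrawAll() from a "delete all cookies" control.
```

Wire the banner's buttons to `grant` and `withdraw`, and persist the `snapshot()` result (for example in an essential cookie) so the choice survives page loads; analytics or marketing scripts should then check `canSet` before writing anything.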
Are all our policies clear and obvious?
The data subject's right to be informed means that your privacy policy, cookie policy and terms and conditions pages must be thorough, easy to find throughout the store, and written in "concise, transparent and intelligible" language.
Remember that to comply, the customer must have easy access to a breakdown of exactly what personal data will be collected and how it will be used.
What do we have to do now?
The first step is to sit down with a lawyer and whoever is responsible for data protection in your business and audit your Shopify store. List every place where data is collected or referenced. Where you ask customers to accept data collection, write down why and how you are asking. If you use non-essential cookies, record their purpose. For every consent request, ask yourself whether it is written in a clear and intelligible way.