GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU (source: Wiki).
Since personal data has tremendous value, those sites who are noncompliant with GDRP will be put in a disadvantage that their reputation can be deteriorated. Moreover, merchants who don’t follow the regulations can be fined up to four percent of their yearly revenues. That’s why you shouldn’t ignore the rules.
Now that you understand how important GDPR compliance is to an e-commerce site, you can ensure your Shopify site to be ready for GDPR by following these checking steps:
1. Check consent checkboxes
Make sure that you have explicit checkboxes on all data-gathering forms which explain to the users how their data will be used.
If any form doesn’t have one, go into the settings of that form to add a clarification for the intended data use and a control for affirmative consent. If you are using the popular Shopify App Form Builder, you can do this easily from Shopify admin panel.
2. Audit cookies
It should be noted that not every cookie is created on every page. So, you need to have an engineering team to search the theme code for cookie logic, document and evaluate every cookie on your site pages carefully to make sure it is GDPR compliant.
To check if a cookie is an offender, you can’t just look at the cookie, but you need to look at what data service collects and if that data is tied to an individual person. If the cookie allows the service to track personal information about individual users, it is not compliant.
3. Audit Shopify apps
Some popular apps like Google Analytics are compliant, but many others may not, so you have to audit all Shopify apps, and defer the use of noncompliant ones until you fix the second-page load, refine the integration configuration, or find another app together.For this step check, find the Apps section in your Shopify Admin panel. Here, if you discover any app which has the potential to gather data covered by GDPR, contact the app provider to ask about its compliance. Full contact information of app providers is provided in the Shopify App Store.
Information protected by regulations is likely to include: Name, email address, timestamped location information, physical address, government ID number or ID number assigned by other entities, public or private, your customer ID, database ID you use, IDs in a browser cookie, pseudonymization, etc.
4. Check if an easy-to-use deletion request page is included
GDPR compliance also requires a user-friendly page that visitors can use to request the removal of their data from your systems easily.A popular Shopify app that collects customer requests is Form Builder App. Once installed, this app can configure the form to transfer the data from the submission form to the customer support system to guarantee that your site won’t miss any request.
To add the link to this page into your site, go to Shopify’s Navigation section in the admin panel. The link should be located in an easy-to-see position (the footer is recommended) on every page so that customer can quickly make a request.
5. Review the data flow of referral systems
One of the features of the referral system is sending notification emails (like the coupon) to your customers. If the system doesn’t store the email addresses of the recipients after sending the emails, it’s fine. However, if those addresses are stored and sent to another system to serve for marketing purposes, you need to have acceptance of customers.In Shopify store, there are many apps that can ensure the consent for the data flow such as Klaviyo, Bronto, Mail Chimp, Emma, etc.
6. Ensure implied consent flow to not gather data on the first-page load
Implied consent is the content asking for customer’s acceptance right at the first time they visit the site. The thing is, whether customers click on the acceptance button or not, their data are already been recorded just by landing on the website.This approach is compliant with existing regulations and common across the medium to large-sized US e-commerce organizations. However, it’s not valid in GDPR. In this new law, a standard called affirmative consent must be given to clients.
Any company who wants to be GDPR compliant have to experience a change in the implied consent flow, which is, data cannot be gathered until the second-page load. This leaves customers two options: staying and having their data recorded, or navigating away from the site and keeping their data.
Is there any way to solve this issue? The answer is yet but it is deemed to be tricky. You may want to have your engineering team to write code to defer cookies created by the Shopify theme layer until the second-page load easily enough. However, at the same time, Shopify apps can go out of control. You need to contact each Shopify app provider to determine if they support cookie determent for their apps. If this approach doesn’t work, you will need to install new Shopify apps.
7. Ensure data to be properly segmented
Even you intend to be GDPR compliant today or in the future, the customer data that you collect need to be properly segmented for EU and non-EU citizens.You may want to fine-tune the data collecting form flows by adding a checkbox for citizenship. Besides, remember to audit all newsletter sign-ups and marketing emails to ensure that they flow into a system that tracks their geography and citizenship status.
In conclusion, you can gain a lot of benefits when being GDPR compliant, some of the notable ones are enhanced cybersecurity, better data management, increased customer trust, and improved store’s reputation. With this in mind, don’t hesitate to embrace GDPR at the earliest and see how advantageous it is to your e-commerce business.