On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. This is a European Union (EU) law designed to give EU citizens control over their personal data and to change the way businesses handle that data. You may be wondering if this law applies to your business. It does if your website or storefront has visitors from any of the European Union countries. If it does apply to you, you need to educate yourself so that your business is compliant with the law and avoids the potential for some heavy fines.
This document covers the changes Pressero has made to help you with those compliance concerns as they pertain to your websites. It does not replace the legal advice about GDPR that you should be seeking out to make sure your business is compliant.
Select the checkbox for “Enable Explicit Consent” in your Site Settings, General Information tab to add Explicit Consent to your website and activate the additional fields needed.
By enabling Explicit Consent in the site, two new items will be added to the Create Account Form.
- A prompt for Consent to Contact that by default says “I would like to be contacted about offers and product information.” This prompt can also be customized in the admin > site settings area. This is not a required field, but if your customer does not check this box, you should assume they did not give you permission to send them marketing information.
For both of these areas, if you choose to customize the message be sure to not “bundle” more than one specific request with another. The question you are asking your customer to agree to needs to be specific and clear to the one topic.
In this image, you can see the two new areas added to the Create Account Form.
When a customer responds to one or both of these prompts, we will note in the customer's admin account the date/time they agreed to the terms, along with their IP address. Each of these prompt responses will have its own date/time/IP stamp. (See image below).
- In the image above you can see two new fields added to the User Account in Admin for the permission to contact them with marketing information.
Explicit Consent available for B2B, B2C and Information Sites
In most situations, you will only enable Explicit Consent in your B2C and Informational Sites. That is because you will typically have a prior agreement with your B2B customers that covers the privacy policies and what they consent to ahead of time. We made the changes to all three types of sites because we know that there are unique situations where B2B sites are used for customers where no prior agreements have been discussed and consented to.
Right to be Forgotten
Your customers have the right to “be forgotten.” You may hear from your customers that they would like to have their personal information removed from the website. GDPR allows them this right, but only when the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. In an online store you will probably feel the existing structure of your data is important and that certain information is still needed for financial history and reporting purposes. In this case, you should anonymize the identifying information in the user account (last name, email, address, tax id numbers, etc.) by first removing any information that is not required by Pressero so that you can save the changes, and then for the required fields consider adding to, or replacing the data with, a passphrase or hash tags. When you are done, delete the user account. Basically, you want to be sure that whatever method you choose, there is no way to recover that user's record or to re-identify them.
Right to Access
Important Pressero Features to Consider:
- If you enable Explicit Consent on your website, you might not be able to use some features available to you.
- Shared Users (B2B) - because each user should give their own consent and have access to their own profile information.
- Guest Checkout (B2C) - because a guest user wants to order, but not to create an account with you. The way Pressero handles guest users is to create an account for them in the background and send them a password to use the next time they want to order. The customer is not giving you explicit consent to create this account.
- Impersonation - either for admin users, or for site users (B2B) with permission to impersonate other site users, unless explicit consent has been received.
- Create New Users - Pressero allows admin users to create new accounts either manually through admin, or via Excel import. You should not create new accounts for your users without explicit consent to do so. This is also true for B2B sites where you have the option of giving permission to a site user to create and manage user accounts.
Questions and Answers:
Question: Where can I learn more about GDPR?
Answer: Here is a link to the government website: https://www.gdpreu.org/ that has all the legal details. If you do an online search you will find a lot of helpful information and examples of how others have handled these new regulations. It is highly suggested that all organizations and companies that work with personal data appoint a data protection officer or data controller who is in charge of GDPR compliance.
Question: I do not want to enable Explicit Consent, but how can I keep customers from other countries from creating an account on my website?
Answer: Limiting the countries shown on the Country dropdown selector when a visitor is creating a new account, adding/editing an address on the site, or using a shipping estimator on the product page, can be done by adding some code to the head section of your site. Select here for full details on how to do this.
Answer: A script that adds this notice can be generated from various third-party sites and added to the head content section of your site. Select here for full details on how to do this.