In March 2018, the General Data Protection Regulation (GDPR) came into force. It's the latest privacy law to be passed by the EU, the supranational political union that brought us the much-loved "cookie banner."
Many businesses have found that they have a lot of work to do in order to comply. It's easy to see why some find the law quite daunting. Firstly, it's over 50,000 words long. It threatens fines of up to €20 million. And it applies to companies all around the world - not just within the EU.
- 1. What is the GDPR?
- 2. Why is the GDPR Important for Ecommerce Stores?
- 3.1. Contact Details
- 3.2. Categories of Personal Data
- 3.3. Purposes and Lawful Bases
- 3.4. Recipients of Personal Data
- 3.5. Third Country Transfers
- 3.6. Storage Periods
- 3.7. Individual Data Rights
- 4. Principles of the GDPR
- 4.1. Lawfulness, Fairness, and Transparency
- 4.2. Data Minimization
- 4.3. Accountability
What is the GDPR?
The GDPR achieves two main objectives:
- It sets out clear rules about how personal data should be processed
- It gives people in the EU more rights and greater control over their personal data
This is probably the most comprehensive data protection law the world has ever seen. And it doesn't only to EU businesses. It applies to anyone, from an individual website developer to a massive social media company, so long as they:
- Offer goods and services to people in the EU, or
- Monitor the behavior of people in the EU
This is regardless of whether they are established in the EU or not. That means companies all over the world have to comply, whether they're from the United States, Australia, or South Korea.
Why is the GDPR Important for Ecommerce Stores?
Ecommerce stores process personal data. They collect, store or otherwise use information that could potentially identify an individual. This means that they must abide by the GDPR.
In fact, ecommerce stores are a prime target for the GDPR. They actually process quite a lot of personal data. For example:
- Names, email address, shipping addresses and other information that might be used to directly identify individuals.
- Payment card details, and in some cases sensitive or revealing information that must be processed securely.
- Technical information like IP addresses and cookies, that might be used to indirectly identify individuals.
All these things count as personal data under the EU's strict interpretation of the term. And therefore the GDPR applies to every aspect of how you handle it.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
The GDPR requires you to disclose the identity and the contact details of the controller.
"The controller" means your ecommerce store, which is a "data controller" in EU jargon. A data controller is an entity that "determines the purposes and means of the processing of personal data."
So, for example, an ecommerce store might record someone's address via a web form in order to send them a product.
- The "personal data" is the person's address.
- The "means" of processing the personal data is recording it via a web form.
- The "purpose" of processing the personal data is to send them their product.
The company has determined how and why to process personal data. It is a data controller.
You should also give the details of your EU Representative and Data Protection Officer (DPO), if you have appointed either.
Providing your company's name and contact details sounds simple enough. But it's still possible to get this wrong. The GDPR requires you to use "clear and plain language." Legalese is not allowed.
Take a look at how Chevrolet Europe has done this:
This isn't exactly bad, but it's not also not as easily understandable and simplified as it could be. There's no need to say "pursuant to Art. 27," for example. It can come across as complicated legalese, which the GDPR frowns upon when used in Privacy Policies that should be easily understandable to an average (non-lawyer) reader.
This first clause discloses who the data controller is, provides contact information and lets users know that the controller is the party who is "responsible for deciding how and why" personal data is held and used.
The other contact clause lists the contact information for the data protection officer. It's noted that users should contact this person with any questions or concerns about how personal data is used:
This is far more in-line with the rules around transparency and accessibility. The term "data controller" is used, but it's also explained, and users are invited to contact the DPO with issues related to their personal data.
Categories of Personal Data
You need to disclose what types of personal data you process. For example:
- Email address
- Shipping address
- Billing address
- Payment card details
- IP address (via server logs)
Here's how Amazon does this:
Purposes and Lawful Bases
Processing of data under the GDPR may only occur for good reason. The good news for ecommerce stores is that selling people stuff counts as a good reason to process their personal data. Well, it's a little more complicated than that.
The GDPR's six lawful bases apply to every lawful act of data processing.
- Legal obligation
- Necessary to protect vital interests
- Necessary for public interest or exercising official authority
- Legitimate interests
Here they are, set out at Article 6:
The lawful bases most commonly cited by ecommerce stores are:
- Contract: when processing personal data is required in order to fulfill contractual obligations. Once a customer makes a purchase, your contract with them requires you to send their payment card details to a payment processor, send their shipping address to a mail carrier, etc.
- Consent: when providing non-essential services that the customer can say easily "no" to. If you want your customer to sign up to your weekly marketing newsletter or allow you to use targeting cookies, you'll have to ask for permission.
- Legitimate interests: when carrying out low-risk data processing that benefits your company and carries a minimal impact on or risk to your customer. You may be able to justify storing an encrypted list of IP addresses of the people who've visited your site, for the purposes of maintaining security.
At points (a) and (b), the company explains that it uses personal information as part of a contract, to supply its products and services.
At points (c) and (d), the company explains that it uses personal data of visitors to its websites to optimize the experience of those sites. Optimizing web activity, for example by setting cookies that save the content on web forms, is usually justifiable under legitimate interests.
Here's another example from Safe Prescriber:
Personal data used to make purchases is processed to carry out a contract. Personal data used to subscribe to email notifications is processed subject to consent.
Recipients of Personal Data
An ecommerce store will almost certainly be sharing personal data with third parties.
- Payment processors like PayPal or Shopify
- Email marketers like MailChimp or SendGrid
- Mail carriers like UPS or FedEx
- Ad services like Google or AdRoll
Some Privacy Policies seem to imply that "disclosure" of personal data is equivalent to "sale" of personal data. Take a look at this clause from coffee supplier Has Bean:
Here's a better example from SendPilot:.
Note that you aren't required to list the names of the companies you share data with. Only what type of company they are.
Third Country Transfers
The good news for non-EU businesses is that the GDPR does allow personal data to be transferred outside of the EU. This is, however, subject to some pretty strict safeguards. This will be relevant if you're:
- A non-EU company with EU customers
- An EU company working with non-EU third-party companies
Broadly speaking, the EU allows for international data transfers so long as either:
- The receiving country is on the EU Commission's "adequate" list. Note that the United States is on the list, but only if the recipient is part of the Privacy Shield program.
- The sender and recipient have a contract containing certain legally binding standard clauses.
- The transfer is taking place within a multinational company that has adopted certain binding corporate rules.
- As a last resort, and only under certain conditions, where the person has given consent.
Here's an example from Minotaur Flight Store, who appear to be attempting to rely on consent for international data transfers.
There are arguably several problems with this, as far as the GDPR is concerned.
Consent for international transfers is only to be used under very strict conditions, and it isn't clear that these have been met. Besides which, a person cannot be told that they have expressly consented to something. They have to actually expressly consent to it.
Here's a better example from KEF:
KEF discloses that it relies on standard contractual clauses and even tells its customers how they can get a copy of them.
Ecommerce stores will typically have to store names, account details, and shipping addresses. But you must also consider technical information like cookies, as well as IP addresses and possibly other log data.
You may not be responsible for storing or deleting payment card details if you use a third party payment processor.
You don't need to state how long you'll store data in terms of months or years. Sometimes the period is determined in other ways.
Individual Data Rights
People in the EU have certain rights over their personal data. Data controllers (like ecommerce stores) must facilitate these rights.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights relating to automated decision-making and profiling
You'll also need to know how to respond when users exercise their rights. For example, with the right of access you'll need to handle privacy access requests in a very specific way.
Some organizations provide a web form for individuals to make such requests, but providing an email address is sufficient.
Here's how Superdrug does this:
The right to object is highly relevant to ecommerce stores, which will often send direct marketing emails. As Superdrug points out, this right can be exercised simply by using the email's unsubscribe facility.
You must also make your customers aware of their right to lodge a complaint with a Data Protection Authority. Here's how Amazon does this:
Principles of the GDPR
The GDPR contains principles which should permeate every aspect of the data-handling activities. Here they are in the GDPR, with key words highlighted:
The principles are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
We're going to look at three of these principles and how they might might apply to the management of your ecommerce store.
Lawfulness, Fairness, and Transparency
One area where ecommerce stores (and other businesses) can slip up is where they rely on the lawful basis of consent. Consent is only valid under certain conditions.
It must be:
- Freely given
- Given via a clear affirmative action
Here's an example of how to ask for consent for cookies from The Schneider Group:
The user has genuine options and is not guided toward any choice in particular. Their consent, if given, would be clear and unambiguous.
At the opposite end of the spectrum, there's Cura:
It may look like Cura is requesting consent, but there's no genuine choice here.
The principle of data minimization requires that you don't collect any data you don't need. Ecommerce stores might slip up here when creating marketing mailing lists.
Here's an example from One Stop stores. This is what users are signing up for:
And here's what they're asked to provide:
Processing an individual's date of birth is arguably unnecessary in this context. To be fair, providing this is optional. But why ask for it at all? In the event of a data breach, this is just another item of personal data that could be compromised.
You only really need a person's email address in order to send them email.
Accountability sometimes isn't listed among the GDPR's principles (it inhabits a separate section from the others). But in many ways, it's the most important one.
You are accountable under the GDPR. You must understand and comply with your obligations under it.
For example, as we discussed above, ecommerce stores almost always need to engage other companies to process personal data on their behalf - payment processors, mail carriers, marketing companies, etc.
These are known as "data processors." Where you're passing on your customers' personal data to a data processor, you must have a Data Processing Agreement in place.
Many large data processors supply a Data Processing Agreement as part of their Terms of Service.
Here's a part of Shopify's:
And here's an excerpt from Hockeystick's:
You mustn't use a data processor without a Data Processing Agreement in place. And if you're provided with one, you must read it carefully and check that it complies with the GDPR.
In the event that your customers' data is compromised, you can't simply blame the data processor. You are accountable under the GDPR.
- Your company's contact details, and those of your EU Representative and Data Protection Officer if you have appointed either
- The categories of personal data you process
- How and why you process personal data
- Your lawful basis for each act of processing
- The categories of companies with whom you share personal data
- Details of any data transfers outside of the EU
- How long you need to store personal data for
- How you can help facilitate your users' data rights
- How your users can make a complaint about your data protection practices
You must also remember to apply the principles of the GDPR to your data protection practices at all times.