GDPR Compliance Checklist for Shopify and BigCommerce
If You Are a Shopify or BigCommerce Merchant, Here’s What You Need to Know About GDPR Right Now
You’ve probably seen it all over the news and maybe even received emails warning you about the impending implementation of GDPR. Yes, there are lots of changes and important things for eCommerce merchants to consider. But it’s not big and scary. In reality it’s a new set of laws and regulations that make a lot of sense.
All of the articles and guidance you see online mention that this is a very new law, and that the information provided does not constitute legal advice. We say the same thing about this article. That said, after some basic information, this article provides a basic 9-point GDPR Checklist to help Shopify and BigCommerce merchants get to compliance.
What is GDPR and Why Does it Matter?
“GDPR” stands for “General Data Protection Regulation.” It was adopted a few years ago to expand and supplement the previous consumer data protection laws covering the European Union. You are hearing a lot about it in the news now because it goes into full effect on May 25, 2018.
We give a lot of details at the end of this article about specific rules and regs in the GDPR, but everything boils down to this: The GDPR states that each individual person owns their data no matter how individuals and businesses collect it and no matter what clauses exist in their website terms of service.
Does GDPR Apply to Your Shopify or BigCommerce Store?
Legally, GDPR applies to residents of the EU. But the GDPR likely applies to you and your business no matter where you are located. There are two reasons for this. The first is that GDPR is widely viewed as a successful and reasonable set of regulations to protect online shoppers and internet users. Already, governments outside of the EU are drafting legislation of their own using GDPR as the model. We suspect that substantially similar – and even identical – regulations will be in place soon in many countries.
The second reason that GDPR applies to you and your eCommerce store is that the rules don’t apply just inside the EU. There are some questions around enforcement, but the rules apply to all EU residents whether or not the individuals (referred to as “data subjects”) are in the EU at the time they visit your site. And it also doesn’t matter if your site is hosted in the EU. This law – at its core – is about protecting the data rights of individual citizens, and that’s something we can all support, right?
So, because of those two reasons, we say that GDPR applies to every business website … period. And since there are potential financial penalties involved, we all have to pay attention. Fortunately, Shopify and – to some extent – BigCommerce are on the ball with their platforms and make it easier for their merchants to comply.
Enhanced Rules for Acquiring eCommerce Data Consent
Under the old rules, a business could put a few clauses in their website terms of service, put a cookies notification on their website, and probably be in compliance. The new rules are greatly strengthened. If your website is collecting data about a customer – any customer – there needs to be a clearly visible consent notification, and it needs to link to a clearly written, easy-to-understand policy that states what specific data is being collected and how it is going to be used.
New Individual User Rights In the GDPR for Data Subjects
As we’ve said above, a “data subject” could be anyone who visits your site. If you use tracking pixels and cookies, this applies even if they never fill out a form or make a purchase. The new rules give data subjects the following rights:
- Data Breach Notification – if there is a breach or if your website or third-party apps are hacked, you have to let everyone who might be impacted know within a specific time period of when you discover the breach.
- Right of Data Access – all of your site users and customers have the right to see and even get a copy of all the data you collect on them.
- Data Portability – customers and visitors can take that data and give it to someone else … even a competitor of yours if they want to. We don’t see this as a huge risk.
- Data Erasure … “The Right to Be Forgotten” – this means that if a customer or visitor requests it, you have to delete all of the information that you have about them from your files and systems (except data that you are otherwise required to keep by law, such as revenue and taxes collected).
Remember ... GDPR is built on the concept that the person – the data subject – owns the data about themselves, so they have control of it.
“Privacy by Design” – The Importance of the Platform
Which brings us to our GDPR eCommerce Compliance Checklist.
GDPR Compliance 9-point Checklist for eCommerce Sites on Shopify and BigCommerce
1) Review Your Third-Party Apps #1 – Delete Unused Apps
First things first … since we help so many Shopify and BigCommerce sites with development projects and performance improvements, we have seen hundreds of sites that have lots of unused apps installed. This is perfectly natural. Entrepreneurs like to experiment and try things to improve. But even if they are not “active,” take this opportunity now to uninstall anything that you are not using and getting value from.
It is a good idea to get rid of unused apps on a regular basis anyway (it improves site performance). The TaskHusky team can help you with app deletion if you need it (start a task).
2) Review Your Third-Party Apps #2 – App Inventory and Documentation
3) Sales Channels
4) Payment Gateways
Same goes for payment gateways. Shopify Pay is reporting compliance, and so are PayPal and the other big services. But still get their documentation in your files to keep yourself safe. If you are using a smaller payment gateway service, take a hard look at their GDPR policies and statements, and if they don’t have any, you have to act on that.
5) Product Drop Shippers and Logistics Vendors
A lot of Shopify and BigCommerce stores use drop shipping suppliers that ship directly to your customers. They need to be compliant too. Ditto if you are sending your products to a third-party logistics/delivery company.
6) Make a List, Check It Twice
7) Appoint a Data Protection Officer
You also need to let people know that they can request a copy of their data and even have their data deleted. And you need to provide them a written, easy-to-understand set of instructions on how to get those things done that aligns with your internal process for actually doing them. This will include the contact info (usually an email address) of your Data Protection Officer in case they need help or have a question.
To be clear, unless you are a big company with high volume, we think that these kinds of requests are going to be few and far between. But you need to understand that you are obliged to have these policies and be ready to comply.
9) Gaining Customer Consent in GDPR
Whenever you are collecting information, the customer must be empowered. This means that in all cases, consent must be:
- Freely given – which means not coerced, tricked, or bundled with other things.
- Specific – you must clearly identify why that info is being collected and why it’s important.
- Informed – you must tell folks how that information will be used.
- Clear and Unambiguous – writing things in simple, everyday language that can be easily understood (no “fine print” or “legalese” allowed).
For example, if you are collecting email addresses for your marketing campaigns, your opt-in form must state that the email will be used for marketing, promotions, special offers, etc. You can’t just say “get our newsletter” because that’s not super-clear.
More Shopify and BigCommerce Resources for GDPR
Don’t let all of this overwhelm you. It seems like a lot, and sure, it’s going to be work that you may not “want” to do. But it’s important and as time goes on customers are going to want to see businesses comply with GDPR and similar regulation because everyone wants to have data privacy and protection.
There is a lot more information online. You can read Shopify’s guidelines and instructions here, and you can access BigCommerce’s help files on GDPR here. And there are some other, less-common requirements – such as special rules for websites that do business with children – so we have also included a more general listing of links and external resources below if you want to dive deeper into the regulations for all kinds of websites and businesses.
Thanks for reading.
Additional GDPR Links and Resources
A searchable, digital version of the new GDPR requirements and regulations: https://gdpr-info.eu
The official GDPR website for reference: https://www.eugdpr.org
A summary of the GDPR on Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
A summary of the preceding EU data privacy directive on Wikipedia: https://en.wikipedia.org/wiki/Data_Protection_Directive
An article in The Guardian newspaper in the UK that provides a good overview: https://digitalguardian.com/blog/what-does-gdpr-mean-for-you
Shopify GDPR Guidance for Merchants: https://help.shopify.com/manual/your-account/GDPR/GDPR-merchants
Shopify’s GDPR White Paper: https://help.shopify.com/assets/pdfs/gdpr-whitepaper.pdf
BigCommerce GDPR Help Files: https://support.bigcommerce.com/articles/Public/General-Data-Protection-Regulation