If you sell products or services to customers in the European Union, new regulations are about to hit you. Even if you are on another continent.
If you don’t comply, you could face huge fines. And that can be as easy as using the wrong cookies on your website or sending an email to the wrong person.
Fortunately, things aren’t as bad as they look at first sight. You’ll find out why in this article.
The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018.
It affects you if:
The regulations try to protect the personal information of EU citizens by defining
The fines for non-compliance are huge: up to 20 million euros or 4% of annual turnover, whichever is higher. That makes ignoring the GDPR a high-risk option.
Yet things aren’t as bad as they seem for online sellers. That’s because the regulations take sellers into account to make complying easier.
And they are not entirely new. They fine-tune and strengthen existing rules already in place.
Our online systems and services comply with the GDPR to help you along the way.
The following information will explain how you are affected. Just keep in mind that this isn’t legal advice. If you are in doubt, always seek legal advice for your specific situation.
So here we go.
The GDPR defines as personal any data which directly or indirectly allows identifying an individual, the so-called data subject. If you want to use personal data, you must have consent from the data subject.
That includes the name, contact details and addresses. But also online user names, credit card numbers, tracking cookies, tracking images in emails and even IP addresses.
On top of that are special categories of personal data, such as sex, religion, hair and skin colour, political affiliations and more. These are even more strictly regulated and are off limits to online sellers.
You can process all the personal data you need to fulfil an order without special consent. That’s because placing an order, or even the intention to place an order such as requesting a quote, implies consent according to the GDPR.
That means the name, shipping and delivery address, contact details and payment details.
Processing, by the way, is anything you do with (or to) the personal data: from collecting, saving, displaying and printing to running it through automated processes, for example to approve payments or to send an email.
But what about adding customers to your direct marketing list? That’s not required to fulfil an order. So, can you still send your customers special offers and newsletters in the future without their explicit consent?
Yes, you can.
Because the GDPR has another exemption which works in your favour. Just like the old regulations, it gives you the right to use the personal data you collect for your legitimate interests (Article 6 (f)). And legitimate interests don’t require consent.
The GDPR clearly defines direct marketing as a "legitimate interest" in Recital 47. So you are totally covered when it comes to email marketing to your customers.
Just like in the past you must always ask them for permission to add them to your email list. A simple checkbox “Please send me special offers” as part of a contact form is all you need (Recital 32). Make sure it is not pre-ticked, as that doesn’t count.
What is new is that you must store this consent, so you can prove later that it was real, if required.
If you give away white papers, images or other freebies on your website, you won’t need an extra checkbox, but you must make clear that you will be adding the email address to your marketing list.
That’s because the GDPR requires a clear and informed action by a visitor to indicate consent.
To achieve this, simply add appropriate text to your download or landing page, ideally directly above the download button. Such as: “By downloading this document you agree to be added to our email list. You can unsubscribe at any time.”
You can continue to email your previous customers. You can also continue to email anyone who, under the old regulations, opted into your email lists.
Just remember to always include an unsubscribe link in your marketing emails.
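The checkbox and download-page consent described above, recorded in a way that can be shown later as evidence, as an added example (not ShopFactory's or Santu's code). Field names, the two form versions and the ledger layout are assumptions.

```python
# Added example (not ShopFactory's or Santu's code): a consent ledger that
# stores the evidence needed to prove later that consent was real.
# Form field names, sources and the form versions are assumptions.
import hashlib
from datetime import datetime, timezone

# Exact wording shown to the visitor, by form version. Keep old versions:
# each record refers to the text the visitor actually saw.
CONSENT_TEXTS = {
    "contact_form_v1": "Please send me special offers",
    "download_page_v1": "By downloading this document you agree to be added "
                        "to our email list. You can unsubscribe at any time.",
}

def record_consent(email, source, form_fields):
    """Return a consent record, or None if no valid consent was given.
    Contact form: the checkbox must arrive ticked; an absent value means
    no consent (the form template itself must not pre-tick it).
    Download page: the click is the action, but only counts if the
    notice above the download button was actually displayed."""
    if source == "contact_form_v1":
        if form_fields.get("marketing_optin") != "on":
            return None
        action = "checkbox_ticked"
    elif source == "download_page_v1":
        if not form_fields.get("notice_shown"):
            return None
        action = "download_clicked"
    else:
        return None
    text = CONSENT_TEXTS[source]
    return {
        "email": email,
        "source": source,           # which form version to show as evidence
        "action": action,
        "consent_text_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }

def record_unsubscribe(email):
    """Ledger entry written when the unsubscribe link in an email is used."""
    return {"email": email, "action": "unsubscribed",
            "timestamp": datetime.now(timezone.utc).isoformat()}

def can_email(ledger, email):
    """True if the most recent ledger entry for the address is a consent."""
    entries = [e for e in ledger if e["email"] == email]
    return bool(entries) and entries[-1]["action"] != "unsubscribed"
```

Appending entries rather than overwriting them keeps the history of what was agreed to and when, which is what you would need to show if a consent is ever questioned.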
According to the GDPR, cookies are personal data if they can identify a specific user.
The only cookies ShopFactory and Santu use are so-called session and shopping cart cookies. These are exempt from the GDPR and even from the so-called Cookie law.
Unless you have other scripts on your website, you don’t even have to show the Cookie warning to your EU customers. (Article 29 Working Party guidelines).
Google, Facebook, online chat programs and other scripts often use tracking cookies to track and identify your visitors. Not just on your website, but sometimes across the Internet. Email marketing programs add tracking images to marketing emails.
We believe that basic website tracking via Google Analytics and similar services also falls under Article 6 (f), meaning you don’t need consent when using them. In fact, we don’t even think you have to show the cookie warning anymore, provided you can clearly argue a legitimate interest.
The same could be said for social media cookies you use to improve your ability to market your products and services.
However, if you are using cookies which collect personal data according to the GDPR, then you must make visitors aware of this on your privacy page. And you must allow them to opt out of these cookies.
ShopFactory has been adjusted to meet these requirements. This means ShopFactory will automatically add an opt-out function to your privacy page, if required. Just adjust your GDPR settings in ShopFactory Central / My Store, as required.
We also recommend you add some text at the bottom of your privacy page, in which you identify that you are using cookies, and why. We will then add the opt-out function at the bottom of the privacy page.
Here is a possible example:
They allow us to:
Not everyone agrees with this approach. So, if your legal advisor tells you that you must allow your customers to give you permission to use tracking cookies, you will be able to set that up, too.
The GDPR also gives data subjects more rights to their personal data. They can ask you to correct personal data which you have stored incorrectly, and they have the right to be forgotten.
ShopFactory now has a function that allows you to update personal data as required in your ShopFactory Cloud or Santu accounts.
The right to be forgotten means a customer or other person can ask you to completely wipe their personal details off your systems.
However, this right does not apply while you must store the data for tax or other regulatory reasons. In most countries you must store contracts for seven or eight years, and sometimes even longer. During that time the right to be forgotten does not apply.
Once the time is up, you can select the users and the orders they placed and easily delete them.
We will also be providing a function which will allow you to update the orders by removing the personal details, once the official storage period is over. That will allow you to keep the orders for statistical purposes, while still complying with the GDPR.
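The two steps just described, leaving orders untouched while the retention period runs and then removing the personal details while keeping the order for statistics, as an added example (not ShopFactory's own function). The field names and the 8-year period, which matches the sample documentation later in this article, are assumptions.

```python
# Added example (not ShopFactory's code): strip personal details from stored
# orders once the statutory retention period is over, keeping only what is
# needed for statistics. Field names and the 8-year period are assumptions.
from datetime import date

RETENTION_YEARS = 8

# Data that identifies the customer directly or indirectly: removed.
PERSONAL_FIELDS = {"name", "email", "phone", "shipping_address",
                   "billing_address", "payment_details", "ip_address"}
# Data kept for statistics only (no person can be identified from it).
STATISTICAL_FIELDS = {"order_id", "order_date", "country", "items", "total"}

def retention_expired(order_date, today, years=RETENTION_YEARS):
    """True once `years` full years have passed since the ISO order date."""
    placed, now = date.fromisoformat(order_date), date.fromisoformat(today)
    try:
        cutoff = placed.replace(year=placed.year + years)
    except ValueError:              # placed on 29 February: use 1 March
        cutoff = date(placed.year + years, 3, 1)
    return now >= cutoff

def unclassified_fields(order):
    """Fields that are neither known-personal nor known-statistical."""
    return set(order) - PERSONAL_FIELDS - STATISTICAL_FIELDS

def anonymise_order(order):
    """Return a copy with personal fields removed (not blanked, so it is
    clear the data was deleted on purpose) and an anonymised marker."""
    unknown = unclassified_fields(order)
    if unknown:
        # An unknown field might hold personal data: refuse rather than guess.
        raise ValueError(f"unclassified fields: {sorted(unknown)}")
    kept = {k: v for k, v in order.items() if k in STATISTICAL_FIELDS}
    kept["anonymised"] = True
    return kept

def anonymise_expired(orders, today):
    """Anonymise only orders whose retention period is over; the rest stay
    intact because the right to be forgotten does not apply to them yet."""
    return [anonymise_order(o) if retention_expired(o["order_date"], today)
            else o for o in orders]
```

Refusing to process an order with an unclassified field is deliberate: a free-text field such as a delivery note can contain a name or phone number, so every field should be classified before the anonymised record is treated as free of personal data.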
We accept and process personal data for you securely online as part of the checkout process and order management. We encrypt it while transferring it, and we encrypt it when we store it on your behalf in our databases in Europe. This is known as encryption in transit and at rest.
We also constantly back up your data securely, to prevent any loss.
So if you store your orders online with us, we have your back when it comes to data security.
Just make sure you have a Data Processing Agreement with us, and with your other service providers, as required by the GDPR (more about that further down).
Be aware that the GDPR also applies if you accept contact details, for example on the phone, and note them down on paper. Or if you send printed direct mail marketing letters via your post office. You’ll have to make sure that part of your business also safeguards personal data.
Fortunately, you don’t need a data privacy impact assessment or a data privacy officer if you run a normal online business.
When it comes to collecting and processing personal data, you as store owner are responsible for what happens to the data. However, as you are outsourcing some of this work to us, we become your data processor according to the GDPR.
This means the GDPR requires that you have a data processing agreement with us, so you can be sure we will comply with the GDPR on your behalf.
This doesn’t apply just to us. It applies to any service you use to process data on your behalf, for example your payment gateways, shipping providers and online accounting systems.
You can download our processing agreement by logging into your ShopFactory Cloud or Santu account and going to the ‘My Account’ section. Just countersign it and email it to us as explained in the document, to make the agreement binding.
Once you have ensured the safety of personal data online by using our services and entering into processor agreements with the different processors you use, there is still some paperwork left.
That’s because the GDPR requires you as online store owner to document what data you collect, and what you do with it.
Below is a simple example. Just make sure to run it past your legal adviser, if you adapt it for your purposes, as we cannot give legal advice.
Business Name: Cookie Bakers GmbH
Controller: Egon Baker, 25 Baker Street, Bakers City, Backhausen, Germany
We process personal data from website visitors and customers on our website and in emails.
We collect and process personal data to fulfil orders including names, contact details, address details and payment details. We also collect data via cookies and similar tracking technologies to monitor the behaviour of visitors on our website and in emails, so we can improve the visitor experience on our website and in emails for example by making suitable product recommendations. We also use personal data collected for legitimate marketing purposes.
We use Santu Pty Ltd as processor to collect customer data on our behalf. We use PayPal as processor to process payments on our behalf. We use XY Couriers as processor to ship products on our behalf. We use Google Analytics to track traffic on our website. We use Monkeymail as processor to send and track marketing emails.
Personal data is stored for 8 years to comply with government regulations.
If we become aware of a security breach which has exposed personal data, we will within 72 hours contact our supervisory authority, specifically: Name of authority and contact details.
The subjects of exposed personal data will also be informed without undue delay via their registered email address.
You’ll also find some good online generators for GDPR-compliant privacy policies, such as https://goo.gl/piu79B.
We have put in a lot of work to help you become GDPR compliant.
Changes that allow you to use tracking cookies and other scripts on your website are included in ShopFactory from the GDPR enforcement date. By storing your orders in the ShopFactory Cloud you get access to GDPR-compliant online processing and a data processing agreement.
If you have not yet upgraded to ShopFactory 12, we highly recommend you do so as quickly as possible. You can run ShopFactory 12 on the same computer as earlier versions. You will be able to import your existing store and continue to work with it. ShopFactory Cloud is included free of charge for the first year, if you pay yearly.
Please contact us, if you have any questions or need more information.
** We have adjusted the section on Google Analytics and other scripts to reflect our latest understanding.