The General Data Protection Regulation (or GDPR for short) is set to take effect soon and impacts anyone who handles EU citizen and resident personal data.
Looking at the GDPR for ecommerce especially, there are lots of questions and concerns that merchants have at the moment.
With huge fines and other serious consequences, it is very important that ecommerce merchants understand what these rules mean for their business and how they can prepare for them.
If you’re on Omnisend, there’s no need to worry. Huge new laws can be seem very scary, but Omnisend is making sure the way you collect and store personal data is GDPR-compliant.
Over the next few weeks we’ll unveil effective, GDPR-ready ways to make sure you’re covered when it comes to your marketing automation.
In this guide, we’ll go over (click to jump ahead):
Please note however: we are not lawyers. Therefore, don’t take this educational content as being legal advice.
Since it’s a law that hasn’t been implemented yet, there will be many different situations and even exceptions. If you have specific questions, consult an attorney with knowledge of the new GDPR.
What is the GDPR and when does it take effect?
The GDPR concerns the personal data protection of European Union citizens.
It determines the ways that personal data about EU citizens can be handled, within the EU and outside the EU in other countries.
The GDPR takes effect on May 25, 2018.
The main aim of the GDPR is to actually give the control of the data back to the citizens and residents of the EU. That means that they will be able to determine who has access to their data.
This includes the ability to demand that any personal data stored previously by a business, including an online store, be deleted or modified quickly and permanently.
The GDPR will also simplify the regulation requirements for international businesses, who often had to comply with different sets of rules for different counties in the EU.
While it can seem a daunting new, resource-heavy problem, the GDPR is actually allowing you to find out who your real subscribers are: the ones who are eager to hear from you.
After all, those are the ones who are buying your products on a regular basis.
Andy Sambandam sees the GDPR’s new requirements—and your readiness—as actually a huge competitive advantage:
“You should start considering the GPDR as an opportunity to win more business since you can earn greater trust through transparency. The recent Facebook data scandal demonstrates that businesses built on insufficient privacy protections risk large consumer backlashes in the future, resulting in billions of dollars in lost market cap. Privacy protections can be a powerful competitive advantage. Just don’t procrastinate any longer. With less than a month to go, there’s barely any time left.”
It’s important that you understand how you can be impacted by the GDPR and what you need to do in order to get ready.
Be sure to check out our GDPR for ecommerce checklist below to get ready.
Who does the GDPR apply to?
Many businesses wrongly believe that the GDPR was made by the EU for the EU, and therefore should only impact EU ecommerce businesses.
But that is flat-out wrong.
The GDPR applies to anyone who handles EU citizen or resident personal data.
This is worth repeating.
The GDPR applies to any business, everything from Facebook to your own online store, which handles EU citizen or resident personal data.
If you’ve ever collected a European person’s email address, name, telephone number, etc., or plan to do so in the future, the GDPR applies to you.
It doesn’t matter where you are in the world. It only matters that you have stored—somewhere, anywhere—the personal data of EU citizens and residents.
It is of course difficult to say in such an internationally-connected space known as the internet and ecommerce, whether you have European customers or subscribers.
But if you have thousands of customers and subscribers, chances are many of them are European.
And even if you have just 20 subscribers or customers, it’s likely that even one of them could be European.
“We urge any ecommerce business that thinks GDPR doesn’t apply to them to reconsider. If any employee, customer, client or contractor is an EU citizen and your organization holds any of their personal data, you are subject to compliance. In the future individuals will have more and more say over their own data.
Businesses with that future in mind will look to their data privacy approach as a strategic shift that earns better ROI related to GDPR vs. a solution that just brings you back to square one.”
But don’t look at the GDPR as being negative. In fact, if you really look at it, it allows you to find and connect with those subscribers and customers who really are excited to hear from you.
That means that you’ll be able to build strong, profitable, and long-lasting relationships with your customers.
The ecommerce GDPR fines you need to know about
So let’s get the alarming stuff out of the way.
As I mentioned above, the GDPR aims pretty clearly at the way enterprise-level businesses handle Europeans’ personal data.
The fines are:
- up to €10 million or up to 2% of the annual worldwide turnover for the previous year, whichever is higher. This is for any business that does not comply with the new GDPR.
- up to €20 million or up to 4% of the annual worldwide turnover for the previous year, whichever is higher. This fine is for any business that suffers a data breach where the personal data of Europeans is compromised.
Whatever else you get from the above information, the worst part is probably the phrase “whichever is higher.” That means that if, for example, you did not comply with the GDPR and gathered or processed data against GDPR rules, you can get a 2% fine of your annual worldwide turnover for the previous year.
Imagine you made $500,000 for 2017, so 2% would be $10,000. That’s quite a hefty fine. But in this situation, that wouldn’t actually be what you’d have to pay.
You would have to pay €10 million (about $12 million), seeing as €10 million is greater than $10,000.
Let’s not even think about what you’d have to pay if you had a data breach (€20 million or $24 million).
Luckily, the words “up to” are included in the language.
But even if you only had to pay 10% of the greater fine, that would still be €1 million, or $1.2 million, for the first offense, and €2 million, or $2.4 million, for a data breach.
I’ve never been that good at math, but these numbers seem astronomically larger than they should be.
But what that means for ecommerce merchants, then, is that these enterprise-level fines will and can still be levied on your small- or medium-sized business if you aren’t GDPR compliant.
That’s why it’s especially crucial that you make sure you adhere to the upcoming GDPR and make sure you have all your ducks in a row.
If you don’t, and there’s even one situation of mishandled personal data, that could be the end of your ecommerce adventure.
Ecommerce for GDPR: The 3 essential parts
Now that I’m pretty sure I’ve scared you, let me put you at ease by letting you know it’s not that hard for ecommerce stores to get prepared.
Let’s look at how you can make sure your ecommerce store is prepared for the upcoming GDPR.
Remember, the essence of the GDPR concerns the following three areas:
- Get consent: the user must agree to be included in your marketing campaigns
- Provide adequate protection: you must protect the user’s personal data adequately
- Delete, correct, or restrict when asked: if the user requests you delete, correct, or restrict the personal data you have, you must comply quickly
One of the most important parts of the GDPR for ecommerce businesses is the idea of “consent.”
If the user has consented to the message and communication channel that you are offering, then you can continue to do as you always have. But if there was no consent, then you cannot send them marketing materials or advertise to them.
I’ll repeat: get consent when you collect their information, and make sure you have consent to send them various messages.
You’ll usually be fine if your customer signs up for your newsletter, since it’s understood as a regular marketing channel.
And of course, this goes for any type of marketing you’ll be doing with them, including retargeting, emails, Messenger, SMS/text message, etc.
If you don’t have explicit, unambiguous consent from the visitor to get these kinds of marketing messages, then you won’t be able to send them messages—or else face heavy fines.
Privacy consultant KJ Dearie emphasizes that ‘affirmative consent’ is a key phrase woven throughout the pages of the GDPR:
The second core of the GDPR for ecommerce and other businesses revolves around the idea of personal data protection.
If a user does consent to your storing and processing their personal data (through personalized marketing or advertising messages, for example) you have the obligation to make sure that that data is adequately protected.
When it comes to exactly what “personal data” is, according to the GDPR the definition is pretty broad: any data that can be used alone or in combination to link to or point to a person.
This includes the visitor’s:
- physical address
- demographic data (age, location, etc.)
- email address
- IP address
If you have any of this kind of data from your shoppers or subscribers, then you need to make sure the data is adequately protected.
Now, because it is a law that has not been enforced yet, there are still some remaining questions. One big question concerns what “adequate data protection” actually means.
According to the GDPR, businesses are supposed to appoint a Data Protection Officer (DPO), who will be responsible for ensuring adequate security for the personal data.
It simply states that DPOs will be required for companies that process large amounts of personal data, so smaller ecommerce stores should be in the clear.
However, it’s still very important that you have someone in your organization who is in charge of data protection.
#3 Deletion, correction, or restriction
The last of the 3 essential areas of the GDPR for ecommerce concerns user requests to have their personal data deleted, corrected or restricted.
The GDPR allows, at its core, for European citizens and residents to have more complete control over how their personal data is used.
For that reason, if an EU subscriber or shopper whose personal data you have asks you to erase or change it in any way, you have to do so within a reasonable amount of time.
We don’t know how long this reasonable amount of time should be, but we can assume that for ecommerce stores, it shouldn’t take more than a week.
Out of all the essential parts of GDPR for ecommerce, this one should be the easiest to adjust to. In fact, you probably should already be doing it.
If a user asks you to change or delete their personal data, it’s best to do it sooner rather than later.
With that, you’ll have nothing to worry about for this part of GDPR.
How Omnisend is helping merchants be GDPR-ready
Omnisend is already working hard on making sure that all ecommerce merchants using our marketing automation platform are fully covered.
We are doing this in 5 important ways.
#1 Easy-to-export customer profiles
Merchants will be able to export the data they have on their customers using Omnisend.
You will be able to export the data in two ways: as a PDF or a JSON file.
The first way, the PDF, is in order to show the customers what personal data you have on them.
This will allow your store to be compliant with the “right to access” aspect of the GDPR for ecommerce, which states that all of your customers or subscribers should be able to acess and view the data you have on them.
The second type, the JSON file, is more technical and has to do with the way other apps or platforms use your subscribers’ personal data.
This has to do with the data portability aspect of the GDPR for ecommerce, which makes it easy for you to carry all personal data and move it comprehensively.
#2 GDPR-ready consent and re-consent
In order to continue sending marketing messages to your subscribers and customers, you need to show that you have consent from those customers to receive these marketing messages.
This “proof of consent” is one of the most important parts of the GDPR for ecommerce, and it’s one that will impact your ecommerce business the most.
Not only will you need to have proof of consent, but you’ll also need to have proof of specific consent.
For example, if you have a subscriber’s email address, you can’t just use it for all your marketing needs.
You’ll need to have separate, distinct, and clear check-boxes for all the ways you intend to use their personal data—whether that’s general newsletter, retargeting, SMS marketing, etc.
Luckily, all Omnisend merchants will be able to get ready for this easily with our re-consent forms.
Omnisend is introducing 3 new ways throughout April to make sure you’ve opted-in your current subscribers:
- a new automation workflow that will allow you to send messages specifically to those subscribers who have not yet opted-in
- a separate popup that will allow you to show a message only to those subscribers for whom you don’t have an opt-in date
- a new element you can add in your newsletter campaigns that will allow you to get opt-ins from your subscribers. Note that this message will be shown to all your subscribers, not just those who didn’t opt-in.
You can now create a segment of your subscribers for whom you don’t have any proof of consent information:
You’ll also notice a new template that you can choose.
This is so that you can more easily create and send out your re-consent emails:
You’ll be able to use the pre-made re-consent forms in different languages as well, so that you can send them out to different EU countries.
Although you can use our pre-written form to communicate with those customers for whom you don’t have proof of consent, we still recommend you edit it to fit your brand.
Soon you’ll also have the option to add more checkboxes to any of our signup forms, so that you can make sure your new subscribers are perfectly clear about what their personal data is going to be used for.
Even better, you don’t have to create separate signup forms to target your visitors.
You can set the GDPR-ready popups and signup forms to only go out to visitors from EU countries. For visitors from non-EU countries, the regular popups and signup forms will show.
That way, you can make sure your ecommerce store is GDPR-ready for both your new and old subscribers.
#3 Easy data anonymization
An important aspect of the GDPR is to make sure that the personal data you have on EU citizens and residents is adequately protected.
For GDPR for ecommerce, Omnisend is getting ready by giving you the option to anonymize your subscribers’ and customers’ personal data.
With ecommerce personal data, there are a lot of data points.
This not only includes the direct personal data (email, phone, physical address, etc.) but also the order ID, product ordered, cookies, IP addresses, etc.
If you enable it, Omnisend will anonymize customers so that by looking at the data itself, you won’t be able to identify the customer or subscriber in any way.
This is in line with a customer’s request for complete anonymity, or for the “right to be forgotten” part of the GDPR.
With this anonymization, your subscribers and customers can be safe knowing that even if there is a problem such as a data breach, their personal information won’t be exposed and that they’ll be protected even in the worst case scenario.
#4 GDPR-ready SMS messaging
Our new SMS marketing feature is set to roll out in the next few days.
While this will allow our merchants to connect with their customers and subscribers more effectively, it still raises a few questions.
There are two kinds of messages you can send with SMS: transactional and bulk.
Think of bulk campaigns as the ones that you normally send: emails (with some customization) that go to a large or small group of subscribers.
Then there are transactional emails, which only go to one person for one specific, transactional purpose, such as order confirmation, shipping confirmation, etc.
Transactional emails have no GDPR restriction, since it is a legitimate, necessary message being sent between a business and a customer.
For bulk campaigns, however, you’ll have to get explicit consent from the subscriber in order to send them SMS messages.
We’ll also include an unsubscribe option for SMS messages, so that subscribers who no longer wish to receive text messages from your brand can easily unsubscribe.
This unique feature will allow your business to be GDPR-compliant, and also means you’ll be able to get in closer contact with those subscribers who really want to hear from you.
The 10-step ecommerce GDPR checklist to help you get prepared for the GDPR for ecommerce
The 10-step ecommerce GDPR checklist
Okay, so now that we know a lot about the essential aspects of the GDPR for ecommerce and businesses in general, how can you make sure you are following the rules, or at least preparing for it?
We’ll go over these steps right now so that you can be GDPR-compliant.
#1 Find out what personal data you’re collecting or storing.
For the purposes of GDPR for ecommerce, you’re probably collecting your users’ payment information (credit card numbers, PayPal ID), their email address, phone number, name, demographic data (age, location, etc.) and others.
Also, make sure users understand whether some data is mandatory.
For example, if they don’t provide an email address, users won’t be able to create an account. Or if they don’t provide payment information, they won’t be able to buy your products.
SEO strategist Alex Juel says you also shouldn’t forget about what data you’re pushing to your Google Analytics:
“My best tip for businesses to get ready for GDPR would be to audit your Google Analytics account for personally identifiable information within URLs and page titles. I’ve seen businesses that send personal information to Google Analytics within URL parameters, such as email addresses and names. For example, something like /firstname.lastname@example.org.
Other types of data that must be removed include user ID’s, location data, transaction ID’s, and IP addresses. Here’s more information from Google on how to avoid sending personal information. Everything other than IP addresses needs to be removed at the code level of the site before it reaches Google Analytics. It can’t be removed with a GA filter. To filter IP addresses, Google has instructions here.”
#2 Make sure you gathered that data fairly.
Basically, you’ll have to ask yourself whether the user consented to your collecting their personal data (probably, because they entered it). But more importantly, whether they consented to be marketed to.
If you had a giveaway and did not explicitly ask if they’d like to receive marketing messages, or even to sign up to your newsletter, you’ll need to get their consent.
That’s why our re-consent popups and signup forms will be so useful and an essential part of making your ecommerce store GDPR-ready.
#3 Make sure you’re keeping data only for as long as necessary.
For GDPR for ecommerce purposes, you’re probably fine. You’re selling to customers. Even if they haven’t bought anything from you in 6 months or a year, there’s still a possibility that you’ll be able to sell t them.
As long as you got the consent in the first place, you’re fine.
#4 Appoint a Data Privacy Officer.
You may not need to hire someone full-time to make sure the personal data you’re processing and storing is protected.
However, you will need to make sure that you have someone who is responsible for that. It can even be you, as long as you keep yourself informed about the data protection levels you’re using.
Natasha Kvitka, who runs the digital marketing strategies for GiftBasketsOverseas, makes sure that their customers have an easily accessible point-of-contact:
“Besides the other ways we’re complying with the new rules (including ensuring that the data will be secured for a limited time), users and authorities have a point of contact via our website to communicate about their data and its security, request data removal or extraction.”
#5 Make sure data protection is at the core of your activities.
If you plan on launching any new campaigns, make sure that you’ve got your users’ personal data protection at the core of your activities.
That means there’s no accidental (or intentional) situation where you’ll reveal your users’ personal information.
#6 Protect your employees.
This one goes specifically if you have employees that are European citizens or residents. If so, you’ll have to make sure that you handle their data carefully, with the same high level of protection that you use for your European customers.
If you don’t have European employees, then you can skip this part.
#7 Make sure it’s easy to delete or modify user personal data.
When a user comes to you with a request to have their information deleted or modified in any way, make sure you know how to do it in a timely manner.
This means you’ll have to find the data, edit or delete it, and confirm it’s been edited or deleted in your entire system.
#8 If there’s a data breach, make sure you can inform all your users quickly.
According to the GDPR rules, businesses have 72 hours to inform their affected user or users that their data was breached.
At this point, it is already quite a tough situation, as you’ll be liable to be fined up to 4% of your previous year’s global turnover or €20 million.
But without informing the affected users in a timely fashion, you’ll make the situation even worse and be liable for more damages.
It should be accessible by anyone, and clear about how you plan to use your users’ personal data and in for what reasons.
“The privacy notice should include where appropriate the contact details for its data protection officer, how a user can request access, delete or change their personal information. If you use online advertising pixels, you need to include the vendor’s required language. You should also make sure you have cookie consent banners and only fire a pixel and drop a cookie after the user has expressed consent. This is just a sample of the requirements.”
Termly also has a free policy generator you can use.
#10 Make sure third-party apps or vendors are GDPR-compliant.
You’re probably using third-party platforms and apps to help you run your ecommerce store. In that case, make sure that they’re GDPR-compliant. This includes Shopify, Bigcommerce, and whatever other subscription-based ecommerce platforms you’re rusing.
But it also includes any other apps that will be processing your users’ personal data.
The GDPR may seem scary, but it really isn’t that bad, at least when we’re talking about GDPR for ecommerce stores.
The main reason for this is that ecommerce stores commonly have lots of third-party apps storing or processing EU citizens’ and residents’ personal data.
If those third-party apps and platforms are reliable, then they’ll already be GDPR-ready.
However, that doesn’t mean that you have no responsibility or accountability in this at all.
It is important to remember that you have to be able to take care of the following for the GDPR for ecommerce:
- get consent for all marketing activities. Make it clear why you’re collecting information
- adequately protect your subscribers’ and shoppers’ personal data
- respond quickly to requests to delete, modify or restrict your subscribers’ and shoppers’ personal data
- follow the steps outlined in the checklist above
With these aspects covered, there’ll be no reason for you to be concerned about the GDPR.
In fact, you’ll see it for what it really is: a way for you to find and connect with subscribers and customers who really want to hear from you, making it easier for you to build strong, long-lasting relationships.
P.S. If you enjoyed reading this post, you can share it easily here.