GDPR for Ecommerce FAQ (Frequently Asked Questions)


Today we’ll look at the 7 most common FAQs concerning the GDPR for ecommerce.

By looking at the most important information concerning the GDPR, you can be sure your store is GDPR-ready. So let’s dive into the top 7 ecommerce GDPR FAQs.

Perhaps the biggest FAQ (and point of confusion) for ecommerce marketers is about the first of 3 foundations of the GDPR, which is consent. (The other two are data protection and speedy response to requests from “data subjects” such as customers, subscribers, etc.)

The GDPR seems to state that you need to have specific consent for all data subjects that have signed up to receive marketing messages from you.

Therefore, marketers naturally assume that you need to have clear, explicit consent on your newsletter signup forms.

However, that’s not necessary at all.

In fact, nowhere in the GDPR’s text does it say you require this. The GDPR is pretty clear about consent:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – GDPR, Article 4(11)

While it’s not as heavy on the legalese as these kinds of regulations can usually be, in plain English it simply means:

Data subjects’ consent must be clear, informed, specific and unambiguous, by performing an affirmative action.

What this means is that you’ll no longer be able to use pre-filled checkboxes, because that would not be an ‘affirmative’ action.

But more generally, it means that if the data subject clearly understands what he/she is signing up for, then that would fall under ‘consent.’

That’s why you don’t need a separate checkbox for your newsletters, seeing as when you sign up for a newsletter, you are already aware that it includes getting promotional or educational messages regularly.

That’s the entire point of the newsletter—for a business to send regular emails to the recipient. By signing up for the newsletter, data subjects are consenting.

Plain and simple.

If you want to make it more obvious, include in your newsletter signup form that you’ll be sending regular messages. This can be something like:

“Sign up now to get regular emails about [your brand]’s exciting new products and amazing offers.”

You can make it more appealing (by offering free shipping or a discount) but this will be enough to make it GDPR-compliant.

#2 Can I send promotional emails to customers?

It depends.

Did your customers (data subjects) agree to receive promotional emails from you?

If they didn’t, then you can’t send them promotional emails.

We’ll classify promotional emails as emails that are not necessary for the process of buying your products. These include emails about new products, discounts, and free shipping, as well as cart abandonment or emails asking for feedback.

Necessary (transactional) emails would only include order confirmation (receipts), shipping/cancellation confirmation, any order status updates, refunds, etc.

When talking about your ability to send promotional emails, this concerns the consent mentioned above.

In order to receive promotional emails from your brand, your customers will have to have opted in. This means either they signed up separately via one of your newsletter signup forms, or they actively checked “Subscribe to our newsletter” in the process of buying from you.

If they didn’t, then you don’t really have proof that the data subject gave “clear affirmative action” to get promotional messages from you.

You therefore cannot (according to the GDPR) send them any promotional messages.


The GDPR only affects businesses dealing with EU citizens/residents, so you should only be sending the re-consent emails to them.

You can narrow it down even further, by checking which of your EU data subjects you have proof of consent for.

With Omnisend, this is pretty easy to do by creating a segment, which will allow you to send them a quick, pre-filled re-consent email.

But remember: you can only send re-consent emails up to May 24. On May 25, when the GDPR goes into effect, re-consent emails will count as promotional emails, and because you didn’t have consent to send that email (or why else would you be sending it?), you will be non-compliant and can face heavy fines.

However, if you aren’t sure whether you have this proof of consent (or don’t even know how to find out), then you’ll have to send re-consent emails to any data subjects you wish to continue sending promotional emails to.

It’s also important to note that if you don’t plan on sending promotional emails to those who didn’t provide proof of consent, then you don’t need to send a re-consent email (seeing as you won’t send them emails anyways).

Practically, this means that if you’re not sending promotional emails to customers who didn’t sign up for your newsletter, then there’s no need to send re-consent emails.

Don’t fill up your customers’ inboxes with unnecessary emails.

#4 Can I retarget visitors without their consent?


No consent, no promotional messages. That includes retargeting ads. If the user does not agree to the cookies policy or refuses in any obvious way, then you cannot track that user.

That means no cookies, and no pixels.

However, you can possibly remedy this by using what’s known as the soft opt-in cookie policy, which looks like this:

An example of a soft opt-in cookie notification

While this seems to accomplish the task, it is still unclear at this moment whether it is fully compliant, since consent is something that should be active.

That’s why, for Omnisend, we’re asking visitors to perform an affirmative action by clicking on the button that says “Accept Cookies.”

Omnisend's opt-in for cookies requires an affirmative action

#5 Can I still send abandoned cart emails?

Abandoned cart emails count as promotional (unnecessary, or non-transactional) emails.

If you don’t have clear consent from the data subjects (subscribers, existing customers, etc.) agreeing to receive promotional emails from you, then no, you cannot send abandoned cart emails.

If you have consent from your data subjects, then yes, you can send abandoned cart emails.

One way to do this is to add an unticked check box underneath the signup form when they first create their accounts with copy similar to:

“Yes, please subscribe me to the [brand] newsletter to receive regular updates on new products, offers, and other promotions.”

#6 Do I really need to have a Data Protection Officer (DPO)?

Probably not, but it all depends.

According to the GDPR, Data Protection Officers (DPOs) are required if the company’s
“core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale”

For regular ecommerce stores, you’re probably not ‘systematically monitoring’ data subjects ‘on a large scale.’

(What does ‘large scale’ mean anyways? How large is large?)

This means that, for private companies such as yours, you’ll probably need a DPO if you meet either of these two conditions:

  • the core part of your business involves processing personal data
  • the core part of your business involves processing sensitive information (such as race, ethnic origin, political or religious views, etc.) or information regarding criminal records

Ecommerce stores don’t generally have the processing of personal data as their core business activity (such as Facebook or a human resources service provider), but processing personal data definitely is an important part of your business (emails, IP addresses, location, phone number, names, etc.).

Therefore, while you probably don’t need a DPO, it’s best to just appoint one.

This person can be you or anyone else who will be responsible for ensuring that data subjects’ personal data is protected and for determining how to become compliant.

#7 What’s the difference between a data controller and data processor?

You, the ecommerce marketer or owner, are the data controller. You determine why you’re collecting personal data, and how you’re doing so.

You should communicate to visitors why you’re collecting their personal data in your Privacy Policy and Cookie Policy.

The way you collect their personal data can be via cookies consent, advertising pixels, tracking codes, signup forms, and many other means.

The data processor is any company or person that processes the personal data you collected on your behalf.

This can be Facebook (via retargeting ads, etc.), Omnisend (via marketing automation to your subscribers), and many other 3rd party apps.

Data controllers and data processors have different responsibilities under the GDPR.

You, the data controller, are the point of contact whenever a data subject wishes to modify, delete or restrict the data you have for them. You then follow through with the data processor to make sure this happens.

Data processors must ensure that personal data is processed with adequate data protection (such as encryption and pseudonymization) and with the full knowledge and permission of the data controller (you).

Any failures on the part of either party can result in fines for the data controller or data processor of 2% of global yearly turnover or €10 million (about $12 million) for non-compliance, or 4% of global yearly turnover or €20 million (about $24 million) for a data breach, whichever is higher.

Article by Bernard Meyer

Bernard is the Sr. Director of Communications & Creative at Omnisend, with a passion for good research, helping ecommerce businesses with their marketing automation needs, and beating absolutely everyone in Mario Kart 64.