Ecommerce store owners are busy enough as it is. SEO, social, design. You don’t need another to-do.

So we’ll apologize right away for adding one. It’s just that, well, GDPR compliance is too important to ignore.

It’s been over a year since GDPR was implemented, and there are certainly lessons still to be learned and steps to take to beef up your GDPR compliance.

This post will look at what GDPR says, what GDPR compliance means for you, what it takes to be compliant, and how you can use it to your advantage.

Start selling online now with Shopify

Start your free trial

What is GDPR?

GDPR is short for General Data Protection Regulation. Adopted in April 2016, GDPR creates rules for how all European residents’ data must be managed. GDPR took effect in May 2018 and impacts the handling of data pertaining to everything from medical history to financial records to internet activity.

In the process, GDPR will reshape what it means to do ecommerce in Europe, influencing how you engage with your customers, the tools you use, and how you use them.

→ Click Here to Launch Your Online Business with Shopify

GDPR is not a tech document. At all. In fact, ecommerce is only discussed once. And that’s in a footnote. And they call it “electronic commerce.” GDPR is less of a digital playbook than a statement on fundamental rights: “The processing of personal data should be designed to serve mankind.”

But there is still plenty for shop owners to be aware of. So let’s get familiar with GDPR.

Why GDPR Is Important

GDPR implementation stems from the increasing amount of data that’s being collected, transferred, managed, and used in this day and age. The EU already had its Data Protection Directive in place, but the directive was enacted back in 1995 and is, today, outdated and not entirely applicable to the digital age.

As a result, the GDPR was implemented as a replacement to continue the proper safeguard of the data of European Union citizens. Under GDPR, organizations are obliged to abide by responsible data collection and usage in order to protect users’ rights and privacy.

By placing this responsibility on organizations, the GDPR is effectively giving EU individuals more rights to understand how and why their personal information is being collected and processed. It also gives them the right to decide how they want this information to be used.

If you were running an ecommerce business when the GDPR came into effect, you’ve probably done your fair bit of complying. But if you’re just starting out as a budding ecommerce entrepreneur and are still wrapping your head around GDPR, we forgive you for feeling overwhelmed.

We’re not gonna sugarcoat it – being GDPR-compliant is a lot of work. But it’s also extremely important and certainly not something you can just sweep under the rug and hope it’ll go away. 

According to the European Commission, in the first year since the GDPR’s implementation, there were approximately 145,000 cases of queries and complaints and nearly 90,000 notification of data breaches.

Failure to abide by GDPR can result in pretty hefty fines and penalties – up to 4 percent of a company’s annual turnover! Case in point: just recently, a Polish retailer was hit with the biggest GDPR fine yet of €650,000. 

In the following sections, we’ll take a look at how GDPR affects you and how to be compliant. 

Who Does GDPR Apply To?

European Union flags flying in Brussels

Regardless of where you are based, GDPR applies to all companies that offer products or services to consumers in Europe.

“It doesn’t matter if the company is in Europe, outside of Europe, or on some island,” Dr. Christoph Bauer, CEO of ePrivacy, told us. “If the services are offered to European customers, they need to follow the law.”

So if your ecommerce shop is available in Europe, you probably have to comply with GDPR. 

Just remember: GDPR compliance isn’t simply for European companies selling products to European customers. It covers any interaction with customers in Europe, period.

Of course, GDPR applies to more than just shop owners. GDPR compliance also applies to your favorite tools. Google, Facebook, and Shopify, to name a few, must also comply with GDPR. Later on, we’ll look at how those tools and platforms are tackling GDPR compliance.

What Does GDPR Compliance Mean?

Before we get into how to comply with GDPR, we first have to understand what compliance actually entails.

To ease you in, we’re not going to get too technical just yet so here’s a simple way of grasping GDPR compliance.

Browse around your website and imagine yourself as a user of your own ecommerce website. Whenever your data is being asked for – be it your name, email, phone number, etc. – ask yourself these four questions:

  1. Do I know what data they’re collecting and what they’re using this data for?
  2. Do they need this information for the actions I’m carrying out on their website? 
  3. Can I request for my data to be modified or deleted at any time?
  4. Am I informed of my rights as a user?

If the answer to any of the questions is no, then you’re probably not quite GDPR compliant yet. If there’s a yes to any or all of the questions, congratulations, you’re on the right track! Either way, the next few sections will help to spruce up your knowledge and resulting efforts to get you and your business GDPR-compliant.

What’s up With GDPR for Small Businesses?

Small business owner analyzing GDPR compliance

GDPR affects companies of all sizes. From one employee to 10,000 employees, if a company handles data about Europeans, then GDPR applies.

Most ecommerce stores are much closer to one employee than 10,000, so it’s important to understand how GDPR distinguishes between big companies and small ones.

Ecommerce stores owners should know that GDPR doesn’t treat them the same way it treats huge businesses. For example, certain record-keeping requirements in GDPR apply only to companies with more than 250 employees.

When you read advice like, “It is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organization,” you can relax. If you’re an online store owner, then the “key people” and the “organization” are probably you. If that’s the case, GDPR is a bit simpler.

But! There are still plenty of GDPR requirements that apply to everyone, no matter what. Let’s dive in.

What Should Store Owners Do for GDPR Compliance?

GDPR is 88 pages and more than 50,000 words long, and the writing is as interesting as a long line at the post office. If you don’t want to read GDPR, you are forgiven.

But the rules laid out are applicable to all stores selling to consumers in Europe, and Europe accounts for about 25% of global GDP. So even if you can’t be bothered to read GDPR, there are some things to keep in mind about GDPR compliance.

What Are the GDPR Requirements?

Every governing body or text sets forth principles and commandments that serve as a basis for the regulations it puts forth.

The GDPR is certainly no exception to this – it has seven principles to guide its implementation, regulation, and punishment. This next section will get a teensy (just a little, we promise) bit more technical as we take a look at the GDPR’s seven principles straight from the GDPR bible.

Bear with us!

The Seven Principles of the GDPR

1. Lawfulness, fairness and transparency

This states that whatever data you are collecting from your users must abide by GDPR requirements. Fairness and transparency refer to data usage and visibility of this usage. In other words, what you claim to collect their data for must correspond with your actions. Users must also have visibility over these actions.

2. Purpose limitation

The processing of data must be “specified, explicit and legitimate,” and that means usage of data collected beyond its specified purpose is considered infringement. To put it simply, if the user consents to giving you his/her email to receive newsletters, this information should not be used any other way, including for “statistical purposes.” 

3. Data minimization

Under the data minimization principle, data collected must be kept to a minimum and only what’s necessary. More specifically, it must be “in relation to the purposes for which they are processed.” If you’re asking for more data than actually needed for its purpose, you’ll probably be considered to be in violation.

4. Accuracy

“Accuracy” here means exactly what it sounds – having only updated information and making the effort to ensure they are up-to-date. That means you should be reviewing and cleaning out your data on a regular basis. Data deemed to be “inaccurate” must be removed immediately – or if you prefer to hear it from the horse’s mouth, “erased or rectified without delay.”

5. Storage limitation

This fifth GDPR principle is pretty long and jargon-filled, so let us simplify it for you – delete whatever data you no longer need unless you have genuine and legal reasons for storing it. If you decide to store data, you need to determine how long it will be stored for and its purpose (the GDPR does not explicitly state how long personal data should be kept for).

6. Integrity and confidentiality (security)

“Integrity and confidentiality” sets out to protect the data collected. Under this principle, you must have the proper and adequate “technical or organizational” security measures in place to prevent data theft and loss – be it internal or external. So definitely nothing like the Facebook-Cambridge Analytica scandal or anything even minimally close!

7. Accountability

The final GDPR principle is the EU government’s way of ensuring you are GDPR-compliant. It states that you must be able to demonstrate the steps taken to be compliant. That means having clear records of what was done when, whether you’ve hired a data protection specialist, whether you’re reviewing your data on a regular basis, and in general, whether and how you’re abiding by GDPR.

GDPR Best Practices

We know. The GDPR’s seven principles can be quite a mouthful. 

It may seem like a whole lot of unmotivating technical and legal jargon (and it is) that makes you want to do anything but abide by it. But fret not, we’re here to break it down to you in simple terms.

In this next section, we’ll go into GDPR’s best practices and share with you some examples to get you on your way to becoming a GDPR-abiding ecommerce owner and fully compliant.

How Do You Get GDPR Compliance?

Consent is king.

GDPR empowers Europeans to control exactly how their data is used. As a result, being GDPR compliant means you can’t assume what your users want.

For example, GDPR says, “Silence, pre-ticked boxes or inactivity should not constitute consent.” That means you should avoid stuff like this:

Pre-filled checkbox that violates GDPR

 

Econsultancy has a good post on what GDPR-compliant UX looks like when it comes to consent.

Only collect data that you need.

The heart of GDPR compliance is protecting people’s data. You can limit your exposure by not collecting data that you don’t need.

If there is no business value in knowing, say, what company your shopper works for, then GDPR gives you an incentive to not even ask.

If you use Shopify, you can adapt the questions you ask your visitors in the “Checkout” settings:

Checkout settings in the Shopify backend

If you’re not going to use the information, then don’t ask for it. And if you are going to use it, be really clear about what you’ll use it for.

For example, sometimes you’ll see checkout pages that ask for a shopper’s phone number. Store owners need to ask themselves, “What am I going to use this person’s phone number for?”

There are definitely legitimate reasons to ask for a phone number. Could be for SMS campaigns, or as a safeguard against fraudulent orders. Shopify’s fraud detection mechanism flags orders if the shipping address and IP address are in different locations, and then uses the phone number to protect consumers and get confirmation. That is totally fine as far as GDPR compliance goes. Just make sure that you explain this stuff in the terms and conditions and privacy policy.

Make everything really clear.

Regulators in charge of GDPR compliance love transparency. You could put an “unsubscribe” link on your website next to “subscribe.” You could link directly to your terms and conditions from your footer. And your privacy policy.

Putting all of this stuff out in the open is one of the simplest ways to protect yourself from concerns about GDPR compliance. And if you have certified or verified processes, tell the world! This is how fashion giant Zalando does it:

Verified services notification

Don’t do sneaky stuff.

For companies under 250 employees, so much of GDPR boils down to simply not being sneaky. If you are honest and transparent and implementing best practices, you won’t face the massive fines that come with GDPR.

In a blog post about GDPR, tech security provider Sophos put it this way:

Daunting as it all may seem, small businesses can take comfort in this: as long as they can demonstrate that they’ve put their best foot forward to meet the requirements of GDPR, regulators will work with them on any problems that might arise.

Which means…

Keep selling in Europe!

Euro notes after ecommerce transactions

The European Union is not trying to shut down online stores. In fact, between the “Digital Single Market” and tens of billions pumped into broadband networks, the EU has been kind of obsessed with creating a more robust digital economy.

Plus regulators understand that some data storage is vital to keep the digital economy running. 

So, even if GDPR seems a bit old school, it’s not part of a coordinated effort to sink ecommerce. Which means you can sell in Europe all you want!

GDPR Compliance Checklist

In short, here’s a GDPR checklist of what you must abide by in order to be compliant.

  • Make sure to get clear consent. That means neither pre-ticked boxes nor assumptions.
  • Collect only the necessary. The rule is, if you don’t need it, don’t ask for it.
  • Be open about your GDPR compliance. Opt-out options, terms and conditions, privacy statements must be clear and visible. If you’ve got certified trust marks, show them off.
  • Be transparent and honest. Full GDPR compliance may not be a walk in the park, if you’re straight with your methods, regulators may close one eye on any soft violations and even help you with it.

Do note that this GDPR checklist only serves as a guide. Each organization will have its own specific GDPR requirements to fulfill and policy to state.

How to Write a Successful GDPR Compliant Privacy Policy

You’ll have noticed by now that the term ‘privacy policy’ keeps coming up. That’s because it’s one of the key GDPR requirements and components.

Whether you’re using a privacy policy generator or doing one from scratch, your privacy policy should clearly list and clarify how you collect and process the data you receive, and the measures you have in place to prevent violation of your data protection principles.

So for starters, your privacy policy must

  • be easily accessible from every single page of your website; 
  • be visible and not obscured by with coloring or positioning; and
  • use a commonly used term such as ‘Privacy Policy’ or ‘Privacy’ or ‘Data Protection Notice’.

For example, here’s how Shopify has its privacy policy in its footer.

In the privacy policy itself, “clear and plain” language must be used. That means avoiding language like (taken from the EU’s official transparency guidelines):

“We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them);  

“We may use your personal data for research purposes (as it is unclear what kind of “research” this refers to); and  

“We may use your personal data to offer personalised services” (as it is unclear what the “personalisation” entails).

These are all vague and insufficiently concise for users to understand just how their data is being used.

Here’s a good example put forth by the EU that’s applicable to ecommerce businesses:

“We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in.”

Clear and simple language aside, for your privacy policy to comply with GDPR requirements, it must also be comprehensive. Here’s what you need to include:

  • Your company’s full contact details. That includes, at the very least, your name, address, phone number, and email.
  • What data you’re collecting and how you’re processing this data. Again, and we cannot emphasize this enough – clear language must be used.
  • How long the data will be stored for. If you cannot provide a specific time period, simply list the criteria you use to determine this said period.
  • If the data will be used, in any way, to a third-country (outside of the EU). If you’re not based in the EU, you’ll likely be transferring data in one way or another.
  • If the data you collected will be shared. This may, for example, be with third-party providers/suppliers.
  • User’s right to their personal information. You have to explicitly state the rights of the users to access, modify, erase, their data, and everything in between.
  • User’s right to withdraw consent. According to GDPR guidelines, “it shall be as easy to withdraw as to give consent.”

Are There Benefits to GDPR Compliance for Ecommerce Shops?

Big time. GDPR isn’t just rules and headaches. It’s a huge opportunity: European customers will like you more if you are GDPR compliant.

No doubt, data privacy is a big deal in Europe. And you can see topics related to GDPR compliance pop up all over the web. In fact, European companies from every sector use data protection and data privacy as a selling point, and store owners can do the same.

Here, for example, is the homepage of the German supermarket chain Edeka. When you arrive, you get a heads up that they use cookies, as well as a link to its “Privacy Policy” page (“Datenschutzhinweisen”).

This data privacy stuff is way bigger than the Edeka logo. It’s front and center and huge:

Interested customers can also find a massive cookies section in the imprint, as well as yet another link to the data privacy section. Topics surrounding GDPR compliance are planted all over the website.

And this isn’t a financial institution or government body. It’s a supermarket.

This isn’t just a German thing. The French entertainment website tf1.fr has a floating banner about cookies — right below its dedicated “privacy policy” and “cookies” sections:

French website links to information on cookies and data privacy

The Dutch might take the cake. Or take the cookie, as it were. Just look at this massive cookie notice that every visitor sees upon arrival at the popular site Marktplaats:

Cookie banner from Dutch website Marktplaats

Meanwhile, top Dutch news site Telegraaf has no fewer than three data privacy-related sections in its footer:

Privacy information from website De Telegraaf

Simply put, data privacy and data protection are huge topics in Europe. Sure, some countries require websites to give details about cookies and data protection. But these websites don’t just give details. They show it off. It’s marketing!

European consumers want to feel comfortable about GDPR compliance issues before making a purchase or engaging with a brand. That’s why websites ranging from supermarkets to news outlets make such a big deal about GDPR-related topics like cookies and data privacy.

You can leverage these attitudes to grow your ecommerce business. Let people know that you are GDPR compliant. Make GDPR compliance part of your Terms and Conditions page. Put it in the footer of your emails. Every little advantage helps.

If you’re GDPR compliant and your competitor isn’t — or even if both of you are GDPR compliant but you’re the only one who brags about it — then that might be a big selling point in the European market.

What About GDPR and Marketing?

Let’s say you do everything in your power to be GDPR compliant. You remove those pre-ticked boxes, you only collect vital data, your policies are clearly explained. Awesome.

There’s still the issue of your tools: Are they GDPR compliant?

After all, store owners typically use a handful of platforms and solutions to optimize their marketing, analytics, social, email, and so on. What’s more, most of those ecommerce tools are based outside of Europe — Google Analytics, Google AdWords, Facebook, email service, and a whole lot more. 

Can a store owner be GDPR compliant and still use these tools? Let’s take a look.

What About Google and GDPR?

Google and GDPR compliance

Chances are that you interact with Google’s suite of products on a daily basis. As the world’s most used analytics solution, Google Analytics is probably already a tool you’re using  for your ecommerce business. Plus, Google AdWords is No. 1 in search marketing and you might even run your email with Google.

Store owners know Google. Does Google know GDPR?

Absolutely. In fact, Google has gone out of its way to reassure ecommerce store

owners that it will be completely GDPR compliant by May 2018. As Google puts it:

We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR)…. We are committed to complying with the new legislation and will collaborate with partners throughout this process.

Google AdWords updated its terms and conditions in August 2017, unveiling data protection measures “related to the EU General Data Protection Regulation.”

Google also announced recently that it would stop scanning emails to deliver personalized ads and services. PageFair, a British group specializing in digital advertising, speculates that GDPR compliance “may be the real reason, or at least a contributing reason, why Google announced that it will stop mining people’s emails for ads.”

At Google’s dedicated URL for GDPR compliance — google.com/cloud/security/gdpr — you can find what amounts to a promise from Google about GDPR compliance and Google Cloud:

You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years.

In short, Google plans to be ready.

What About Shopify and GDPR?

If your shop runs on Shopify, don’t worry. Shopify is a thoroughly global company. Its founder and CEO is from Germany; the company is based in Canada; they are currently hiring in San Francisco and Ireland; their users are scattered around the globe.

Shopify now even has a section in its user manual specifically tackling GDPR topics:

Shopify's GDPR compliance section in user manual

Shopify has dealt with international regulations since its inception, which is why the company can say, “Shopify expects to be GDPR compliant when it takes effect on May 25, 2018.”

What About Facebook and GDPR Compliance?

Facebook has definitely had its legal issues in Europe. The company was fined €110 million in May 2017 for linking user accounts and user data between Facebook and Facebook-owned messaging app WhatsApp. That is exactly the type of data privacy issue that GDPR addresses.

But even if Facebook has a history with European regulators, they know GDPR compliance is a requirement. And they want every shop owner who uses their marketing tools — Facebook Custom Audiences, Facebook Connect, Facebook Beacon, and so on — to keep on using them.

In August 2017, a Facebook spokesperson told The Financial Times,

We have now assembled the largest cross-functional team in the history of the Facebook family of companies. Dozens of people at Facebook Ireland are working full time on this [GDPR] effort.

The article goes on to say that Facebook Ireland’s data protection team will swell 250 percent this year to support efforts surrounding GDPR compliance.

Start selling online now with Shopify

Start your free trial

Conclusions on GDPR Compliance for Store Owners

So what does all that mean for GDPR and your online store? Here is the tl;dr version:

  • GDPR affects businesses that interact with consumers in Europe — or that might interact with Europeans — no matter where those companies are located.
  • GDPR compliance is a bit simpler for small companies. Which means GDPR compliance is different for your ecommerce business than it is for a massive company.
  • You can help your store with GDPR compliance by making sure your terms and conditions are clear; removing pre-ticked boxes; and generally respecting the privacy of your customers and potential customers.
  • Your ecommerce business can take advantage of GDPR. Data privacy is a huge deal in Europe, so if you take steps toward GDPR compliance, you can let all your European shoppers know about it.
  • The marketing tools and channels that you use in your online store will need to be GDPR compliant by the time GDPR takes effect in May 2018. You need to keep an eye on this, and contact them directly if you have questions. But GDPR is not a secret to anyone.

Resources

There are some great resources available for people wondering how GDPR impacts their online shop or dropshipping business. Here are a few goodies.

ePrivacy’s overview page, which includes a webinar, white paper, “quick check” and more

Econsultancy’s post, GDPR: 10 examples of best practice for obtaining marketing consent

The GDPR section of Microsoft’s “Trust Center”

The General Data Protection Regulation section of the Shopify manual

Boxcryptor’s overview of GDPR apps

And if you’re feeling brave, the actual text of the General Data Protection Regulation

This guide is for informational purposes only. By providing this guide, we are not acting as your lawyer or providing legal advice, and we are not responsible for how you use it.

Want to learn more?