GDPR and your Pressero Storefronts

On May 25, 2018 the General Data Protection Regulation (GDPR) went into effect. This is a European Union (EU) law designed to give EU citizens control over their personal data and to change the way businesses handle their personal data. You may be wondering if this law applies to your business. It does if your website or storefront has visitors from any of the European Union countries. So if this does apply to you, then you need to educate yourself so that your business is compliant with the law and avoids the potential for some heavy fines.

What this document will do is to cover what changes Pressero has made to help you with those compliance concerns as they pertain to your websites. What it will not do is replace legal advice about GDPR that you should be seeking out to make sure your business is compliant.

Use of Personal Data

You must clearly explain how you plan to use your customers' personal data. To do this, you should update your current terms and conditions document, or create one that includes a privacy policy. The Privacy Policy needs to be accessible to your customers via a URL, and you need to ensure they have read and agreed to the terms outlined in order for them to do business with you. The consent you obtain must be freely given, specific, informed, and unambiguous. You should not “bundle” the request for consent with more than one request.

How does Pressero help you become compliant with GDPR?

We now have a Site Setting that allows you to enable Explicit Consent for a specific website in your account. When you enable Explicit Consent you will be prompted for the URL of your privacy policy and presented with two text areas that you can use to customize the messages seen by your customer in the Create Account Form and their Storefront Profile (see image below).

 Select the checkbox for “Enable Explicit Consent” in your Site Settings, General Information tab to add Explicit Consent to your website and activate the additional fields needed.  

By enabling Explicit Consent in the site, two new items will be added to the Create Account Form.

  1. A prompt to agree to the terms of your Privacy Policy which by default says “I have read and accept the Privacy Policy.” You will see in the settings area a place to customize this prompt if you would prefer it to say something else. The text will be a link to your Privacy Policy URL and the customer will be required to check the box agreeing with your policy in order to sign up for an account on the site.
  2. A prompt for Consent to Contact that by default says “I would like to be contacted about offers and product information.” This prompt can also be customized in the admin > site settings area. This is not a required field, but if your customer does not check this box, you should assume they did not give you permission to send them marketing information.

For both of these areas, if you choose to customize the message be sure to not “bundle” more than one specific request with another. The question you are asking your customer to agree to needs to be specific and clear to the one topic.

 In this image, you can see the two new areas added to the Create Account Form. 

When one or both of these prompts is responded to, we will note in the customer's admin account the date/time they agreed to the terms, along with their IP address. Each of these prompt responses will have its own date/time/IP stamp (see image below).

In the first image above you can see two new fields added to the User Account in Admin for the agreement to your Privacy Policy. In the second image you can see two new fields added to the User Account in Admin for the permission to contact them with marketing information.

When existing users log in to the website for the first time after you have enabled Explicit Consent, they will be directed to their Profile Page so they can agree to the Privacy Policy and, if they choose, give you consent to contact them for marketing purposes. While your customer can browse your website and add items to their cart, they cannot check out without agreeing to the Privacy Policy. As mentioned earlier, the consent to contact is optional.

When existing customers log into the website for the first time after enabling Explicit Consent, they will be required to agree to your privacy policy, as seen in the image above. As in the Create Account Form, existing users will have the same two prompts added to their website Profile Page. Acceptance of the privacy policy is required, whereas the option to be contacted about marketing information is not.

If in the future you update your privacy policy and you need all of your customers to read the new information and give their consent again, you can select the button in the site settings to clear all previous agreements. Once this is done, all of your customers will be directed to their profile after logging in to their account, where they will be prompted to review and agree to the new policy (see below).

You can clear all site users' acceptance of your privacy policy by selecting the button “Clear Privacy Acceptance for All Users” in Site Settings > General Info. Select this option with caution. It should only be used when you want all your current customers to be prompted to review and accept a new or updated Privacy Policy you have made available.

Explicit Consent available for B2B, B2C and Information Sites

In most situations, you will only enable Explicit Consent in your B2C and Informational Sites. That is because you will typically have a prior agreement with your B2B customers that covers the privacy policies and what they consent to ahead of time. We made the changes to all three types of sites because we know there are situations where B2B sites are used for customers with whom no prior agreement has been discussed and consented to.

Right to be Forgotten

Your customers have the right to “be forgotten.” You may hear from your customers that they would like to have their personal information removed from the website. GDPR allows them this right, but only when the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. In an online store you will probably feel the existing structure of your data is important and that certain information is still needed for financial history and reporting purposes. In this case, you should anonymize the identifying information in the user account (last name, email, address, tax ID numbers, etc.) by first removing any information that is not required by Pressero so that you can save the changes, and then, for the required fields, consider adding to or replacing the data with a passphrase or hash. When you are done, delete the user account. Basically, you want to be sure that whatever method you choose, there is no way to recover that user's record or to re-identify them.
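The two-step procedure above (drop what is optional, replace what is required, then check nothing identifying survives) as an added example that is not part of Pressero or this article. The field names and the required-field set are constructed assumptions; the actual required fields are whatever your storefront will not let you save without. It uses random placeholders rather than a hash of the old value, because an unkeyed hash of an email or tax ID can be reversed by hashing candidate values and would leave the record re-identifiable.

```python
import secrets

# Constructed field lists for this example (assumption, not Pressero's schema).
IDENTIFYING_FIELDS = {"first_name", "last_name", "email", "address", "tax_id"}
REQUIRED_FIELDS = {"last_name", "email"}

# Constructed sample account record.
SAMPLE_USER = {
    "user_id": 42,
    "first_name": "Ann",
    "last_name": "Example",
    "email": "ann@example.com",
    "address": "1 Test Street",
    "tax_id": "TX-123",
    "lifetime_orders": 3,
}


def placeholder_for(field: str) -> str:
    """Random, unguessable replacement that still passes the basic format
    check a required field may have (an email field usually needs an '@').
    Randomness, not a hash of the old value, is what makes this irreversible."""
    token = secrets.token_hex(8)
    if field == "email":
        return f"erased-{token}@example.invalid"  # .invalid is a reserved TLD
    return f"erased-{token}"


def anonymize_user_record(record: dict) -> dict:
    """Copy of the account prepared for deletion: optional identifying fields
    are dropped, required identifying fields get random placeholders, and
    non-identifying fields (order counts, dates) are kept for reporting."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFYING_FIELDS and field not in REQUIRED_FIELDS:
            continue                                # step 1: remove the optional
        if field in REQUIRED_FIELDS:
            out[field] = placeholder_for(field)     # step 2: replace the required
        else:
            out[field] = value
    return out


def leaks_original_data(original: dict, anonymized: dict) -> bool:
    """True if any original identifying value still appears in the anonymized
    record; run this before deleting the account."""
    originals = {str(original[f]).lower() for f in IDENTIFYING_FIELDS if f in original}
    return any(str(v).lower() in originals for v in anonymized.values())
```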

Right to Access

Your customers have the right of access, which means you are required to provide them with a copy of the personal data you hold about them upon request. In addition to most of their information already being available to them when they log in to the website and view their Profile and Order History, there are two main areas you will find useful to fulfill this request. The first is a User Export, which should contain all the information in their User Profile, including the new fields added for Explicit Consent (the date/time the privacy policy and the consent to contact were agreed to). Once downloaded, you can remove all other users' information and send them a saved PDF. The other is to create a report in the Report Writer filtered to that one customer to collect all of their order history.

Important Pressero Features to Consider:

If you enable Explicit Consent on your website, you might not be able to use some of the features available to you:

  • Shared Users (B2B) - because each user should give their own consent and have access to their own profile information.
  • Guest Checkout (B2C) - because a guest user wants to order, but not to create an account with you. The way Pressero handles guest users is to create an account for them in the background and send them a password to use the next time they want to order. The customer is not giving you explicit consent to create this account.
  • Impersonation - either for admin users, or for site users (B2B) with permission to impersonate other site users, unless explicit consent has been received.
  • Create New Users - Pressero allows admin users to create new accounts either manually through admin, or via Excel import. You should not create new accounts for your users without explicit consent to do so. This is also true for B2B sites where you have the option of giving permission to a site user to create and manage user accounts.

Questions and Answers:

Question: Where can I learn more about GDPR?
Answer: Here is a link to the government website: https://www.gdpreu.org/ that has all the legal details. If you do an online search you will find a lot of helpful information and examples of how others have handled these new regulations. It is highly suggested that all organizations and companies that work with personal data appoint a data protection officer or data controller who is in charge of GDPR compliance.

Question: I do not want to enable Explicit Consent, but how can I keep customers from other countries from creating an account on my website?
Answer: Limiting the countries shown in the Country dropdown selector when a visitor is creating a new account, adding or editing an address on the site, or using a shipping estimator on the product page can be done by adding some code to the head section of your site. Select here for full details on how to do this.

Question: With new European Union data-protection regulations under GDPR, it is now required to add a notice to the site, informing visitors that the site uses cookies. How can I do this with a Pressero site?
Answer: A script that adds this notice can be generated from various third-party sites and added to the head content section of your site. Select here for full details on how to do this.