7 Steps to a GDPR Ready eCommerce Website
We summarized the GDPR implications for eCommerce in our blog post, “The GDPR eCommerce Countdown to May 25.” But what should you do if you still aren’t compliant? Here are some GDPR compliance steps (based on conversations we’ve had with our customers) that you should consider in the near-term and long-term.
(Note: Keep in mind that Yottaa is a technology company, not a law firm. So please do not interpret this as legal advice.)
Short Term: Options to Avoid Fines and Assess the Situation
1. Determine the Financial Significance
If you don’t know already, now is the time to measure how much revenue comes from EU traffic to your eCommerce site, especially before you invest the time and resources in auditing your systems and becoming GDPR compliant. Your approach to GDPR could be very different based on the amount of revenue involved.
2. Block EU visitors
If you can’t be assured of compliance from your 3rd parties or internal systems, you should consider blocking EU visitors from accessing your eCommerce site after May 25. This is a drastic step, and will likely lose you some customers. But the alternative is a fine that may exceed your total EU sales today. Many retailers we’ve spoken to are planning to simply block traffic until they are 100% confident in the GDPR compliance of all their data, including information tracked by their 3rd party partners.
3. Audit your current data collection
Anything on your website that captures or uses shopper data needs to be documented and evaluated. This includes both your own systems (eCommerce platform, CRM, etc.) and 3rd party technologies that set cookies and collect shopper data on your website. Start gathering a full inventory of all technologies on your site, and understand how they are using personally identifiable information. Then go to each 3rd party vendor and request a summary of their GDPR compliance status and use of shopper information.
Long Term: Options for Delivering a Richer Site in a GDPR World
4. Data Approval – All or None
Once you are confident in your GDPR compliance, create a landing page that forces shoppers to either approve or decline your request to use their data. Most retailers are making the decision “all or nothing” – either shoppers approve of every way that you collect and use their data, or they decline. If they approve, the shopper will go back to using your complete site. If they decline, they will be blocked. This is the fastest way to begin serving the portion of EU shoppers that aren’t concerned about data privacy.
5. Data Approval – Rich Site or Basic Site
The next evolution is to provide a shopping experience for shoppers who deny permission to use their data. This means building a stripped-down version of your website that does not track or use shopper data. No more personalized content beyond what is necessary to purchase (shipping address, session ID, etc.), which could mean a large number of blank spaces on your page. But at least these shoppers can still shop and buy your products, albeit through a generic experience free of cookies and 3rd party technologies.
6. Customized Site based on Data Selections
Eventually, you want to allow shoppers to opt in and out of specific data collection and 3rd parties. Imagine a shopper going to a landing page and selecting from a list of data permissions that they can accept or decline. Then they are directed to a view of your website that only shows the features and 3rd party technologies (e.g. ratings, reviews, recommendations) that they approved.
The problem with this approach is that once a shopper opts out of a feature, they may not realize the impact until they get to a shopping experience full of blank space. And they won’t remember that it’s because they opted out of the wrong data. They will just think that your site looks terrible. Fortunately, Yottaa can help you motivate shoppers to reverse their decision to opt-out, so they can begin shopping on the best version of your website. Learn more about how Yottaa can enable “in-line permissions” below.
7. Seamless and GDPR Compliant Shopper Experience
The ultimate long-term solution is to stop tracking shopper data altogether, and allow shoppers to browse freely until they want to use technology that gathers their data or adds cookies. This approach allows you to avoid forcing shoppers to a landing page with opt-in selections.
In this scenario, the shopper can easily grant permission for data sharing within the shopping experience as desired. This is preferable to other alternatives because it doesn’t present a cumbersome shopping experience that will drive shoppers away. And it recognizes the fact that shoppers won’t understand the pros and cons of approving the use of their data until they can see how it will improve their experience.
How can Yottaa help?
Retailers that use the Yottaa eCommerce Acceleration Platform have access to capabilities that advance you on the path to GDPR compliance. Here are a few places to start.
1. Reroute Traffic based on Country of Origin
Yottaa is able to identify a shopper’s country of origin based on IP address, and can redirect or block those shoppers from reaching your eCommerce site if your site is not yet GDPR compliant.
2. Visibility into EU Traffic and 3rd party Technologies
The Yottaa reporting interface allows you to view the portion of your traffic that originates from the EU, so you can evaluate the impact of GDPR on your business. As you progress to becoming compliant, Yottaa also gives you visibility into all 3rd party technologies that are loading on your web pages, so you can identify vendors that are likely tracking shopper data and must be GDPR compliant.
3. Block (By-Pass) Non-Compliant 3rd Party Technologies
4. Visibility into 3rd Party Compliance and Crowd Behavior
After May 25, we will be expanding our 3rd party knowledge base to include the 3rd party technology GDPR compliance status, and see which 3rd party technologies are most frequently approved/declined by shoppers across all Yottaa customers. This should allow you to quickly identify which 3rd parties on your site are compliant, and predict how many shoppers will likely decline permission for a 3rd party technology that you are evaluating for your site.
5. In-line Approval of 3rd Party Technologies
As shoppers begin denying permission to use their data, the functionality of the shopper experience will become limited. For example, technologies for fit and sizing, live chat, and product reviews will no longer appear on the product detail page. In these instances, we recommend the best practice of presenting an icon of the missing eCommerce technology on the page. When the shopper attempts to engage with this feature, they can make an in-line decision to approve or deny data permissions.
Yottaa customers can deliver in-line shopper approval by utilizing APIs and script sequencing capabilities of the Yottaa eCommerce Acceleration Platform. For example, assume a shopper has denied the data permissions required to use “live chat.” The shopper would still see a live chat icon on the product detail page, but once they attempt to engage with the feature, they would receive a prompt: “You will share essential data to support live chat functionality. Do you want to continue?” If yes, the Yottaa platform would no longer block the 3rd party, allowing the shopper to interact with the live chat technology as originally intended.
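The in-line approval flow described above, as an added illustration that is not Yottaa's code: a third-party script (the vendor URL below is a constructed placeholder) is never injected until the shopper answers the prompt, the decision is recorded per vendor so it is not asked again, and a denial leaves only the placeholder icon in place.

```javascript
// Consent-gated loading of a 3rd party feature such as live chat.
// The vendor catalogue and URL are constructed for this example.
const VENDORS = {
  liveChat: { src: 'https://chat.vendor.example/widget.js', purpose: 'live chat' },
};

class ConsentGate {
  // loader(vendorId, src) injects the script; store persists decisions
  // (a Map here, a cookie or localStorage entry in a real deployment).
  constructor(loader, store = new Map()) {
    this.loader = loader;
    this.store = store;      // vendorId -> 'granted' | 'denied'
    this.loaded = new Set(); // vendors whose script is already on the page
  }
  decision(vendorId) { return this.store.get(vendorId) || 'unset'; }
  promptText(vendorId) {
    return `You will share essential data to support ${VENDORS[vendorId].purpose}` +
      ' functionality. Do you want to continue?';
  }
  // Called when the shopper clicks the placeholder icon and answers the prompt.
  engage(vendorId, approved) {
    if (!(vendorId in VENDORS)) throw new Error(`unknown vendor ${vendorId}`);
    this.store.set(vendorId, approved ? 'granted' : 'denied');
    return this.activate(vendorId);
  }
  // Loads the vendor script only when consent is on record; idempotent.
  activate(vendorId) {
    if (this.decision(vendorId) !== 'granted') return false;
    if (!this.loaded.has(vendorId)) {
      this.loader(vendorId, VENDORS[vendorId].src);
      this.loaded.add(vendorId);
    }
    return true;
  }
  // Withdrawing consent stops future loads; the page must be reloaded to
  // drop a script that is already running.
  revoke(vendorId) { this.store.set(vendorId, 'denied'); }
}

// Browser loader: the script tag exists only after approval.
function domLoader(vendorId, src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  s.dataset.vendor = vendorId;
  document.head.appendChild(s);
}
```

On a real page the placeholder icon's click handler would call `gate.engage('liveChat', window.confirm(gate.promptText('liveChat')))` with a `ConsentGate` built on `domLoader`.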
GDPR is hard for retailers to understand, and compliance won’t be fun. But the experience will be even worse for shoppers, who will wake up on May 25 to find functionality removed or websites completely blocked. As a result, many global retailers are expecting EU traffic and conversion rates to drop significantly over the next few months. And expect global retailer forecasts for 2018 to suffer as well, assuming it takes a while for the industry to figure this out.
If you are a Yottaa customer, call your Customer Success contact so we can help you integrate the Yottaa platform into your GDPR planning. If you are not a customer, reach out today and see how Yottaa can help. Retail success over the next 12 months will be defined by those companies that achieve GDPR compliance without disrupting sales. And it also presents a great opportunity for compliant retailers to start winning customers away from competitors that are less prepared.