What is GDPR?

The new EU General Data Protection Regulation (GDPR) goes into effect May 25, 2018. GDPR expands an individual’s right to understand how their data is being used and the permissions they are granting, and applies to all eCommerce organizations selling to EU based shoppers. Companies that intend to use EU shopper information must now gain explicit permission from each shopper to do so. They must also be able to show shoppers exactly what personally identifiable information they are storing, and fulfill requests to delete that data.

The days of automatically checked permission boxes and pleading data ignorance are officially over.  

How will GDPR impact eCommerce?

GDPR holds online retailers responsible for all shopper data collected on their site. This is significant, because shopper data is used by almost every technology behind the eCommerce site – eCommerce platform, order management, CRM, payment processing, analytics, and every 3rd parties technology loading in the browser. Even if the retailer never takes possession of data tracked by 3rd parties (e.g. recommendation engine, analytics, advertising technology, etc.), the retailer is still responsible for ensuring GDPR compliance.  

If this sounds complicated, it is. Almost anyone within an eCommerce organization can add a 3rd party technology to the site with minimal oversight, thanks to broad adoption of tag managers. Not only are multiple departments or business units adding their own tags to the same page, but sometimes external parties (e.g. advertising agencies, SEM consultants) are adding 3rd party JavaScript to pages without the retailer’s knowledge. As a result, the average eCommerce website today uses 40 to 60 third party technologies, which will make it very challenging for a retailer to accurately inventory their use of shopper data.

Think we’re done? Not quite. Even if you get permission to use all shopper data, GDPR requires retailers to show shoppers the personally identifiable information that they are storing (if requested), and provide the option to delete all that data. Will every single technology on your site be able to do this? If you get that call from a shopper on May 25 requesting to see their data, will you be able to follow through?

How will GDPR impact online shoppers?  

Whether they realize it or not, shoppers today have become accustomed to seeing a more personalized experience that leverages their personal data. For example, retailers are able to deliver recommendations, personalized reminders, personalized discounts, and faster checkout by using this data. However, this is mostly invisible to shoppers, who likely haven’t been prompted to seriously consider all the ways that their data is being used. As a result, some shoppers may start denying permission for retailers to use their data when given the option.

Unfortunately, many shoppers won’t realize the implication of withdrawing permission when they make that decision. Many 3rd party technologies require shopper data to work effectively, and by withdrawing permission, shoppers could be blocked from using a site, or directed to a stripped down version with less features. Imagine a website with large white space areas where 3rd party technologies can no longer be served.  

In the long term, online retailers will want to provide a way for shoppers to reverse their decision to deny data collection once they see the impact. But in the short term, it will be challenging for retailers to give shoppers a check list of data usage that they can approve or deny. Let alone deliver a coherent experience based on those selections.

What happens if eCommerce companies do nothing?

You can choose to do nothing. But companies that infringe on individual privacy rights will be subject to fines of up to €20 million or 4% annual global turnover – whichever amount is higher. And individuals can seek compensation for material and non-material damages caused by a misuse of data. Large scale breaches could even inspire a line of class action lawsuits.  

What should you do?

The good news is that almost every technology vendor that supports eCommerce is sprinting to demonstrate compliance and help you comply with GDPR. But you can’t rely solely on your vendors, and there are some basic steps you should take now to advance your eCommerce operations toward GDPR compliance. For ideas on how to begin, read the next blog in our GDPR series “7 Steps for GDPR Friendly eCommerce.”