SetuBridge Offers GDPR Guide for Merchants

LOS ANGELES — SetuBridge Technolabs has released a GDPR compliance guide for online merchants.

While the company’s focus is on those using the popular Magento series of e-commerce shopping carts, the rules and compliance measures apply to all sites beginning on Friday, May 25, whether they feature e-tail functionality or not.

The GDPR, or the General Data Protection Regulation, is a data protection law passed by the EU Parliament in 2016 that gives individuals control over how their personal data is protected and used by any website. It covers the collection, handling and processing of personal data by sites and requires every website to conduct a careful and thorough analysis of how it handles private information to be sure it complies with all regulations stated in the GDPR.

The GDPR applies both to E.U.-based organizations and to organizations based outside the E.U. that cater to E.U. audiences or track the behavior of individuals in the E.U. Noncompliant sites can be fined up to €20M (~$23,668,100) or four percent of the company’s annual revenue, making non-compliance simply not worth it for companies of any size.

Based on the GDPR, SetuBridge has summarized the actions Magento Merchants can take in order to make their e-commerce site GDPR-ready.

1. Add cookie consent and opt-out control for site visitors
A cookie notification popup needs to be integrated on the site to alert visitors that the site or a third-party service requires a cookie to work. Site visitors must give consent by accepting before you load any third-party service on your site. The popup should link to your privacy policy page, which explains which third-party services set cookies and for what purpose. Users should have the option to opt out here as well.

2. Checkboxes for customer consent. To ensure transparency, it is important to have unticked checkboxes on the registration and checkout pages to let users know their personal information will be stored for registration and order processing.

3. Privacy and data flow. It is important to track the complete data flow so you know what data is stored, and where, at each point in the flow. This complete flow should be well explained and kept up to date in your privacy policy and/or terms of use pages. Make sure they all comply with GDPR norms. You should state when customer data will be captured, what purpose it will be used for, and whether any third party will access this data and for what reason.

It is advisable to consult a legal firm to get your privacy policy updated to comply with GDPR norms.

4. Authentic data collection. It is important to collect only the data from the user that is relevant for the business to function. In case of inspection, your business must be able to justify that the collected data is necessary. It is also crucial to check whether any old dataset contains unnecessary, non-obligatory information, which will have to be deleted. This directly affects how Magento handles order quote tables, because Magento stores users’ personal data in them even if the transaction doesn’t go through. Quotes that are no longer in use should be deleted regularly. Likewise, visitor log tables should be purged by configuring the log deletion frequency.

5. Customer data can be deleted. Customers should have the option to request account deletion from the logged-in account area, which should delete all associated personal information directly from the database. Implement a secure way (i.e. email confirmation) for users to request account deletion, and on confirmation delete the data related to their transactions, orders, shipping details, subscription status, etc. These details should be completely removed from the records.

6. Data portability. The regulation also states that customers must have access to the information stored about them and that such requests must be answered within a month. It is therefore worthwhile to offer an option in the customer account area to extract all the information stored for the customer in CSV or another machine-readable format. A feature can be implemented that allows the user to access all of his account data stored in the database, available for download after security validation. Information can include transactions, orders, addresses, personal account info, subscription data, or any data held by a third-party extension.

7. Ability to remove or anonymize personal data. Your site needs to have the ability for customers to delete or anonymize their personal records, orders, and quotes records from the database by logging into their account, with an additional security layer to verify the user’s account authority.
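Items 5, 6 and 7 together describe one flow: export everything held about a customer, accept an erasure request only after it is confirmed, and then scrub personal data from every table that holds it. The following is an added example written for this article, not code from SetuBridge or from Magento; the in-memory `STORE`, its table and column names, and the `customer_id` 7 are constructed stand-ins for a real database.

```python
import json
import secrets
from copy import deepcopy

# Constructed sample store: one list per table, every row keyed by customer_id.
STORE = {
    "customers": [{"customer_id": 7, "email": "ana@example.com", "name": "Ana Example"}],
    "addresses": [{"customer_id": 7, "street": "1 High St", "city": "Dublin"}],
    "orders": [{"order_id": 100, "customer_id": 7, "email": "ana@example.com", "total": 49.9}],
    "quotes": [{"quote_id": 5, "customer_id": 7, "email": "ana@example.com", "is_active": 1}],
    "newsletter": [{"customer_id": 7, "email": "ana@example.com", "subscribed": True}],
}
PII_FIELDS = {"email", "name", "street", "city"}  # columns that identify a person

def export_customer(store, customer_id):
    """Data portability: every row about one customer, as one JSON document."""
    bundle = {t: [r for r in rows if r.get("customer_id") == customer_id]
              for t, rows in store.items()}
    return json.dumps(bundle, indent=2, sort_keys=True)

def anonymize_customer(store, customer_id, token, expected_token):
    """Erasure: overwrite PII on every table with one random, irreversible placeholder;
    ids and totals stay so accounting still balances. Needs the e-mailed confirmation token."""
    if not secrets.compare_digest(token, expected_token):
        raise PermissionError("deletion request not confirmed")
    placeholder = "anon-" + secrets.token_hex(8)
    scrubbed = 0
    for rows in store.values():
        for row in (r for r in rows if r.get("customer_id") == customer_id):
            for field in PII_FIELDS.intersection(row):
                row[field] = placeholder
                scrubbed += 1
    return scrubbed

def leftover_pii(store, original_values):
    """Post-erasure check: any original PII value that survives in any table."""
    return [(t, f) for t, rows in store.items() for r in rows for f, v in r.items() if v in original_values]

def run_demo():
    """Export, reject an unconfirmed request, erase, verify; works on a copy of STORE."""
    store, originals = deepcopy(STORE), {"ana@example.com", "Ana Example", "1 High St", "Dublin"}
    tables = sorted(t for t, rows in json.loads(export_customer(store, 7)).items() if rows)
    expected = secrets.token_urlsafe(16)  # token sent in the confirmation e-mail
    try:
        anonymize_customer(store, 7, "not-the-token", expected)
        rejected = False
    except PermissionError:
        rejected = True
    scrubbed = anonymize_customer(store, 7, expected, expected)
    return tables, rejected, scrubbed, leftover_pii(store, originals), store["orders"][0]["total"]
```

The `leftover_pii` pass is the part most real implementations skip: an erasure that misses one table (here the quote or newsletter copies of the e-mail address) leaves the customer identifiable, so the scrub is verified against every table rather than trusted.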

8. Data flow. It is important to track the complete data flow: what data is stored, and where, at each point in the flow. This complete flow should be well documented, and privacy documents should be updated to justify when and why data is collected from your sites, whether by you or by any third party.

9. Third-party integration. While you make sure you comply with the regulations, it is equally important to inspect and check whether the third-party extensions and other integrations also make appropriate use of the data and comply strictly with the regulation.

10. Data encryption and database view/action control. To ensure personal data is secure and safe, encryption of stored data is highly recommended. Controlling access rights to your data may sound basic, but it is a very important aspect to consider. Stringent access control rules and rights can protect your data from unauthorized access. If the site is operated by multiple persons, individual rights should be set up and restrictions put in place to prevent unauthorized access to individuals’ personal data. Admin back-office panels should be restricted to a limited set of IP addresses and should be placed on hard-to-guess unique server paths.

“It’s all about clarity of process and how individuals’ data should be used and treated by online portals in the service and e-commerce industry,” a company spokesperson concludes.

Magento or Magento 2 store owners seeking assistance in making their site GDPR-ready can contact SetuBridge via email at sales@setubridge.com.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
