How does GDPR affect my Magento Checkout?

GDPR and your Magento checkout

Unless you’ve been living under a rock, you know that GDPR i.e. General Data Protection Regulation is coming on 25th May 2018. Although this regulation comes from the European Union, all companies around the world should feel concerned.

We started receiving some questions from our customers around the impact on GDPR on OneStepCheckout: ” what should I do?”, “Do I need to change anything?”

To help you get your head around the topic, we’ve compiled what you need to know in a nutshell.


How GDPR is affecting your Magento Checkout

“Do I have to do anything with my Magento Checkout to be GDPR compliant?”

Explicit consent on checkout before data is processed

You are no longer allowed to pre-tick any agreement check boxes for your customers or ask the consent after the data collection has already been done.
This includes any newsletter, cart abandonment subscriptions, terms & conditions or any other agreements on your checkout page.

OneStepCheckout allows you to :
* pre-tick newsletter subscription ⇒ You should disable that from OneStepCheckout settings.
* pre-tick terms & conditions ⇒ You should disable that from OneStepCheckout settings.

gdpr newsletter setting in the checkout backend

Additionally there might be a need for extra consent for guest users or explaining the matter in your site GDPR terms on how and when their data is to be saved to Magento database tables when using your site as guest or reaching checkout as guest.

Due the way Magento works some data might be needed to be stored (personal and/or address related data) to give out rates for shipping, limit payment method availability or calculate tax information on checkout page. Ideally you need a clear consent on such actions before customers enter the checkout or parts of your sites that allow such data collection.


Data Processing

Regarding Data Processing, your Magento checkout IS NOT IMPACTED whether you are using the native / default Magento Checkout or a One Page Checkout.


Data Controller

You, the merchant are the “Data Controller“. You are the one who chooses which fields you want to display in your checkout page i.e. what data you want to collect.

The personal information you collect through our checkout form goes directly into your Magento database (back-end). Detail explanation on how and what is stored in Magento database is available here: Magento 1   Magento 2

Data Processor

Your Magento checkout or OneStepCheckout is just the interface. It means that we don’t see, nor store any of your data, and thus we are not your Data Processor.

Your “Data Processors” would be solution providers and services such as:

  • external services on your checkout like IP address detection, external payment, shipping or data collection extensions
  • any log files related to those extensions and Magento in general that can collect data without merchant knowledge and any services that might have access like log aggregation services, site developers outside of your company


More information about Magento and GDPR

Looking at Magento more widely than just checkout, the teams at Magento have done a great job putting together a couple of articles to explain the regulation and the impact on the Magento Ecosystem. Read Magento’s articles about GDPR.

Key highlight is that, whether you are a merchant, agency or solution provider, all the efforts is focused on informing your customers and setting up systems and process so you know where and how to store the data and how you should be managing it.


More resources about GDPR from members of the Magento Ecosystem:

Want to share more resources you found useful ? Let us know and we can add them to the list.


Thien-Lan WeberAbout Thien-Lan Weber

Thien-Lan is the Chief Marketing Officer at OneStepCheckout. She's a Marketing expert with 20 years experience across Europe and Asia Pacific including Accenture, Clarins, Johnson & Johnson, eBay and PayPal.

Thien-Lan loves connecting people and helping retailers get the most out of eCommerce. As such, she recently joined the board of ExtDN (Extension Developer Network).

She grew up in Paris, holds a Master of Science in Management from HEC Paris and is back to France after 16 years living in different parts of the worlds, the latest destination being Oslo where she joined OneStepCheckout.