Unless you’ve been living under a rock, you know that GDPR i.e. General Data Protection Regulation is coming on 25th May 2018. Although this regulation comes from the European Union, all companies around the world should feel concerned.
We started receiving some questions from our customers around the impact on GDPR on OneStepCheckout: ” what should I do?”, “Do I need to change anything?”
To help you get your head around the topic, we’ve compiled what you need to know in a nutshell.
How GDPR is affecting your Magento Checkout
“Do I have to do anything with my Magento Checkout to be GDPR compliant?”
Explicit consent on checkout before data is processed
You are no longer allowed to pre-tick any agreement check boxes for your customers or ask the consent after the data collection has already been done.
This includes any newsletter, cart abandonment subscriptions, terms & conditions or any other agreements on your checkout page.
OneStepCheckout allows you to :
* pre-tick newsletter subscription ⇒ You should disable that from OneStepCheckout settings.
* pre-tick terms & conditions ⇒ You should disable that from OneStepCheckout settings.
Additionally there might be a need for extra consent for guest users or explaining the matter in your site GDPR terms on how and when their data is to be saved to Magento database tables when using your site as guest or reaching checkout as guest.
Due the way Magento works some data might be needed to be stored (personal and/or address related data) to give out rates for shipping, limit payment method availability or calculate tax information on checkout page. Ideally you need a clear consent on such actions before customers enter the checkout or parts of your sites that allow such data collection.
Regarding Data Processing, your Magento checkout IS NOT IMPACTED whether you are using the native / default Magento Checkout or a One Page Checkout.
You, the merchant are the “Data Controller“. You are the one who chooses which fields you want to display in your checkout page i.e. what data you want to collect.
The personal information you collect through our checkout form goes directly into your Magento database (back-end). Detail explanation on how and what is stored in Magento database is available here: Magento 1 Magento 2
Your Magento checkout or OneStepCheckout is just the interface. It means that we don’t see, nor store any of your data, and thus we are not your Data Processor.
Your “Data Processors” would be solution providers and services such as:
- external services on your checkout like IP address detection, external payment, shipping or data collection extensions
- any log files related to those extensions and Magento in general that can collect data without merchant knowledge and any services that might have access like log aggregation services, site developers outside of your company
More information about Magento and GDPR
Looking at Magento more widely than just checkout, the teams at Magento have done a great job putting together a couple of articles to explain the regulation and the impact on the Magento Ecosystem. Read Magento’s articles about GDPR.
Key highlight is that, whether you are a merchant, agency or solution provider, all the efforts is focused on informing your customers and setting up systems and process so you know where and how to store the data and how you should be managing it.
More resources about GDPR from members of the Magento Ecosystem:
- [English]: Is your business prepared for GDPR by Redbox Digital. It’s funny, short and sweet, definitely worth a read!
- [Dutch]: Magento 2 en GDPR by Guapa
- [French]: Le RGPD pour les clients de Magento by Agence D’n’D
- [General]: The Ultimate GDPR Checklist: 8 Things Everyone Needs to Do Before May 2018 by Computer Business Review
Want to share more resources you found useful ? Let us know and we can add them to the list.