Prepare your ecommerce marketing for the EU’s GDPR

One of the most far-reaching changes affecting the ecommerce world in 2018 will be the European Union General Data Protection Regulation (GDPR). This new and unified approach to personal data protection gives people in the EU a lot more control over who has access to their data. The good news is that it doesn’t apply until May 25, 2018, so you still have time to learn and prepare! And we’re here to help you.

Adopted on April 27, 2016, the GDPR affects not only European companies, but every company that processes the personal data of people in the EU, including companies outside Europe that offer goods or services to EU visitors or track their behaviour online. For an ecommerce store that ships to Europe or runs analytics and retargeting on European visitors, that means you, regardless of where you are located.

It is a regulation that pretty much every online store has to follow, and it comes with fines of up to 4% of global annual turnover or 20 million euro, whichever is greater. Proper scary stuff.

In all likelihood, you won’t have to make drastic changes unless you run entirely custom software: from the one that runs your site, to email marketing, to popups and A/B testing.

If you rely mostly on SaaS products – like Shopify for your ecomm store, Klaviyo for email marketing, Optimizely for A/B testing, WisePops for popups and the like – the changes you have to make are not that drastic. But since visitors have a lot more rights going forward, it makes sense to look at what exactly changes and how.

Key Areas of GDPR

Definition of Personal Data

Perhaps the biggest change in the GDPR is how broadly it defines personal data. Under the new regulation, personal data is any information relating to an identified or identifiable natural person, that is, anyone who can be identified directly or indirectly from it.

This far-reaching definition includes:

  • a name
  • a photo
  • an email address
  • bank details
  • posts on social networking websites
  • medical information
  • computer IP address
  • a random identifier assigned to users to track them for analytics and A/B testing (a cookie ID, for example)
  • and more!

Going forward, the bulk of the information collected when someone visits your website counts as personal data and thus falls under the GDPR. This is the big one: everything else in the GDPR concerns personal data, and with a definition this wide, nearly all the data an ecommerce store collects about its visitors is in scope. This is why it’s such a big change.

User Consent

The next big change is user consent. Under the new regulation consent has to be a clear, affirmative act, and withdrawing it has to be as easy as giving it.

That means the prototypical automatic notice of “If you continue to use XYZ you agree to our Terms and Conditions” no longer does the job: continuing to browse, silence or a pre-ticked box does not count as consent. A visitor from Europe has to actively opt in, and for the whole time they are on your site there has to be an equally simple way, such as a link in the same banner or a preference page, to take that consent away again.

Additionally, the GDPR rules out legalese and long, illegible language in requests for consent. A request for consent must be presented in an intelligible and easily accessible form, clearly distinguishable from other matters such as the Terms & Conditions, and it must state the purpose of the data processing in clear and plain language.

Data Subject Rights

Among the rights the GDPR gives people in Europe, three matter most for an ecommerce store: access, erasure (the right to be forgotten), and data portability. Similar rules already exist today, but the new ones are a lot tougher and give consumers a lot more control.

Right #1 – Right To Access

Europeans have the right to know whether their data is being processed, how, for what purpose, and who it has been shared with. Upon request, data controllers (that’s you) have to provide a copy of that personal data free of charge and, when the request was made electronically, in a commonly used electronic format, normally within one month.

For example, when a European customer asks, you have to list all the ways her/his data is being used, including every tool you use that received it: GA for analytics, the Facebook pixel for ads and retargeting, Klaviyo for email marketing, and the like.

Much of the heavy lifting here falls on software providers, who must build functionality into their products to check whether a particular customer’s data was processed and to hand that data over. But the request arrives at you, the controller, and the one-month clock runs against you, so you need to know which tools hold your customers’ data before the first request comes in.

Right #2 – Right To Be Forgotten

Also known as the right to erasure. When a customer asks, her/his data has to be deleted, and every tool and software provider you have shared it with has to be told to delete it too. There are exceptions, such as records you are legally obliged to keep (invoices, for instance), but marketing and tracking data held only on the basis of consent does not qualify. And again, withdrawing consent has to be as easy as giving it in the first place.

Right #3 – Right To Data Portability

Europeans have the right to receive the personal data they have provided to a company, where it is processed by automated means on the basis of consent or a contract, in a “structured, commonly used and machine-readable format.” Once they have it, they can pass it on to another company, or ask you to transmit it to that company directly where that is technically feasible.

In theory, a customer could ask for their data (things like buying history) and take it to a competitor. Or vice versa: you could leverage the data your customers have with a competitor to better entice them to buy from you.
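The three rights above, as an added worked example that is not code from this post or from Klaviyo: a small register of the third-party tools a store shares data with, of the kind a record of processing would hold, together with functions that answer an access request, produce a portability export and draw up an erasure plan. The tool names, erasure channels, data categories, the retention rule and the customer record are constructed placeholders for the kinds of tools the post mentions (analytics, ad pixel, email marketing). The example also shows two scope differences a practitioner runs into: portability is narrower than access (derived data and data processed only on legitimate interests drop out), and erasure has to skip records you are legally obliged to keep.

```python
"""Access, portability and erasure requests answered from a controller's tool register.

Added example, not code from Klaviyo or this post. Tool names, endpoints, data
categories, the retention rule and the sample customer are all constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Categories the store computed itself (segments, scores) are marked derived:
# the access right covers them, the portability right does not.
DERIVED_CATEGORIES = {"predicted_ltv"}

# Assumed retention obligation: invoices have to be kept for tax purposes, so order
# records survive an erasure request. Period and legal basis depend on your jurisdiction.
RETENTION_OBLIGATIONS = {"order_history": "invoice retention required by tax law"}


@dataclass(frozen=True)
class ToolRecord:
    tool: str                    # third-party service that receives the data (constructed name)
    purpose: str                 # why it gets the data, in plain language
    lawful_basis: str            # "consent", "contract" or "legitimate_interests"
    categories: Tuple[str, ...]  # categories of personal data this tool receives
    erasure_channel: str         # how you tell the processor to delete (constructed)


REGISTER: Tuple[ToolRecord, ...] = (
    ToolRecord("StorePlatform", "run the shop and fulfil orders", "contract",
               ("name", "email", "shipping_address", "order_history"), "api: DELETE /customers/{id}"),
    ToolRecord("EmailTool", "send newsletters and cart reminders", "consent",
               ("name", "email", "browse_history", "predicted_ltv"), "api: POST /profiles/{id}/erase"),
    ToolRecord("Analytics", "measure how the site is used", "legitimate_interests",
               ("ip_address", "analytics_cookie_id", "browse_history"), "manual: privacy@analytics.example"),
    ToolRecord("AdPixel", "retarget past visitors with ads", "consent",
               ("ad_pixel_id", "browse_history"), "manual: dsr@adnetwork.example"),
)

# Constructed customer record; keys are the category names used in REGISTER.
SAMPLE_CUSTOMER: Dict[str, object] = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "shipping_address": "1 Example Street, Tallinn",
    "order_history": [{"order": "1001", "total_eur": 39.90}],
    "browse_history": ["/calendars/2019-wall", "/cart"],
    "ip_address": "203.0.113.7",
    "analytics_cookie_id": "GA1.2.1234567890.1526292000",
    "ad_pixel_id": "fb.1.1526292000.987654321",
    "predicted_ltv": 412.0,
}


def tools_holding(customer: Dict[str, object]) -> List[Tuple[ToolRecord, List[str]]]:
    """Each tool together with the categories it actually received for this customer."""
    held = []
    for rec in REGISTER:
        cats = [c for c in rec.categories if c in customer]
        if cats:
            held.append((rec, cats))
    return held


def access_report(customer: Dict[str, object]) -> Dict[str, object]:
    """Right of access: the data itself plus every recipient, its purpose and lawful basis."""
    return {
        "data": dict(customer),
        "recipients": [
            {"tool": rec.tool, "purpose": rec.purpose, "lawful_basis": rec.lawful_basis, "categories": cats}
            for rec, cats in tools_holding(customer)
        ],
    }


def portability_export(customer: Dict[str, object]) -> Dict[str, object]:
    """Right to portability: only data the customer provided, processed under consent or contract."""
    portable: Dict[str, object] = {}
    for rec, cats in tools_holding(customer):
        if rec.lawful_basis not in ("consent", "contract"):
            continue  # analytics run on legitimate interests alone is outside the portability right
        for c in cats:
            if c not in DERIVED_CATEGORIES:
                portable[c] = customer[c]
    return portable


def erasure_plan(customer: Dict[str, object]) -> Dict[str, object]:
    """Right to erasure: one deletion task per tool, minus data a legal obligation says to keep."""
    delete: List[Dict[str, object]] = []
    retain: Dict[str, str] = {}
    for rec, cats in tools_holding(customer):
        for c in cats:
            if c in RETENTION_OBLIGATIONS:
                retain[c] = RETENTION_OBLIGATIONS[c]
        to_delete = [c for c in cats if c not in RETENTION_OBLIGATIONS]
        if to_delete:
            delete.append({"tool": rec.tool, "channel": rec.erasure_channel, "categories": to_delete})
    return {"delete": delete, "retain": retain}


if __name__ == "__main__":
    for name, result in (("access", access_report(SAMPLE_CUSTOMER)),
                         ("portability", portability_export(SAMPLE_CUSTOMER)),
                         ("erasure", erasure_plan(SAMPLE_CUSTOMER))):
        print(f"== {name} ==")
        print(json.dumps(result, indent=2))
```

Running the script prints the three responses for the constructed customer. The access report names all four tools and includes the predicted lifetime value; the portability export leaves out that derived score and the analytics-only identifiers (IP address, analytics cookie); the erasure plan produces a deletion task for each tool while keeping the order history under the assumed invoice-retention rule. The register is the piece worth maintaining ahead of time: once it exists, all three requests are lookups against it.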

Additionally, there is a new obligation to notify data breaches. In every member state, a breach that is likely to “result in a risk to the rights and freedoms of individuals” must be reported to the supervisory authority within 72 hours of first becoming aware of it, and when the risk to the people affected is high, they have to be told as well.

The same applies to data processors like Klaviyo. We have the responsibility to notify our customers (that’s you!) “without undue delay” after first becoming aware of a data breach.

This is actually good for both consumers and companies that rely on third-party providers to run their business. Companies can no longer sit on a breach: by law, the regulator has to be told within 72 hours, and the people affected have to be told when the risk to them is high. This one is truly great all around.

Final Thoughts

At first glance, the amount and scope of changes in the new European privacy regulations are mind boggling. They range from redefining what personal data is, to making data consent work both ways, to ensuring the three consumer rights – access, to be forgotten, and data portability.

The changes are big indeed, but the good thing is that most businesses relying predominantly on third-party software have less to worry about. The most extensive changes have to be made by the software makers. Your part is to know which tools hold your customers’ data and to act on each request within the deadline, which with the right tools comes down to clicking the right button when a request comes in.

This also means that you have to communicate directly with all your software suppliers to make sure that they are going to support all the needed new “features,” and that you have a data processing agreement with each of them, which the GDPR requires for every processor that handles your customers’ data. If a supplier can’t offer either, simply switch to a new provider that does.

The European Union General Data Protection Regulation brings about a lot of change, but by understanding and preparing yourself for what’s to come, it’s not nearly as scary as it first seemed.

For more information, check out these helpful links:

List of European Union Data Protection Authorities

European Data Protection Supervisor

Full text of the GDPR

Official European Union GDPR website

Ott Niggulis
Ott Niggulis is a freelance writer who focuses on business, marketing and CRO. Marketing is a numbers game, and he loves numbers.
  • José

    Hi Ott, thanks for your post.
    I’m wondering about cart abandonment emails.
    Those emails imply processing a personal data, like email (at least).
    In theory, the store owner should ask the client / user for permission to send them those kinds of emails.
    What are your thoughts?
    Thanks.

  • Joe

    I agree we need clarification on this process.

  • Ott

    With cart abandonment, it all comes down to having consent from the user to send emails to them. Now, the tricky part is that you must ask for, and get, consent for specific purposes. In late 2017 the Article 29 Working Party of GDPR cautioned that “data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes.”

    That means that you can’t ask for, and get, consent to send “emails” to customers, but rather ask for permission to send marketing emails, shipping updates and the like. You CAN bundle asking consent for multiple purposes into the same form though, as long as it “allows users to give specific consent for specific purposes” and “the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.”

    Plus, whenever you do ask for consent, you have to have a system in place that allows you to document giving and taking away consent. When the regulators come, they will ask to see documented permissions to send emails. If you can’t prove that you have consent, you’re in trouble.

    And thirdly, whatever solution and/or company you use for sending abandonment emails, they also have to be fully GDPR compliant as they have direct access to your customers’ personal data. Any entity or company or plug-in that has access to personal data has to be GDPR compliant. And it’s on you, the merchant, to make sure to only use services that are fully compliant.
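Ott’s reply above and the User Consent section of the post come down to the same engineering requirement: consent recorded per purpose rather than as one bundled “emails” tick, withdrawable in a single step, and provable for any point in time when a regulator asks. Here is an added example of a minimal consent ledger that does this; it is not code from Klaviyo or from the post, and the purpose names, notice texts, customer identifier and the timeline are constructed for illustration.

```python
"""Per-purpose consent ledger: an added example, not code from Klaviyo or this post.

Purpose names, notice texts, the customer identifier and the timeline are constructed.
"""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One entry per purpose, each with the plain-language notice the customer sees.
# A vague "send me emails" purpose is deliberately absent: consent is asked per purpose.
PURPOSES: Dict[str, str] = {
    "marketing_email": "Send me promotional emails about new products and offers.",
    "cart_reminder": "Email me a reminder if I leave items in my cart.",
    "shipping_updates": "Email me updates about orders I have placed.",
}
GENESIS = "0" * 64


@dataclass(frozen=True)
class ConsentEvent:
    subject: str      # customer identifier (in production, store a keyed hash, not the raw address)
    purpose: str      # exactly one purpose per event
    granted: bool     # True = consent given, False = consent withdrawn
    at: str           # UTC ISO-8601 timestamp of the customer's action
    source: str       # where it happened, e.g. "checkout_form" or "preference_page"
    notice_text: str  # the exact wording shown when consent was given ("" on withdrawal)
    prev_hash: str    # hash of the previous event, so the log is tamper-evident
    hash: str = ""    # SHA-256 over the other fields, filled in by the ledger


class ConsentLedger:
    """Append-only log of consent given and withdrawn, queryable at any point in time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _digest(ev: ConsentEvent) -> str:
        body = dataclasses.asdict(dataclasses.replace(ev, hash=""))
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, subject: str, purpose: str, granted: bool,
                at: datetime, source: str, notice_text: str = "") -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must be asked per purpose")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev = self._events[-1].hash if self._events else GENESIS
        ev = ConsentEvent(subject, purpose, granted, at.astimezone(timezone.utc).isoformat(),
                          source, notice_text, prev)
        self._events.append(dataclasses.replace(ev, hash=self._digest(ev)))

    def grant(self, subject: str, ticked_purposes: List[str], source: str, at: datetime) -> None:
        """Record consent for each box the customer actively ticked; an unticked form records nothing."""
        unknown = [p for p in ticked_purposes if p not in PURPOSES]
        if unknown:  # a bundled "emails" box is rejected before anything is written
            raise ValueError(f"unknown purposes {unknown}: ask for each purpose separately")
        for purpose in ticked_purposes:
            self._append(subject, purpose, True, at, source, PURPOSES[purpose])

    def withdraw(self, subject: str, purpose: str, source: str, at: datetime) -> None:
        """Withdrawing is one call, mirroring grant(): as easy to take back as to give."""
        self._append(subject, purpose, False, at, source)

    def has_consent(self, subject: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Latest decision for (subject, purpose) at or before `at` (default: now)."""
        cutoff = at or datetime.now(timezone.utc)
        if cutoff.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        relevant = [e for e in self._events
                    if e.subject == subject and e.purpose == purpose
                    and datetime.fromisoformat(e.at) <= cutoff]
        if not relevant:
            return False  # no record means no consent, never the other way round
        return max(relevant, key=lambda e: datetime.fromisoformat(e.at)).granted

    def evidence(self, subject: str) -> List[dict]:
        """Everything recorded for one customer, for an access request or an audit."""
        return [dataclasses.asdict(e) for e in self._events if e.subject == subject]

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any event was altered or removed."""
        prev = GENESIS
        for e in self._events:
            if e.prev_hash != prev or self._digest(e) != e.hash:
                return False
            prev = e.hash
        return True


def build_sample_ledger() -> ConsentLedger:
    """Constructed timeline: one customer grants two purposes at checkout, later withdraws one."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.grant("alice@example.com", ["marketing_email", "cart_reminder"],
                 source="checkout_form", at=datetime(2018, 5, 26, 10, 0, tzinfo=utc))
    ledger.withdraw("alice@example.com", "marketing_email",
                    source="preference_page", at=datetime(2018, 6, 1, 9, 30, tzinfo=utc))
    return ledger


if __name__ == "__main__":
    ledger, alice = build_sample_ledger(), "alice@example.com"
    print("cart reminder allowed today:", ledger.has_consent(alice, "cart_reminder"))
    print("marketing allowed today:", ledger.has_consent(alice, "marketing_email"))
    print("marketing allowed on 2018-05-28:",
          ledger.has_consent(alice, "marketing_email", at=datetime(2018, 5, 28, tzinfo=timezone.utc)))
    print("chain intact:", ledger.verify_chain())
    print(json.dumps(ledger.evidence(alice), indent=2))
```

Before a cart-abandonment or marketing send, the sending code calls `has_consent` for that one purpose; after the withdrawal on June 1 the marketing check returns False while the cart-reminder check still returns True, and passing the send date as `at` reproduces the answer that was correct at the time a disputed email went out. The `evidence` output, with the exact notice text and source, is what you would hand to a regulator; the hash chain lets you show that nothing was edited after the fact.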

  • Chris

    Hi Ott,
    I’m glad Klaviyo has finally published something on this. Obvious question, but I take it Klaviyo is GDPR compliant — the article does not mention this?
    Also, does Klaviyo store a record of user consent that is gained, such as from double-opt in emails?

    • Alicia Thomas

      Hi Chris, Klaviyo is preparing to be GDPR compliant, and will be GDPR compliant prior to the May 25th effective date of the regulations.
      Business owners who are marketing through Klaviyo are considered Data Controllers under the terms of GDPR and need to make sure that their handling of their customers’ Personal Information is also compliant.

  • Glenn

    Hi Ott and others,
    As we are considering using Klaviyo (great product by the looks of things) at the moment for our business I’m curious about all the website behavioral tracking data and how ‘personal’ that is? For our ecommerce site, they will be expressing their interests by simply viewing certain products & categories which for us may not be overly sensitive information (we sell calendars) but on other sites maybe so?
    Also, Klaviyo collects a vast array of data and so when a website user requests a copy of that data in the “commonly used and machine readable format” may I assume that Klaviyo has such a mechanism for delivery of the same (or will have soon!)? Our burden as digital marketers is to be able to supply that data from multiple sources in a short time and so does it have to make sense to the user or is a raw data dump enough?
    Lastly, when the user asks to be forgotten, does Klaviyo wipe all the tracking data from its database or does it anonymize it?
