What Is GDPR? How Does GDPR Affect My Ecommerce Business?
Editor’s Note: This article was originally published on July 27, 2020. Justine Jenkins updated it as of the current publish date to reflect the latest data and insights.
Author’s Note: If your business is already GDPR-compliant, skip ahead to the section called “Ecommerce and GDPR: 2 years on.” For those of you who are new to selling into the United Kingdom (UK) or European Union (EU) or starting a new job in ecommerce, keep reading to learn more about the General Data Protection Regulation (GDPR).
I’ll admit, GDPR is not the most interesting topic to read about. But not knowing about it runs the risk of accruing severe fines—which can be as high as four percent of your global turnover or up to €20 million within the EU and £17.5 million within the UK—whichever is greater.
For those of you thinking, “I’m not based in the UK or EU so the GDPR doesn’t apply to me,” I hate to break it to you, but regardless of where you’re based—even if you sell to just one UK or EU customer or collect just one UK or EU customer’s personal data—you must be GDPR-compliant.
But before we get into the rules and regulations, it’s confession time. I’m not a lawyer (sorry Mum!). In all seriousness, though, while I will offer you some best practice tips, they should only be used as guidance. If you’re new to selling into the UK or EU or are worried that you might not be GDPR-compliant, then you’ll need to consult a lawyer.
What is GDPR?
GDPR stands for General Data Protection Regulation and has been a cornerstone of business management and consumer law throughout Europe since May 25, 2018.
It was designed to protect the privacy of EU citizens by regulating how companies across the world process and use customers’ personal data.
The GDPR radically changed the definition of personal data. It now includes any information that relates to an identified or identifiable living individual.
In other words, if you were to piece together the information you have about a person, and it could be used to identify them—whether directly or indirectly—then it’s construed as personal data. Think names, photos, home addresses, email addresses, location data, computer IP addresses, cookie IDs, among others.
How does GDPR impact my ecommerce business?
The GDPR means that customers within the EU and UK now have more control over how their personal data is collected, stored, and used.
- How do you collect and use customer data?
- Are you and the systems you’re using storing this data securely?
- How will you enable and support your customers’ rights to control their personal data?
For GDPR and ecommerce, there are also two especially important customer rights to know about:
- Right to access: Customers have the right to know how their data is collected and why.
- Right to be forgotten: When asked, you must erase all information you have about a person. It must also be as easy for someone to withdraw their consent as it was to give.
GDPR post-Brexit: Has anything changed?
Now that the UK has officially left the EU, you may be wondering whether this changes things when marketing to customers in the UK.
Spoiler: it does, but only slightly.
The UK now has its own version of the GDPR, and while it’s largely the same as the EU version, there are a couple of key differences.
In the EU, the age of valid consent is 16 years, while the UK’s GDPR cites a lower age of 13 years.
Within the UK, citizens’ personal data may also be used and shared if it’s in the interest of national security or immigration services. In other words, personal data must be made readily available to official personnel if it’s requested.
Another nuance to be aware of is that because the two GDPRs are now separate, you may also need to double up on a few key things, such as having a representative in both the UK and the EU and separate Standard Contractual Clauses (SCCs) for both regions.
As the two GDPRs are similar, many of the best practices remain the same as before, which I’ll walk you through in a moment. This article also has a great summary of how the UK GDPR differs from the EU version, so it may be worth a read afterward, too.
Need more Brexit guidance? Check out Klaviyo’s Brexit marketing resources hub.
GDPR best practices for ecommerce businesses
In truth, you probably don’t need to make drastic changes to your business to be GDPR-compliant—but the responsibility still lies with you to review your systems and practices. Here are some golden rules to live by.
1. Add consent checkboxes to ambiguous signup forms
As a writer, my mantra is “content is king.” But have you heard the new one: “consent is king”?
You’re now only allowed to collect personal data from consumers who have given you explicit consent—which must be freely given, specific, informed, unambiguous, and easy to withdraw.
This means adding consent checkboxes to any signup forms that don’t clearly state what your customer is signing up for and why you need their information.
Your newsletter subscription forms don’t require consent checkboxes because it’s clear that your customer is signing up for a newsletter. But this doesn’t mean you can then use this information to target them on social media—unless you’re using separate channel-specific opt-ins.
Also, your consent boxes can’t be pre-checked. Your customers must do the ticking! Here’s an example from YuMOVE of a GDPR-compliant signup form in action:
2. Only collect data you really need
Given your increased level of responsibility for collecting and storing data, it’s important that you’re only collecting the data you really need.
If you want to market to your customers via email, knowing their first name and email address should be enough.
Then, as you build relationships with your customers, you’ll have natural opportunities to collect even more information to further personalize the experience you create for them with your brand.
You also need to be clear and transparent on why you’re collecting information. If it’s to improve customers’ shopping experiences through personalized product recommendations—say so.
3. Use double opt-in
Double opt-in is a process whereby every new subscriber is asked to confirm their subscription to your chosen email list. Only those who have successfully confirmed will be added to it.
Using double opt-in for all your emails is standard good practice, but it’s also a vital ingredient of GDPR compliance.
4. Include unsubscribe links in every email
Just like double opt-ins, including unsubscribe links in your emails is just good practice. But as the GDPR asks for it to be as easy to withdraw consent as it is to give, unsubscribe links are a must.
It doesn’t have to be boring, though! Why not showcase your brand’s personality with your unsubscribe text? Here’s an example from Chubbies Shorts:
Just as long as it doesn’t disguise anything, you’re free to have a little fun with it if this suits your brand’s voice.
5. Be careful with win-back campaigns for UK and EU customers
Using cart abandonment flows in your email marketing is generally considered okay under the GDPR.
Providing you’re only sending a recommended two or three cart abandonment emails, as opposed to, say, 50 in 30 days, you can often argue there’s a legitimate interest for these customers to hear from you.
Browse abandonment emails, meanwhile, are fine if your customers have already consented to receive emails from you, or if there is a clear-cut case for legitimate interest.
This is where segmentation proves useful as you can set up separate flows for your UK and EU customers versus the rest of the world. Or you can set up rules to only send browse abandonment emails to customers who have consented to receive them.
6. Streamline your record deletion process
UK and EU customers have the “right to be forgotten,” which means if they contact you asking you to delete any information you have about them, then you have one month to respond to these requests.
To keep things slick, you’ll need a clear process to show who looks after GDPR deletion requests within your company.
Your customers must be able to easily find out and understand what data is being collected and why you’re collecting it.
Include information on how you’re adhering to the GDPR, what third-party systems or tools you’re using, what data you’re collecting and why, and how customers can contact you with “right to be forgotten” requests.
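To make best practices 1, 3, 4 and 6 concrete, here is an added example (not Klaviyo’s code or any real platform’s API) of a small consent store that only records consent after an affirmative tick, keeps consent per channel, completes double opt-in with a signed, expiring confirmation token, lets a subscriber withdraw in one step, and logs the one-month response deadline for an erasure request. The class and method names, the 48-hour token lifetime and the signing key are all assumptions; times are plain Unix timestamps to keep the flow easy to follow.

```python
import hmac

# Constructed placeholder; a real deployment would load a per-environment secret.
SIGNING_KEY = b"constructed-demo-key-replace-me"
CONFIRM_TTL = 48 * 3600        # assumption: confirmation links are valid for 48 hours
ERASURE_SLA = 30 * 24 * 3600   # the article's "one month to respond"

class ConsentStore:
    def __init__(self):
        self.pending = {}    # (email, channel) -> expiry of the outstanding confirmation token
        self.consents = {}   # (email, channel) -> time the subscriber confirmed
        self.erasures = {}   # email -> deadline for answering the erasure request

    def _token(self, email, channel, expiry):
        # HMAC over the claim so a confirmation link cannot be forged or re-pointed.
        msg = f"{email}|{channel}|{expiry}".encode()
        return hmac.new(SIGNING_KEY, msg, "sha256").hexdigest()

    def request_signup(self, email, channel, box_ticked, now):
        # Consent is an affirmative act: a box the customer did not tick records nothing.
        if not box_ticked:
            return None
        expiry = now + CONFIRM_TTL
        self.pending[(email, channel)] = expiry
        return self._token(email, channel, expiry)   # this goes into the confirmation email

    def confirm(self, email, channel, token, now):
        # Second step of double opt-in: only a valid, unexpired, unused token adds the subscriber.
        expiry = self.pending.get((email, channel))
        if expiry is None or now > expiry:
            return False
        if not hmac.compare_digest(token, self._token(email, channel, expiry)):
            return False
        del self.pending[(email, channel)]
        self.consents[(email, channel)] = now
        return True

    def has_consent(self, email, channel):
        # Newsletter consent does not carry over to, say, social targeting.
        return (email, channel) in self.consents

    def withdraw(self, email, channel):
        # Unsubscribe link: withdrawing is a single step with no confirmation round-trip.
        return self.consents.pop((email, channel), None) is not None

    def request_erasure(self, email, now):
        # Right to be forgotten: drop every record held for the address and log the deadline.
        for store in (self.consents, self.pending):
            for key in [k for k in store if k[0] == email]:
                del store[key]
        self.erasures[email] = now + ERASURE_SLA
        return self.erasures[email]
```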
GDPR ecommerce checklist
As a refresher of everything you’ve just read, take a look at the GDPR ecommerce checklist below.
Ideally, your answers to each of these questions should be yes. If not? You’ve still got a little more work to do.
Data collection and consent
- Are you aware of the personal data you’re collecting and storing?
- Is this data stored securely?
- Have you added consent checkboxes to ambiguous signup forms and are they unchecked by default?
- Are you using separate checkboxes for different types of consent?
- Are you only collecting customer data you really need?
- Is it clear and transparent to your customers why you’re collecting this data?
- Have you double-checked that all your tools and systems are GDPR-compliant?
- Have you adapted your processes to reflect the lower age of valid consent within the UK following Brexit?
- Are you using double opt-in?
- Have you included unsubscribe links in all your emails?
- Are you using the recommended two or three cart abandonment emails in your flows?
- Have you collected the appropriate consent to use browse abandonment emails for UK and EU customers?
- Have you documented your record deletion process internally?
- Are your staff aware of data privacy laws and are they trained on your internal processes?
GDPR and ecommerce: 2 years on
It’s now been over two years since the GDPR came into force and the dust is starting to settle.
But it wasn’t always smooth sailing. When it was first announced that GDPR was coming, there was an uproar within the industry.
Understandably, ecommerce managers and business owners across the continent spent sleepless nights worrying about gargantuan fines, or the lost email leads they were facing.
Take The Economist, for example. When the GDPR hit, the world-renowned magazine waved goodbye to a whopping 80 percent of its email list.
There were also multiple reports of businesses like Unroll.Me, NPR.org, and various US news sites blocking their websites from EU visitors rather than changing their processes to adhere to the new regulations. Most of these websites remain hidden and with no end in sight, either.
Two years on, the Information Commissioner’s Office (ICO) has suspended GDPR investigations because of the coronavirus outbreak and it’s unclear when they will resume their investigations. Interestingly, the ICO already issued fines totaling nearly €50 million in the first quarter of 2020 alone, suggesting there’s still more work to be done for businesses to be GDPR-compliant.
But it hasn’t all been doom and gloom. There are several positive changes the GDPR has brought to fruition. And because sensationalist headlines have hogged the spotlight, these success stories are not getting nearly the attention they deserve. Until now.
Businesses like The Economist have successfully built their email lists back up following the initial heartbreak. Mere months later, email subscriptions were down by just three percent. That’s a fantastic recovery and suggests the initial worry was exaggerated a little, not to mention the magazine now knows the people who are on its email list want to be there—hooray for higher open rates and clickthroughs!
It’s important to remember that being GDPR-compliant isn’t about checking boxes to adhere to government regulations and laws. It’s about showing your customers how you’ll keep their data safe. It shows you’ve got their backs.
And who wouldn’t want to buy from a brand that has safety, security, and trust at the core of everything it does?
Perhaps unsurprisingly then, 62 percent of UK consumers now say they feel more comfortable sharing their data with these laws in place, while 57 percent agree that they prefer the more personalized forms of marketing as a result.
This is where I’d argue those GDPR-shy businesses mentioned earlier got it monumentally wrong. And where there are clear gaps for ecommerce marketers like you to swoop in and support customers who are open to more personalized experiences—but who have been left by the wayside by others.
While you might need to work a little harder than before to get your customers to sign up for your emails, a renewed focus on personalized, reader-centric marketing should result in long-lasting brand loyalty.
Another positive outcome of the GDPR was that it prompted other privacy laws around the world like the Privacy and Electronic Communications Regulations (PECR) and the California Consumer Privacy Act (CCPA).
And finally, following Brexit, the GDPR is also still in effect within the UK—although under the new name of “The Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019”—or the UK GDPR for short.
I’d also happily wager that this won’t be the last we hear of data privacy law in the UK and beyond, either. But I’ll save those riveting predictions for another day.
Is GDPR the ultimate trade-off?
Ultimately, with more and more countries around the world recognizing the importance of data privacy, customers on a global scale feel much more comfortable about sharing their precious data.
While you’ve needed to make tweaks to processes and policies to become GDPR-compliant, it isn’t just about checking boxes to adhere to regulations.
It’s about supporting your customers and protecting their privacy while elevating their experiences through personalized marketing, which they’re now happier to receive from brands—like yours—that they trust and can connect with on a deeper level.