General Data Protection Regulation (GDPR) and Ecwid stores
The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018.
The GDPR is not limited to European companies. The regulation applies to every company that may process the personal data of EU nationals, which in practice means almost every company in the world, regardless of where it is located.
The GDPR gives people more rights over their personal data. Specifically, it provides the right to access, correct, delete, and restrict processing of consumer data, and sets strict guidelines for user consent. If you collect or store any information that can be linked to an individual, that counts as personal data. You can read the full text of the GDPR to learn more.
Steps to take when preparing for the GDPR
According to the GDPR, Ecwid merchants must comply with the regulation if they are based in the EU or sell to EU customers.
Ecwid collects and processes personal data in a compliant manner. However, it is your responsibility to comply with GDPR requirements when you collect and process personal data from your EU customers. Under the regulation, personal data is defined as any information that can be used to directly or indirectly identify a person. This includes a name, a photo, an email address, an IP address, bank details, posts on social networking websites, medical information, and even random identifiers assigned to users for analytics, A/B tests, and similar purposes.
We recommend the following:
Get clear consent before collecting any data
You must obtain consent to process your customers’ personal data. Prepare a clear privacy policy specifying why you collect personal data, explaining what data is retained, and offering a right to withdraw consent.
To require that your customers accept your terms of service before checkout, enable Require consent to terms and conditions at checkout in your Ecwid admin, under Settings → Legal, in the Customers’ consent section. This feature ensures that every order includes a confirmation of consent: the “I agree with Terms and conditions” checkbox on the cart page. Because an order cannot be placed without agreeing to the Terms and Conditions, the fact that an order was placed is itself the record of consent.
Get clear consent before sending promo emails
You must obtain clear consent before sending customers any emails that are not related to their orders. With Ecwid you can add a sign-up option above the Checkout button in your store. This captures that consent and lets you build a list of customers who agreed to receive your promo emails.
To add the sign-up option for your promo emails to your store’s checkout:
- In your Ecwid admin, go to Settings → Legal.
- Scroll down to the Customers’ consent section.
- Enable Request customers’ approval for your marketing emails at checkout.
- (optional) Press Edit to change the text displayed for the sign-up option and/or to preselect the sign-up option.
Clearly show in forms what fields are optional or required
Ecwid checkout forms clearly mark which fields are required and which are optional.
Get clear consent for tracking store visitors via cookies
You should ask your store visitors for consent before tracking their actions in your storefront via cookies. Ecwid allows merchants to add a dedicated banner to collect that consent.
To add the cookie consent banner to your storefront:
- In your Ecwid admin, go to Settings → Legal.
- Scroll down to the Customers’ consent section.
- Enable the Cookie consent banner. If you're using Ecwid's New-Gen Instant Site, you will be redirected to the site editor for that.
Once enabled, the cookie consent banner appears on the storefront with the options to accept, partially accept, or decline (refresh the page to see it).
Visitors can always change their cookie decision later.
Learn more about cookie notifications in your Ecwid store →
Provide customers with the right to access their data
You must provide your customers with a copy of their personal data, when they ask for it, in an easily readable and portable format. You can access a customer’s personal data directly in your Ecwid admin.
To obtain personal data of a customer:
- In your Ecwid admin, go to Settings → Legal.
- Scroll down to the Customers’ personal data section.
- Click Get customer data.
- Enter the customer’s email address into the field.
- Click Submit.
You will then receive a message at the email address under which your store account is registered. This message contains the customer’s personal data, available for download as a .zip file (the link is valid for 10 days).
Provide customers with the right to delete, edit, or restrict certain uses of their data
Along with access requests, Ecwid can help delete personal data that it stores on your behalf.
To delete personal data of a customer:
- In your Ecwid admin, go to Settings → Legal.
- Scroll down to the Customers’ personal data section.
- Click Delete customer data.
- Enter the customer’s email address into the field.
- Click Submit.
After you click Submit, all personal data associated with this email address will be permanently deleted in 7 days. Ecwid will also notify the developers of any Ecwid App Market apps you use that the customer has requested deletion of their personal data.
If you need to cancel the scheduled deletion, click the Cancel link next to it.
Basic requests (e.g., a customer asks you to delete their order) can also be quickly managed inside your Ecwid admin.
Data breach notifications
Ecwid acts as a Data processor, while our merchants (you) act as Data controllers. If your website experiences a data breach of any kind, you may be required to notify the affected customers. Under the GDPR, the notification must be sent within 72 hours of the time you become aware of the breach. Data processors are also required to notify both users and the Data controllers immediately after becoming aware of a data breach.
Related articles
Legal pages in your Ecwid store
Adding Terms & Conditions to your e-commerce site
Setting up your store to comply with German laws
Cookies used in your Ecwid store