General Data Protection Regulation (GDPR)
EU General Data Protection Regulation (GDPR) is an update to regulations for the processing of data and private information online. This will apply to online stores based in the European Union or those that do extensive business in Europe. GDPR places the responsibility on businesses to give individuals more control over their personal data. If your online store violates the regulations, you could face fines. GDPR goes into effect starting May 25th, 2018.
Disclaimer: The information in this article is for guidance only and does not constitute legal or professional advice. Always consult a qualified lawyer on any specific legal problem or matter. BigCommerce disclaims all liability with respect to the information in this document.
Is my Business Affected?
GDPR applies to you if your online store is based in the European Union or your store targets shoppers in the European Union. To be more certain if GDPR applies to your business, contact a legal professional.
How BigCommerce is Compliant
As an ecommerce platform, BigCommerce is compliant with GDPR. BigCommerce provides the following features that make it compliant:
- Continue to meet requirements of the Privacy Shield program and will action all Data Subject Access Requests submitted to firstname.lastname@example.org, within the required 30 days.
- Deleting customer data from the BigCommerce Control Panel will remove Personal Data associated with that customer within 14 days.
- Customers can correct or update their data when they log in to their account.
- Make data portable. Customer data can be exported into the CSV format by the Bulk Import Export tool.
- In the event that any data breach involves BigCommerce, we will report the event to you without undue delay.
- The BigCommerce security team ensures data that transits to our platform is protected at every stage.
While BigCommerce meets these requirements, any add-ons to your store, such as third-party apps, custom code, or payment gateways, are not included in this consideration.
Suggested Actions for GDPR
There may be some steps your business will need to take to make your store fully compliant.
Check your Apps and Integrations
Any apps that you use with your online business will also need to be compliant. If the app or integration does not explicitly say their product is compliant, you will have to reach out to the vendor directly to confirm if they meet GDPR requirements for compliance.
Explicitly ask for Consent in Sign-up
Report Security Breaches
Take steps to make sure your customers' data is secure, and if there's a breach, disclose it to the Supervisory Authority within 72 hours.
To learn more about security and privacy, join our Security & Privacy Community Group. Our security team will answer questions about security issues and how to make sure you are compliant.
Who is my Supervisory authority?
- The Supervisory Authority is based on which country you are based in. A list of Data Protection Authorities (DPA) can be found here.
How do I make sure shoppers get the notification to accept cookies?
- Under Miscellaneous Settings, there is a privacy section that allows you to turn on the EU cookie notifications and customize the text of the notification.
Is the Abandoned Cart feature GDPR compliant?
- The abandoned cart feature is compliant as long as you provide your customers an easy way to opt-out. In all the abandoned cart emails that your customers receive, they will find a link that they can click if they want to unsubscribe. Their choice will be automatically recorded in the "Receive ACS/Review Emails" field under the Customer Details page.
Are apps from the App Marketplace GDPR compliant?
- BigCommerce is not responsible for making sure apps are compliant with the legalities of specific jurisdictions, it is the responsibility of the individual app developer to ensure their product meets these requirements. If you are unsure if one of your apps is GDPR compliant, reach out to the app developer directly for answers. BigCommerce is planning on making it easier to see if an app is GDPR compliant from the app marketplace in the future.
Can I offer a double opt-in for newsletters?
- Double opt-in signups are not required for GDPR compliance. While BigCommerce collects newsletter sign-ups that can be shared with third-party apps, it does not utilize double opt-in or contains a native newsletter feature. Check with your email marketing provider to see if they have this feature.
Where can I get more information?
- For more answers about how BigCommerce meets GDPR compliance, join our Security & Privacy Community Group. For questions about your individual business situation, contact a legal professional for the best support.