EU General Data Protection Regulation (GDPR) is an update to regulations for the processing of data and private information online. This will apply to online stores based in the European Union or those that do extensive business in Europe. GDPR places the responsibility on businesses to give individuals more control over their personal data. If your online store violates the regulations, you could face fines.
Disclaimer: The information in this article is for guidance only and does not constitute legal or professional advice. Always consult a qualified lawyer on any specific legal problem or matter. BigCommerce disclaims all liability with respect to the information in this document.
Is my Business Affected?
GDPR applies to you if your online store is based in the European Union or your store targets shoppers in the European Union. To be more certain if GDPR applies to your business, contact a legal professional.
How BigCommerce is Compliant
As an ecommerce platform, BigCommerce is compliant with GDPR. BigCommerce provides the following features that make it compliant:
- BigCommerce takes action on all Data Subject Access Requests submitted to privacy@bigcommerce.com within the required 30 days.
- Deleting customer data from the BigCommerce Control Panel will remove Personal Data associated with that customer within 14 days.
- Customers can correct or update their data when they log in to their account.
- Make data portable. Customer data can be exported in CSV format using the Bulk Import Export tool.
- Requires consent to use data. You can easily add a checkbox to give your users the ability to view and agree to your privacy policy.
- In the event that any data breach involves BigCommerce, we will report the event to you without undue delay.
- The BigCommerce security team ensures that data in transit to our platform is protected at every stage.
While BigCommerce meets these requirements, any add-ons to your store, such as third-party apps, custom code, or payment gateways, are not included in this consideration.
Suggested Actions for GDPR
There may be some steps your business will need to take to make your store fully compliant.
Create a GDPR compliant Privacy Policy
Make sure you have a Privacy Policy page on your store. See the GDPR privacy policy template for an idea of what the page should include.
Enable Built-In Cookie Consent Settings
Cookie consent tracking will prompt your shoppers for their consent to use cookies and other technologies while shopping on your storefront. See Security and Privacy Settings for more information about built-in customer privacy settings.
Categorize Third-Party and Custom Scripts
Scripts that have automatically been installed by third-party apps and custom scripts you’ve manually added to the store can be categorized so they work in conjunction with the cookie consent tracking store settings. See Using Script Manager to learn more about script categories and how to categorize your scripts.
Check your Apps and Integrations
Any apps that you use with your online business will also need to be compliant. If the app or integration does not explicitly state that the product is compliant, you will have to contact the vendor directly to confirm whether it meets GDPR requirements.
Explicitly ask for Consent in Sign-up
For account sign-up forms, you can include a required checkbox for consent to your privacy policy. See Creating a Privacy Policy | Requiring Consent for Account Signup for instructions on how to do this for your store.
Explicitly ask for Consent to Marketing Communications
GDPR generally requires that you obtain the prior affirmative consent of shoppers to send them marketing communications. You should request such consent in a separate checkbox, rather than include the request in your privacy policy or other terms. At checkout you can enable a checkbox to request specific consent from shoppers to receive your communications.
Report Security Breaches
Take steps to make sure your customers' data is secure, and if there's a breach, disclose it to the Supervisory Authority within 72 hours.
To learn more about security and privacy, join our Security & Privacy Community Group. Our security team will answer questions about security issues and how to make sure you are compliant.
FAQ
Who is my Supervisory authority?
Your Supervisory Authority depends on the country in which your business is based. A list of Data Protection Authorities (DPAs) can be found here.
How do I make sure shoppers get the notification to accept cookies?
Under Security & Privacy Settings, there is a privacy section that allows you to turn on the cookie consent tracking and customize the text of the notification.
Is the Abandoned Cart feature GDPR compliant?
The abandoned cart feature is compliant as long as you provide your customers an easy way to opt out. Every abandoned cart email that your customers receive contains a link they can click to unsubscribe. Their choice is automatically recorded in the "Receive ACS/Review Emails" field on the Customer Details page.
Are apps from the App Marketplace GDPR compliant?
BigCommerce is not responsible for making sure apps comply with the legal requirements of specific jurisdictions; it is the responsibility of the individual app developer to ensure their product meets these requirements. If you are unsure whether one of your apps is GDPR compliant, contact the app developer directly. BigCommerce plans to make it easier to see whether an app is GDPR compliant from the App Marketplace in the future.
How can I link to my Privacy Policy during checkout for guests?
You can link to your Privacy Policy during checkout by checking the Enabling Terms & Services option in Checkout Settings. This will also appear for logged-in shoppers.
Can I offer a double opt-in for newsletters?
Double opt-in sign-ups are not required for GDPR compliance. While BigCommerce collects newsletter sign-ups that can be shared with third-party apps, it does not use double opt-in and does not include a native newsletter feature. Check with your email marketing provider to see whether they offer this feature.
Where can I get more information?
For more answers about how BigCommerce meets GDPR compliance, see our Community Q & A. For questions about your individual business situation, contact a legal professional for the best support.