The General Data Protection Regulation (GDPR) took effect on the 25th of May, 2018, and Moda guarantees that we fully comply with all the changes it approved and implemented.
Essentials of GDPR for eCommerce
1. Get consent: the user must agree to be included in your marketing campaigns.
If the user has consented to the message and communication channel you are offering, then you can continue as you always have. If there was no consent, you cannot send them marketing materials or advertise to them. Without explicit, unambiguous consent from the visitor to receive these kinds of marketing messages, you are not permitted to send them, and doing so anyway risks heavy fines.
Note! Emails collected using 3rd party apps or on the checkout of your store won't have a consent record in Moda, because per European GDPR law, consent may only be collected via a 1st party web form. Basically, we can't confirm that customers have given their consent if their addresses weren't collected by us.
2. Provide adequate protection: you must protect the user’s personal data adequately.
If a user does consent to your storing and processing their personal data (for personalized marketing or advertising messages, for example), you have an obligation to make sure that data is adequately protected. As for exactly what “personal data” is, the GDPR definition is pretty broad: any data that can be used, alone or in combination, to link to or point to a person.
This includes the visitor’s:
- physical address
- demographic data (age, location, etc.)
- email address
- IP address
According to the GDPR, businesses are supposed to appoint a Data Protection Officer (DPO), who is responsible for ensuring adequate security for personal data.
The regulation states that DPOs are required for companies that process large amounts of personal data, so smaller eCommerce stores should be in the clear.
However, it’s still very important that you have someone in your organization who is in charge of data protection.
3. Delete, correct, or restrict when asked: if the user requests you to delete, correct, or restrict the personal data you have, you must comply quickly.
The last of the 3 essential areas of the GDPR for eCommerce concerns user requests to have their personal data deleted, corrected, or restricted.
The GDPR allows, at its core, for European citizens and residents to have more complete control over how their personal data is used.
For that reason, if an EU subscriber or shopper whose personal data you have asks you to erase or change it in any way, you have to do so within a reasonable amount of time.
If a user asks you to change or delete their personal data, it’s best to do it sooner rather than later.
With that, you’ll have nothing to worry about for this part of GDPR.
How Moda is helping merchants be GDPR-ready
Moda makes sure that all eCommerce merchants using our marketing automation platform are fully covered. We have done this in the following ways:
- GDPR-ready consent and re-consent
- Right to be forgotten - complete removal of user data so that the customer or subscriber is not identified IN ANY WAY. This option is available if your client insists on it or if you request your account and data to be removed.
- GDPR-ready privacy and cookie policies
With huge fines and other serious consequences, it is very important that eCommerce merchants understand what these rules mean for their business and how they can prepare for them.
By using Moda, you agree not to import or send to any email address which:
- A. You do not have explicit, provable permission to contact in relation to the topic of the email you’re sending.
- B. You bought, loaned, rented or in any way acquired from a third party, no matter what they claim about quality or permission. You need to obtain permission yourself.
- C. You haven’t contacted via email in the last 12 months.
- D. You scraped or copied and pasted from the web.
What should I do if my contacts don't have a consent record? European customers must have consent due to GDPR law and EU regulations, which state that a contact must be opted in in order to receive emails. So, you can send communication to these contacts at your own risk. US regulations do not require any legal form of consent, so a simple subscription box on checkout is enough to treat a contact as a legal subscriber, and a consent record isn't strictly needed. However, these contacts must be able to unsubscribe from your marketing campaigns.
Under the General Data Protection Regulation (GDPR), an organization must be able to justify each type of data processing activity it conducts, using one of six lawful bases of processing.
In email marketing, which involves the processing of contacts’ personal data (such as email address and name), consent often makes sense as the lawful basis used to justify the data processing.
Organizations using consent as a lawful basis for data processing need to be able to prove consent was freely given, and be prepared to share a record of consent with regulators, if asked.
Additionally, data subjects must be able to withdraw consent at any time.
Who must comply with the CCPA?
Most CCPA requirements apply to “businesses” — companies that collect consumers’ personal information (on their own or using vendors) and use the information for their own purposes. These businesses determine “the purposes and means” of processing personal information. The CCPA applies to any “business” that:
- Handles California residents’ personal information
- Is “doing business” in California (e.g., engaging with individuals located in California through an ecommerce or interactive website or application)
- Satisfies one or more of the following thresholds:
- Has annual gross revenues of $25 million
- Obtains, sells, or shares personal information of 50,000 or more California residents, households, or devices annually
- Derives 50 percent or more of its annual revenues from “selling” California residents’ personal information (i.e., sharing or giving access to personal information to third parties for those parties’ own purposes)
The CCPA also imposes limited requirements on “service providers” — companies that process consumer personal information on behalf of a business. Businesses disclose personal information to service providers for a specific business purpose pursuant to a written contract. The CCPA requires service providers to process personal information only as necessary to provide their services.
What is classified as personal information under the CCPA?
The CCPA defines personal information very broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. In practice, this broad definition means that information such as contact information, transaction data, Internet Protocol (IP) addresses, mobile device identifiers, clickstream data, and order details may be within the scope of the CCPA’s definition of personal information, and subject to the CCPA’s requirements.
What do I need to do to prepare?
The CCPA is a complex law. This article provides the key obligations under the CCPA for the benefit of our customers but does not take into account all individual circumstances that may apply to your business. Please contact your legal counsel for specific advice. If the CCPA is applicable to your business, you should consider the following:
- Information regarding a consumer’s right to access, opt-out (if the business sells personal data), right to deletion, right of non-discrimination for invoking CCPA rights, and the right to designate an authorized agent
- Two or more methods for submitting access and deletion requests, including a toll-free number (however, certain businesses that operate exclusively online are exempt from the toll-free number requirement)
- A list of the categories of personal information it has collected about consumers in the preceding 12 months
- A list of the categories of personal information it has sold about consumers in the preceding 12 months (or if the business has not sold consumers’ personal information in the preceding 12 months, the business should disclose that fact)
- A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months (or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business should disclose that fact)
Consumers have the right at any time to opt-out of the sale of their personal data to third parties.
If the consumer is under 13 years old, then a parent or guardian's affirmative consent (opt-in) is required before selling his or her personal information.
If the consumer is between 13 and 16 years old, then the consumer's own affirmative consent is required before selling his or her personal information.
Consumers have the right at any time to opt-out of their personal data being sold by a third party who has purchased the consumer's personal data from a business. The third-party must stop selling upon receipt of the opt-out request unless a subsequent express authorization is provided by the consumer.
Access and deletion rights
Make available to consumers 2 or more designated methods for submitting requests for information required to be disclosed and/or deleted, including, at a minimum, a toll-free telephone number and a web address (if the business maintains a website).
A business must implement processes to verify a California resident’s identity before providing an individual with the right to access or delete personal information.
Once a request is received from a California resident and their identity is confirmed, complete the following as applicable:
- Right to access: access disclosures must include, among other things, (i) the categories of personal information collected about that consumer (in the preceding 12 months), (ii) the categories of sources from which the personal information is collected, (iii) the business or commercial purpose for collecting or selling personal information, (iv) the categories of third parties with whom the business shares personal information, and (v) the specific pieces of personal information it has collected about that consumer.
- Right of deletion: erasure requests must be completed by the business and its direct service providers. A number of exceptions exist, however, such as where the information is necessary to complete a transaction, provide goods or services requested by the consumer, comply with a legal obligation, or protect against and prosecute fraud and other illegal activity.
Consumer requests must be addressed within 45 days of receiving the request, by mail or electronically (in a usable format that allows the consumer to provide it to another entity) or through a user account (if the requestor has an active account).
Response time may be extended by an additional 45 days (during the first 45 days) if reasonably necessary (based on complexity and the number of requests) and if the requestor is notified of the extension (detailing the reasons why).
The request process must be free of charge.
Businesses are not required to fulfil more than two such requests in a 12-month period.
What is Moda's role under the CCPA?
Moda has no direct relationship with the individuals whose personal information is stored within our systems. Moda serves as a service provider, while our customers are the businesses, because we process end-user information on their behalf.
What is Moda doing to help customers comply with the CCPA?