In 2018, the General Data Protection Regulation came into force. In 2020, we still see that many of our Magento 2 customers hardly comply with GDPR.
Today we’ll tell you (a) what GDPR means to us and (b) what you should assess in Magento for not to get fined.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is an updated regulation in EU law on data protection and privacy for all individuals within the European Union. The expected regulation affects any online business even if it’s not located in one of the European countries.
What does it mean for a US business?
In case you do business in the US but offer goods and services to EU citizens, your company has to comply with the new requirements as well.
Even if data processing is conducted by a third party, you need to make it transparent. This means you are obliged to receive clear consent from your EU customers for collecting and processing their personal information. In addition, the individuals have a right to get their data deleted or anonymized on request.
The logic is at the set of rules by which EU individuals should grant permission to utilize their personal information for a number of reasons in return for the provided services. To find more information on GDPR, refer to the European Commission’s Website.
What does GDPR mean to Amasty?
Amasty is a law-abiding company that fully meets the requirements of personal data protection. We'll continue taking care of our customers’ personal data safety and security.
We commit to fully comply with new legislative requirements and therefore, are making all the changes requested by the law.
To date, we’ve:
- revised our Privacy Policy to lead the dialogue on specific policies dealing with the EU’s General Data Protection Regulation
- run an email campaign in which we informed our EU users about the need for the repeat subscription
- made a number of minor changes on our official website
- added ‘consent checkboxes’ and ‘remove/anonymize settings’ to all our extensions related to customers’ data collection.
What should you know about Magento 2 and GDPR?
According to GDPR, a Magento site owner, as well as any EU-level company, can only process personal data under certain conditions where the processing data should be:
(1) transparent for site users
(2) dedicated to a legitimate purpose and
(3) limited in time required for the purpose fulfillment.
Besides, the processing should be established on one of the legal grounds stated in Article 6 of the GDPR.
The GDPR’s purpose is to ensure that an individual understands what he or she is consenting to. In this, Article 4(11) of the GDPR stipulates that a user consent of the data collection means any:
freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The consent should be freely given in the clear language in your Privacy Policy and require for checking a box or signing a form. In this, if you are to process personal data of a child based on the consent, then you need to avail of the parents’ permit for that.
Within the EU’s General Data Protection Regulation, you need to:
(1) determine your role (data controller; data processor)
(2) provide your site users with transparent information about the personal data collection
(3) give the personal data being processed on the user’s request
(4) delete the personal data from the site database on the user’s request or when it’s no longer required for the processing purpose
(5) respect the user’s right to correct and object to the incorrect personal data.
Thus, demonstrating your Magento 2 store compliance with GDPR and keeping records are the top-priority tasks for not getting fined.
Why should you assess Magento extensions connected with your account?
Magento called for reviewing areas of your business services related to data processing. Why?
As all Magento Marketplace extensions are developed by 3rd parties, they may store personal data in other locations than the Magento core. And the data can be further sent to external services.
Thus, some 3d-party extensions (like Customer Attributes by Amasty) can store your users’ private data. And in case you collect data from individuals in the EU, you need to:
(1) state this fact in your Privacy Policy and
(2) remove/anonymize the information on the request of an EU individual.
GDPR-ready Magento extensions by Amasty
This regulation affects most of the businesses that are tightly connected to the web. Hence, the vast majority of e-commerce stores serving customers from the European Union are obliged to follow the new rules to avoid penalties and other claims from the legislative.
That’s why we at Amasty made sure that all our customers would receive updates to their Magento 2 extensions in order to comply with the EU’s GDPR requirements.
#1. GDPR
And we will begin right from the specially designed extensions called GDPR. The module provides customers with mostly the same functionality depending on the version of the Magento Commerce platform. This includes:
- the ability to create, adjust and manage the privacy policy documentation;
- the privacy policy compliance checkbox on the registration and checkout pages;
- the configurable cookie policy bar to either inform visitors or collect their consents;
- enhance customers’ accounts with the ability to download all data, anonymize it or request to delete the profile.
In other words, these GDPR extensions for Magento 2 can become a universal solution for most of the businesses operating within the European Union.
#2. FAQ and Product Questions
For this useful knowledge base extension, we’ve added the consent checkbox. When it is flagged a user can ask a question using a name and email. When not, a store visitor won’t be able to submit a question. Near the checkbox, you can provide the consent text and a link to the privacy policy documentation:
#3. Blog Pro
This popular blogging solution for the Magento platform is now equipped with a special option. It allows you to enable or disable the name and email display for comments to posts or use the privacy policy compliance checkbox to publish a comment:
#4. Customer Group Catalog
As this module allows to replace the price block with a custom form, it was necessary to provide it with a consent checkbox. With the new functionality, a user can’t submit a request without providing consent to the privacy policy:
Plugins with privacy policy consent checkboxes
Also, we implemented the support for the privacy policy consent checkbox into the following extensions:
- Abandoned Cart Email for Magento 2
- Custom Form for Magento 2
- Hide Price for Magento 2
- Out of Stock Notifications for Magento 2
For most of the extensions above, you will have the ability to provide a consent checkbox with a custom text and a link to the existing privacy policy page. Moreover, the Abandoned Cart Email module now contains the GeoIP database to exclude the European Union’s customer emails from further processing.
What about personal data protection in other countries?
Data protection laws apply not only to the EU but also to other countries. Below, we’ll overview the CCPA (California Consumer Privacy Act) and LGPD (Lei Geral de Proteção de Dados).
California Consumer Privacy Act
The California Consumer Privacy Act of 2018 , also known as CCPA, was developed to give customers control over their personal information. According to this act, consumers that are residents of California state have the following rights:
- to know what personal information is collected, how it will be used and spread;
- to delete personal information;
- to restrict the sale of personal data;
- to avoid discrimination based on your data.
Also, like the GDPR, this law foresees that businesses should inform users about collecting personal data and explain this transparently in the current privacy policy.
What companies fall under the low?
The CCPA applies to:
- companies that do business in California and earn $25 million or more annually;
- firms that buy, receive, or sell personal data of at least 50 000 California residents;
- businesses that get half or more of their annual revenue from selling California residents’ personal information.
It’s important to notice that companies don't have to be based in California to fall under the law.
What happens if I do not comply with the law?
If your website doesn’t comply with CCPA, you’ll be fined up to $7,500 per record. Fortunately, you will have 30 days after the first abuse report to solve the issues.
How to make Magento 2 CCPA compliant?
We offer the CCPA extension that helps you make Magento 2 store compliant with this law. Watch our open webinar about this and more data protection plugins.
The Brazilian General Data Protection Law
The LGPD or Lei Geral de Proteção de Dados is a new law that came into force on August 15, 2020. At first sight, it looks similar to GDPR, but it has several important differences.
#1. Legal basis for processing data
Unlike GDPR, LGPD includes the list of 10 legal bases for processing personal data. They are provided in Article 7 of the law.
#2. Data protection officers
The law obliges all organizations that process personal data in Brazil to hire a DPO. At this point, LGPD is more stringent than the GDPR that requires to have a DPO in specific cases only.
#3. Amount of the fine
Compared to GDPR, the fines under the LGPD are less severe. The maximum fine for a violation is 2% of your annual revenue or 50 million reals (about €12 million) when a penalty for violation of the GDPR can reach up to €20 million or 4% of annual revenue.
Why is LGPD important?
Brazil is one of the biggest global markets that has 140 million internet users . If you want to interact with people from this country safely and avoid government penalties, make your store LGPD compliant.
How to make Magento 2 LGPD compliant?
We’ve developed a separate solution for this market - LGPD extension . It includes all the features that will make your store LGPD-compliant.
How can I implement a privacy policy on my Magento 2 website?
To implement a privacy policy on your Magento 2 website, create a comprehensive policy, prominently link it on your site, ensure compliance with privacy laws, use clear language, update it regularly, consider a cookie consent banner, and train your team on privacy and data protection.