Guide for GDPR for Magento 2

Make your store compliant with the latest EU's GDPR and other legislative requirements. Create and manage privacy policy documentation, add consent checkbox to the registration and checkout pages, and send email consent requests.

• Collect consents with privacy policy
• Create multiple consent checkboxes
• Display Cookie Policy popup
• Track privacy policy related activity in the actions log
• Approve or deny requests to delete users' accounts
• Automatically delete personal data
• Compliance with WCAG 2.1 level AA requirements (for Luma and Hyvä Themes)
• Google Consent Mode V2 support

NEW: Now the module content is available in the German language! Backend and frontend settings are translated according to the selected locale. The sample files with the content of the privacy policy and cookie descriptions can be found below:

german_sample_files.zip

To configure the extension, you need to adjust GDPR and Cookie settings separately. First of all, please go to Stores → Configuration → Amasty Extensions → Personal Data Protection.

Expand the General tab.

Enabled - set to Yes display the consents on the frontend.

Display Privacy Policy Popup on First Visit - enable the option to display Privacy Policy popup when a new customer opens the website.

If you've just installed the extension, the Privacy Policy template is the following:

Just replace the highlighted text with the data corresponding to your website by visiting the Privacy Policy section in the backend.

Moreover, the option allows you to display a popup with a new version of Privacy Policy to those users who have not accepted the policy yet with the notification about the updates. See how it works:

Country Restrictions - select the customer location option to display the Privacy Policy Popup on the frontend.

You can enable the Privacy Policy Popup for All Countries, EEA Countries, or Specific Countries selected in the list below.

Please note that notifications of Privacy Policy changes (if enabled) will be sent only to customers from locations where the Privacy Policy Popup display is permitted.

Log Guest Consent - activate this option to log all consents given by guest visitors. Guest data will be displayed in the 'Consent Log' grid.

Log Auto-Cleaning - enable the automatic Consent and Action Logs cleaning.

Log Auto-Cleaning Period (Days) - the records that were saved for a longer period than the specified here will be automatically removed from Consent and Action Logs.

You can display or hide the following sections in the customers' accounts:

Allow Downloading Personal Data - set to Yes to let a customer download personal data in a CSV file.

Allow Anonymizing Personal Data - enable the option to let customers anonymize their personal data.

Allow Deleting Account - switch to Yes if you want a customer to be able to delete account.

Allow Opting Out from Given Consent - if enabled, the section Given Consent will be added to customer account for customers to be able to opt in or opt out from given consent.

Download Fields with Filled Values Only - if enabled, the fields with empty values will be skipped in downloaded files.

Display Data Protection Officer Information - if enabled, customers will be able to get information about your Data Protection Officer added to a separate section at their accounts.

Section Name - specify the frontend title for the extra tab.

Data Protection Officer Email - enter the email to which emails will be sent for Data Protection Officer.

Data Protection Officer information - provide any information you want to with the help of the editor.

In the customer's account the new tab called Privacy Settings is added:

From this page, customers can:

• download all their personal data in the CSV format;
• anonymize their personal information;
• request for account removal;
• opt-in or opt-out from optional consent;
• see the contacts of the DPO.

Guest visitors have also some options to manage their personal data. Guests can't delete their accounts (as they don't have ones), but other options are available for them.

To get the info, guests should go to the Orders and Returns page.

Find a particular order and scroll down.

Here a guest visitor can download the data collected during the particular order processing or anonymise it.

In this section you may configure an Automatic Personal Data Deletion for customers that stopped using your website. You can set up the time interval from the last customer's order in days, and after it expires the extension will automatically create a deletion request on the 'Delete Requests' grid.

Delete Personal Data of Abandoned Customer’s Accounts - set to Yes to activate an automatic personal data deletion option.

Abandoned Customer’s Accounts Automatic Deletion Period (Days) - specify the particular number of days after which personal data will be removed.

When a customer asks to delete personal data and the request is approved, the extension deletes their account, subscriptions, and the data in orders, invoices, shipments, and credit memos. Given disabled, it could cause problem for a store owner as these should be stored for a specific period of time.

The feature keeps personal data untouched in orders, invoices, shipments and credit memos for the set period after deleting customer’s account. When the period expires, the personal data in the documents will be automatically deleted.

Deletion of Personal Data in Recent Documents - choose Delete to remove data or set to Don't Delete to keep personal data untouched in documents.

Prevent Data Deletion Period (Days) - if you've chosen not to delete data, specify the particular period to keep the data. When the period expires, all the data will be removed.

Anonymization/Deletion of Personal Data for Orders in Specified Status(es) - if the option is set to Don't Allow for Statuses, a customer won’t be allowed anonymizing and deleting their personal data if the order is now in one of the specified statuses. A store admin won't be able to approve a request for personal data deletion as well.

Order Statuses - select the order statuses to which the feature will be applied.

This option allows you to send an email to customers about changes to the Privacy Policy with information about the changes. Thus, customers will be able to agree to the changes without having to read the entire privacy policy again.

Enabled - set to Yes to send automatic email notification upon the updates in privacy policy

Email Sender - select sender address.

Email Reply To - Specify the email address for customer's replies or leave blank to use the sender address.

Email Template - select the template of the Privacy Policy. You can choose a basic one, which is created automatically, or create your own template of the Privacy Policy.

Automatic informing of clients about changes in Privacy Policy.

Track and manage the status of automatic mailing about Privacy Policy changes.

The extension supports two types of email notifications. These are:

• Anonymization Notifications
• Deletion Notifications

Customers are able to anonymize their personal data. After anonymizing, they will get an email with the new credentials for login their account. For Anonymization Notifications you may specify:

• Email Sender
• Email Reply To
• Email Template

Proceed to Deletion Notifications.

Here you may separately configure notifications for your managers and customers.

For managers it is possible to Notify Manager on Deletion Request and specify:

• Email Sender
• Send Email To
• Email Template

For Customer’s Approval Notification and Customer’s Deny Notification you can preconfigure:

• Email Sender
• Email Reply To
• Email Template

To give your customers the opportunity to regulate their cookie usage, please go to Stores → Configuration → Amasty Extensions → Cookie Consent.

 composer require amasty/gdpr-cookie 

Expand this tab to configure the basic setting of the extension.

Cookie Bar Style - choose the cookie bar type suitable for your store:

• Classic bar. It can be displayed either on top or in the footer of the page. It contains cookie policy text and buttons.

• Side Bar. Pop Up with Toggles contains additional info about each cookie group and a customer can easily adjust the consent within the first interaction.

• Pop Up. It is displayed in the center of a page.

If customers accept all cookies regardless of a bar type, the cookie bar automatically disappears.

If they want to find extra information or allow specific cookies by clicking Custom Cookies (button name is customizable), they will see the following popup:

Thus, they can click the toggles and accept the particular cookies only.

From this popup, they can also find extra details about each cookie type by clicking More Information in the popup and see the info:

The extension also adds a special link to the store footer so that customers could find information about cookies and revoke prevously given consents any time. The data is also displayed in the pop-up.

The GDPR extension is compatible with Google Consent Mode V2. You can find the amasty/module-google-consent-mode package for installation in Composer suggest (Note: the compatibility is available as a part of an active product subscription or support subscription).

The extension uses Geo IP Database to detect site visitors' location. Please, go to Stores → Configuration → Amasty Extensions → Geo IP Data.

You can get the databases automatically or import your own data.

Hit the Download and Import button to make the extension download the updated CSV dump file and import it into your database automatically.

To import the files from your own source, use the Import option. Path to the files should look like this (the part 'var/amasty' should be replaced with your folders’ names):

var/amasty/geoip/GeoLite2-City-Blocks-IPv4.csv 
var/amasty/geoip/GeoLite2-City-Blocks-IPv6.csv 
var/amasty/geoip/GeoLite2-City-Locations-en.csv

You can enable IP forcing, which makes it possible to set a specific IP address that will be used instead of the visitor's real IP address when determining geolocation. The feature is useful while configuring or testing the extension.

Enable Force IP - set to Yes to replace the real IP address.

Force IP Address - specify the address to use instead of a real one.

With the extension, you can download, delete or anonymise customers' data from the admin panel. For example, if a customer can't log in to an account and asks you to anonymise the data, you can easily do it.

Proceed to Customers → All Customers and choose a particular one.

In the Personal Data dropdown you can choose the appropriate action to be done with a customer's data. For example, click Anonymise and confirm the action. Check the result.

To manage all the existing cookies, go to Customers → Cookies.

With the extension you can easily track and sort all cookies on a separate grid by its ID, Name, Group, Description and the Lifetime.

To view or change the configuration of a cookie, click Edit in the Action column.

To delete cookies, tick them and choose Delete option in the Actions dropdown menu.

To create a new cookie, hit the Add New Cookie button.

Cookie Name - specify the title of the cookie.

Description - fill in some information about the usage of the cookie.

Cookie Lifetime - set the lifetime of a cookie that will be displayed to customers on the Cookie CMS page.

Cookie Group - assign the cookie to a particular group.

To arrange cookies into essential and optional categories, go to Customers → Cookie Groups.

With the extension you can manage all your cookie categories in a handy grid.

On the grid the ID, Cookie Group Name and Description are displayed. Also you can see if each group Is Essential and Is Enabled.

To configure any group, click Edit in the Action column.

To delete several groups in one click, tick them and choose Delete option in the Actions dropdown menu.

To create a new category, click Add New Group.

Enabled - choose Yes to activate the group.

Is Essential - set to Yes to make the group obligatory. In this case the customers will have to allow this cookie group to get access to the website.

Cookie Group Name - specify the title of the cookie group that will be displayed to the customers on the frontend and on the grid in admin panel.

Description - fill in the information about the usage of the group so that the customers could decide whether to allow this group or not.

Assigned Cookies - select the cookies to include in the group.

Save the configuration.

Here customers can choose which cookie categories they allow to process:

The extension adds a ‘Cookie Settings’ link to the footer so that the customers can easily reset cookie usage conditions any time they need:

To find the list of all consents and customers data, go to Customers → Cookie Consents.

You can find all needed info in one place. The grid allows to track consents by customer Name, Email, IP Address, Website, Consent Type, Date and Consent Status. This data can be useful for different consents analysis.

The module contains the number of grids needed for efficient GDPR management.

With the extension it is possible to create multiple independent checkboxes on a form with their own settings. Please navigate to Amasty → Personal Data Protection → Consent Checkboxes grid to view and manage all checkboxes.

On the grid you can see each checkbox settings.

To remove them in bulk, tick the necessary ones and choose the Delete option in the Actions dropdown.

To create a new one, hit the New Checkbox button.

Checkbox Name - specify the title of a checkbox for internal use.

Checkbox Code - set the code of the checkbox.

Enabled - switch to Yes to activate the check on the frontend.

Confirmation Required - if enabled, a customer will have to give the consent to submit an action.

Hide the Checkbox after User Gave the Consent - if enabled, the system will always log consents to the checkbox. Moreover, the checkbox will be also added to customer account under the section 'Given Consent' to opt in or opt out from consent. The checkbox will be displayed again in case you introduce changes to the privacy policy. If the option is disabled, an admin can choose whether to log the consents or not.

Log the Consent - if enabled, customer’s consent will be saved in the ‘Consent Log’ grid.

Checkbox Position - define the checkbox position among other checkboxes on the frontend. The feature helps to set the order of several checkboxes in case they are displayed in one place. 0 is the highest priority.

Checkbox Location - select the pages and forms to which a particular checkbox will be applied.

Checkbox Text - provide the content of the checkbox. You can use the <a> tag in the text and also the {link} variable to insert the privacy policy link into the checkbox text. Example: I have read and accept the <a href=“{link}”>privacy policy</a>.

Consent Link Type - choose the type of the link: it can be either GDPR Privacy Policy link or link to any CMS Page. If the second variant is chosen, select the page to which link will direct customers.

This is how checkboxes are displayed on the registration page:

If a customer clicks on any policy, a CMS page will be displayed in a popup. For instance, click on the Terms & Conditions link:

Countries Restrictment - it is possible to adjust each checkbox visibility according to a customer location. Enable the checkbox for All Countries, EEA Countries or provide Specified Countries in the list below.

Collect and track all customer consents in one grid. Here you will also see if a customer has revoked optional consents at Account Privacy Settings.

See each Customer Name, Remote IP Address, Email, Checkbox Location, Policy Version, Websites and a customer Action.

To delete consents in bulk, just tick the necessary ones and choose the Delete options from the Actions dropdown.

You may also apply multiple filters to sort out specific consents.

To check customers’ actions, go to Customers → Personal Data Protection → Action Log.

On the grid you can see all actions performed by store users and admins regarding privacy policy consents and the GDPR-related account management.

Filter the data by the following actions:

When a customer requests for account removal, the request appears on the special grid. Please, go to Customers → Delete Requests.

On the grid you can see all incoming requests. You can approve or deny any request:

• Select the requests you want to reply;
• Choose the appropriate option from the Actions dropdown menu;
• Hit the Submit button.

To manage the privacy policy documentation, please, go to Customers → Privacy Policy.

On the grid you can manage the existing privacy policy documents: create, update, and delete them. For your convenience, the inline edit is available:

Hit the Add New Policy button to create a new privacy policy document.

Comment — specify the privacy policy title;

Policy Version — set the privacy policy version;

Policy Status — change the privacy policy status;

Policy Content — fill in the privacy policy text using the WYSIWYG editor.

When the privacy policy document is ready, hit the Save button to return to the grid. Also, you can state the version as Draft if it is not completely ready.

This is how the privacy policy document looks for store visitors:

To place a link to your Privacy Policy to any store CMS page/block, please, complete the next steps:

1. Create a CMS page and add the 'Amasty Privacy Policy' widget to this page. The widget will automatically display an active Privacy Policy text.

2. Choose any existing CMS page/block to which you want to add a link to a Privacy Policy. Then, via the 'Link to CMS Page' widget, place to this page a link to a CMS page (with a Privacy Policy text), created on the previous step.

3. Check how the link displays on the frontend:

To insert a widget in Magento 2.4.3, you need to do some extra steps.

Step 1. Click the Edit with Page Builder button

Step 2. Expand the Elements tab and drag the HTML Code element.

Step 3. Click Edit.

Step 4. Insert the widget.

Then choose the Amasty Privacy Policy widget and save the changes.

To manage all existing cron tasks, please, go to System → Cron Tasks List.

Here, you can see all the existing cron tasks and their statuses. Run cron tasks and generate their schedule by clicking the ‘Run Cron’ button. Also, delete tasks in bulk, apply filtering and sorting options when it is needed.

The PWA add-on helps you maintain compliance with the GDPR requirements and ensure an even and fast shopping experience for customers browsing from tablets and smartphones.

The add-on helps you collect, store and manage all the necessary consents. It provides a smooth and fast interaction with the website for customers shopping from mobile devices, improves responsiveness and the overall client experience. You can place the checkboxes on registration or checkout pages. The text of the policies will appear in a nice pop-up window without redirecting users to a new page.

GDPR extension is compatible with the number of other Amasty extensions.

Apart from the possibility to insert a FAQ widget into the Privacy Settings tab, the integration with the FAQ and Product Questions extension lets you add multiple checkboxes to the Ask a Question form.

If you have both extensions installed, you can choose this form while creating a checkbox.

Get consents for Privacy Policy while registering using a popup generated by Social Login.

Add checkboxes to custom forms generated by Amasty Custom Form extension.

Display a Cookie Bar and a Privacy Policy popup on Blog Pro pages.

Additionally, equip comment forms with the necessary checkboxes.

Equip Out of Stock Notification forms with checkboxes.

Collect consents on the last step using the integration with the One Step Checkout extension.

Use statistics on accepted and rejected cookie groups.

To view visualized cookie reports on accepted and rejected cookie groups proceed to:

Amasty → Consent to the Use of Cookies → Cookie Content Log.

The data is displayed in the form of a graphical report, which contains information on all existing cookie groups on the site, indicating the number of accepted and rejected cookies for each group.

You can also upload statistics as a report in the following formats: CSV or EXCEL XML.

The Premium package includes an advanced all-in-one cookie popup. Using this type of bar, customers can see all the information about cookies in details without visiting additional pages.

How to set up an advanced pop-up:

Amasty → Cookie Consent → Configuration → Cookie Bar Customization → Cookie Bar Style → Upgraded.

Pop-up contains all the necessary information, which is displayed in three tabs:

1. The text for the tab Consent is set by the admin in the Notification Text setting.

2. In Details tab displays groups of cookies created by the administrator in the Cookie Groups grid with an indication of the number of cookies in the group:

Accept Cookies - the user agrees with all groups of cookies.

Allow Selection - the user agrees to a custom selection of cookie groups with which he agreed through toggles.

Decline Cookies - the user rejects all cookie groups except Essential.

3. The text in About tab is set by the admin in the 'About' content setting.

Accept Cookies - the user agrees with all groups of cookies.

Custom Settings - redirects the user to the Details tab.

Decline Cookies - the user rejects all cookie groups except Essential.

It is possible to customize the upgraded popup design. For this, you can specify the following settings:

• Notification text
• ‘About’ content
• Background Color
• Policy Text Color
• 'About' content Text Color
• Tab Color
• Tab Color on Hover
• Links Color
• Cookie Group Title Text Color
• Cookie Group Description Text Color
• Cookies Quantity Color

Also, you can customize the appearance of the 'Accept', 'Decline', 'Custom Settings', and 'Allow Selection' buttons. The following settings are available for customization:

• Button Name
• Sort Order
• Button Color
• Button Color on Hover
• Text Color
• Text Color on Hover

Here is the sample of customization:

To ensure correct tracking of custom cookies with Google Analytics 4 and avoid possible issues, please go to Content → Design → Configuration → Choose the needed store view → HTML Head → Scripts and Style Sheets field and paste the following script:

<!-- Google Tag Manager -->
<script>
require(['jquery', 'mage/cookies'], function ($) {
    const callGTM = () => {
        const gtmId = 'YOUR GTM ID'; // Insert your gtm id here

        (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
        new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
        'https://www.googletagmanager.com/' + 'gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
        })(window,document,'script','dataLayer', gtmId);
    }

    const isGoogleAnalyticsCookieAllowed = () => {
        const disallowedCookieAmasty = $.mage.cookies.get('amcookie_disallowed') || '',
            allowedCookiesAmasty = $.mage.cookies.get('amcookie_allowed') || '',
            googleAnalyticsCookieName = '_ga';

        return !((disallowedCookieAmasty.split(',').includes(googleAnalyticsCookieName) ||
            !allowedCookiesAmasty) && window.isGdprCookieEnabled);
    }

    $('body').on('amcookie_save amcookie_allow', () => {
        if (!isGoogleAnalyticsCookieAllowed()) {
            return;
        }

        callGTM();
    });

    if (!isGoogleAnalyticsCookieAllowed()) {
        return;
    }

    callGTM();
});
</script>
<!-- End Google Tag Manager -->

* What is the difference between CCPA and GDPR?

* How to translate the privacy policy text?

* How do I restore anonymized data to process the incoming orders?

Find out how to install the GDPR extension via Composer.

Rate the user guide

from 3 votes (Details)       1 visitor votes 0 visitor votes 0 visitor votes 0 visitor votes 1 visitor votes