Welcome to the Oracle CX Blog:
The latest in customer experience strategy, technology,
and innovation.

Overview for OCC Customers - Preparing Your Commerce Cloud Sites for GDPR



Merchants serving webstores to shoppers in the European Union (EU) and collecting their data must comply with European Union General Data Protection Regulation (GDPR), which was approved in 2016 and will become effective on May 25, 2018. After that date, organizations found to be in non-compliance will potentially face heavy fines. If you operate in the EU, it is important to prepare for GDPR compliance.

This regulation is designed to protect the data privacy of all EU residents and requires website operators, among other requirements, to consider any applicable notice and consent requirements when collecting personal data from shoppers (e.g. using cookies).  

If you're wondering if this regulation affects you, please note that GDPR not only applies to organizations located within the EU, but it also applies to organizations located outside of the EU, if they offer goods or services to EU shoppers. It is therefore safe to presume that it broadly applies to all companies processing and collecting personal data of persons residing in the European Union, regardless of the company’s location.

This post will help you understand how Oracle Commerce Cloud (OCC) can be utilized to help comply with certain GDPR requirements.

General Preparation Checklists

There are several resources available that provide an overview of the legislation, its impact, and guidance on how you can prepare organizations to comply. We recommend reviewing the following resources to get a basic overview and understanding of GDPR:  

However, given that GDPR covers many special considerations surrounding the management of EU personal data, including consent management, it is important to consult legal counsel to get professional guidance if you believe your websites and commerce operations may be subjected to these requirements. 

Managing Shopper Consents

When working with Commerce Cloud sites, consent is a major area of focus to consider while ensuring that data collection practices are aligned with GDPR. In particular, you may need to obtain shopper consent to capture and use Personal Information (PI) on Commerce Cloud merchant sites for specific use cases where no other legal grounds are available.

The UK Information Commissioners Office (ICO) provides guidance that consent needs to be:

  • Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-checked opt-in boxes are invalid. Use unchecked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: Give granular options to consent separately to allow for different types of processing where appropriate.
  • Named: Specifically name your organization and any third parties who will be relying on consent. Even precisely defined categories of third-party organizations will not be acceptable under GDPR.
  • Documented: Keep records to demonstrate what the individual has consented to, including what the individual was told, and when and how the individual consented.
  • Easy to Withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means simple and effective withdrawal mechanisms must be in place.

Commerce Cloud Sites and Consent 

You will need to determine which types of data processing activities are needed for your site(s) and decide which safeguards need to be put in place given your particular business needs. Oracle Commerce Cloud cannot provide legal advice and, as such, cannot mandate a particular set of consents that need to be captured or the mechanisms used to capture them. However, Oracle Commerce Cloud will develop and provide a flexible set of tools that can be used and customized by merchants to help comply with certain GDPR requirements.

It will be the responsibility of each merchant to assess the legal and operational implications of GDPR on your business and implement changes to any website(s) as necessary. This may include changes to site functionality, terms and conditions and privacy policy.

In the 18B release, Commerce Cloud will provide sample code for cookie consent plus OOTB profile properties and widget support for profile personalization support, including recording the dates on which consent was granted. We’ll provide full technical detail on how to use this in a future blog post which you and/or your partner can utilize. You may wish to implement other types of consent using custom profile properties.

Right to Be Informed

You will need to ensure that you provide shoppers with concise, transparent, intelligible, and easily accessible language which describes the purpose for and use of each specific type of data processing and associated consents.

Right of Access

Under GDPR, individuals have a qualified right to access their personal data. For shopper profile data, Commerce Cloud provides access to all data stored via APIs and this can be exposed in storefront widgets. A forthcoming blog post will describe the changes to out-of-the-box widgets that will be provided in the 18B release of Commerce Cloud so that partners and merchants can prepare.

Right to Rectification

Under GDPR, an individual is entitled to have incorrect data corrected and where appropriate, add to incomplete data. Commerce Cloud is implementing functionality to enable shoppers to amend data held about them through out-of-the-box and custom widgets. Furthermore, you can use Commerce Cloud APIs to update shopper data.

Right to Erasure

Under GDPR, individuals may request that an organization erase their personal information. An organization needs to comply with this request unless there is a highly compelling reason to retain the information. An organization must also erase personal information if an individual withdraws consent for its collection, as long as there is no other legal reason to retain the data.

In commerce terms, PII data is generally held in the user’s profile (e.g. name, address details, credit card number) and on the user’s orders (e.g. names, billing address, shipping address). A forthcoming blog post on profile deletion and order redaction will provide details on the capabilities that will be provided in Commerce Cloud. 

Right to Restrict Processing

Under GDPR, an individual is entitled in some circumstances to block processing of the individual’s data, such as; when the individual contests the accuracy of the personal data, when the processing is unlawful, or when the data is no longer needed for processing, but is required for legal reasons.

Commerce Cloud is adding functionality to enable shoppers to revoke individual data processing consents. Associated data can be deleted using Commerce Cloud APIs by merchant staff. 

Right to Data Portability

Under GDPR, individuals are entitled to obtain personal data concerning them in a structured, commonly used, and machine-readable format.

You will need to determine how to meet this requirement, since you are likely to have shopper data in a variety of systems. Data from OCC can be queried from existing APIs and combined with other data that you hold about the shopper.

Right to Object

Under GDPR, an individual has the right to object to the processing of his or her own data in particular circumstances, including objecting to direct marketing. Commerce Cloud provides an out-of-the-box profile property that records whether a shopper has provided email marketing consent.  If they wish, merchants can implement custom profile properties to record more granular consent.

Rights in Relation to Automated Decision Making and Profiling

Under GDPR, individuals have the right not to be subject to a decision based solely on automated processing which results in a legal or similarly significant effect. While Commerce Cloud has no automated decision functionality, merchants should still determine if their processes and data use practices could be captured by this clause.

Refreshing Consent

Unless you were already gathering GDPR-ready consents prior to the 25th of May 2018, you may want to consider whether, in addition to starting to capture consent for all new shoppers, you also need to refresh and capture consent for existing shoppers. This would then update the GDPR consent for shoppers who have registered with you prior to GDPR going into effect.

It will be up to you to determine how to capture consent dependent on the types of consent that you feel are appropriate for your business and how and when you want to message the change to your shoppers. For example, you could use any of the following Commerce Cloud functionalities:

  • Use the bulk password reset capability to force all shoppers to change their passwords and at the same time provide consent (if the Change Password page includes consents).
  • Put a custom widget on the homepage requesting shoppers provide consent or direct them to the Account page to provide consent.
  • Implement an email marketing campaign driving shoppers to the Account page to provide consent.

Using existing Commerce Cloud APIs, it will be possible to determine how many shoppers have provided each type of out-of-the-box consent(s) captured using custom profile properties.


All merchants offering goods or services to EU shoppers will need to comply with GDPR by May 25, 2018 or risk facing steep fines. Be proactive and ensure you are prepared for this regulation.

In our upcoming 18B release, planned for prior to the GDPR effective date, Commerce Cloud intends to provide sample code for cookie consent, as well as consent related profile properties and profile personalization support widgets, which handle recording the dates on which consent was granted. We also plan to provide technical details on how to use this in a future blog post. Merchants may wish to implement other types of consent using custom profile properties.

If you think you are affected by GDPR, we recommend talking about the regulations with your organization’s legal counsel, as well as any partner(s), and putting a GDPR adherence plan in place to ensure you meet the May 25, 2018 deadline. You may also want to share that plan with your OCC CSM. We will be sending additional GDPR notices and providing other help material as GDPR-related features are released.

Disclaimer: The information in this document is not intended and may not be used as legal advice about the content, interpretation or application of laws, regulations and regulatory guidelines. Customers and prospective customers should seek their own legal counsel about the applicability of laws and regulations to their processing of personal data, including through the use of any vendor’s products or services.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.