Merchants serving webstores to shoppers in the European Union (EU) and collecting their data must comply with European Union General Data Protection Regulation (GDPR), which was approved in 2016 and will become effective on May 25, 2018. After that date, organizations found to be in non-compliance will potentially face heavy fines. If you operate in the EU, it is important to prepare for GDPR compliance.
This regulation is designed to protect the data privacy of all EU residents and, among other obligations, requires website operators to address any applicable notice and consent requirements when collecting personal data from shoppers (e.g. via cookies).
If you're wondering whether this regulation affects you, note that GDPR applies not only to organizations located within the EU but also to organizations located outside the EU that offer goods or services to EU shoppers. It is therefore safe to presume that it broadly applies to any company collecting or processing the personal data of persons residing in the European Union, regardless of where the company is located.
This post will help you understand how Oracle Commerce Cloud (OCC) can be utilized to help comply with certain GDPR requirements.
General Preparation Checklists
There are several resources available that provide an overview of the legislation, its impact, and guidance on how you can prepare your organization to comply. We recommend reviewing the following resources to get a basic overview and understanding of GDPR:
However, given that GDPR covers many special considerations surrounding the management of EU personal data, including consent management, it is important to consult legal counsel for professional guidance if you believe your websites and commerce operations may be subject to these requirements.
Managing Shopper Consents
When working with Commerce Cloud sites, consent is a major area of focus when ensuring that data collection practices are aligned with GDPR. In particular, you may need to obtain shopper consent to capture and use Personal Information (PI) on Commerce Cloud merchant sites for specific use cases where no other legal basis for processing is available.
The UK Information Commissioner's Office (ICO) provides guidance that consent needs to be:
Commerce Cloud Sites and Consent
You will need to determine which types of data processing activities are needed for your site(s) and decide which safeguards need to be put in place given your particular business needs. Oracle Commerce Cloud cannot provide legal advice and, as such, cannot mandate a particular set of consents that need to be captured or the mechanisms used to capture them. However, Oracle Commerce Cloud will develop and provide a flexible set of tools that can be used and customized by merchants to help comply with certain GDPR requirements.
In the 18B release, Commerce Cloud will provide sample code for cookie consent, plus out-of-the-box (OOTB) profile properties and widget support for profile personalization consent, including recording the dates on which consent was granted. We'll provide full technical detail on how to use this in a future blog post, which you and/or your partner can utilize. You may wish to implement other types of consent using custom profile properties.
Right to Be Informed
You will need to ensure that you provide shoppers with concise, transparent, intelligible, and easily accessible language which describes the purpose for and use of each specific type of data processing and associated consents.
Right of Access
Under GDPR, individuals have a qualified right to access their personal data. For shopper profile data, Commerce Cloud provides access to all data stored via APIs and this can be exposed in storefront widgets. A forthcoming blog post will describe the changes to out-of-the-box widgets that will be provided in the 18B release of Commerce Cloud so that partners and merchants can prepare.
Right to Rectification
Under GDPR, an individual is entitled to have inaccurate data corrected and, where appropriate, to have incomplete data completed. Commerce Cloud is implementing functionality to enable shoppers to amend data held about them through out-of-the-box and custom widgets. You can also use Commerce Cloud APIs to update shopper data.
Right to Erasure
Under GDPR, individuals may request that an organization erase their personal information. The organization must comply with this request unless it has a compelling legal reason to retain the information. An organization must also erase personal information when an individual withdraws the consent on which its collection was based, provided there is no other legal basis for retaining the data.
In commerce terms, PI is generally held in the shopper's profile (e.g. name, address details, payment card details) and on the shopper's orders (e.g. names, billing address, shipping address). A forthcoming blog post on profile deletion and order redaction will provide details on the capabilities that will be provided in Commerce Cloud.
Right to Restrict Processing
Under GDPR, an individual is entitled in some circumstances to block processing of his or her data, such as when the individual contests the accuracy of the personal data, when the processing is unlawful, or when the organization no longer needs the data but the individual requires it for a legal claim.
Commerce Cloud is adding functionality to enable shoppers to revoke individual data processing consents. Merchant staff can then delete the associated data using Commerce Cloud APIs.
Right to Data Portability
Under GDPR, individuals are entitled to obtain personal data concerning them in a structured, commonly used, and machine-readable format.
You will need to determine how to meet this requirement, since you are likely to have shopper data in a variety of systems. Data from OCC can be queried from existing APIs and combined with other data that you hold about the shopper.
Right to Object
Under GDPR, an individual has the right to object to the processing of his or her own data in particular circumstances, including objecting to direct marketing. Commerce Cloud provides an out-of-the-box profile property that records whether a shopper has provided email marketing consent. If they wish, merchants can implement custom profile properties to record more granular consent.
Rights in Relation to Automated Decision Making and Profiling
Under GDPR, individuals have the right not to be subject to a decision based solely on automated processing which results in a legal or similarly significant effect. While Commerce Cloud has no automated decision functionality, merchants should still determine if their processes and data use practices could be captured by this clause.
Unless you were already gathering GDPR-ready consents before May 25, 2018, consider whether, in addition to capturing consent for all new shoppers, you also need to refresh and re-capture consent for existing shoppers. This would update the GDPR consent for shoppers who registered with you before GDPR went into effect.
It will be up to you to determine how to capture consent dependent on the types of consent that you feel are appropriate for your business and how and when you want to message the change to your shoppers. For example, you could use any of the following Commerce Cloud functionalities:
Using existing Commerce Cloud APIs, it will be possible to determine how many shoppers have provided each type of consent, whether it was captured using out-of-the-box or custom profile properties.
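The two preceding points, recording the date on which each consent was granted and then deciding which existing shoppers need a consent refresh and how many shoppers hold each consent, are easier to reason about with a concrete data model. The following is an added example written for this post, not Oracle Commerce Cloud code and not a description of its profile-property schema or APIs: the property names, the `notice_version` field, and the sample shoppers are all assumptions made for illustration. It models consent as a per-purpose record with a grant timestamp and an optional withdrawal timestamp (a withdrawal is kept as evidence rather than deleted), flags consents that predate the GDPR effective date or were given against an older privacy notice, and counts active consents per purpose.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical consent ledger for illustration. Property and field names are
# assumptions made for this example, not Oracle Commerce Cloud profile properties.
GDPR_EFFECTIVE = datetime(2018, 5, 25, tzinfo=timezone.utc)
CURRENT_NOTICE = "2018-05"  # assumed identifier of the privacy notice currently in force


@dataclass
class ConsentRecord:
    purpose: str                        # e.g. "email_marketing", "personalization"
    granted_at: datetime                # when the shopper granted this consent (UTC)
    withdrawn_at: Optional[datetime] = None
    notice_version: str = ""            # which notice text the shopper consented to

    def is_active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ShopperProfile:
    shopper_id: str
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)

    def grant(self, purpose: str, when: datetime, notice_version: str) -> None:
        # A new grant replaces any earlier record for the same purpose.
        self.consents[purpose] = ConsentRecord(purpose, when, None, notice_version)

    def withdraw(self, purpose: str, when: datetime) -> None:
        # Keep the record and stamp the withdrawal: the fact that consent was
        # withdrawn, and when, is itself something you may need to demonstrate.
        rec = self.consents.get(purpose)
        if rec is not None and rec.is_active():
            rec.withdrawn_at = when

    def has_active_consent(self, purpose: str) -> bool:
        rec = self.consents.get(purpose)
        return rec is not None and rec.is_active()


def needs_refresh(profile: ShopperProfile, purpose: str,
                  cutoff: datetime = GDPR_EFFECTIVE,
                  current_notice: str = CURRENT_NOTICE) -> bool:
    """True if the shopper's active consent for `purpose` was granted before
    `cutoff` or against a notice other than the current one, i.e. a fresh,
    GDPR-ready consent should be requested from this shopper."""
    rec = profile.consents.get(purpose)
    if rec is None or not rec.is_active():
        # Nothing to refresh: a shopper with no consent gets a first-time
        # prompt, which is a separate flow from refreshing stale consent.
        return False
    return rec.granted_at < cutoff or rec.notice_version != current_notice


def count_active_consents(profiles: List[ShopperProfile]) -> Dict[str, int]:
    """Number of shoppers currently holding each type of consent."""
    counts: Dict[str, int] = {}
    for p in profiles:
        for purpose, rec in p.consents.items():
            if rec.is_active():
                counts[purpose] = counts.get(purpose, 0) + 1
    return counts


def build_sample_profiles() -> List[ShopperProfile]:
    # Constructed sample data: three hypothetical shoppers.
    alice = ShopperProfile("alice")   # consented before GDPR, old notice
    alice.grant("email_marketing", datetime(2017, 11, 3, tzinfo=timezone.utc), "2017-01")
    bob = ShopperProfile("bob")       # consented after GDPR, current notice
    bob.grant("email_marketing", datetime(2018, 6, 1, tzinfo=timezone.utc), CURRENT_NOTICE)
    bob.grant("personalization", datetime(2018, 6, 1, tzinfo=timezone.utc), CURRENT_NOTICE)
    carol = ShopperProfile("carol")   # consented, then withdrew
    carol.grant("email_marketing", datetime(2018, 5, 26, tzinfo=timezone.utc), CURRENT_NOTICE)
    carol.withdraw("email_marketing", datetime(2018, 7, 1, tzinfo=timezone.utc))
    return [alice, bob, carol]


if __name__ == "__main__":
    profiles = build_sample_profiles()
    for p in profiles:
        print(p.shopper_id, "needs email_marketing refresh:",
              needs_refresh(p, "email_marketing"))
    print(count_active_consents(profiles))
```

Whatever system actually stores the records, the two design points worth carrying over are that every consent carries the timestamp and the notice version it was given against (so a refresh campaign can be targeted rather than sent to everyone), and that withdrawal is recorded as an event rather than implemented by deleting the consent record.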
All merchants offering goods or services to EU shoppers will need to comply with GDPR by May 25, 2018 or risk facing steep fines. Be proactive and ensure you are prepared for this regulation.
In our upcoming 18B release, planned for before the GDPR effective date, Commerce Cloud intends to provide sample code for cookie consent, as well as consent-related profile properties and profile personalization consent widgets, which record the dates on which consent was granted. We also plan to provide technical details on how to use this in a future blog post. Merchants may wish to implement other types of consent using custom profile properties.
If you think you are affected by GDPR, we recommend talking about the regulations with your organization’s legal counsel, as well as any partner(s), and putting a GDPR adherence plan in place to ensure you meet the May 25, 2018 deadline. You may also want to share that plan with your OCC CSM. We will be sending additional GDPR notices and providing other help material as GDPR-related features are released.
Disclaimer: The information in this document is not intended and may not be used as legal advice about the content, interpretation or application of laws, regulations and regulatory guidelines. Customers and prospective customers should seek their own legal counsel about the applicability of laws and regulations to their processing of personal data, including through the use of any vendor’s products or services.