There’s been a lot of fud going around regarding GDPR compliance for ecommerce stores so I decided to take the time to concisely summarize the actions that I’ve taken towards becoming compliant myself.
Now there are literally hundreds of GDPR posts out there that can be found on Google but none of them tell you flat out what needs to be done.
Instead, they either regurgitate the GDPR document which is borderline unreadable or they scare the cr@% out of you so you’ll pay for their consulting services:)
Well this post will tell you what you need to do without the lawyer speak…
Disclaimer: I am not a lawyer nor am I an expert on GDPR. All of the information here is gleamed from discussions with colleagues and lawyers. As a result, please take everything in this post with a grain of salt. In other words, this article is for informational purposes only.
I recommend that you seek legal and other professional counsel to determine your own GDPR needs.
Get My Free Mini Course On How To Start A Successful Ecommerce Store
If you are interested in starting an ecommerce business, I put together a comprehensive package of resources that will help you launch your own online store from complete scratch. Be sure to grab it before you leave!
In a nutshell, you need to include the following…
- Your contact information
- What information you collect and how and why you collect it
- What you do with the data and who else gets to see it
- What your visitor’s rights are under the GDPR
Deciding how to collect data and what to do with your existing data is where the main confusion lies. As a result, this is where I will be focusing my efforts for the remainder of this post.
Step 2: Fix Your Post Purchase Email Optins For EU Visitors
95%+ of our customers are from the United States but we do get our fair share of buyers from the UK. In general, when someone purchases from our store, we automatically send them a multi-step post purchase autoresponder sequence.
There is no checkbox. There’s no optin. If you’ve made a purchase, then you’re going to get the sequence.
With the GDPR however, you will now need to get explicit consent to send your EU customers a post purchase sequence.
The easiest way to do this is to have a checkbox during checkout which asks whether they would like to be added to your store’s newsletter.
This checkbox needs to be unchecked by default.
If a customer makes a purchase and has checked the box, then you have consent to send them future correspondence via email.
There are a few caveats here however.
Let’s say you incentivize the customer to check the checkbox by offering them a free ebook, discount or giveaway WITHOUT saying that they’ll be signed up for your general newsletter.
Then guess what? You are only allowed to deliver them their freebie with no additional correspondence!
As a result with your checkbox, you have to make it clear that they are on your ongoing newsletter and that they can unsubscribe at any time.
Step 3: Adjust Your Regular Email Optins
A popular practice with ecommerce stores is to give out coupons or free giveaways in return for an email address. Then once the email is obtained, the customer is placed on an automated pre purchase sequence.
However with the GDPR, you are only allowed to email the customer about the coupon or the free giveaway and that is all.
You must obtain consent for any future correspondence.
The simplest way around this is to state clearly that the EU customer will be placed on your company newsletter once they optin for the coupon or giveaway.
In a nutshell, you must inform the EU customer that they will be placed on a recurring newsletter once they optin.
A common question is whether you need to place an explicit checkbox on your email form for consent. And as far as I know, a checkbox is NOT needed.
I asked several people in the know about this exact point. In addition, I painfully read the GDPR doc and no where does it explicitly state that you NEED to have a checkbox.
Instead, the exact language in the doc is that you need to clearly communicate how you will be processing subscribers’ personal data.
Consent must be given by a subscriber and cannot be bundled with unrelated actions. Therefore as long as you explicitly state that you will be emailing them on a recurring basis going forward, you should be good.
Another common question is whether double optin is required for email newsletter signups. Once again, there’s nothing in the GDPR that states that you are required to use double optin.
As per the GDPR, you simply need to be able to prove the compliant consent. And entering personal information into an email signup form and clicking “submit” can be considered consent, as long you are explicit in informing the customer what they are signing up for.
That being said, double optin is probably a good practice to follow.
Step 4: Clean Up Your Existing List. Send Re-Engagement Emails Only If Necessary
I don’t know about you but I’ve been receiving hundreds of emails from stores asking me to re-optin to their list and I’m from the United States!
There is absolutely no need to do this for non EU subscribers and these companies are purging a large portion of their list for no reason whatsoever.
Whether or not you need to send a re-engagement email depends on several factors. And you need to ask yourself the following questions…
- Can you prove that your EU subscribers opted into your list? – If you transferred emails from one provider to the other or purchased an email list, then chances are you don’t have this information.
However if someone from the EU opted into your list, it should be tracked in your email marketing provider’s database. You need to check.
- Did you clearly explain how you’d use subscribers’ data and what content you can send them? – Using the example in step 2, I was automatically placing EU customers on a post purchase sequence when they made a purchase.
I did NOT clearly explain to them that I was going to do this. As a result, I need to explictly send a re-optin email to these people.
- Can your subscribers unsubscribe at any time? – As far as I’m concerned, this is par for the course. If you are using any legit email provider, an unsubscribe link is required by law.
If you answered yes to all 3 questions above, then you don’t need to do anything as long as there’s a record of this in your email marketing database. But for most of you, you’ll most likely have to re-optin all of your EU customers who are subscribed to your post purchase sequence.
For my store, I simply segmented all of my EU customers and sent them the following email.
If you would like to continue to receive our emails, please confirm your subscription by clicking the button below:
YES! I would like to continue receiving emails from Bumblebee Linens
By confirming your subscription with the link above, you will continue to receive:
- Updates of the latest newsletter
- Coupons and promotions
- New product announcements
Anyone who doesn’t re-optin is deleted from our database.
Note: This wasn’t a big deal for our store because we don’t get that many EU customers
Step 5: Don’t Make Non EU Folks Jump Through Hoops
A lot of shopowners I know are now putting in checkboxes all over the place to ensure consent no matter who the customer is. But the problem is that you are reducing your conversion rate for every checkbox you add.
Instead of making a blanket change to your site, you might want to consider treating EU customers differently.
For example for your post purchase email sequence, you may want to only display the checkbox for EU customers only. After all, you already know they are from the EU because they entered all of their delivery address information on your checkout form.
A simple “if” statement will prevent this checkbox from being shown to US customers.
The same goes with any other form on your site. After all, there’s no reason for your conversion rate to suffer especially if the EU is just a small percentage of your overall business.
For our store, I don’t send post purchase email sequences to EU customers altogether. I also don’t currently run retargeting ads to EU customers because the shipping is so high and we don’t get that many EU customers to begin with.
Use your own judgement.
My Personal Take On The Penalties For GDPR Infringement
Everyone is absolutely terrified about the fines associated with violating the GDPR. After all, the penalties are like 20 million dollars or 4% of your revenues or something ridiculously crazy like that.
First off, EU officials have indicated that fines would likely be a last resort for enforcement.
Here’s an excerpt from a recent blog post from the U.K.’s information commissioner Elizabeth Denham.
It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” she said.
The ICO’s commitment to guiding, advising, and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.
Here’s how I interpret this statement.
They will implement the fines only if you are willfully violating the GDPR. But if you are making your best effort to comply, you will probably get several warnings before anything drastic happens.
Again, this is my own interpretation and please take it with a grain of salt.
If you take the necessary steps to understand and follow the GDPR regulations, then you have nothing to worry about.
- How To Build An Email List – 2 Simple Tweaks That Doubled My Signups
- 3 Ways To Use Dynamic Push Notifications To Increase Sales For Your Online Store
- The Abandoned Cart Email Sequence That Recovers 19% Of My Sales (Without A Coupon)
- The Best Online Shopping Websites Use These 9 Pages To Improve Customer Trust And Bounce Rate