Merchants needing to set up their stores to adhere to the EU's General Data Protection Regulation (GDPR) can use 3dcart's GDPR Toolkit to facilitate the process.
The GDPR Toolkit offers the following functions for merchants to add on their stores:
- Add an automatic Cookie Acceptance popup to the store
(Visitors must accept the cookie in order to access and shop your site.)
- Generate a link that merchants can give to their customers to review their stored data
(e.g. orders, reviews, blog comments, product offers, etc.)
Upon review of the data, customers can request to have this data deleted.
- A similar link allowing customers to request deletion of their records outright.
(No report of what is stored, but rather just an automatic delete of records)
- A running log for the merchant of these customer report and delete requests.
(So you can see when requests were made in case of dispute)
To enable and set up the GDPR Toolkit, use the following steps:
- Log into your 3dcart Online Store Manager
- Using the left-hand navigation menu, go to Modules
- On the Modules page, use the search bar at the top to search for and locate the "GDPR" toolkit.
- Once the module appears, click on its "Settings" button
A popup window will appear with the following settings:
Mark this checkbox to enable policy acceptance checkboxes on various areas where an email address is required for use of the function. This includes:
- The Customer Registration page
- Newsletter sign ups
- CRM Tickets
- Product Reviews
- Product Q&A
- Email a Friend
If the site visitor does not mark the acceptance checkbox, then the function will not allow them to use it.
- Request Data Page URL
This URL can be posted or added somewhere on your site (or perhaps in your email communications) for customers to review their stored customer data. When reviewing their data, customers can also select to have their data deleted from the records. (See next section for a fuller explanation of the Data Report and Delete Functions)
- Request Data Removal Page URL
Similar to the URL described above, but rather than generating a report, this option allows the customer to delete their records outright. (See next section for a fuller explanation of the Data Report and Delete Functions)
- Enforce Use of Cookie Acceptance
If you have previously used the steps outlined in our EU Cookie Law Compliance knowledgebase article (or have another cookie popup on the site), please be sure to remove that function so that it does not interfere with the GDPR Toolkit's automated popup.
- View Customer’s Requests Log
Lastly, this link will take you to your store's internal report of Data Report and Deletion requests made on your site, for reference and record keeping.
Once you have configured your settings on the popup, click save and you will be taken back to the Modules page with the GDPR module displayed. To complete the setup:
- Within the GDPR module, mark the "Enable" checkbox
- Click "Save" at the top right of the page to finish the setup.
Your store now has the GDPR toolkit settings enabled and ready for use.
Data Request and Removal Options
In the case of the Data Request URL, the customer visits the page, enters their email address, and receives a confirmation email with a link to confirm that they'd like to have the data compiled for them. Once the data is compiled, they'll receive an additional email with the URL where they can review said data.
The report will list for them any areas of the store that have their email address saved and stored, including:
- Customer Records
- Blog interactions (comments and replies)
- Newsletter subscriptions
- Product-related interaction records such as
  - Make-an-Offer bids
  - Product Reviews
  - Waiting List records
  - Product Q&A records
- Communication Logs from your Contact Us page (CRM)
- Any additional records matching to their email address
- Order history
On the report, the customer/visitor can then print the report or request that the stored data be deleted* from the store.
Delete Data Requests
In the case of the Data Deletion URL, the same process will occur, with the visitor entering their email address and further confirming the request via an emailed link and acceptance button. The main difference, however, is that they will not receive any report of their data; rather, the system will delete* it outright (although the visitor will still get a confirmation email after everything is deleted).
*Important Information About the Deletion of Records
If the customer has unfulfilled orders (orders that have not been shipped or canceled), then the deletion request will not proceed until those orders are closed.
Furthermore, it should be noted that the orders themselves will not be removed from the store. Instead, they will be kept in the store's database (along with their country of origin data) for record keeping and accounting purposes.
However, all customer-identifying information on the orders (email, billing address, shipping address, phone numbers, etc.) will be removed and replaced with the phrase "gdpr-replaced". This is intended to let you adhere to GDPR policies while keeping your store's order information and subsequent business reporting intact.
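
The deletion rules above can be modelled in a few lines, which is useful when checking an order export after a request has been processed. This is an added example, not 3dcart code: the order field names, status values and sample records are assumptions constructed for illustration; only the "gdpr-replaced" placeholder comes from this article.

```python
# Illustrative model of the deletion rules described above (not 3dcart's code).
# Field names, status values and sample data are assumptions for this example.
PLACEHOLDER = "gdpr-replaced"          # phrase stated in the article
PII_FIELDS = ("email", "billing_address", "shipping_address", "phone")
CLOSED_STATUSES = {"shipped", "canceled"}


def sample_orders():
    """Constructed sample records for two customers."""
    return [
        {"id": 1, "email": "ana@example.com", "billing_address": "1 Rue A",
         "shipping_address": "1 Rue A", "phone": "555-0100",
         "country": "FR", "status": "shipped", "total": 40.0},
        {"id": 2, "email": "ana@example.com", "billing_address": "1 Rue A",
         "shipping_address": "9 Rue B", "phone": "555-0100",
         "country": "FR", "status": "new", "total": 15.5},
        {"id": 3, "email": "bob@example.com", "billing_address": "2 Weg C",
         "shipping_address": "2 Weg C", "phone": "555-0199",
         "country": "DE", "status": "shipped", "total": 9.0},
    ]


def process_deletion(email, orders):
    """Apply the rules in place and return 'deferred' or 'deleted'."""
    mine = [o for o in orders if o["email"].lower() == email.lower()]
    # Rule 1: unfulfilled orders block the request until they are closed.
    if any(o["status"] not in CLOSED_STATUSES for o in mine):
        return "deferred"
    # Rules 2 and 3: orders are kept (with country), identifying fields scrubbed.
    for order in mine:
        for field in PII_FIELDS:
            order[field] = PLACEHOLDER
    return "deleted"


def residual_pii(orders, email):
    """Audit check: ids of orders where the email still appears in any field."""
    needle = email.lower()
    return [o["id"] for o in orders
            if any(needle in str(value).lower() for value in o.values())]


if __name__ == "__main__":
    data = sample_orders()
    print(process_deletion("ana@example.com", data))   # open order present
    data[1]["status"] = "canceled"
    print(process_deletion("ana@example.com", data), residual_pii(data, "ana@example.com"))
```
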