
How does the GDPR affect you?

The General Data Protection Regulation (GDPR) affects any B3 merchants who are based in Europe or who serve European customers. While B3 is working hard to make sure that it complies, and allows its merchants to comply with the GDPR as of May 25, 2018, it is important to note that the GDPR will also require you to take action independently from the B3 platform.

B3 wants to help place merchants in the best possible position to comply with the law. This article includes questions you should consider to help you assess your obligations to make sure that you have set up your store in a way that complies with the law.

That said, this is not legal advice. The GDPR is a complicated regulation, and it will apply differently to different merchants. You should consult with a lawyer to figure out what you specifically need to do.

Collecting personal data

The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data.

Examples of personal data include:

  • Name
  • Address
  • Email address
  • Social media account
  • Digital identifier such as an IP address or a cookie ID

Think about the following questions:

  • Are you collecting personal data from customers in Europe? Most websites are available to residents of Europe, and will fall under the GDPR.
  • Do the channels or payment gateways you use collect and process data in accordance with the GDPR? You should follow up with them to make sure.
  • Do you have a list of all of the types of personal data that you collect from your customers, and all of the ways in which you use this data? Article 30 of the GDPR requires you to maintain a current map of your data practices.

Privacy notice

The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.

You can use B3's privacy policy generator to get you started. You can find it in your store settings under Checkout, or under Settings -> GDPR.

Think about the following question:

  • Do you have a privacy policy on your site that includes all of the information that you are required to provide under the regulation? At minimum, does it include how customers can get in contact with you about privacy questions and how customers can exercise their rights, for example the rights to erasure (deletion) or rectification (modification or correction) of their data and the right to access it?
  • Does your privacy policy include how B3 may use your customers' personal data for automated risk and fraud scoring? The GDPR requires you to disclose when you (or your service providers) use their information in connection with automated decision-making. B3 uses your customers’ personal information to block certain transactions that appear to be fraudulent through automated decision-making. B3's Privacy Policy Generator includes this information.

Appointing a Data Protection Officer

A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy.

The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with a consultant or firm to serve as an external DPO.

Think about the following questions:

  • How many people are affected by tracking technologies on your storefront? These can include behavioral advertising apps, or even retargeting apps. Whether or not the number of people affected is “large scale” is a legal decision, and you should consult with a lawyer depending on your circumstances.
  • Should you voluntarily appoint a DPO? Even if you are not legally required to appoint a DPO, if your presence in Europe is large enough, you may wish to do so voluntarily to make sure that you adequately protect your customers’ data.

Customer consent

Under the GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent.

For example, you might need to obtain consent from your customers if you are sending your customers marketing messages, or if you are using online advertising or retargeting apps.

Where you need to obtain consent, the GDPR says that it must be:

  • Freely given: it must be entirely voluntary, and should not be bundled with other goods or services.
  • Specific: it must be tied to clearly explained use cases.
  • Informed: it can only be given if the data subject is provided enough information about the personal data that will be collected and used.
  • Unambiguous: it must be demonstrated by an affirmative act by the data subject (that is, not simply by continuing to use the services).

This means that the customer needs to be given detailed information about the particular use case, and some affirmative action needs to be taken by the consumer to show consent.

Finally, if you offer your customers the opportunity to provide consent, the GDPR also requires that your customers have a way to withdraw consent. This can often be accomplished through an unsubscribe functionality. If you have questions about when and how you should obtain consent for collection of personal data, or the extent to which your customers should be allowed to withdraw their consent, then you should speak with a lawyer familiar with data protection laws.

However, consent is only one of many legal bases in the GDPR that can justify processing of personal data. You might also process personal data to fulfill contractual requirements, or if you are required by law to process data.

Some European regulators have suggested that if you at first ask for consent and your customer declines or agrees but then withdraws their consent, then you may no longer be able to rely on any other legal basis to process personal data. As a result, you should only rely on consent where you do not intend to (or need to) rely on another legal basis to process personal data.

Think about the following questions:

  • For each different way that you use or process your customers’ data, what is the legal basis for doing so? Are you processing based on their consent? Are you processing to fulfill a contractual obligation to the customer? Are you processing to further your legitimate business interests? You should record the legal basis as part of your map of your data practices.
  • Where you are relying on consent, is the consent you are getting bundled with the goods or services you are offering? For example, statements like “by purchasing these goods, you agree to our use of your personal information” may no longer be allowed under the GDPR.
  • Are you providing enough details about how you will be using the personal data at issue to make sure that the customer’s consent is informed?
  • Is the customer’s consent recorded and stored somewhere?
  • Do you require consent to send marketing communications to your customers? Even if you do not need consent under the GDPR, local laws may still require you to obtain consent to send marketing communications to your customers. Speak with a lawyer about the specific requirements that might apply to your store.
  • If you believe you require consent to send marketing communications, then is the marketing consent checkbox for your store unchecked by default? Consider setting your storefront up so that the marketing consent checkbox presented to customers is not pre-checked by default to ensure that your customers have to act affirmatively to provide consent.
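The questions above (a recorded legal basis per purpose, consent that is affirmative rather than pre-ticked, consent that is stored, and consent that can be withdrawn) can be turned into a small, checkable piece of code. The following Python consent ledger is an added illustration written for this article; it is not B3 code and does not describe how B3 stores consent. The purposes, the legal-basis map and the field names are assumptions chosen for the example.

```python
"""Consent ledger: an added illustration, not B3 code.

Keeps one record per (customer, purpose) for consent-based processing,
refuses anything that is not an affirmative act, supports withdrawal, and
does not fall back to another legal basis once consent has been withdrawn.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Hypothetical Article 30 style map of processing purposes to their legal
# basis (constructed for this example). Only "consent" purposes are gated
# by the ledger; fulfilling an order rests on the contract with the customer.
LEGAL_BASIS = {
    "order_fulfilment": "contract",
    "fraud_screening": "legitimate_interest",
    "marketing_email": "consent",
    "retargeting_ads": "consent",
}


@dataclass
class ConsentRecord:
    customer_id: str
    purpose: str
    notice_version: str          # which privacy-notice text the customer saw
    given_at: datetime
    evidence: str                # how the customer acted, e.g. "ticked checkbox at checkout"
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record(self, customer_id: str, purpose: str, notice_version: str,
               evidence: str, *, affirmative_act: bool) -> ConsentRecord:
        """Store consent. Raises if the purpose is not consent-based or if the
        'consent' was not an affirmative act (pre-ticked box, silence, scrolling)."""
        if LEGAL_BASIS.get(purpose) != "consent":
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        if not affirmative_act:
            raise ValueError("consent requires an affirmative act by the customer")
        rec = ConsentRecord(customer_id, purpose, notice_version,
                            datetime.now(timezone.utc), evidence)
        self._records[(customer_id, purpose)] = rec
        return rec

    def withdraw(self, customer_id: str, purpose: str) -> None:
        """Mark consent as withdrawn (e.g. from an unsubscribe link); the record
        itself is kept so you can show when consent was given and withdrawn."""
        rec = self._records.get((customer_id, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = datetime.now(timezone.utc)

    def may_process(self, customer_id: str, purpose: str) -> bool:
        """True only if a documented legal basis covers this purpose right now."""
        basis = LEGAL_BASIS.get(purpose)
        if basis is None:
            return False             # undocumented purpose: no recorded basis
        if basis != "consent":
            return True              # contract / legitimate interest, no consent needed
        rec = self._records.get((customer_id, purpose))
        return rec is not None and rec.withdrawn_at is None


def checkout_consent_value(checkbox_ticked_by_customer: bool) -> bool:
    """The marketing checkbox must default to unticked; only a tick the customer
    made counts as an affirmative act."""
    return checkbox_ticked_by_customer


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("cust-1", "marketing_email", "notice-v3",
                  "ticked checkbox at checkout",
                  affirmative_act=checkout_consent_value(True))
    print(ledger.may_process("cust-1", "marketing_email"))   # True
    ledger.withdraw("cust-1", "marketing_email")
    print(ledger.may_process("cust-1", "marketing_email"))   # False
```

The point of `may_process` is that a withdrawn consent stays withdrawn: the ledger does not silently switch the purpose to "legitimate interest" afterwards, which is the concern raised about relying on consent where another basis was really intended.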