In this section:
- How to install and configure the CloudCart GDPR application
- Settings section
- Policies Section
- Data processing register Section
CloudCart Infrastructure is compliant with all GDPR regulatory requirements so that it can safely record, manage, and transmit data in secure (encrypted) environments. CloudCart has a PCI DSS Level 1 security certificate that verifies the level of security for data transfer and storage.
Additionally, our team has developed CloudCart GDPR for online stores, which aims to implement many of the GDPR requirements automatically.
Block Cookies with 'Prior Consent'
CloudCart GDPR enables you to block cookies from being placed on a visitor's computer until you have received explicit consent.
What is prior consent?
The GDPR and the European ePrivacy Directive require explicit consent before using any cookies other than those necessary for the website to work properly. That means that when a visitor comes to your website, you have to hold back all your other cookies until they agree to receive them. You show them the cookie banner, and if they opt in, you send the cookies. If they remain passive or decline, you have to keep blocking the cookies from reaching their computers.
There are many websites with cookie banners but without prior consent installed. They are not ePrivacy- or GDPR-compliant and thus risk fines. These banners send tracking cookies as soon as the visitor lands on the website: they ask for consent, but since there is no blocking mechanism in place, they set cookies even when visitors are passive or decline the consent request. Law-wise, these banners serve no purpose.
Prior consent tools block all cookies other than the strictly necessary ones until the visitor agrees to them. With CloudCart GDPR, you can easily set this up and manage it through the admin dashboard.
Do I need prior consent?
Yes. If you track your users' personal data by using tracking technologies, you need to ask for prior consent, and hence you need a tool that blocks the cookies until consent is given.
We have prepared a list of the steps you need to follow to ensure that your company meets all GDPR requirements.
How to install and configure the CloudCart GDPR application
Sign in to your control panel and go to the Apps section to activate GDPR.
The app will automatically install several important documents that will handle the relationship with customers and visitors to your online store. They are:
Updated Terms and Conditions - compliant with the new GDPR requirements. This document will be automatically filled in according to your online store data; you are required to review the information entered and make changes if needed. If you think you do not need these terms and conditions, you can also use your own, provided you have already updated them to the new regulations.
We use "Cookies" - this document informs the users of your online shop about all cookies that are installed in their browsers. When you add records related to the installation of third-party cookies, the document is updated automatically.
Declaration of consent to the processing of personal data - this document handles the relationship between you and the customers and visitors to your online store and requires voluntary consent. If users have consented to this document, you will be able to apply marketing to them. The document must not be submitted for mandatory consent; otherwise, you will be in violation of the GDPR.
Settings section
The Settings section contains two subdivisions - Sections in which the consent is given and Cookies.
Sections in which the consent is given - These sections can carry mandatory or optional consent checkboxes for your customers and visitors. The sections are:
User Registration - This is the section where users register their account, and you can require mandatory or optional consent to your policies. Our advice is not to require mandatory consent to the Terms of Service in this section; if you want to add consent to the Declaration here, add it as optional. This section may be left blank, and that will not violate your GDPR compliance.
Contact form - This is the form your customers can use to ask you questions, which you receive by email. In this section, you may not require consent to the Terms of Service, but you must request optional consent to the Privacy Statement. If you have more than one policy, you can reorder them with drag and drop.
Completing an order - This is one of the most important sections of your store. Here you must ask your customers to agree to the Terms of Service and optionally request consent to the Privacy Statement for the processing of personal data. If you have more than one policy, you can reorder them with drag and drop.
Subscribed to the newsletter - This is the subscription form for the MailChimp newsletter. You may not require consent to the Terms of Service, but you must request optional consent to the Privacy Statement. If you have more than one policy, you can reorder them with drag and drop.
Request for consent for registered users after login - This option lets your existing customers read and agree to your new Terms and Conditions and any other policies you have. If you have more than one policy, you can reorder them with drag and drop.
Cookies - This section lets you manage the consent bar window and the saving of cookies in users' browsers. It is automatically filled in with all the necessary texts as well as descriptions of all the cookies that your online store installs by default.
If you enable the ‘Cookie wall’ option, a pop-up is shown instead of the standard bar for requesting and giving consent.
In this way, the user is obliged to take action before continuing to browse your site.
If you have third-party applications installed on your online store (such as chat or tracking apps) that install cookies, you need to choose the category they belong to and describe them. The categories of cookies are:
Strictly Necessary Cookies - These cookies are necessary for the website to function and cannot be switched off in our systems by your customers.
Performance Cookies - These cookies measure the performance of your online store and its interaction with users. Using the Edit button, you can choose whether or not the request for this type of cookie is enabled by default.
If you turn on the "Default" button, the request to install this type of cookie is enabled by default, and if customers do not agree to it, they need to disable it themselves.
If you do not activate the "Default" button, the request for the installation of the selected cookies is turned off by default.
Functional Cookies - Use this category for cookies related to extra functionality of your online store. Using the Edit button, you can choose whether or not the request for this type of cookie is enabled by default.
Targeting Cookies - These cookies serve to identify, track, and target users. Using the Edit button, you can choose whether or not the request for this type of cookie is enabled by default.
The description of each of these four categories is customizable.
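The two ideas above, prior consent (no optional cookie is set until the visitor explicitly opts in) and the four categories with their "Default" checkbox state, can be expressed as a small consent gate. The following is an added example written for this article, not CloudCart's own code: cookie-setting code registers itself under a category instead of running on page load, only Strictly Necessary setters run unconditionally, and a passive or declining visitor never triggers the rest. The class and function names (ConsentGate, register, submitBanner, simulateVisit) and the sample cookie names are assumptions for illustration.

```javascript
// Added example (not CloudCart's code): a prior-consent gate for cookie setters.
// Category names are the article's; "lockedOn" categories can never be refused,
// and "preChecked" models the article's "Default" button (initial checkbox state).
const DEFAULT_CATEGORIES = {
  'Strictly Necessary': { lockedOn: true,  preChecked: true },
  'Performance':        { lockedOn: false, preChecked: false },
  'Functional':         { lockedOn: false, preChecked: false },
  'Targeting':          { lockedOn: false, preChecked: false },
};

class ConsentGate {
  constructor(categories = DEFAULT_CATEGORIES) {
    this.categories = categories;
    this.decided = false;   // becomes true only on an explicit banner action
    this.choices = {};      // category -> allowed?, filled in on decision
    this.queued = {};       // category -> setters waiting for consent
    this.fired = [];        // names of setters that actually ran
  }

  // Register the code that would set a cookie instead of running it on load.
  register(category, name, setter) {
    if (!(category in this.categories)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (this.categories[category].lockedOn) {
      setter();                 // strictly necessary: no consent required
      this.fired.push(name);
      return;
    }
    if (!this.queued[category]) this.queued[category] = [];
    this.queued[category].push({ name, setter });
  }

  // Initial checkbox state for the banner ("Default" on or off per category).
  bannerDefaults() {
    const state = {};
    for (const [cat, cfg] of Object.entries(this.categories)) {
      state[cat] = cfg.lockedOn || cfg.preChecked;
    }
    return state;
  }

  // The only path that releases optional cookies: the visitor submits the banner.
  // A passive visitor never reaches this, so queued setters never run.
  submitBanner(choices) {
    this.decided = true;
    for (const [cat, cfg] of Object.entries(this.categories)) {
      const allowed = cfg.lockedOn || choices[cat] === true;
      this.choices[cat] = allowed;
      if (!allowed) continue;
      for (const { name, setter } of this.queued[cat] || []) {
        setter();
        this.fired.push(name);
      }
      this.queued[cat] = [];
    }
    return { ...this.choices };
  }

  declineAll() {
    return this.submitBanner({});
  }
}

// Simulated page load with a plain object standing in for document.cookie, so
// the example runs outside a browser. Cookie names and values are constructed.
function simulateVisit(action) {
  const jar = {};
  const gate = new ConsentGate();
  gate.register('Strictly Necessary', 'session', () => { jar.session_id = 'constructed'; });
  gate.register('Performance', 'analytics', () => { jar.analytics_id = 'constructed'; });
  gate.register('Targeting', 'ads', () => { jar.ad_id = 'constructed'; });

  if (action === 'accept-performance') gate.submitBanner({ Performance: true });
  else if (action === 'decline') gate.declineAll();
  // action === 'passive': the visitor ignores the banner and keeps browsing

  return { cookies: Object.keys(jar).sort(), decided: gate.decided, fired: gate.fired.slice() };
}
```

The point of the design is the inversion: third-party snippets do not get to call `document.cookie` on load, they hand the gate a setter, and the gate decides when (if ever) it runs. A pre-checked "Default" category still waits for the visitor to submit the banner; it only changes what the checkbox shows.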
Policies Section
The Policies section includes all documents related to your policies. From this section, you can add an unlimited number of documents that you can later assign as mandatory or optional for the user's consent.
IMPORTANT: The GDPR application records a version for every change to a Policy and saves a history of each user's consent to each policy and its versions. For example: if a customer accepts version 1 of your Terms and Conditions and the Terms and Conditions are changed later, the system records and shows, both to you and to the customer, which version of the Terms of Service they agreed to.
Data processing register Section
After installing the app on your online store, a new section named "Exercise your rights!" appears on the storefront. In the Data processing register section, you receive all requests made by your users through "Exercise your rights!".
In this section, a register is kept of the policy acceptances by every customer and visitor of your online store. That means every acceptance of a given Policy, as part of a certain section, is stored in a safe environment and shown here. The collected data is as follows:
- The Policy the user has agreed to
- User names (if available)
- User E-mail
- Date and hour the Policy has been accepted
- Date and hour of the user's last action (if a user has agreed to a given policy a second time, for example by sending a message through the contact form twice or by placing two orders)
- User IP address
- An imprint of the device from which the user gave consent
- Section from which the consent was given
This register's purpose is to prove that certain Policies have been accepted in case of disputes. It cannot be manipulated, edited or deleted by third parties. The register is also visible to the users of your online store, in the GDPR section.
In this section, you can review users' requests and accept or reject them. For example, a customer declares their wish to be "forgotten". In this case, you have the legal right to reject the request if it does not meet the conditions of Article 17 of the GDPR: http://www.privacy-regulation.eu/en/17.htm
Notification to the Supervisory Authority Section
This section is under development. Once we enable it, you will be able to alert the supervisory authorities about any issues related to your customers' personal data.
"Exercise your rights!" Section
The "Exercise Rights!" section is activated when you install the app on your online store. The section will become visible to your customers at the bottom of the storefront at your online store. Clicking on it leads to a new section that is available to both registered and unregistered users who can exercise their rights.
Right of Correction - This section allows registered users to correct their personal data: Password, Delivery addresses, and Invoice Addresses
Right to data portability - in this section, every registered user can download a CSV file with information about his Personal data, Saved addresses, Completed orders, as well as track the status of all requests he has made.
Access to personal information - this section is accessible to unregistered users who will be able to request the personal information you have stored for their account by submitting an email. This request will be visible to you in the CloudCart GDPR Application in the Data Processing register section.
Right to deletion (right “to be forgotten”) – this section is available for non-registered users, who after providing an E-mail address will be able to ask for the deletion of the personal information you have stored for their profile. This request will be visible in CloudCart GDPR in the Data processing register section.
Please keep in mind that this app does not guarantee 100% that your company is and will be GDPR compliant. GDPR is, by its very nature, a regulation of action and is related not only to the technology we are introducing to you. If you need further consultation with a GDPR Specialist to help you implement the application, please contact firstname.lastname@example.org.
Is GDPR mandatory?
GDPR is mandatory for all websites in the European Union, because the web servers and/or the websites themselves keep data about their visitors. Accordingly, if your store is accessible to users, you need a GDPR message.
Can I make an Accept all button to let users agree with all terms and conditions related to GDPR upon a new order?
The CloudCart platform does not allow the creation of such a button upon order completion, because it would violate the general regulation of the GDPR.