Here are some GDPR compliance steps that you should consider in the near-term and long-term.
1. Determine the Financial Significance
If you don’t know already, now is the time to measure how much revenue comes from EU traffic to your eCommerce site, especially before you invest the time and resources in auditing your systems and becoming GDPR compliant. Your approach to GDPR could be very different based on the amount of revenue involved.
2. Block EU visitors
If you can’t be assured of compliance from your 3rd parties or internal systems, you should consider blocking EU visitors from accessing your eCommerce site after May 25. This is a drastic step, and will likely lose you some customers. But the alternative is a fine that may exceed your total EU sales today. Many retailers we’ve spoken to are planning to simply block traffic until they are 100% confident in the GDPR compliance of all their data, including information tracked by their 3rd party partners.
3. Audit your current data collection
Anything on your website that captures or uses shopper data needs to be documented and evaluated. This includes both your own systems (eCommerce platform, CRM, etc.) and 3rd party technologies that set cookies and collect shopper data on your website. Start gathering a full inventory of all technologies on your site, and understand how they are using personally identifiable information. Then go to each 3rd party vendor and request a summary of their GDPR compliance status and use of shopper information.
Long Term: Options for Delivering a Richer Site in a GDPR World
4. Data Approval – All or None
Once you are confident in your GDPR compliance, create a landing page that forces shoppers to either approve or decline your request to use their data. Most retailers are making the decision “all or nothing” – either shoppers approve of every way that you collect and use their data, or they decline. If they approve, the shopper will go back to using your complete site. If they decline, they will be blocked. This is the fastest way to begin serving the portion of EU shoppers that aren’t concerned about data privacy.
5. Data Approval – Rich Site or Basic Site
The next evolution is to provide a shopping experience for shoppers who deny permission to use their data. This means building a stripped-down version of your website that does not track or use shopper data. No more personalized content beyond what is necessary to purchase (shipping address, session ID, etc.), which could mean a large number of blank spaces on your page. But at least these shoppers can still shop and buy your products, albeit through a generic experience free of cookies and 3rd party technologies.
6. Customized Site based on Data Selections
Eventually, you want to allow shoppers to opt in and out of specific data collection and 3rd parties. Imagine a shopper going to a landing page and selecting from a list of data permissions that they can accept or decline. Then they are directed to a view of your website that only shows the features and 3rd party technologies (e.g. ratings, reviews, recommendations) that they approved. The problem with this approach is that once a shopper opts out of a feature, they may not realize the impact until they get to a shopping experience full of blank space. And they won’t remember that it’s because they opted out of the wrong data. They will just think that your site looks terrible. Fortunately, Yottaa can help you motivate shoppers to reverse their decision to opt-out, so they can begin shopping on the best version of your website. Learn more about how Yottaa can enable “in-line permissions” below.
7. Seamless and GDPR Compliant Shopper Experience
The ultimate long-term solution is to stop tracking shopper data altogether, and allow shoppers to browse freely until they want to use technology that gathers their data or adds cookies. This approach allows you to avoid forcing shoppers to a landing page with opt-in selections.
In this scenario, the shopper can easily grant permission for data sharing within the shopping experience as desired. This is preferable to other alternatives because it doesn’t present a cumbersome shopping experience that will drive shoppers away. And it recognizes the fact that shoppers won’t understand the pros and cons of approving the use of their data until they can see how it will improve their experience.
GDPR is hard for retailers to understand, and compliance won’t be fun. But the experience will be even worse for shoppers, who will wake up on May 25 to find functionality removed or websites completely blocked. As a result, many global retailers are expecting EU traffic and conversion rates to drop significantly over the next few months. And expect global retailer forecasts for 2018 to suffer as well, assuming this takes a while for the industry to figure out.