Admeet has put together a practical and easy to apply GDPR compliance checklist for e-commerce for the French market.
Legal documents needed to be GDPR compliant
Because you have a legal obligation to be transparent, you need to inform your website visitors about your company identity, the terms of your contract and how you intend to process their personal data.
Legal documents (not related to the GDPR)
To comply with your legal obligations and protect your business, you need to have three kinds of documents on your website:
- Information concerning the website publisher. As required by the Legal and Administrative information direction, the document needs to include your company name, the address of the registered office, the legal form of the company, the amount of the share capital, the name of the director or co-director, and if needed, the contact name of the person in charge.
- Information concerning intellectual property. Any work belongs to the one who created it, according to the code of the intellectual property. This is a principle you shall respect concerning your website. If you use content which are protected by copyright, you must mention it and obtain the owner’s authorisation.
- Information concerning applicable law and the competent jurisdictions. French authorities require a certain amount of formalism regarding online commercial activities. You have to take into account that French law may not be the only applicable law to your business. This complicates the drafting of legal notices indicating which law is applicable or which jurisdictions are competent. It is recommended that you add a clause in your General Terms and Conditions of Use and Sale which specifies in which market you are offering your services or products.
You will also insert a specific clause in your General Terms and Conditions of Use and Sale. It is a legal requirement that privacy policies and cookie policies are referred to in separate documents for more clarity.
- What kind of personal data do you collect;
- How do you collect it;
- What is the legal basis of your data processing;
- Where is the data stored;
- Who are the recipients of the data;
- With whom data might be shared.
But also the individual privacy rights and how to exercise these rights.
It is essential that the document has these eight categories of information:
- The identity and contact details of the data controller;
- The appointment or not of a Data protection Officer (DPO) and, if applicable, his contact details;
- The categories of personal data processed and their sources;
- The purpose of the processing, the legal basis used;
- The recipients of the personal data;
- The retention period or at least the criteria to define it, all by purpose of processing;
- Data transfer outside the European Economic Area (EEA) and the security measures in place;
- The rights of each person whose data is used, and how to exercise them.
This document makes your audience able to understand which sort of cookies are used, why, how to accept or reject them.
For all non-essential cookies, prior consent is required before cookies are placed on users devices.
How do you know if a cookie or a tracking technology is subject or not to the prior consent of your users?
- The identity of the data controller responsible for the data processing;
- What is a cookie, why is it used?
- The different categories of cookies used and their purposes and their owners. Remember this. You don’t need prior consent for essential cookies (those used to record the shopping cart for example). But you can’t place non-essential cookies before obtaining users consents.
- Cookie lifespan. Cookies can’t be stored forever on your users devices.
- Preference management with a cookie banner. Users must be able to give their free and informed consent before any non-essential cookies are placed on their device. This is why having a compliant cookie banner displaying clear and honest information is very important.
There are different categories of cookies:
- Essential cookies, to ensure the proper functioning and performance of the service;
- Functional cookies, to embed a video or to share contents on social networks;
- Statistical cookies, to measure and analyse the traffic on the site (Google Analytics, Matomo,…)
- Marketing cookies, to personalise online ads or do retargeting (Criteo, Google Ads…).
General Terms and Conditions of Use and Sale for your prospects and your customers (not coming from the GDPR)
To create a contractual relationship between your company and your clients, you need to display two legal documents on your website. Sometimes they are merged into one.
- General Terms and Conditions of Use. They define how to use the functionalities of your websites, whether or not they create an account. They are generally not mandatory, unless the website is a Marketplace or it contains a product or customer review.
- General Terms and Conditions of Sale. They govern all aspects of the transactions made by your clients, including delivery and return policies.
These documents are quite complex to write. They need to be adapted to the specificities of your business. This is why they should be drafted by a legal expert or a lawyer.
Optimise your cookie compliance with a cookie consent banner
You need a cookie consent banner to comply with your legal obligations such as defined by the GDPR and the ePrivacy Directive (which is expected to be replaced by a Regulation).
Users interact with a cookie banner that provides two functions:
- Collect and store their preferences;
- Scripts that manage the placement or rejection of cookies on their device based on the consent given.
What happens in case of an investigation by the CNIL?
If you don’t respect your legal obligations, your company may face two kinds of sanctions:
- Minor GDPR breaches. You may face a fine of up to 10 million euros or 2% of the company’s global turnover;
- Major GDPR breaches. You may face a fine of up to 20 million euros or 4 % of the company’s global turnover.
It is therefore very important to ensure your e-commerce website is GDPR compliant.
Consent to store banking and/or payment data
On an e-commerce website, it is most of the time required to pay with a credit card. This means as an e-commerce merchant, you have to collect several kinds of personal data that will be used to:
- Pay a service or a product offered online;
- Pay for a subscription users have taken out online;
- Reserve a service or a good;
- Use the payment solution provided by a third party.
Generally e-commerce companies ask users to store their banking data in order to simplify their next transactions. If this is the case, you will need to ask for the explicit consent of your clients if you wish to keep their banking and/or payment data.
What are the main points you should remember?
In France, it is mandatory to ask for the users consents before storing their banking and/or payment data. Legitimate interest is not a valid legal basis.
Obligation to secure the payment method
Paying online exposes consumers to risks. This is why the CNIL asks web merchants to report any fraudulent use that may affect the security of the clients payment cards.
The CNIL also recommends implementing payment method that have reinforced security.
The web merchant may, for example, mask a part of the card number, replace it with a meaningless number. The CNIL also recommends that any unauthorised access or use of the data be thoroughly traced.
You should avoid storing payment data on users devices such as their smartphones. If users wish to use their mobile, the CNIL recommends to take additional security measures.
Obligation to secure your website
You must absolutely preserve the confidentiality of the data flows. This is why your e-commerce website should be secured.
The CNIL recommends applying an updated SSL/TLS protocol to all of your pages. And communication ports should be limited.
For more details, you can refer to the checklist and security guide provided by the CNIL.
Obligation to secure users accounts
When users connect to e-commerce websites, they often are given the opportunity to create an account. This is a good idea, provided you respect the CNIL’s requirements.
- Authentification must be based on the creation of a complex password. At least 8 characters, including numbers, capital letters and lower case, and special characters.
- As much as possible, you should use a “Captcha” to protect your website from spamming and bots;
- The accounts should be temporised in case users make a mistake three times when entering their password. The accounts should be blocked if users fail to authenticate themselves 10 times.
- You should ask your users to regularly change their passwords.
- You should store passwords in a very well-secured database.
Remember those two essential rules:
- Passwords must be complex and be hard to guess;
- Account creations should be based on the creation of a secured password and on the use of a “Captcha”.
Conclusion : Are you ready to optimise your e-commerce website GDPR compliance?
Making your e-commerce website compliant means respecting several rules and obligations.
Some are required by the GDPR, some of them are required under other laws.
Being compliant is essential for the good functioning of your website, its visibility, and its profitability.
Data protection authorities are now more vigilant and carry out more investigations. Your clients and prospects are even more aware of their data protection rights. And they are more likely to exercise their individual privacy rights. Ignoring GDPR is no longer an option.
Fortunately, you can rely on compliance solutions that will take care of your GDPR compliance such as Admeet.