GDPR: How Jilt is complying and helping our users comply

The General Data Protection Regulation (GDPR), the European Union’s new online privacy and data protection regulation has far-reaching effects. If you collect any information from any user in Europe, you’re subject to the GDPR. At Jilt, we take your privacy and data rights seriously, so we’ve worked hard to make sure that we’re in full compliance with the regulation and taken steps to make it easier for our users—shop owners, managers, and consultants—to comply.

Below is an overview of what GDPR is, what it means for you, and what we’re doing. For even more information, read our GDPR page which has additional details on the steps we’ve taken to comply and how we’re helping store owners comply when they use Jilt.

Disclaimer: EU data protection laws, including the GDPR, are complex. This guide should not be considered legal advice. Please consult a legal professional for details on how the GDPR impacts your business.

What is GDPR?

GDPR is the new European law that regulates how companies can collect, process, store, and use data. It essentially enacts a much stricter set of privacy and data ownership regulations, and it comes online across Europe today. You may have heard of it from the countless emails you’ve received recently from every app you’ve ever used and from scary-sounding headlines like “No one’s ready for GDPR” in The Verge.

Anyone who does business with citizens of the EU is affected by the GDPR, and most companies are attempting to comply even if they don’t have many customers in Europe.

At Jilt, we’ve been hard at work since the start of the year to make sure we’re in compliance and that our users have the tools they need to be in compliance while using Jilt for eCommerce email marketing.

First, two important definitions—the GDPR defines two types of data users:

  • Data controllers: A data controller is a person or business who controls how personal data is used. Jilt is a data controller with respect to the data we collect from our users (like your payment information and email address). Store owners are also data controllers of their customers’ data.
  • Data processors: Data processors are any people or businesses who process personal data on behalf of a controller (processing can be as benign as simply storing the data). Jilt is a data processor for our users, which includes the data we store and analyze for your shop and your customers, such as sending emails.

What is Jilt doing to comply?

Because Jilt is both a data controller and a data processor, and because we want to help our customers (shop owners and managers) comply as data controllers, we’ve been reviewing compliance from every angle. Again, you should read the full list of things we’ve done over on our GDPR page (because it’s a lot!), but here it is in brief:

How does this affect eCommerce email marketing?

As a store owner, you’re a data controller, and that means you’re required to comply with the GDPR, too. Compliance is your responsibility, but we know it’s also a big burden, especially for small business owners. We’ve tried to make it as easy as possible for shop owners to be in compliance while using Jilt, however the content of your emails, when you send them, and how your site is structured all affect your own compliance with the GDPR. We’re also not lawyers, so none of this should be construed as legal advice.

That said, when it comes to the eCommerce email marketing and the GDPR, here are some things you should know.

There are six lawful reasons for when you can process personal customer data (which, remember, can include anything from storing data to analyzing it to using it for the purpose of, say, sending an email to a customer):

  • Processing the data is necessary for the performance of a contract
  • Processing the data is necessary for legal obligations
  • Processing the data is necessary to protect the vital interests of the subject
  • Processing the data is necessary in order to perform a public interest
  • You as a controller have legitimate interest to process the data
  • You have consent to process the data

You may have reason to use almost all of these lawful bases for processing your customers’ data. For example, you could use the legal obligations basis in order to store tax compliance information, or you may use the performance of a contract basis so that you can fulfill an order. In addition to listing the information you collect and how you use it, your store’s privacy policy should detail the legal basis you’re utilizing to process it.

The “consent” basis has received a lot of attention from most organizations, and you may have read about every type of action with your store requiring consent, but this isn’t accurate. The ICO (the UK’s data protection regulatory office) says:

The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.

Indeed, it further clarifies that all the lawful bases for processing have equal weight, saying:

No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

So, select the most appropriate basis for processing data and don’t default to consent. Shopify clearly and concisely describes the potential issues with eCommerce stores using consent instead of other types of lawful bases in this video (the link should start you at the right spot, but the relevant portion begins around ~10:00).

Remember, though, when using any valid basis for processing other than consent, you still need to provide notice, with the ability to opt out of processing. A cookie notice on your site & an updated privacy policy may be sufficient notice for certain types of processing, but others may require additional steps. It’s also important not rely on more than one type of legal basis for processing data. That can create confusion for users and create legal issues (you can’t “switch” from one basis to another after you’ve already collected & processed data).

Are abandoned cart recovery emails GDPR compliant?

This is the most common GDPR-related question we get. And that makes sense. On the surface, it seems like abandoned cart recovery emails might be a no-no under GDPR since you’re not asking for consent to send them. But as we noted above, consent is only one of six lawful reasons to process data.

The general industry opinion (and this was confirmed by both our internal analysis and our outside independent legal counsel) is that abandoned cart recovery emails fall under the legitimate interests basis, as long as they come with notice, and provide the ability for recipients to opt out. To learn more about this, review our GDPR page, which describes how we’re helping shop owners comply with the notice & opt-out requirements within WooCommerce, Easy Digital Downloads, and Shopify.

For other emails you can send with Jilt, such as post-purchase follow ups, your basis for processing could be either legitimate interests or consent, depending on the email content and when you send them. For example, it’s likely that a post-purchase email asking “Did you receive your order?” would be OK to send under a legitimate interest basis, whereas a post-purchase email offering a discount off a future purchase would require consent. It’s up to you to make sure your use is in compliance with the GDPR, but check out our GDPR page for more details on how to determine which basis to use to make sure your emails comply.

What should shop owners do to comply?

Our best advice is to talk to a legal professional. Every business is different and the GDPR is massive, complex, and often confusing. A legal professional will be able to give you the best guidance for your business about compliance. That said, with the big caveat that none of this should be construed as legal advice, here are some things you should definitely be doing in order to assist with compliance:

  • Review & update your privacy policy and Terms of Service (you can use our Privacy Policy and Terms of Service as examples, or consider using Termly or Shopify’s Privacy Policy generator
  • Add a cookie notice & statement to your site (we recommend OneTrust or another plugin/service for this)
  • Include a link in your privacy policy to our Privacy Notice for Visitors to our Users’ Stores, which details for your customers how we process their data
  • Update to the latest version of the Jilt plugin (WooCommerce and EDD—Shopify users: don’t worry, you are automatically using the latest version) and enable the notice & consent feature
  • Request and review our sample legitimate interests assessment and use them as a starting point for your own assessment (get in touch with us from the app dashboard to request this)

What’s next?

Much of the real-world impact of the GDPR is yet to be seen, but there are likely to be adjustments and changes made as regulators interpret and clarify aspect of the laws. This is to be expected with any regulation as complicated and far-reaching as the GDPR. We’ll be keeping a close eye on any changes and will adjust our resources and tools appropriately. In the meantime, make sure bookmark our GDPR resource page, as we’ll be constantly updating it. And of course, if you have any questions, please get in touch.