GDPR Compliance for Zencart
GDPR Compliance is a must.
To comply with GDPR, your users must
- give Explicit Consent for you to use their data for the purposes you intend,
- have Access to their information and
- have the Option to remove their information.
Zencart has Consent and Access in place (possibly needing some settings to be made in admin) and the Option to Remove exists in the sense that the user must inform you that they want to have their data removed, but there is not the clear guidance that GDPR demands.
Please note: this package is built for Zencart v1.5.5.
Additional work is required on earlier versions and additional charges will be shown when you select your Zencart version.
GDPR Compliance may seem like a headache, but JSWeb have built a package to ensure your Zen Cart website covers the legal requirements of the legislation.
Explicit Consent. Your Privacy Statement must explain exactly what you intend to do with the user's data. If you do not already have your Privacy Statement as mandatory reading, go to admin > configuration > Regulations and turn on the Privacy page. Content is added via admin > tools > Define Pages Editor (define_privacy.php), and this is where you should add your GDPR policy. We cannot write your policy for you, but we can offer an example which has been approved by trading standards.
Access to their information. Customers can access and edit their data through "My Account". However, Guest Checkout users think they do NOT have an account. Not offering Guest Checkout may well be the only sensible solution here to remain compliant with GDPR.
Option to remove their information. Users cannot delete their account themselves, and deleting the account does not delete orders made by that account - which is good, because by law you need to keep 7 years of historical order data for tax reasons. That need for retention should be explained as part of your GDPR policy.
Our service adds a Delete My Account option on the customer's My Account page, enabling them to send you an email so you can then manually delete their account. We have also built in an automatic process which will delete the account 30 days after the request is made. This does NOT delete past orders.
What About Existing Client Data
Activating your Privacy page and making it mandatory to accept it on account creation is fine for new customers. However, GDPR requires you to have specific consent to hold existing data, so to ensure you are compliant, we have added a Review and re-accept option on the My Account page. This links to a page which holds a copy of define_privacy.php (so you only ever need to apply updates in the one place, via Define Pages Editor) and includes Accept and Decline buttons. Choosing Accept allows the user to continue and stores the date of acceptance in the database; this is displayed in the individual customer data page in admin.
Clicking Decline will log the user out of their account and record the date they declined in the database. After 30 days, the account details (but NOT past orders) will be deleted automatically.
Of course, the vast majority of returning customers are not going to go to their My Account page unless directed, so we've created a popup that appears when logging in to their account the first time after the site has been configured for GDPR.
Assuming that they accept the privacy statement, they will never see that popup again, unless in the future you change that Privacy Statement, which means people will have to re-accept.
Doing this means that you don't really have to worry about sending emails out to your entire client base asking them to go and update their acceptance, although I'd say it's actually a good opportunity to let them know you're on the ball in respect of GDPR.
We cannot write your privacy statement for you and you must take your own legal advice on what is appropriate for your business. GDPR requires that the Privacy Statement must be clear and separate from the general Terms & Conditions - and it makes sense to have clear links to it from either the header or footer of your site if you do not already have that.
We are covering the practicalities of the user being able to apply their rights in accordance with GDPR and enabling you to easily comply with those rights. The actual management of the data itself is down to you, but we can obviously help if it comes to you needing mass deletion of redundant data. Should that be the case, please get in touch at https://my.jsweb.uk/submitticket.php
- You can modify the wording of the popup.
- You can specify the email address to which the Delete requests are sent.
- Should you need to modify your privacy statement and require people to re-consent, you can reset so that the popup shows again.
- The date of acceptance (or otherwise) displays in the customer's individual page and the customer listing.
- There is a sortable and "searchable by email" display of all those who HAVE accepted.
- A cron task will be configured to run daily at midnight (or as often as you wish). It identifies those people who have either requested account deletion or who have declined to accept the Privacy Statement and not changed their mind within 30 days, and automatically deletes all references to them in the database, except for any historic orders, which must be retained for legal reasons for 7 years.
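As an added illustration of the nightly purge described above (not JSWeb's own code): a MySQL script that first lists, then removes, customers whose deletion request or decline is more than 30 days old and has not been superseded by a later acceptance, while leaving the orders table untouched. The Zen Cart core tables (customers, customers_info, address_book, customers_basket, customers_basket_attributes) are real; the gdpr_consent table, its columns, and the absence of a table prefix are assumptions standing in for wherever the package stores the dates.

```sql
-- Assumed package table (not Zen Cart core): one row per customer with
-- accepted_date, declined_date and delete_requested_date (NULL when unset).
-- Trigger date = deletion request if present, otherwise the decline.
CREATE TEMPORARY TABLE gdpr_purge AS
SELECT g.customers_id
  FROM gdpr_consent g
 WHERE COALESCE(g.delete_requested_date, g.declined_date) < NOW() - INTERVAL 30 DAY
   -- A later acceptance cancels an earlier decline or deletion request.
   AND (g.accepted_date IS NULL
        OR g.accepted_date < COALESCE(g.delete_requested_date, g.declined_date));

-- Dry run: review this list (and keep it as an audit record) before the deletes run.
SELECT c.customers_id, c.customers_email_address
  FROM customers c
  JOIN gdpr_purge p ON p.customers_id = c.customers_id;

-- All deletes succeed or none do.
START TRANSACTION;
DELETE FROM customers_basket_attributes WHERE customers_id IN (SELECT customers_id FROM gdpr_purge);
DELETE FROM customers_basket            WHERE customers_id IN (SELECT customers_id FROM gdpr_purge);
DELETE FROM address_book                WHERE customers_id IN (SELECT customers_id FROM gdpr_purge);
DELETE FROM customers_info              WHERE customers_info_id IN (SELECT customers_id FROM gdpr_purge);
DELETE FROM customers                   WHERE customers_id IN (SELECT customers_id FROM gdpr_purge);
DELETE FROM gdpr_consent                WHERE customers_id IN (SELECT customers_id FROM gdpr_purge);
-- The orders table is deliberately not touched: historic orders are kept for 7 years.
COMMIT;

DROP TEMPORARY TABLE gdpr_purge;
```

Run the SELECT on its own first on a copy of the database to confirm the 30-day predicate picks up exactly the accounts you expect before scheduling the full script from cron.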
NOTE: This is a service offered by JSWeb. If you are comfortable with editing and merging PHP files, we are happy to provide the files at a discounted price, but it is important to note that the files are based on Zencart155f and may well need considerable work to apply to older versions and customised sites. Should you self-install, there is no warranty; if things do not quite work and you need our help to resolve it, we will be happy to assist, but our time will be billed at our hourly rate.