GDPR Compliance

This is one in a series of topics to help Magento merchants and developers understand the implications of the General Data Protection Regulation (GDPR). The information is intended for informational purposes only and should not be construed as legal advice. Consult with your legal counsel to determine whether and how your business should comply with any legal obligations.

The General Data Protection Regulation (GDPR) is legislation that regulates data protection and privacy for all individuals in the European Union and the European Economic Area. The legislation also applies to the export of personal data outside the EU. The GDPR was adopted in April 2016 and became enforceable on 25 May 2018. Businesses that are not based in the EU but engage in global commerce are required to comply with the regulation. The GDPR defines personal data as follows:

Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

All organizations that process personal data must disclose the following:

  • The type of data that is collected
  • The purpose for collecting the data
  • The method that is used to collect the data
  • How long the data is retained
  • Whether or not the data is shared with others

GDPR and CCPA

If your business is required to comply with both the GDPR and the California Consumer Privacy Act (CCPA), you can leverage some of the work from your GDPR compliance program for the CCPA. Although the regulations have some similarities, a few differences include:

  • The definition of personal information differs for each regulation.
  • The GDPR requires consumers to opt in before their personal data may be used for certain purposes; the CCPA provides consumers with the right to opt out.
  • The CCPA has additional data inventory and mapping requirements.
  • The regulations have different privacy policy requirements.

Businesses that comply with GDPR might have additional obligations under the CCPA. To learn more, see the CCPA Fact Sheet.

Best Practices

  • Examine the current privacy policies for all of your Magento stores to ensure that they align with any applicable legal requirements (including, but not limited to, the GDPR and CCPA).

  • Update your Google settings to ensure that they align with your legal obligations regarding the use of personal data.

  • Maintain transparency, and keep thorough documentation.

  • Visit the Magento website to learn how Magento helps merchants comply with applicable legal obligations.

  • For data flow diagrams and database entity mapping, see the Personal Information Reference.