GDPR - Consent, Legitimate Interests and Magento

By Paul Honey


Is email an important marketing channel for your business? If you want to contact people after 25 May 2018 when the European General Data Protection Regulation (GDPR) comes into force, it’s time to prepare. We’ve written this article to look at the options for lawfully processing personal data under GDPR and techniques using the Magento platform to address the issue of consent.

Understanding GDPR and its application

GDPR has not been designed to put an end to direct or highly targeted marketing. The aim is to ensure that organisations use personal information in the way they have stated they will use it, that the information is kept safe, that it is not kept for longer than necessary and that individuals have control over their data.

The regulation applies to residents (not citizens) of the European Union, regardless of your company’s location. Brexit will not put an end to GDPR as the UK government has indicated that it will implement equivalent or alternative legal measures after Brexit.

When GDPR is introduced, data protection in Europe will be more stringent than in other parts of the world, but since much of the data protection around the world is based on the European model (the current Data Protection Directive is now 20 years old) it’s fair to assume that the rest of the world is heading in the same direction.

Some key GDPR terms

  • Data Subject – the person whose personal data is being controlled
  • Personal Data – information that identifies an individual, including IP addresses and location data
  • Sensitive Personal Data – special categories of data including genetic data, biometric data or data relating to criminal convictions, for example
  • Data Controller – the person or people who bear the primary responsibility for compliance
  • Data Processor – any entity that processes personal data under the controller’s instructions

About Consent

You’re probably aware of one lawful basis for processing personal data under GDPR – that of Consent. But what does Consent really mean?

The table below highlights relevant GDPR text with a plain English and practical view on the requirements.

GDPR Requirement | In plain English

Rec.32; Art.4(11), 6(1)(a), 7
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.

A clear and positive action is required by a user to signify their consent – not a pre-filled tick box or silence.

Rec.32; Art.6(1)(a)
“Consent” must be specific.

Obtaining consent doesn’t mean the customer has agreed to an open-ended set of processing activities. Consent must be limited to a specific context.

Rec.32, 42; Art.4(11), 7(1)
Consent must be “informed”. In order for consent to be informed:

  • The nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language which does not contain unfair terms; and
  • The data subject should be aware at least of the identity of the controller and the purposes for which the personal data will be processed.

Companies should take necessary steps to ensure that users are clearly informed of the purposes for which their personal data is to be used.

Rec.32
Consent must take the form of an affirmative action or statement. Consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject’s wishes.

For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.

Silence, inactivity or pre-ticked boxes do not equal valid consent. Companies must seek active consent.

Art.7(2)
If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. If the data subject is asked to consent to something that is inconsistent with the requirements of the GDPR, that consent will not be binding.

Consent should not be buried in T&Cs or privacy policies. The user should be presented with a clear plain language description of what they are consenting to.

Rec.42, 65; Art.7(3)
Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.

The company should make it easy for users to withdraw their consent, whether via the website, by phone or by email.

Rec.111; Art.49(1)(a), (3)
In the absence of other safeguards, transfers may take place if the data subject has explicitly consented to the transfer, having previously been informed of its possible risks. This does not apply to public authorities in the exercise of their powers.

The company should make sure this is the case if the website is hosted outside the European Economic Area, or if the data is processed by a system hosted outside the EEA, e.g. an email broadcast system.

Rec.171
Where an organisation has already collected consent from data subjects (prior to the GDPR Effective Date) it is not necessary to collect that consent a second time in consequence of the GDPR, provided that the initial consent was compliant with the requirements of the GDPR.

Historic consent is unlikely to be considered compliant unless it meets all the standards of the current GDPR consent requirements.

An alternative to consent – Legitimate Interests

While Consent is at the heart of data protection law, it is not the only route to GDPR compliance. There are, in fact, six lawful bases for processing personal data under the GDPR.

The other five relate to fulfilling contracts, complying with laws and statutory obligations, protecting lives, carrying out public authorities’ tasks and lastly, the one which is of most interest to marketers and which we will explore here, that of having Legitimate Interests in processing personal data.

“If Consent is difficult, look for a different lawful basis” advises the Information Commissioner’s Office, the enforcer of data protection regulation in the UK, in its helpful and well written Guide to the General Data Protection Regulation. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

‘Legitimate Interests’ allows you to use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is compelling justification for processing their data. Worth noting though is that consent should already be in place for you to market to these people and the notion of the ‘Soft opt in’ is covered by the ICO.

These Legitimate Interests can be yours or those of third parties. And they can include commercial interests, individual interests or broader societal benefits.

While Legitimate Interests may appear to be the GDPR’s saving grace for many marketers, it’s worth bearing in mind that Consent trumps Legitimate Interests as a lawful basis. Darren Wray, author of The Little Book of GDPR (https://www.amazon.co.uk/Little-Book-GDPR-Getting-Compliance/dp/1522021140), acknowledges that the Legitimate Interests approach has advantages, but emphasises that Consent is a far more secure and defined route, particularly when it comes to marketing activity. “If your Legitimate Interests approach is ever challenged, it could result in lists that have been created on that basis being deemed unusable,” he warns.

To use Legitimate Interests as a lawful basis for contacting people, some preparation work is necessary. Fortunately this has been well documented and clearly set out by the Data Protection Network in its recently published Legitimate Interests Guidance. https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/

This guidance has really helped us to understand what Legitimate Interests are and where they apply. To use Legitimate Interests as a basis for processing personal data, individuals must be told about those legitimate interests and there is also an obligation to tell individuals about their right to object.

To rely on Legitimate Interests, you must first carry out a three-stage test, the Legitimate Interests Assessment (LIA) to ensure that there is a balance between the interests of the Controller and the individual. This is an essential part of the concept of Legitimate Interests.

The three stages of the LIA are to identify the Legitimate Interest, to carry out a Necessity Test and to carry out a Balancing Test, making sure that the rights and freedoms of the individual do not override the Controller’s Legitimate Interest.

Templates for each of these three stages are set out in the Data Protection Network’s guidance. We’re using these templates to document the Legitimate Interests process.

The Magento interpretation of GDPR consent requirements

Many Magento based businesses send general newsletter updates and also process customer data (often in a third party email system) into segments. These segments can then be used to tailor specific email communications so that they are more relevant to the user. Additionally, customer data is often used to set up triggered email sequences such as abandoned basket emails, birthday emails, emails to lapsed customers, etc.

Another common Magento enhancement is the personalisation of ecommerce content, based on a customer’s previous purchase or browsing history. Base Magento functionality for Related Products, Up-Sells and Cross Sells can be enhanced by a number of extensions and technologies that can use personal data to tailor the products being displayed. Some technologies take personalisation even further and skew content panels and other areas of the site.

The following examples show how email marketing and personalisation consent can be obtained in a GDPR compliant manner.

From a user’s perspective

A clear and positive action is required by the users to signify their consent – not a pre-filled tick box or silence. Within Magento there are two areas in which users are used to managing this type of consent.

The examples illustrate a radio button mechanism that uses a technique analysed by Stephen M. Fleming in ‘Overcoming status quo bias in the human brain’. Very simply condensed: ask the users to actively select an option rather than present them with a prefilled option, which in the case of GDPR would have to be the ‘No’ option.

My Account/Newsletters or Account Creation Step

Along with any site wide newsletter signup options, the My Account/Newsletters screen can be modified to allow GDPR compliant consent as shown in the screen below. Users can be directed to this section of their account to manage their consent preferences.

[Screenshot gdpr_01.jpg: Manage my consent area in My Account / Account Creation Step]

Checkout

The checkout has long been viewed as the perfect place to collect emails. For many years companies have prefilled the “subscribe to newsletter” tick box. This will no longer be appropriate.

See the screenshot for an example of a Magento Checkout GDPR Consent Mechanism.

[Screenshot gdpr_02.jpg: Magento Checkout GDPR Consent Mechanism]

Tools to manage consent

To be GDPR compliant from a recording-of-consent perspective, and to be able to demonstrate consent and access this data through a readily available mechanism, we recommend the following.

A GDPR grid view in Magento is an ideal way to manage this. In this example, a grid view is constructed clearly showing:

  • Customer name
  • Email address
  • Marketing email consent status – yes or no
  • Marketing email consent obtained – the date and time the consent was obtained
  • Marketing email consent status mechanism – which link was used to obtain this consent i.e. via My Account, via Checkout or via email
  • Marketing email consent version – versioning the consent text and logic allows companies to store specific versions of consent related language and logic so that they know exactly what the user consented to.
  • Personalisation consent status – yes or no
  • Personalisation consent obtained – the date and time the consent was obtained
  • Personalisation consent status mechanism – which link was used to obtain this consent i.e. via My Account or via Checkout
  • Personalisation consent version – versioning the consent text and logic allows companies to store specific versions of consent related language and logic so that they know exactly what the user consented to. This needs to be a process embedded into the website change control process so that language/screens are versioned and archived for future reference

The standard Magento grid view functions of filtering, exporting, searching and updating should meet most use cases and access to this screen should be controlled to appropriate personnel as it is sensitive data.

[Screenshot gdpr_03.jpg: GDPR consent grid view in the Magento admin]

Keeping consent data in sync

Changes to consent status need to feed several processes. For example, a change in email consent status needs to feed any downstream processes and applications, e.g. a third party email broadcast system. Likewise, a user initiated unsubscribe action from a marketing email needs to update the user’s email consent record. Similarly, consent for personalisation would need to govern any technology used to alter the site content based on user behaviour.
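The grid columns above and the sync requirement in this section can be modelled together as an append-only consent ledger. This is an added example written for this article, not Magento code; the purpose names, mechanism names, `ConsentLedger` class and the downstream subscriber list are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed vocabulary for the two consents the grid tracks and the screens that collect them.
PURPOSES = {"marketing_email", "personalisation"}
MECHANISMS = {"my_account", "checkout", "email"}


@dataclass(frozen=True)
class ConsentEvent:
    """One row of evidence: who, for which purpose, yes/no, when, which
    screen or link produced it, and which version of the wording was shown."""
    email: str
    purpose: str
    granted: bool
    obtained_at: datetime
    mechanism: str
    version: str


class ConsentLedger:
    """Append-only log: a withdrawal is a new event, never an edit, so the
    history shows exactly what was agreed and under which consent text."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.purpose not in PURPOSES or ev.mechanism not in MECHANISMS:
            raise ValueError("unknown purpose or mechanism")
        if ev.obtained_at.tzinfo is None:
            raise ValueError("obtained_at must be timezone-aware")
        self._events.append(ev)

    def current(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest decision for this person and purpose; None means no
        affirmative action was ever recorded, which counts as no consent."""
        hits = [e for e in self._events if e.email == email and e.purpose == purpose]
        return max(hits, key=lambda e: e.obtained_at) if hits else None

    def has_consent(self, email: str, purpose: str) -> bool:
        ev = self.current(email, purpose)
        return ev is not None and ev.granted

    def reconcile_email_system(self, downstream_subscribed: Set[str]) -> Dict[str, Set[str]]:
        """Compare the ledger with a third party broadcast list (constructed
        input) and return the changes that must be pushed downstream."""
        known = {e.email for e in self._events if e.purpose == "marketing_email"}
        wanted = {m for m in known if self.has_consent(m, "marketing_email")}
        return {
            "unsubscribe": downstream_subscribed - wanted,  # withdrawn, or never consented
            "subscribe": wanted - downstream_subscribed,    # consented but not yet synced
        }
```

An unsubscribe link clicked in a marketing email is recorded as a new event with mechanism `email` and `granted=False`, which is what makes the next reconciliation remove that address downstream.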

Google Analytics, GDPR and Magento

Google Analytics (GA) is the dominant analytics package for Magento, and with respect to GDPR there are several areas that companies should review to make sure they don’t fall foul of GDPR requirements on storing personal data. It should also be noted that Google’s terms of service mandate that personally identifiable data is not stored within a GA account. Google may suspend or delete an account, and the loss of the associated analytics data would obviously be problematic.

Techniques that may need to be reviewed from a compliance perspective include storing email addresses or other personal data in custom variables, capturing personal data on forms/events, and using names in URLs.
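One way to catch the three leaks just listed before a hit leaves the site is to audit the outgoing parameters. This added example (not from the article or Google) checks a Universal Analytics Measurement Protocol hit: `dl`/`dp` carry the page URL, `cd1` style keys carry custom dimensions, `el` the event label; the query parameter names in `PERSONAL_QUERY_KEYS` and the sample hit are constructed for a hypothetical store.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Query parameter names that, on this constructed store, carry a person's details
# (the "names in URLs" case, which no regex can recognise on its own).
PERSONAL_QUERY_KEYS = {"email", "firstname", "lastname", "name"}
REDACTED = "[redacted]"


def redact_url(url: str) -> Tuple[str, List[str]]:
    """Remove personal data from a page URL before it is reported as dl or dp.
    Returns the cleaned URL and a list of reasons it was changed."""
    parts = urlsplit(url)
    reasons: List[str] = []
    clean = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PERSONAL_QUERY_KEYS or EMAIL_RE.search(value):
            reasons.append(f"query:{key}")
            value = REDACTED
        clean.append((key, value))
    path = parts.path
    if EMAIL_RE.search(path):  # e.g. an account page keyed by email address
        reasons.append("path:email")
        path = EMAIL_RE.sub(REDACTED, path)
    rebuilt = urlunsplit((parts.scheme, parts.netloc, path, urlencode(clean), parts.fragment))
    return rebuilt, reasons


def audit_hit(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Check one Measurement Protocol hit and return a version that is safe to
    send plus the findings, so a review can see which technique leaked data."""
    findings: List[str] = []
    safe = dict(params)
    for key, value in params.items():
        if key in ("dl", "dp"):
            safe[key], why = redact_url(value)
            findings += [f"{key}/{w}" for w in why]
        elif EMAIL_RE.search(value):  # custom dimensions, event labels, titles
            findings.append(f"{key}:email")
            safe[key] = EMAIL_RE.sub(REDACTED, value)
    return safe, findings
```

Run over real hits, the findings list doubles as an inventory of which forms, events and URL patterns need changing at source, rather than relying on redaction alone.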

Hosting and storage of data

Data should be securely stored in a location compliant with GDPR. Most companies in the UK will host with hosting companies within the EEA, but care should be taken that you understand the physical locations of any cloud based services and that they comply with GDPR. If data is stored outside the EEA, then explicit customer consent, with an acknowledgment that they understand the risks, is required.

We hope this article will help with your GDPR compliance. However, GDPR is not the only regulation that will affect us. PECR (the Privacy and Electronic Communications Regulations) is on the way and that’s a whole other issue that we’ll be covering soon.