All Collections
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)

Find out all you need to know about GDPR

Ira avatar
Written by Ira
Updated over a week ago

General Data Protection Regulation (GDPR) took effect on the 25th of May, 2018, and Omnisend guarantees that we comply completely with all the changes approved and implemented.

Looking at the GDPR for eCommerce especially, there are lots of questions and concerns that merchants have at the moment. If you’re on Omnisend, there’s no need to worry. Huge new laws can seem very scary, but Omnisend is making sure the way you collect and store personal data is GDPR-compliant.


Essentials of GDPR for eCommerce

1. Get consent: the user must agree to be included in your marketing campaigns. 

If the user has consented to the message and communication channel that you are offering, then you can continue to do as you always have. But if there was no consent, then you cannot send them marketing materials or advertise to them. If you don’t have explicit, unambiguous consent from the visitor to get these kinds of marketing messages, then you won’t be able to send them messages—or else face heavy fines.

Note! Emails collected using 3rd party apps or on the checkout of your store won't have a consent record in Omnisend, because per European GDPR law, consent may only be collected via 1st party web form. Basically, we can't confirm that customers have given their consent if they weren't collected by us.

2. Provide adequate protection: you must protect the user’s personal data adequately.

If a user does consent to your storing and processing their personal data (through personalized marketing or advertising messages, for example) you have the obligation to make sure that that data is adequately protected. When it comes to exactly what “personal data” is, according to the GDPR the definition is pretty broad: any data that can be used alone or in combination to link to or point to a person. 

This includes the visitor’s: 

  • name

  • physical address

  • demographic data (age, location, etc.)

  • email address

  • IP address

According to the GDPR, businesses are supposed to appoint a Data Protection Officer (DPO), who is responsible for ensuring adequate security for personal data.

It simply states that DPOs are required for companies that process large amounts of personal data, so smaller eCommerce stores should be in the clear.

However, it’s still very important that you have someone in your organization who is in charge of data protection.

3. Delete, correct, or restrict when asked: if the user requests you to delete, correct, or restrict the personal data you have, you must comply quickly.

The last of the 3 essential areas of the GDPR for eCommerce concerns user requests to have their personal data deleted, corrected, or restricted.

The GDPR allows, at its core, for European citizens and residents to have more complete control over how their personal data is used.

For that reason, if an EU subscriber or shopper whose personal data you have asks you to erase or change it in any way, you have to do so within a reasonable amount of time.

If a user asks you to change or delete their personal data, it’s best to do it sooner rather than later.

With that, you’ll have nothing to worry about for this part of GDPR.

How Omnisend is helping merchants be GDPR-ready

Omnisend makes sure that all eCommerce merchants using our marketing automation platform are fully covered. We have done this in 5 important ways:

  1. Easy-to-export customer profiles

  2. GDPR-ready consent and re-consent 

  3. Right to be forgotten - complete removal of user data so that the customer or subscriber is not identified IN ANY WAY. This option is available if your client insists on it or if you request your account and data to be removed. 

  4. GDPR-ready privacy and cookie policies

With huge fines and other serious consequences, it is very important that eCommerce merchants understand what these rules mean for their business and how they can prepare for them.


What should I do if my contacts don't have a consent record? European customers must have consent due to GDPR law and EU regulations, which state that contact must be opted-in in order to receive emails. So, you can send communication to these contacts at your own risk. US regulations do not require any legal form of consent, so a simple subscription box on checkout is enough in order to treat contact as a legal subscriber, and a consent record isn't needed. However, these contacts must be able to unsubscribe from your marketing campaigns.

Want to go deeper into GDPR? Check our blog article on GDPR for eCommerce 

Did this answer your question?