
My GDPR Statement

Here's what I did to comply with the GDPR.

PLEASE NOTE: If you are reading this to get ideas on what you should do, remember (a) I am not a lawyer, and (b) your situation could be different from mine. Please consult your own counsel.

My scenario

  • I am based in the United States
  • I don't use tracking cookies.
  • I don't use AdSense. My web properties are about my business and helping your business, not advertising for someone else.
  • I don't require date of birth for order processing.
  • I am using Zen Cart to process orders in my store, MailChimp for email newsletters, Wufoo for forms processing, Salesforce for CRM, YouTube for video display, WordPress for my blog.

Changes I Made to My Store

Here's what I did in my store. My store is powered by Zen Cart, which uses cookies in a minimal way.
  • In includes/templates/MY_TEMPLATE/common/tpl_main_page.php, I modified the call to Google Analytics so that IP anonymization is used. I changed
      ga('send', 'pageview');
    
    to
      ga('set', 'anonymizeIp', true);
      ga('send', 'pageview');
    
  • Under Admin > Configuration > Define Page Status, set Define Privacy Status and Define Conditions of Use both to 1. This adds a link to your privacy page to your Information sidebox.
  • Update the Conditions of Use define page (Admin > Tools > Define Pages Editor) to state that a condition of use is agreement to the privacy policy.
  • Turn off collection of gender and DOB using Admin > Configuration > Customer Details, Email Salutation = false; Date of Birth = false.
  • Under Configuration > Regulations, turn on both settings (Confirm during checkout, Confirm during account create).
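
The following is an added example, not code from this page, from Zen Cart, or from Google. It simulates offline the command queue that Google's stock analytics.js loader snippet builds before the library loads (the snippet defines window.ga as a stub that buffers each call's arguments in ga.q and replays them in order once analytics.js arrives) and audits that queue for the one ordering mistake that matters here: a "set anonymizeIp" line that ends up below the existing "send pageview" line does nothing for that first hit. It assumes a single default tracker (no named trackers) and uses 'UA-XXXXX-Y' as a placeholder tracking ID; the three scenarios at the bottom are constructed inputs.

```javascript
// Added example (not code from the page, Zen Cart or Google): an offline
// simulation of the analytics.js command queue, used to check that the
// anonymizeIp setting is queued before any hit is sent.
//
// Assumptions: a single default tracker (no named trackers), and
// 'UA-XXXXX-Y' as a placeholder tracking ID.

'use strict';

function makeGaStub() {
  // Same shape as the stub in Google's loader snippet: buffer the arguments
  // of every call until the real library loads and replays them in order.
  const ga = function () {
    (ga.q = ga.q || []).push(arguments);
  };
  ga.q = [];
  return ga;
}

// Walk the buffered commands in order and report every hit queued while
// anonymizeIp was not yet set to true. Returns an array of finding strings;
// an empty array means every hit was anonymized.
function auditQueue(queue) {
  const findings = [];
  let anonymized = false;

  queue.forEach((rawArgs, index) => {
    const [command, field, value] = Array.from(rawArgs);

    if (command === 'set') {
      // Both documented forms: ga('set', 'anonymizeIp', true)
      // and ga('set', { anonymizeIp: true }).
      if (field === 'anonymizeIp') {
        anonymized = value === true;
      } else if (field && typeof field === 'object' && 'anonymizeIp' in field) {
        anonymized = field.anonymizeIp === true;
      }
    } else if (command === 'send' && !anonymized) {
      findings.push(`command #${index}: send ${field} queued before anonymizeIp was set`);
    }
  });

  return findings;
}

// Constructed inputs. 'UA-XXXXX-Y' is a placeholder tracking ID.
const TRACKING_ID = 'UA-XXXXX-Y';

// What the template did before the change: no anonymization at all.
function beforeChange() {
  const ga = makeGaStub();
  ga('create', TRACKING_ID, 'auto');
  ga('send', 'pageview');
  return auditQueue(ga.q);
}

// The corrected order from the page: set first, then send.
function afterChange() {
  const ga = makeGaStub();
  ga('create', TRACKING_ID, 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
  return auditQueue(ga.q);
}

// A common mistake: the set line is added, but below the existing send.
// The pageview goes out un-anonymized; only the later event hit is covered.
function setAfterSend() {
  const ga = makeGaStub();
  ga('create', TRACKING_ID, 'auto');
  ga('send', 'pageview');
  ga('set', 'anonymizeIp', true);
  ga('send', 'event', 'video', 'play');
  return auditQueue(ga.q);
}

console.log('before change: ', beforeChange());
console.log('after change:  ', afterChange());
console.log('set after send:', setAfterSend());
```

To use this against a real template, copy the ga(...) calls out of tpl_main_page.php into a function like the ones above and run auditQueue on the resulting ga.q; any finding means the set line sits too low in the file.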

What I did for my privacy policy:
  • Update the privacy policy. I used the privacy policy template provided by Shopify.
    • I changed the text that starts with "we use Shopify" since I am using Zen Cart.
    • I added a link to PayPal's privacy policy.
    • Rather than posting my email and address I used a contact form.
    • I changed the Canadian spelling of "behavior." :)
  • I have a website which is separate from my store, so on that site, the privacy policy points to the store privacy policy.
  • I *do not* use Facebook pixel or any other tracking or retargeting mechanism, so I didn't need to make a statement like that.

Here's what I did *not* do:
  • I did not use JavaScript to block the website until you affirmatively accept my use of cookies. I don't use a tracking cookie, the cookies from Zen Cart are required to make the site operate, and the cookies used by Google Analytics are statistical 3rd-party cookies which provide no PII. Some experts interpret GDPR/EU Privacy Law as meaning that, in cases like mine, affirmative consent is not required, and that's what I am relying on. Please note that some experts disagree with this interpretation; you will have to decide for yourself if they are truly correct or if they are scaremongers trying to sell you services.
  • I did not send yet another email announcing my privacy policy update. My privacy policy is linked in my store's Information sidebox and in my site's footer, and if people want to read it they can.
  • I did not unsubscribe people from my newsletter until they re-opted in; they have already opted in once.