You don’t need to delete old orders; just make sure that if customers ask you to delete their account (“right to be forgotten”) from your website, you anonymise the transaction data. We have used the following extension for that sole purpose.
For M1: https://www.scommerce-mage.com/magento1-gdpr-compliance.html
For M2: https://www.scommerce-mage.com/magento2-gdpr-compliance.html
Great find!
Thanks for the link. I will try that one.
@tappel wrote: "... Using Google Analytics or Facebook or whatever for tracking customer behaviour is still allowed without express consent."
Hi Tappel
This is not my understanding (but I could be wrong; it's a complicated subject).
Within Google Analytics you can pinpoint a specific customer by going to "Audience" > "User explorer". Click on one of the "Client ID" entries, then check the time and the value of the order. After that, you can find all personal data about that person in the Magento admin.
Therefore my take is that Google Analytics data is personal data, and that you need express consent for the GA cookie, and also need to be able to anonymise the order.
Best,
Magnus
@sherrie Is Magento 2 going to be updated to offer real GDPR compliance any time soon? I mean, we're missing many checkboxes when taking customer info, and some tools to delete data on both the backend and the frontend. I know there are some extensions (2 actually) that will fulfil these new obligations, but it will ideally need to be built into Magento, as the cookie policy consent section is right now... Thanks for your answer and consideration!
So sorry for the delays in response here.
@Brake6: As for Magento 1.x, the M1 mappings are provided in addition to M2: https://magento.com/gdpr
"Are there Magento product features to help with compliance? To assist merchants with their GDPR compliance efforts, Magento has made data mappings available for the Magento software, so you are able to identify the locations where information is stored in our application. These mappings are available for Magento 1.x and Magento 2.x and cover Magento Commerce cloud and on-premise, as well as Magento Open Source."
I would definitely recommend giving our FAQ a thorough look-through:
https://magento.com/sites/default/files/Magento-GDPR-FAQs.pdf
Please do let me know if you have questions that are not answered there.
@baghulia: I'm told there are numerous tools on the roadmap to enable merchants to have more control over customer data, cookies, etc.
These guys have a couple of GDPR extensions for Magento, might be worth checking out: https://www.ecomus.co.uk/gdpr-extension
They basically include a consent extension and a cookie extension; they can also give lots of good advice on GDPR.
Cookies: The ICO state:
"You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent and consent must be actively and clearly given.
Users should be able to disable cookies, and you should make this easy to do."
You are allowed essential cookies, but not non-essential (3rd-party) cookies.
Ecomus GDPR Cookie Extension for Magento 1 allows for 3rd party cookies to be disabled while keeping essential cookies running.
https://www.ecomus.co.uk/gdpr-cookie-extension
Consent: The ICO state:
"Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people."
Ecomus GDPR Consent Extension for Magento 1 manages the consent required for compliance with GDPR.
https://www.ecomus.co.uk/gdpr-consent-extension
In the UK, at least, you have to keep records for 6 years for tax purposes.
We aim to write an extension to delete a customer's data after 6 years (or however long you want to set).
It might possibly include anonymising the data sooner, depending on the legal advice we are given.
This is something that you as a merchant should do; it should not be put in the hands of customers, as it could have legal implications.
We would suggest having a section that says 'If you want to receive a copy of your data or have us remove your data then please get in touch'; the ICO then give you 30 days to reply.
Get in touch for further info - info@ecomus.co.uk
You should not delete orders, you need these for the tax man.
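An added example, not code from this thread or from any of the extensions mentioned in it, of the approach the first post and the Ecomus post describe: on an erasure request the order record is kept for the tax man, but every identifying field is replaced with a placeholder, and the record only becomes deletable once the 6-year retention period has passed. The field names, the sample order and the placeholder value are constructed for illustration and are not Magento's real schema.

```python
from datetime import date

# Fiscal fields: needed for tax records, kept verbatim on erasure (assumed names).
FISCAL_FIELDS = {"increment_id", "created_at", "grand_total",
                 "tax_amount", "currency", "status"}
# Identifying fields: replaced with a placeholder on erasure (assumed names).
PII_FIELDS = {"customer_email", "customer_firstname", "customer_lastname",
              "telephone", "street", "postcode", "customer_ip"}
RETENTION_YEARS = 6          # UK tax retention period cited in the thread
PLACEHOLDER = "[anonymised]"

# Constructed sample order; field names are illustrative, not Magento's schema.
SAMPLE_ORDER = {
    "increment_id": "100000042", "created_at": "2018-05-30",
    "grand_total": "59.90", "tax_amount": "9.98", "currency": "GBP",
    "status": "complete",
    "customer_email": "jane.doe@example.com", "customer_firstname": "Jane",
    "customer_lastname": "Doe", "telephone": "+44 20 7946 0000",
    "street": "1 Example Street", "postcode": "SW1A 1AA",
    "customer_ip": "203.0.113.7",
}

def anonymise_order(order: dict) -> dict:
    """Return a copy of the order with every identifying field replaced.

    A field that is neither fiscal nor known PII raises, so that a column
    added later cannot slip through un-anonymised.
    """
    unclassified = set(order) - FISCAL_FIELDS - PII_FIELDS
    if unclassified:
        raise ValueError(f"unclassified fields: {sorted(unclassified)}")
    return {k: (PLACEHOLDER if k in PII_FIELDS else v) for k, v in order.items()}

def contains_any(order: dict, values) -> bool:
    """True if any of the given (original PII) values still appear anywhere."""
    blob = " ".join(str(v) for v in order.values())
    return any(str(v) in blob for v in values)

def retention_expired(order: dict, today: date, years: int = RETENTION_YEARS) -> bool:
    """True once the order has passed the retention period and may be deleted."""
    created = date.fromisoformat(order["created_at"][:10])
    try:
        expiry = created.replace(year=created.year + years)
    except ValueError:       # 29 Feb with a non-leap target year
        expiry = created.replace(year=created.year + years, day=28)
    return today >= expiry

if __name__ == "__main__":
    anon = anonymise_order(SAMPLE_ORDER)
    assert anon["grand_total"] == SAMPLE_ORDER["grand_total"]
    assert not contains_any(anon, [SAMPLE_ORDER["customer_email"]])
    print(anon)
```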