All merchants are required to complete the following actions:
- Enable eCom's feature to request permission to enable cookies
- Sign our Data Processing Agreement
- Notify customers after any data breach
CCPA affected merchants are required to:
Depending on your eCom store you may also need to:
Cookies can contain personal data, so in order to be compliant you need to enable a cookie bar that requests permission from customers to enable cookies. To do so:
- Open your Lightspeed eCom Back Office > Settings.
- Click Web extras.
- Scroll to COOKIE LAW and from the dropdown list, select Confirmation is required for cookies.
- Click Save.
This will add a cookie bar at the top of your eCom homepage:
- Customers can opt in to cookies by clicking Yes on the cookie bar.
- Customers can opt out of cookies by clicking No on the cookie bar.
- Log in to your eCom Back Office and click Content.
- Use the text editor to add content or make changes. For more information about the text editor, click here.
- Click Save.
- A list of all personal information you collect from customers.
- Why you are collecting personal information.
- How you use personal information.
- Instructions on how to revoke permission for cookies. This is done by clicking No on the cookie bar at the top of the privacy page.
As Lightspeed is helping eCom store owners in the processing of personal data, we are required by law to enter into a Data Processing Agreement (DPA) with our merchants using eCom stores affected by privacy laws.
Signing the DPA is fully to your benefit as it creates specific rights for you in relation to Lightspeed’s processing activities. Also, it clearly describes all the obligations that Lightspeed has towards you. Once you've signed the DPA, it is effective immediately and is legally binding. If you haven't received the DPA from us yet, it's important that you contact us to sign it as soon as possible. This will ensure that you're compliant with privacy laws and avoid fines from the privacy authorities.
It's also important to note that Lightspeed shares its personal data with many integration partners. This allows them to pull the data they need to build their integrations and Lightspeed to offer the best business solution to its merchants.
To request a DPA and for more information, please contact our integration partners directly.
Under privacy laws, a data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
If the data breach relates to data Lightspeed is processing on your behalf as a processor, we will always notify you within 36 hours after discovery. It is then your responsibility as a Lightspeed eCom merchant to assess whether or not you should notify the supervisory authorities, your customers and your employees.
If you've determined that the data breach is likely to result in a high risk to the rights and freedoms of your customers and/or employees, you'll need to:
- Notify the supervisory authorities within 72 hours after discovery.
- Notify the affected customers and/or employees ("data subjects") as soon as possible and include the following information:
  - a description of the nature of the breach.
  - the name and contact details of your data protection officer or other contact point.
  - a description of the likely consequences of the breach.
  - a description of the measures that you've taken or have proposed to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
However, if any of the following conditions are met, communication to each individual customer and/or employee isn't required:
- You've implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
- You've taken subsequent measures which ensure that the high risk to the rights and freedoms of your customers and/or employees is no longer likely to materialize.
- Communicating to your customers and/or employees would involve disproportionate effort. In such a case, you'll be required to send a public communication or similar measure whereby they'll be informed in an equally effective manner.
When affected by the CCPA, you're required to have a page titled Do not sell my personal information.
To enable this page:
- Log in to your eCom back office and click Content.
- Click 'Do not sell my personal information'. If you can't find this page, click Add page and enter Do not sell my personal information as the title.
- Make the page visible by activating the switch beside VISIBILITY.
- Enter the page content.
- Click Save.
If you use Google Analytics with your eCom store to track information, according to privacy laws, customers can choose not to be tracked by Google Analytics, so some modification to Lightspeed eCom is required. For more information, click here.
If you had newsletter subscribers before May 25, 2018, you may need to confirm that they still wish to be subscribers.
Subscribers actively added
Take no action if you're sure all subscribers have actively subscribed by entering their email or by selecting a checkbox during checkout.
Subscribers passively added
If some customers were added manually to the list of newsletter subscriptions or have been added without actively subscribing, it is recommended that you:
Doing so will ensure that any new customers who subscribe in the future are guaranteed to be active subscribers.
- Send the email using any mailing tool that you use to send newsletter subscriptions.
- The email should contain a link to your website with instructions on how to resubscribe.
After you email your subscribers, you will need to archive them.
NOTE: You cannot unarchive a customer.
- In Lightspeed eCom, click Marketing > Newsletter.
- Select the checkbox in the column headers to select all your subscribers.
- Click X items selected > Archive selected newsletter subscriptions > OK.