All merchants are required to complete the following actions:
- Enable the eCom cookie bar, which asks customers for permission before cookies are set
- Sign our Data Processing Agreement
- Notify customers after any data breach
Depending on your eCom store, you may also need to:
- Update your privacy page
- Adjust your Google Analytics tracking
- Confirm your existing newsletter subscribers

Enable the cookie bar

Cookies can contain personal data, so to be compliant you need to enable a cookie bar that asks customers for permission before cookies are set. To do so:
- Open your Lightspeed eCom Back Office > Settings.
- Click Web extras.
- Scroll to COOKIE LAW and from the dropdown list, select Confirmation is required for cookies.
- Click Save.
This adds a cookie bar at the top of your eCom homepage:
- Customers can opt in to cookies by clicking Yes on the cookie bar.
- Customers can opt out of cookies by clicking No on the cookie bar.

Update your privacy page

Your privacy page must explain to customers what personal information you collect and what you do with it. It should include:
- A list of all personal information you collect from customers.
- Why you are collecting personal information.
- How you use personal information.
- Instructions on how to revoke permission for cookies. This is done by clicking No on the cookie bar at the top of the privacy page.
To edit your privacy page:
- Log in to your eCom Back Office and click Content, then open your privacy page.
- Use the text editor to add content or make changes. For more information about the text editor, see the text editor article.
- Click Save.

Sign the Data Processing Agreement

Because Lightspeed processes personal data on behalf of eCom store owners, we are required by law to enter into a Data Processing Agreement (DPA) with our GDPR-affected eCom store users. If your eCom store is established in the European Union, you should have received the DPA by email.
Signing the DPA is to your benefit: it creates specific rights for you in relation to Lightspeed's processing activities and clearly describes all of Lightspeed's obligations towards you. Once you've signed the DPA, it is effective immediately and legally binding. If you haven't received the DPA from us yet, contact firstname.lastname@example.org and sign it as soon as possible. This will help ensure that you're compliant with the GDPR and avoid fines from the privacy authorities.
Lightspeed also shares personal data with many integration partners, so that they can pull the data they need to build their integrations and Lightspeed can offer the best business solution to its merchants. Because of this data sharing, GDPR-affected retailers that have integrated their eCom store with a partner also need to enter into a DPA with that partner.
To request a DPA and for more information, contact our integration partners directly.

Notify customers after a data breach

If personal data held by your store is breached, you must:
- Notify the supervisory authority within 72 hours after you discover the breach.
- Notify the affected customers and/or employees ("data subjects") as soon as possible, and include the following information:
  - a description of the nature of the breach;
  - the name and contact details of your data protection officer or other contact point;
  - a description of the likely consequences of the breach;
  - a description of the measures that you've taken or have proposed to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
However, you don't need to contact each individual customer and/or employee if any of the following conditions are met:
- You had implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach; in particular, measures that render the personal data unintelligible to anyone not authorized to access it, such as encryption. Note that this exemption does not hold if the encryption key was exposed in the same breach.
- You've taken subsequent measures that ensure the high risk to the rights and freedoms of your customers and/or employees is no longer likely to materialize.
- Contacting your customers and/or employees individually would involve disproportionate effort. In that case, you must instead make a public communication or take a similar measure that informs them in an equally effective manner.

Google Analytics

If you use Google Analytics with your eCom store, note that under the GDPR European customers can choose not to be tracked by Google Analytics, so some modification to your Lightspeed eCom store is required. For instructions, see the Google Analytics article.

Newsletter subscribers

If you had newsletter subscribers before May 25, 2018, you may need to confirm that they still wish to be subscribed.
Subscribers actively added
Take no action if you're sure all subscribers actively subscribed by entering their email address or by selecting a checkbox during checkout.
Subscribers passively added
If some customers were added to the newsletter subscription list manually, or were otherwise added without actively subscribing, it is recommended that you:
- Email your subscribers asking them to resubscribe.
- Archive your existing subscribers.
Doing so ensures that everyone who subscribes from then on has actively opted in.
Email your subscribers
- Send the email using whichever mailing tool you normally use to send newsletters.
- The email should contain a link to your website with instructions on how to resubscribe.
Archive your subscribers
After you email your subscribers, you need to archive the existing subscriptions so that only customers who resubscribe remain on your list.
NOTE: Archiving cannot be undone; you cannot unarchive a subscriber.
- In Lightspeed eCom, click Marketing > Newsletter.
- Select the checkbox in the column header to select all your subscribers.
- Click X items selected > Archive selected newsletter subscriptions > OK.