Introduction
This article will help you set up your database to comply with the European Union's General Data Protection Regulation (GDPR). When you enable GDPR Mode, users will need to opt in to having their personal information stored in your database. New users will need to opt in to create accounts, and existing users will need to opt in to access their accounts.
Important Note: Please contact us at support@configio.com if you have any questions or concerns regarding this feature.
Enabling Marketing Email Opt-In by Country
Log into your administrative console and navigate to Settings -> Setup -> Countries and States. You will see an Edit Icon on each Country.
Selecting it allows you to edit the Require Email Opt-In value. For each relevant Country, check the box and select the Update Button.
Now, whenever a customer selects that Country as part of their account address, they will be asked to opt-in to marketing emails.
Adding Privacy Policy Links
You can add a link to your privacy policy to your page footers. Go to Settings -> Setup -> Shopping Cart Help & Layout. You will see an Edit Icon on each page.
Clicking Edit allows you to edit the page footer. Insert text. Use the link tool to link to your privacy policy and select the Ok button.
Select the Save button.
Repeat this for each page that you want to contain a link to your privacy policy. You may decide that only certain pages, such as product search, create account, login, payment, process order, money request, and disclaimer, need a link; that decision is yours.
First Note: If you do not have a publicly accessible privacy policy URL, you can create a Web Content page.
Second Note: Your privacy policy should include information about cookies.
Third Note: You can also provide the direct HTML of the link to Configio Support, and they can add it to the footer of every page.
Asking for and Requiring Addresses on Account Creation
Each time a customer creates an account, you can ask them for their address, and you can require them to submit it in order to create the account. Go to Settings -> Setup -> Configuration. Turn ON the configuration titled "Ask for address when creating an Account" and click the Save button.
Repeat this for the configuration titled "Require Address to create an Account."
Disabling Guest Checkout
It is a best practice not to allow Guest Checkout, because these customers will not be able to request that their information be forgotten. Minors must be approved before they can be registered as participants, and Guest Checkout does not allow users to log back into the site after their pending participant has been approved. Go to Settings -> Setup -> Configuration. Turn OFF the configuration titled "Enable Anonymous/Guest Checkout" and click the Save button.
Customizing Messaging Configurations
There are several configurations related to messages displayed to users regarding the feature. Go to Settings -> Setup -> Configuration. Search for "personal." Review the default values in the System section, make changes as necessary, and select the Save button.
In particular, the value for the "Save personal information opt-in checkbox label" should read something like "I agree to your privacy policy." Also, the "Save personal information opt-in info message" should state that the privacy policy is available in the footer. Additionally, the associated Opt In and Opt Out warning configurations should be adjusted with terms that make the most sense for you.
Turning On the Primary Configuration
Go to Settings -> Setup -> Configuration. The primary configuration is titled "Turn on to enable GDPR mode (General Data Protection Regulation (EU)." Search for it, turn it ON, and click the "Save" button.
Making Age-Related Configurations
There are several configurations related to data about minors. Search for "minimum age" and make the following changes. Turn OFF the configuration "Ignore minimum age required to create an account config when in admin." Set the configurations "Minimum Age Required to create an Account" and "Participant minimum age pending state" to what your primary locality recognizes as the minimum age of an adult. Select the "Save" button.
Requiring Birthdates for Accounts
You must require birthdates on accounts. This is handled by an Account Form Question. Navigate to Settings -> Assignments -> Forms, search for your Account Form, and select the Edit Questions icon.
If you already are asking the birthdate question, select the Edit Icon. If not, select "Add New Question."
Then select "Birthdate."
Whether you are editing an existing question or adding a new one, ensure that "Required" is selected and click the "Save" button.
Requiring Birthdates for Participants
You must require birthdates on participants. This is handled by system configurations. Search for "birthdate," turn ON the configurations titled "Require Birthdate to create a participant" and "Ask for Birthdate when creating a participant," and select the "Save" button.
Adding Contact Information to Verify Minors
Customers who create participants that are in a pending state due to their age will see a message. The message will contain contact information so that they can notify you to get their participant verified.
That information comes from the Print Email and Print Phone configurations. If you want to include contact information in the message, ensure those configurations have correct values. Go to Settings -> Setup -> Configuration. Search for "print." Review the values for Print Email and Print Phone, make changes as necessary, and select the Save button.
Creating Email Messages
There are five types of email messages related to this feature. Below is a list of them with their descriptions.
Account My Information Request: This email is sent to GDPR Managers when account data is requested.
Participant My Information Request: This email is sent to GDPR Managers when participant data is requested.
Account Forget My Information Request: This email is sent to GDPR Managers when account data is requested to be forgotten.
Participant Forget My Information Request: This email is sent to GDPR Managers when participant data is requested to be forgotten.
Forget My Information Complete: After personal information has been forgotten from the database, this email is sent to the Administrator who submitted the request.
To create them, go to Settings -> Assignments -> Email Messages. Select the "Add New Email" button.
Select the type, input a title, and select the Save button.
Create the email message and select the "Save" button. See the Creating Email Messages article for more information.
Making an Administrator a GDPR Manager
GDPR Managers receive messages when there are requests for information or when there are requests for information to be forgotten. To make an Administrative User a GDPR Manager, go to Settings -> Setup -> Users. Select the Edit Icon.
Check "GDPR Manager" and click the Save button.