Hi,
We love the fact that CS-Cart has introduced a GDPR Compliance add-on and just thought we'd post some ideas on how it can be improved to better adhere to the GDPR laws.
- Allow the option of letting a user from within their customer account download their order history as XML (which would save them having to email or call the store owner). (GDPR Art. 20 - The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format). There is no need for this information to be only accessible by admin, it's easier if the user can access it themselves without troubling admin.
- Allow the option of letting a user from within the customer account choose to "Delete and Anonymize" their account. (GDPR Art. 17 - The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay). The only stipulation I would make is that ALL ORDERS must be marked as "complete" before they are allowed to take this step, and possibly only then after a certain number of days (say 30, in case there is a problem with shipping). The number of days could be configurable in the add-on and should be called the "Retention Period".
- Add an option to notify users that the site needs cookies to run (an overlay bar at the top or bottom of the page) and a button to allow cookies or disable cookies. A good example of this being implemented can be seen at https://www.civicuk.com/cookie-control - see how the tracking/analytical cookies are turned off by default and social cookies are turned off by default, but they can be turned on if the user wants. However, necessary cookies are turned on and can only be turned off by changing browser settings. Something like this would be amazing for CS-Cart.
- If using the option of Deleting / Anonymizing a user's account (either an admin or a customer using option 2 above), then if the system is integrated with a 3rd party marketing service such as MailChimp, the user should also be unsubscribed and removed from these lists.
- An option to view the consent history log in the control panel.
- GDPR stipulates that you must ensure your data is up to date. An option to email all users every 12 months since they signed up, asking them to log in to their account and make sure their information is up to date, would be useful. This could be achieved using a cron. The email would simply say something along the lines of "Has your information changed? Under the GDPR we are obligated to make sure your information is up to date, so if anything has changed over the past 12 months, please could you log in at [LINK] and update your information. If nothing has changed then you can safely ignore this email. Thank you, [StoreName]."
These changes would make the GDPR compliance by CS-Cart one of the best across all e-commerce platforms. If anyone has any other useful and relevant ideas to make this module even better, please feel free to add to this list below. But let's try to keep it to things that are required under GDPR and not just personal wish lists.
Thank you.
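The two self-service actions proposed in items 1 and 2 above (an order-history export the customer triggers from their own account, and "Delete and Anonymize" gated on every order being complete and a configurable Retention Period having elapsed), written out as an added example in plain Python. This is not CS-Cart code and was not provided by the poster; the in-memory Order/Customer records, the status name "complete", the function names and the unsubscribe hook that stands in for a third-party mailing-list client are all assumptions made for illustration.

```python
"""Added example, not CS-Cart code: the two self-service GDPR actions proposed
in the post, order-history export (Art. 20) and delete-and-anonymize with a
retention period (Art. 17), over a constructed in-memory store.  The names
Order, Customer, export_orders_xml, can_anonymize and request_erasure are
assumptions made for illustration."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass
class Order:
    order_id: int
    status: str                      # assumed status name, e.g. "complete"
    total: float
    completed_on: Optional[date] = None


@dataclass
class Customer:
    user_id: int
    email: str
    firstname: str
    lastname: str
    phone: str
    orders: List[Order] = field(default_factory=list)
    anonymized: bool = False


def export_orders_xml(customer: Customer) -> bytes:
    """Art. 20 export the customer can run from their own account.
    Only the customer's own data is emitted; nothing admin-only goes in."""
    root = ET.Element("customer", user_id=str(customer.user_id))
    ET.SubElement(root, "email").text = customer.email
    orders = ET.SubElement(root, "orders")
    for o in customer.orders:
        el = ET.SubElement(orders, "order", id=str(o.order_id), status=o.status)
        ET.SubElement(el, "total").text = f"{o.total:.2f}"
        if o.completed_on is not None:
            ET.SubElement(el, "completed_on").text = o.completed_on.isoformat()
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def can_anonymize(customer: Customer, today: date,
                  retention_days: int) -> Tuple[bool, str]:
    """Eligibility rule from the post: every order must be complete and the
    most recent completion must be at least retention_days in the past."""
    if customer.anonymized:
        return False, "account already anonymized"
    open_orders = [o.order_id for o in customer.orders
                   if o.status != "complete" or o.completed_on is None]
    if open_orders:
        return False, f"orders not complete: {open_orders}"
    if customer.orders:
        last = max(o.completed_on for o in customer.orders)
        if today - last < timedelta(days=retention_days):
            return False, f"retention period of {retention_days} days not elapsed"
    return True, "ok"


def request_erasure(customer: Customer, today: date, retention_days: int,
                    unsubscribe_hooks: Sequence[Callable[[str], None]] = ()
                    ) -> Customer:
    """Art. 17 delete-and-anonymize.  Personal fields are overwritten with a
    random pseudonym so the order rows, totals and statuses survive for
    accounting, but nothing left identifies the person.  A hash of the old
    e-mail would NOT do: anyone holding the address could recompute it and
    re-link the record.  The hooks are an assumed stand-in for third-party
    integrations (a mailing-list client, for example) that must be told to
    drop the address; they run before the address is discarded."""
    allowed, reason = can_anonymize(customer, today, retention_days)
    if not allowed:
        raise ValueError(f"erasure refused: {reason}")
    for hook in unsubscribe_hooks:
        hook(customer.email)
    token = secrets.token_hex(8)
    return replace(customer,
                   email=f"deleted-{token}@anonymized.invalid",
                   firstname="Deleted", lastname="User", phone="",
                   anonymized=True)
```

The order in which request_erasure does things matters: the unsubscribe hooks are called while the real address is still known, then the record is rewritten; if a hook raises, the account is left untouched rather than half-erased. The retention check uses the latest completion date across all orders, so a customer with one old and one freshly completed order still has to wait the full period.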