GDPR Website Checklist
GDPR introduces the concept of freely given consent that is both specific and informed. Your website may not be GDPR compliant, depending on how you obtain consent and how you ensure that the visitor to your website is informed about the consent that they are providing.
The following points apply to anyone capturing individuals' details: not just eCommerce websites, since CMS and static websites can capture this information too, for example via enquiry forms.
Users must opt-in
This point may seem an obvious one but you cannot assume that anyone is happy to receive marketing communications unless they have given their consent.
In other words, if you ever intend to contact any customer about anything other than the specific orders that they have placed, you must get their permission first.
Required Action »
Some older websites, and template-based websites powered by axis diplomat systems without the eBusiness Mailing List module, may not include an opt-in option in their checkout. axis vMerchant is being modified so that orders from checkouts without an opt-in option are filed as if an opt-in option had been offered but not selected.
The axis diplomat eBusiness Mailing List module is now standard for all axis diplomat 2016 systems with Software Assurance and the axis vMerchant module.
Clients with both axis vMerchant-based websites and static/CMS-based websites should also review their enquiry and/or newsletter subscription pages to ensure that it is clear what the user is consenting to.
Users must take a positive action to opt-in
It must be clear to the user that they are opting in and they must make a conscious decision to do so. Essentially, this bans opt-in boxes that are pre-ticked and "reverse logic" opt-outs. See Examples below.
Required Action »
Some older websites may include an opt-in that is pre-selected by default, or an opt-out option. This would normally only have been implemented at the client's request at the time. If this is the case, please discuss your requirements with our Customer Services department.
Separate Opt-Ins from other Confirmations
You should not bundle the consent for future contact into other consents, such as accepting terms and conditions.
Required Action »
Websites that bundle consent are effectively sites without an opt-in (see above). In addition, you should review the CMS content on your site to ensure that it does not imply that accepting terms and conditions also means consenting to future communications.
Easy to Withdraw Consent
It must be as easy to withdraw consent in the future as it is to give it. Generally, this means not only ensuring that every email communication contains an unsubscribe link but also that your website provides a means for people to withdraw consent without waiting for your next marketing email.
Required Action »
axis vMerchant websites powered by axis diplomat systems with the eBusiness Mailing List module can provide an unsubscribe page; we recommend that you ensure that the site's overall navigation provides a clear link to this page (such as in the footer navigation).
Providing unsubscribe links from your marketing emails will depend on the technology that you use to send your emails: Emails sent from axis diplomat on systems with the eBusiness Mailing List module can include links to the Unsubscribe page.
Ensure that your Policy Documents (such as Terms & Conditions, Privacy Policy and Cookie Policy) are updated
You should ensure that the various policy documents accessible via your website are updated for any required GDPR changes - for example, making it clear what you do with information received, how long you will retain it and where it may be stored.
Required Action »
If you are using an axis vMerchant or CMS-based website, you should review your policy documents. If you have a static website and cannot update content yourself, please discuss your requirements with our Customer Services department.
Third Party Service Providers
You should verify the GDPR position regarding any third party service providers that you use and, especially, tracking applications. It is possible that these applications track users in a way that they have not consented to, so you should check with the individual service providers. Other service providers should be checked too, such as review management companies and Payment Service Providers (PSPs).
Required Action »
The most commonly used tracking service, Google Analytics, does not pass personal information to Google. For other 3rd party service providers, you should contact them to ensure that their service provision falls within the requirements of GDPR. You may also need to update your policy documents to make it clear to users how you will use their data.
Examples
Example 1 (image not reproduced): BAD - This is an opt-out rather than an opt-in
Example 2 (image not reproduced): BAD - This does not require a positive action to opt-in
Example 3 (image not reproduced): BAD - This is an implicit opt-in
Example 4 (image not reproduced): GOOD - They are only opted-in if they specifically choose to do so, and if they do nothing, they are not opted-in
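The following is an added example, not axis vMerchant or axis diplomat code, showing how a checkout back end can decide from the submitted form fields whether marketing consent was positively given, covering the four patterns above (opt-in box, reverse-logic opt-out, no box at all) and the separate handling of terms acceptance and withdrawal. The field names (`marketing_optin`, `no_marketing`, `accept_terms`), the schema object and the consent-text identifier are assumptions for illustration.

```javascript
// Added example (not the vendor's code). Field names, the schema shape and the
// consent-text identifier are assumptions for illustration.

// Parse an application/x-www-form-urlencoded POST body into a plain object.
// URLSearchParams is a Node/browser global, so no import is needed.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Describes how a given checkout presents consent. Only the 'optin' kind can
// ever produce consent; the other two are the legacy patterns in the Examples.
//   { kind: 'optin',  field: 'marketing_optin' }  unticked box; a tick = consent
//   { kind: 'optout', field: 'no_marketing' }     reverse logic (BAD, Example 1)
//   { kind: 'none' }                              checkout offers no box at all
function marketingOptIn(fields, schema) {
  if (schema.kind !== 'optin') {
    // Reverse-logic opt-outs and missing boxes: an absent tick is not a
    // positive action, so these are filed as "option offered but not selected".
    return false;
  }
  // Only an explicit affirmative value counts; absent or empty -> false.
  return fields[schema.field] === 'yes';
}

// Terms acceptance is evaluated on its own field, so accepting T&Cs can never
// be read as consent to marketing (bundled consent is treated as no consent).
function termsAccepted(fields) {
  return fields.accept_terms === 'yes';
}

// Build the consent record stored against the customer: when and under which
// wording consent was given (so the "specific and informed" basis can be
// evidenced later) and where a withdrawal is recorded.
function buildConsentRecord(fields, schema, submittedAt, consentTextVersion) {
  return {
    optedIn: marketingOptIn(fields, schema),
    termsAccepted: termsAccepted(fields),
    source: 'checkout',
    consentTextVersion, // e.g. 'marketing-optin-v1' (assumed identifier)
    recordedAt: submittedAt,
    withdrawnAt: null,
  };
}

// Withdrawal (unsubscribe page or email link) is a single step: it needs only
// the record and the time of the request, never a re-confirmation.
function withdrawConsent(record, at) {
  return { ...record, optedIn: false, withdrawnAt: at };
}

// Constructed sample submissions matching the Examples section.
const OPTIN_SCHEMA = { kind: 'optin', field: 'marketing_optin' };
const OPTOUT_SCHEMA = { kind: 'optout', field: 'no_marketing' };
const NO_BOX_SCHEMA = { kind: 'none' };

const samples = {
  // Example 4 (GOOD): customer ticked the separate marketing box.
  ticked: parseForm('email=a%40example.com&accept_terms=yes&marketing_optin=yes'),
  // Example 4 (GOOD): customer accepted terms but did nothing else -> not opted in.
  untouched: parseForm('email=a%40example.com&accept_terms=yes'),
  // Example 1 (BAD): opt-out box left unticked; must not count as consent.
  legacy: parseForm('email=a%40example.com&accept_terms=yes'),
};

console.log(marketingOptIn(samples.ticked, OPTIN_SCHEMA));    // true
console.log(marketingOptIn(samples.untouched, OPTIN_SCHEMA)); // false
console.log(marketingOptIn(samples.legacy, OPTOUT_SCHEMA));   // false
console.log(marketingOptIn(samples.ticked, NO_BOX_SCHEMA));   // false
```

The point of the schema argument is that the decision is driven by how the box was presented, not by the raw field value: a legacy opt-out checkout cannot be promoted to consent by re-reading its data, which is the same treatment the text describes for checkouts without an opt-in option.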