In eCommerce, many transactions require consumers to provide personal data, such as name and address. However, with the multiple cases of personal data misuse for reasons such as advertising or for handing over to third parties, many consumers are hesitant or uncomfortable about giving their personal data online. To help keep online personal information safe and secure, data protection legislation has been implemented by different countries and states across the globe. It is therefore highly recommended that businesses keep well informed of data protection regulations to avoid facing legal consequences or paying heavy fines.
What is GDPR?
The General Data Protection Regulation (GDPR) is the primary legislation adopted by the European Union (EU) member states to regulate how companies protect EU citizens' personal data. It establishes the guidelines that companies need to follow when processing and moving consumer data. This legislation applies to countries in the EU, but more specifically to Web users in the EU. Its purpose is to provide uniform data privacy and security legislation that is consistent across the EU and that gives individuals in the EU greater control over their data. It also aims to reshape how organizations in the EU approach data privacy.
Who does it affect?
The GDPR affects any organization or company that does online business with Europeans and processes (accesses, collects, receives, stores) the personal data of individuals residing in the EU, regardless of the company's location. These companies are required to take the necessary steps to comply with the regulations.
Under GDPR legislation, there are two key entities that process data: the data controller and the data processor.
- Data controller is any individual or legal person that determines the purposes and means of processing personal data that it receives. This term refers to any organization or company that collects and makes use of customers' personal data. In email marketing, this role is played by the email marketing service.
- Data processor is any individual or legal person who collects, processes and stores personal data on behalf of the Data controller. In email marketing, this role is commonly played by email service providers.
Nexway can act in the capacity of one or the other depending on the terms of the agreement signed between us and the customer during the onboarding process.
How does Nexway make you GDPR compliant?
Nexway Monetize is a GDPR-compliant solution and so at Nexway we ensure that our customers are on the right side of the law.
One of the main conditions of the GDPR is that EU residents have a say in how their personal data is collected, processed and stored, and any organization or company that wants to process this data must have their express consent. This consent is the shoppers' approval (or non-approval) of their personal data being collected and used. Some of the strategies implemented to align with this condition and ensure that consent is properly handled include the following:
- Appoint a designated Data Protection Officer (DPO) to ensure that all regulations are followed and the shoppers/EU residents' rights are upheld
- Integrate consent collection means, along with the purpose for data processing, into all points throughout the customer journey (cart or checkout page, End-user portal, emails, etc.)
- Make consent clear and actionable, as mandated by the GDPR
- Create a Consent service to help customers (vendors) manage their shoppers' consent
- Ensure that an "Unsubscribe" link is included in all emails, including marketing campaigns (customizable to fit customers’ brand)
What is consent management?
Consent management is the means of collecting and managing shopper consent for data processing, as required by the GDPR or any other data protection regulation. The consent has a direct relation to the processing purpose (the reason an individual's personal data is processed), for example marketing.
When a customer signs up to use Nexway Monetize, they sign a data transfer agreement which clearly states how consent is to be managed and the respective roles and responsibilities of Nexway and the customer in the entire purchasing experience. At Nexway, we process personal data on behalf of our customers and by default operate under the principle that we are the single source of truth regarding shoppers' personal data unless explicitly stated otherwise in the data transfer agreement. This means that we collect and store all of the shoppers' personal data and any other information relating to their purchases in one place. Shopper consent is among the information stored.
In Nexway Monetize, shopper consent is mainly used for marketing campaigns. At Nexway we can handle these campaigns and any other shopper-related emails for our customers, but they can also do this themselves. Before any emails that are not strictly related to a purchased service or product are sent to a shopper, we need to know if they consented to receiving emails. To make this consent information readily available to all the parties involved, we implemented the Consent Service.
Nexway Monetize Consent service
The Consent service is used to help manage consumer (shopper) consent. It collects and processes consent events to compute and provide consent status where it is required/needed. It collects events with user information from several sources that include the following:
- Shopping cart
The consent service is used each time a cart is validated during a purchase. When a shopper makes a purchase, they are prompted to consent to receiving emails with offers as part of marketing campaigns. The response ("Yes" if they check the consent box, "No" if they do not check the consent box) is then collected and sent to the Consent service.
- End-user portal
The shopper can subscribe to or unsubscribe from receiving marketing emails in their user account.
Shoppers can withdraw consent via an "Unsubscribe" link that is included in all emails they receive from Nexway.
- Customer Care
Shoppers tell their Customer Care representative that they want to receive emails or withdraw their consent, and the representative updates the shopper's profile with this information.
After collecting events, the Consent service computes each shopper's consent status and organizes the statuses according to the stores from which the corresponding purchases were made. This can be useful to customers and anyone mandated to act on their behalf to manage their emails and marketing campaigns. The Consent service then makes the consent status available via API to the following:
- Nexway Center
Customers can consult the consent status of each shopper who made a purchase from their store.
- Nexway Customer (You)
Customers can request the consent status for individual shoppers or all the shoppers of their store via API.
- Marketing Campaign Managers
The tool or company that handles marketing campaigns on behalf of a customer can get user consent information from the consent service via API to ensure that only shoppers that gave their consent are sent emails.
To help ensure that we always have the most current shopper information as the single source of truth for shoppers' data, the Consent service can collect consent information directly from the customer and through marketing campaigns. For example, when a customer decides to handle their own emailing and marketing campaigns, Nexway provides them with a "Subscribe" and an "Unsubscribe" link to integrate into emails intended for shoppers. This ensures that Nexway's database is directly updated when a shopper uses these links to subscribe or to withdraw their previous consent and unsubscribe from the customer's mailing list.
See below for examples of how to retrieve consent status and send consent information (events) to the Consent service.
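An added example, not Nexway's code or API: a minimal model of the computation described above, folding consent events from several sources into a per-store status and filtering a campaign's recipients. The field names, source labels and the rule that the latest event wins (a withdrawal wins an exact tie, and no record means no consent) are assumptions.

```python
from datetime import datetime

# Hypothetical labels for the collection points the page lists.
SOURCES = {"cart", "end_user_portal", "email_link", "customer_care", "customer_api"}

def compute_status(events):
    """Fold consent events into {store_id: {email: bool}}; latest event wins."""
    latest = {}  # (store_id, email) -> (timestamp, consent)
    for ev in events:
        if ev["source"] not in SOURCES:
            raise ValueError(f"unknown source: {ev['source']}")
        ts = datetime.fromisoformat(ev["timestamp"])
        if ts.tzinfo is None:
            raise ValueError("timestamp must carry a UTC offset")
        # Normalise the address so one shopper is not tracked under two keys.
        key = (ev["store_id"], ev["email"].strip().lower())
        prev = latest.get(key)
        # Newer event wins; on an exact tie a withdrawal beats a grant.
        if prev is None or ts > prev[0] or (ts == prev[0] and not ev["consent"]):
            latest[key] = (ts, bool(ev["consent"]))
    status = {}
    for (store_id, email), (_, consent) in latest.items():
        status.setdefault(store_id, {})[email] = consent
    return status

def allowed_recipients(status, store_id, candidates):
    """Keep only shoppers with a recorded 'yes' for this store (default deny)."""
    store = status.get(store_id, {})
    return [c for c in candidates if store.get(c.strip().lower()) is True]

# Constructed sample events, deliberately delivered out of order.
EVENTS = [
    {"store_id": "store-A", "email": "john.doe@example.com", "source": "email_link",
     "consent": False, "timestamp": "2024-03-02T10:00:00+00:00"},
    {"store_id": "store-A", "email": "John.Doe@example.com", "source": "cart",
     "consent": True, "timestamp": "2024-03-01T09:00:00+00:00"},
    {"store_id": "store-B", "email": "john.doe@example.com", "source": "cart",
     "consent": True, "timestamp": "2024-03-01T09:30:00+00:00"},
    {"store_id": "store-A", "email": "jane@example.com", "source": "customer_care",
     "consent": True, "timestamp": "2024-03-03T08:00:00+00:00"},
]

if __name__ == "__main__":
    st = compute_status(EVENTS)
    print(st)
    print(allowed_recipients(st, "store-A", ["john.doe@example.com", "jane@example.com"]))
```

Consent is tracked per store, so the same shopper can be unsubscribed from one store's mailing list while still subscribed to another's.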
To use the Consent service on Nexway Center, no specific configuration is required on your part as a customer.
If you want to use the API to request consent status from Nexway or provide us with consent information for shoppers, please find the corresponding links and endpoints below.
You want to retrieve the consent status of shoppers who use your store
- For a particular shopper
via Nexway Center
An end-user profile is generated for each shopper that completes an order on a store. You can retrieve their consent status (along with other personal data) from this profile, which lets you know if they have consented to receiving email offers or not. If a shopper wants to receive emails, there is a check mark next to their Consent Status.
Make an API request with the following:
- For all the shoppers who use your store
Make an API request with the following:
means the shopper wants to receive email offers
means the shopper does not want to receive email promotions, etc.
You want to include an unsubscribe link in emails intended for the shopper John Doe
Integrate the following link into the email:
- "Id" is the storeId of the store where the shopper made their purchase
- "userEmail" is the email address of the shopper
This link takes the shopper to a landing page that allows them to withdraw their consent to receiving emails.
Nexway will receive, by API, the new consent information if the user decides to unsubscribe from the mailing list.
You want to send a new subscription status to Nexway
A shopper did not consent to receiving emails during the purchasing experience but while activating a product license that you provide by email, they decide to subscribe to your mailing list using a link that you provide. Nexway does not have this new consent information. To ensure that Nexway has up-to-date information, send the consent information to us by API using the following: