Ecommerce companies typically store lots of personally identifiable information (PII), so how can you make compliance easier without compromising analysis?
With the deadline for GDPR compliance looming, I wanted to expand on my previous article on GDPR and Google Analytics to focus on ecommerce.
Firstly, who does this apply to? GDPR is European Union legislation that applies to any company trading in Europe: so if you sell online and deliver to European Union member countries, the regulations apply to you. It’s essential that you understand how your online business is collecting and storing PII.
Splitting PII from anonymous data points
Your goal should be to maintain two separate data stores: one that contains customer details, from where you can look up what a specific customer bought, and one that contains anonymous data points, from where you can see performance and trends.
The data store for the customer details will typically be your ecommerce back-end and/or CRM (see below). This will include name, email, address, purchase history, etc. It will link those with a customer number and orders numbers. If a customer wants the right of access all the relevant details should be in this store.
We use Google Analytics as the anonymous data store (although you may have a different ecommerce analytics platform). There you can store data which only refers to the customer record. These are called pseudo-anonymous data points under GDPR: they are only identifiable to a customer if you can link the customer number or order number back to your ecommerce back-end.
Pseudo-anonymous data points you can safely send to Google Analytics include:
- Order number / transaction ID
- Order value / transaction amount
- Tax & shipping
- Product names and quantities
- Customer number
- Hashed email address (possibly a more flexible to link back to the customer record)
If a customer exercises their right to removal, removing them from the ecommerce back-end will be sufficient. You do not also have to remove them from your Google Analytics, since the order number and customer number now have nothing to refer to.
You do still need due process to ensure access to Google Analytics is limited, as in extreme circumstances a combination of dimensions such as products, country / city and browser, could identify the customer.
Try Littledata free for 30 days
Isn’t it simpler to just have one store?
Every extra data store you maintain increases the risk of data breaches and complexity of compliance – so why not just analyse a single customer data store?
I can think of three reasons not to do so:
- Marketing agencies (and other third parties) need access to the ecommerce conversion data, but not the underlying customer data
- Removing a customer’s order history on request would impact your historic revenue and purchase volumes – not desirable
- Your CRM / ecommerce platform is not built for large scale analysis: it may lack the tools, speed and integrations needed to get meaningful insights
Beware of accidental transfers
There are a few danger areas where you may inadvertently be sending PII data to Google Analytics:
- Customer emails captured in a signup event
- A customised product name – e.g. ‘engraving for Edward Upton’
- Address or name captured in a custom dimension
Our PII audit check is a quick, free way to make sure that’s not happening.
Multiple stores of customer details
GDPR compliance becomes difficult when your customer record is fragmented across multiple data stores. For example, you may have product and order information in your ecommerce database, with further customer contact details in a CRM.
The simplest advice is to set up automatic two-way integrations between the data stores, so updating the CRM updates the ecommerce platform and visa-versa. Removing customer records from one system should remove them from the other.
If that’s not possible, then you need clear processes to update both systems when customer details change, so you can comply with the right to rectification.
Conclusion
GDPR compliance need not require changing analytics tools or databases, just a clear process for separating out personally identifiable information – and training for the staff involved in handing that data.
I hope this brief overview has been helpful. For further advice on how your ecommerce systems comply, please contact us for a free consultation.
Littledata has experience with every major analytics platform and a wide range of custom setups. However, as a number of global companies are concurrently prepping for compliance, we highly recommend that you get in touch sooner rather than later!
Amazing Article
How is a hashed email address safe to send to a third party vendor and stored indefinitely? This is still PII and only pseudo-anomynized, since you are still able to link it back to the actual user email if needed.
Hi Duy,
If the hash is made based on data to what you are the only one having access, a third party will not be able to unhash it. There are standards in Google Analytics about how to hash an email address. You can read more: https://support.google.com/analytics/answer/6366371?hl=en
Hello Edward,
Thanks for the great article. I wonder about removing analytics on my websites. If you combine IP (from server logs) and Analytics Data (from Google Analytics) you will have location, device, IP. IP can be a personal data – http://curia.europa.eu/juris/liste.jsf?num=C-582/14&language=EN. I think having Analytics will require consent from users.
Hi Jack,
Google Analytics is providing the option to anonymize the IP in order to be compliant with the legislation in some countries and GDPR. You can read more about IP anonymization here:https://support.google.com/analytics/answer/2763052?hl=en