1st Feb 2018 – How to Convert in Ecommerce in the GDPR Era
2. Incentives, incentives, incentives. It’s already an ecommerce best practice to usher folks away from guest checkouts, and into registration.
Of course, this doesn’t seem like anything new. Europe has always had rules about how one can process the data of its citizens.
And GDPR’s definition of personal data is strict. It covers any piece of information that can identify someone. So name, ID number, location data, email, phone, address, company, etc.—all require that you ask for consent. Even (most) cookies count as personal data and require user permission to run.
If you already have someone’s email, and their explicit, active consent to use it for promotions and alerts…
In plain English:

GDPR: Why it matters

No more pre-checked “Contact me with the latest” boxes.
A few things you can do…
No more.

The Lowdown on Personal Data

So let’s discuss how these new standards will influence how you market in Ecommerce.
Some persistent cookies you may be running, and that may require consent:
Do they submit their name and address and payment information? Did you collect their email address in exchange for a coupon? Have you stored their shopping cart across sessions? Automated personalized recommendations for them? Tracked their location to point them to their nearest brick-and-mortar location, or to list prices in their preferred currency?
They may fall into the exception of: “assessing the effectiveness of a delivered information society service…for example by helping to measure to the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application.”
For a brief explanation of this concept, we can turn to GDPR’s Article 23. It calls for data collectors to only hold and process data that’s necessary to complete their duties.
GDPR, or the General Data Protection Regulation, is the EU’s broadest sweeping piece of legislation on data privacy since the 90s. It defines and solidifies the rights individuals have to their data trail online.
Most of them will fit the criteria of “authorizing the technical storage or access which is…enabling the use of a specific service requested by the end-user.”
So basically: if it doesn’t serve the user, it shouldn’t be sitting in your database.
“What if, when I collect the email addresses, underneath the form, I write something like this?”
And with that extra step, the digital marketing landscape is changing for the better. As we turn to implement GDPR, we’re turning towards a greater concern for our users’ privacy. Towards a stronger email list, of customers who actually want to hear from us. And towards a higher set of expectations as to what it means to market decently, and transparently.

Cart Abandonment Campaigns

These are the questions GDPR demands we start acting on.
Many ecommerce best practices—using cookies to personalize an experience, or following up with an email after a cart has been abandoned—are now going to require straightforward, unambiguous, and active consent.
So, as you probably have before: separate your checkout process. Collect the email first. Ensure proper consent from the user to be contacted. Then move on to credit card information, shipping information, etc.
(Psst…we wrote a much more substantive article on how to solicit explicit consent on forms. Read it over here.)
Your session cookies are probably okay. As long as they stay on a browser, and retain information only until a browser session ends—they’re unlikely to identify an individual.
So there are no workarounds with this one. Stop collecting data you don’t need—doing so will keep you compliant with GDPR, keep you sane, and keep your users happy.
[By submitting my email, I confirm the right to be contacted about offers and promotions by COMPANY NAME].
This is actually good news. All sorts of studies have shown a higher completion rate on shorter forms. If you’ve been lazy about auditing the form fields in your checkout process—GDPR gives you an excuse to act.
They have to see your statement soliciting consent, it has to be written in clear-as-day English, and they have to check the box themselves before you have the “OK.”
Consent cannot be implied.
1. You can make checking the consent box a mandatory step before moving on to the next stage of checkout.
It may be possible that some require user consent, whereas others do not. The particulars will be determined by the new ePrivacy Regulations—once they’re approved. For now, we have draft 15333, which makes some exceptions for common Ecommerce cookies.
Even these come with gray areas. For example, you might be okay on product recommendations—if they’re generated based only on data stored during a particular user session, or if they’re based on mass, anonymized consumer data and product popularity.
Unless they consent to be contacted—ABOUT the things you want to contact them about.
Now I know what you’re thinking…you sneaky marketer.
If 99% of your customers are purchasing for themselves—do you need to include the company name in your form?
How many additional potential customers are going to drop out right here, and abandon their carts—because they don’t want to sign away their inbox—just to buy a shirt?
Only then can you contact them to complete their purchase.
But, with the implementation of GDPR, we’re entering a new landscape of data privacy and security law. One which greatly restricts how we collect, use, and store personal data throughout the customer lifecycle.

And IF you (or likely, your automation software), can match this email address, to an email that’s abandoned a cart…

But here’s the silver lining: not all cookies can personally identify a user, and some cookies are singled out as an exception to the rule.
But GDPR makes things clearer and stricter, and expands the legislative scope. Now, if you’re based in the EU, store data in the EU, or collect ANY personal data from ANY EU citizens—you have to follow the new rules.
Data touches every step of the buying process for Ecommerce customers. So for marketers, collecting and using data appropriately needs to be a concern—every step of the way.
The important note here is to make sure you’re getting GDPR-qualifying consent, the first time you collect their emails. If your registrants aren’t actively consenting to hear from you about alerts—you don’t get to contact them with alerts.
For example: storing the number of times users visit a certain item page (without any tie to the individual users themselves)? Fine.
When’s the last time you’ve called a customer?

(Excessive) Data Collection

These micro-moments of data collection and storage are all par for the course in the Ecommerce landscape right now. And for good reason! A lot of them are good for user experience and lead to higher conversion rates.
Or to try and get visitors onto your email list with a popup, like the folks at Modcloth:
This is only such a big deal because, now, how you ask permission has changed.
You Might Want to Rethink Your Cart Abandonment Campaign
Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment…For instance, consent should not be requested for authorizing the technical storage or access which is necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages, authentication session cookies used to verify the identity of end-users engaged in online transactions or cookies used to remember items selected by the end-user and placed in shopping basket. Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example by helping to measure to the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site.
Now, all of us (I hope) have privacy policies. Most of us mention our site uses cookies if our site uses cookies.
No more: “by entering this site you accept the use of cookies.”
In full:
If you’re working in Ecommerce, take a second to inventory how you use data. From the moment someone lands on your site, to the second they click “purchase”—how much do you know about them?
But in general: if your cookies are tied to a User ID, or ANY unique identifier, across sessions—they can potentially be attributed to a specific site visitor without their permission. And that could get you in trouble with GDPR.
These campaigns may become increasingly important.
That potentially “determines the nature of who is using the site.”

Arguably, the biggest change GDPR will bring for marketers has to do with how we collect, store, and use personal data.

But ask yourself first: what will this do to your overall conversion rate?
Remember what GDPR says about consent-getting? Not only do users need to consent to being contacted for you to comply with GDPR—they need to explicitly, and *actively* consent.
Your persistent cookies—the ones that store data over several browser sessions—those are tricky.
A huge part of GDPR is “privacy by design.” And a huge part of privacy by design is something called “data minimization.”
And the number of customers you’re losing here: will it be fewer than the number of folks you win back over on your cart abandonment campaign?
GDPR is very clear: just because you have someone’s email doesn’t mean you can use it to contact them.
Identifying the behavior of one user who visits that page, across separate browser sessions—not fine.
So we’ve already dropped this piece of bad news: Cookies are considered personal data under GDPR.
Back in the good old days—it was best practice to separate your checkout process into steps. To collect an email first thing, so, if your customer abandons their cart, and doesn’t end up buying—you can follow up, send them a quick set of reminder emails—perhaps offer them a discount.
A big “no” to that.
For example, keeping track of what a user has added to their cart throughout a browser session (but no longer). Or holding onto their wish list (for as long as the session they’re browsing lasts).

  1. Customer log-in data, address, and payment information
  2. Persistent shopping carts (across sessions)
  3. Product Recommendations (resulting from specific user data)
  4. Custom user interfaces / Personalizations (e.g. “Welcome back, Joanne! Continue shopping?”)
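The session-versus-persistent distinction drawn above can be enforced at the point where cookies are actually issued. The following is an added example, not code from the original post: it classifies `Set-Cookie` headers, lets session cookies (no `Expires`/`Max-Age`) through, and drops persistent ones unless the checkout form recorded active consent. The header strings, the consent record and its `given`/`active` field names are constructed for the demo.

```javascript
// Added example: gate persistent cookies on recorded, active consent.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), persistent: false, deletion: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "expires") cookie.persistent = true;
    if (key === "max-age") {
      // Max-Age <= 0 tells the browser to delete the cookie: nothing is stored.
      if (Number(v) <= 0) cookie.deletion = true;
      else cookie.persistent = true;
    }
  }
  return cookie;
}

// consent: the record the checkout form produced, e.g. { given, active, timestamp }.
// "active" means the user ticked an unchecked box themselves; a pre-checked box or an
// implied "by using this site" banner does not qualify (constructed field names).
function hasActiveConsent(consent) {
  return Boolean(consent && consent.given === true && consent.active === true);
}

// Session cookies end with the browser session and pass; persistent ones need consent.
function classifyCookie(header, consent) {
  const c = parseSetCookie(header);
  if (c.deletion) return { name: c.name, verdict: "deletion-ok" };
  if (!c.persistent) return { name: c.name, verdict: "session-ok" };
  const verdict = hasActiveConsent(consent) ? "persistent-consented" : "persistent-blocked";
  return { name: c.name, verdict };
}

// Strip persistent Set-Cookie headers that lack consent before the response goes out.
function filterSetCookieHeaders(headers, consent) {
  return headers.filter((h) => classifyCookie(h, consent).verdict !== "persistent-blocked");
}

// Constructed sample headers mirroring the cookie inventory above.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure",                      // single-session cart
  "uid=joanne-42; Max-Age=31536000; Path=/; Secure",                 // cross-session user ID
  "recs=prod7,prod9; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/", // persistent recommendations
  "oldtracker=x; Max-Age=0; Path=/",                                 // deletes an old cookie
];
const NO_CONSENT = { given: false, active: false };
const ACTIVE_CONSENT = { given: true, active: true, timestamp: "2018-02-01T10:00:00Z" };

console.log(filterSetCookieHeaders(SAMPLE_HEADERS, NO_CONSENT)); // only sessionid and oldtracker survive
```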

But the second this data becomes personally identifying, we’re entering dangerous territory.
So at this point, you’re at a crossroads. Kill your persistent cookies altogether, or only start using them once you ask for consent—and someone gives you the okay.

To sum it up…

Users now have to explicitly, affirmatively, and unambiguously give you permission to use their personal data.
You have to make a tough choice here.
No more: “by downloading this piece of content you agree to be contacted about other offers and promotions.”
