In the Administration panel, go to Add-ons → Manage add-ons.
Find the GDPR Compliance (EU) add-on and click Install next to it.
Once the add-on is installed, click on its name to open the add-on’s settings.
On the General tab you’ll find the following settings:
Cookie consent—determines if customers will be notified about cookies, and whether or not they’ll have to accept the use of cookies before being allowed to use the site.
None—customers won’t be notified at all that the web-site uses cookies.
Implicit—customers will see an unobtrusive pop-up notifying them that the web-site uses cookies. Depending on what pages the customers visit, cookies may be set on their devices without their prior approval.
Explicit—before a customer can enter the web-site, he or she will see a page with the information that the web-site uses cookies. Customers must give their consent before they can proceed to see the site. That way no cookies are set on customers’ devices before the consent is given.
Note
The ability to ask for explicit consent for the use of cookies first appeared in version 4.8.1. Until then, store owners could only ask for implicit consent under Settings → Security settings in the administration panel.
The add-on’s settings also have the GDPR tab; there you’ll be able to choose where to show the notifications about personal data processing, and edit the texts of those notifications. We’ll do it later, in step 3.
Click Save.
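To check that the Explicit mode behaves as described (no cookies set before consent), you can inspect the response headers of a first visit. The script below is an added example, not part of CS-Cart or this add-on; the function names, sample responses and cookie names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def _is_deletion(attrs, now):
    """A Set-Cookie with Max-Age<=0 or a past Expires removes a cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        if attrs.get("expires"):
            dt = parsedate_to_datetime(attrs["expires"])
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
            return dt <= now
    except (TypeError, ValueError):
        pass  # unparsable attribute: treat the cookie as being set
    return False

def cookies_set(raw_headers, now=None):
    """Return names of cookies that a response stores on the client."""
    now = now or datetime.now(timezone.utc)
    names = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or another header
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        if not _is_deletion(attrs, now):
            names.append(name)
    return names

def pre_consent_violations(responses):
    """Map each URL fetched without consent to the cookies it set."""
    found = {url: cookies_set(raw) for url, raw in responses.items()}
    return {url: names for url, names in found.items() if names}

# Constructed header captures of a first visit, before any consent is given.
SAMPLE_EXPLICIT = {"/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                        "Set-Cookie: old_pref=; Max-Age=0; Path=/\r\n"}
SAMPLE_IMPLICIT = {"/": "HTTP/1.1 200 OK\r\n"
                        "set-cookie: sid_example=abc123; Path=/; HttpOnly\r\n"
                        "Set-Cookie: stale=x; expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n"}

if __name__ == "__main__":
    print(pre_consent_violations(SAMPLE_EXPLICIT))  # expected empty in Explicit mode
    print(pre_consent_violations(SAMPLE_IMPLICIT))
```

Capture the headers with a fresh browser profile so that no earlier consent or session affects the result.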
The settings of the GDPR Compliance (EU) add-on have the GDPR tab. It contains the list of places where checkboxes for requesting consent will be displayed. For each place, you can choose whether or not you want a checkbox for requesting consent to appear.
Every checkbox for requesting consent is accompanied by a notice about personal data processing. The texts of these notifications and checkboxes can be accessed and edited separately from each other. These texts are in fact language variables, so the same rules apply when you translate or edit them.
The texts may have [email] or [company] in them. These are placeholders that will be automatically replaced with actual data when customers see the notifications.
If you only have one storefront (or if you use Multi-Vendor), the data for the placeholders will be taken from Settings → Company. If you have multiple storefronts in CS-Cart, then the data will be taken from the settings of the storefront that a customer visits:
[company] will be taken from Company name.
[email] will be taken from User department e-mail address.
We tried our best to make the default personal data processing notifications as informative as possible. However, we can’t guarantee that they fully comply with the GDPR, especially since the practices regarding personal data differ in every company. That’s why we ask you to review and edit these notifications as you and your lawyers see fit.
Hint
If you don’t want the notification to be too long, add a link to your Privacy Policy to all of them, and describe everything in the Privacy Policy. However, we can’t guarantee that this practice is GDPR-compliant, so you’d have to consult your lawyer regarding this.
Check the storefront. Make sure that the notifications about personal data processing appear in every place where you collect personal data.
For example, the add-on doesn’t automatically add notifications about personal data processing to forms created with Form Builder. That’s because the checkbox can be created via the Form Builder itself.
In that case the consent for personal data processing won’t be stored in the database, but rather in an email you receive, alongside the data that the customer may’ve provided via the form.
Test the workflow of granting consent. Register as a new customer and give consent for personal data processing in various places. If you completed the optional step 2, try using the buttons for requesting personal data or the removal of data.
Open your database to see the consent logs in the cscart_gdpr_user_agreements table.
As an administrator, try exporting personal data and anonymizing a customer.
Note
Customers would have to contact you to request their personal data or anonymization. For example, they can do it via email that you provide in the notices about personal data processing in step 2.
The add-on by itself won’t make you GDPR-compliant. We recommend familiarizing yourself with the GDPR and looking into other measures that you may need to take.
For example, you may want to review and update your legal documents to address the requirements of the GDPR. For your online store, those documents could be:
terms_and_conditions_content.