Magento 2 GDPR safe
How do you make Magento 2 GDPR safe? There is a lot of confusion about this topic, and GDPR is much discussed these days. Here are some hints and useful tips.
Magento 2 GDPR safe
Magento is not GDPR safe! On 25 May the General Data Protection Regulation (GDPR for short) comes into force. The general idea behind it is to protect customer data and that no one should collect data without need. Magento 2 collects data, but I assume that you do not need it. So don't collect it!
Magento 1 had logging tables for various customer data such as logins and page visits, which could be disabled in the adminhtml. Magento 2 also collects that kind of data in the customer_log and customer_visitor tables, but there is no option to disable it.
Disable logging
If you cannot justify why you collect this data and do not inform your customers about it, this is punishable. Both tables record when a customer logs in and, for each session ID, the timestamp of the last visit. These tables are rather inconspicuous and easy to forget about.
The best idea is to stop collecting customer data that is not needed. Because Magento 2 has no option for this, you need to stop it programmatically. Luckily, there is a free module for this: Yireo DisableLog2.
It uses two plugins, for Magento\Customer\Model\Logger and Magento\Customer\Model\ResourceModel\Visitor, and stops further saving of data in an around plugin method that never calls the original. This is quite easy, but effective.
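To show how such an around plugin short-circuits the write, here is an added example of the same technique; it is not the Yireo module's code. The vendor/module name and the di.xml plugin names are made up, and the method signatures of Logger::log() and the resource model's save() are assumed to match Magento 2's core.

```php
<?php
declare(strict_types=1);

// Hypothetical module Vendor\DisableCustomerLog (not Yireo DisableLog2).
// Both plugins are registered in etc/di.xml of that module:
//   <type name="Magento\Customer\Model\Logger">
//     <plugin name="vendor_disable_customer_log"
//             type="Vendor\DisableCustomerLog\Plugin\CustomerLoggerPlugin"/>
//   </type>
//   <type name="Magento\Customer\Model\ResourceModel\Visitor">
//     <plugin name="vendor_disable_customer_visitor"
//             type="Vendor\DisableCustomerLog\Plugin\VisitorResourcePlugin"/>
//   </type>
namespace Vendor\DisableCustomerLog\Plugin;

use Magento\Customer\Model\Logger;
use Magento\Customer\Model\ResourceModel\Visitor;
use Magento\Framework\Model\AbstractModel;

class CustomerLoggerPlugin
{
    /**
     * Around plugin for Logger::log(). $proceed is never invoked, so the
     * row that would go into customer_log (login/logout timestamps,
     * last-login IP) is simply not written.
     * Assumption: core log() returns $this, so the subject is returned
     * to keep callers that chain on the result working.
     */
    public function aroundLog(Logger $subject, callable $proceed, $customerId, array $data): Logger
    {
        return $subject;
    }
}

class VisitorResourcePlugin
{
    /**
     * Around plugin for the Visitor resource model's save(). Skipping
     * $proceed keeps customer_visitor (session id, last visit time)
     * from being populated. AbstractDb::save() returns $this, so the
     * subject is returned here as well.
     */
    public function aroundSave(Visitor $subject, callable $proceed, AbstractModel $object): Visitor
    {
        return $subject;
    }
}
```

After enabling the module, confirm with a test login that no new rows appear in customer_log and customer_visitor.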
Tips
There are many other things to consider. It is important to ask users for their consent to store data every time a form is submitted. Examples are:
- contact form
- customer registration form
- checkout form (last step)
Each checkbox must not be pre-checked: there has to be an active action by the customer to tick it. The checkbox also needs to be required in order to submit the form data. Besides this, you need to adapt your privacy policy page and inform your users about tracking and cookies. A working cookie notice banner goes without saying.
Conclusion
By making your shop GDPR safe, you learn a lot about how Magento 2 collects data. It is a good idea to stop collecting unnecessary data and take responsibility for doing so. GDPR applies if you have customers from the EU, which I think nearly every Magento 2 shop has.