On May 25, 2018, a new landmark privacy law called the General Data Protection
Regulation (GDPR) came into effect, impacting every retailer conducting business in the
European Union (EU).
The GDPR expands the data privacy rights of EU citizens and places new
obligations on merchants who handle EU-based personal data. Salesforce B2C Commerce is here
to help our merchants prepare for the GDPR. The GDPR replaces the patchwork of national data
protection laws currently in place with a single set of rules. Merchants established in the
EU who process personal data fall under the purview of the GDPR. The GDPR also extends to
merchants established outside the EU if they are transacting business in the EU by, for
example, offering goods or services or monitoring the online behavior of EU data subjects.
All Commerce Cloud merchants should be aware of the following:
- The GDPR is not just for EU-based organizations - If you think the GDPR doesn’t apply to
you, take a closer look. If your brand does business in the EU, offers goods or services
to EU shoppers, collects data, or monitors EU data subjects, you fall within scope of the
regulation.
- Merchants need to understand the impact of the GDPR on their business - Merchants are
responsible for assessing the scope of the GDPR within their own companies and taking
action to ensure compliance.
- The GDPR requires a partnership between Salesforce and our merchants - Salesforce looks
forward to working with and listening to our merchants' GDPR needs to better understand
the impact of the law.
GDPR is not the only data protection and privacy regulation that can require you and
your company to keep individuals' personal data secure and private. We've listed some other
regulations that are important to many companies collecting and processing their shoppers'
data.
- California Consumer Privacy Act (CCPA)
- Personal Information Protection Act (PIPA), Japan
- Privacy Act, Australia
- Personal Information Protection and Electronic Documents Act (PIPEDA), Canada
As new data protection and privacy solutions are launched, Commerce Cloud will provide
specific documentation to help merchants understand how these new features can be used to help
with compliance. This will cover existing tools and also extend to new release items.
For more information, visit the Salesforce GDPR Resources and the Salesforce Privacy
websites.
Various regulations can include principles that are similar to one another.
So we give you guidance on some of the common privacy principles.
- Data Deletion: Delete Personal Data. Get guidance on deleting personal data as you
comply with various data protection and privacy regulations. We give you examples of
common shopper requests and things to consider. That way, you can determine how to best
comply with the regulations that apply to your company.
- Consent Management: Track Shopper Consent. Track your shoppers’ approval for how your
company interacts with them. To help you assess your compliance with various data
protection and privacy regulations, we give you examples of common shopper requests. And
we provide details to help you determine the best way to comply with the regulations that
apply to your company.
- Restriction of Processing: Restrict How to Process Personal Data. Prevent the processing
of your shoppers’ data when situations require you to do so. We give guidance on how to
restrict forms of data processing. That way, you can work toward complying with the laws
that are important to your company.
- Data Portability: Give Shoppers Their Data when They Want It. Export shopper-related data
when shoppers request it, so that you can work toward complying with various data
protection and privacy regulations. We give you examples of common shopper requests and
things to consider when you evaluate your compliance with the regulations that apply to
you.
Browser-Based Local Data Storage
B2C Commerce uses various cookies and session storage objects on users' and shoppers'
local machines. The details of how they are used and how long they persist are documented
here. In some cases, for example, when you receive a request for data deletion, you should
inform shoppers of session data that might remain on their computers.