EasyCart is designed to handle a lot of personal information (PI) for users who visit, shop, and ultimately purchase.  As countries implement more data protection policies, it is important we clearly state what data is stored, saved, and utilized so you can better build a policy and terms for your website and specific country legal needs.

We are providing this information so that you may better know what data is stored and used within the EasyCart system.  It is ultimately up to you to build a policy and terms that use this information as you need to meet your own personal requirements and situation.  EasyCart does not imply our software will work for every situation and need and this information is provided strictly as informational purposes, not as a legal means, and may change or be altered at anytime.  We make every effort to best provide accurate information when available.

Evolution of Personal Information

In 2018, the European Union’s General Data Protection Regulations (GDPR) released standards for personal information handling that used to be considered fairly benign.  This shift required companies to revisit how they handle personal information and also WHAT personal information is being used.  This includes any information that can ??directly or indirectly? identify a person, including real names and screen names, identification numbers, birth date, location data, network addresses, device IDs, and even characteristics that describe the ??physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.? This conceivably could include any piece of information about a person that isn??t anonymized.

In 2020, the United States released the California Consumer Privacy Act (CCPA) released its standards for personal information and expanded a little on the GDPR.  Under the CCPA, personal information is ??information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.? This includes a host of information that typically don??t raise red flags but which when combined with other data can triangulate to a specific individual like biometric data, browsing history, employment and education data, as well as inferences drawn from any of the relevant information to create a profile ??reflecting the consumer??s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.?

Who it applies to?

While we know that EU’s GDPR applies to any company that does business within the EU, either offers goods/services (paid or for free) or is monitoring the behavior of individuals in the EU… California’s CCPA is much different.

CCPA is a bit larger scale and currently applies to companies with annual revenue over $25 million or has over 50,000 people that it collects data on.  Companies do not have to be based in California or have a physical presence there, or even based in the United States to fall into this category.  This for most users will mean they do not need to worry about the CCPA, however, more national trends may soon include this for everyone… so worth following and gearing up.

What do you need to do?

If you are a small or mid sized business selling under $25 million annually or do not have 50,000 people you collect information on, then there is not much you need to do to actually comply.  If you do have over this figure, you likely have a legal team and/or are already aware of what is needed by working with professionals.  Typically you will need to have a clear link on your footer or site that allows people to delete and opt out of any data collection at any time.  This will be difficult for many individual companies who know that data like this can be stored across multiple systems, terabytes of data, and no clear path to just remove.

More importantly, all sites really should contain a data policy that is available on their site showing specifically what data is collected and how it is used by your company.  If you sell to third parties your lists, what other companies may have access to users data, and if users are not able to clearly get access to this information you can be sued under the CCPA.  This is a particularly important element and something all companies should start implementing as it is implied that this policy could easily become a federal law and required by all businesses and companies doing business online.

What data does EasyCart store?

While a wordpress website with EasyCart does not store full credit card information, it important to all companies using this setup to understand what data IS actually stored and used.  This data is considered personal information and identifiable information.  Much of this information is used for payment API systems, shipping API systems, Tax API systems, and fraud detection systems and is considered normal data collection for any eCommerce site.  This information should be useful for building a policy around your company that users can clearly see.

• Usernames & Encrypted passwords are saved with users who opt to save their account information on your website during checkout and account creations.
• Email addresses are saved with all user orders and accounts.
• Billing addresses are required on all orders placed for payment purposes.
• Shipping addresses are optional depending on company and product setup and used in a variety of shipping and tax calculation processes.
• Order history and order data saved per user can contain personal information including product, option and other cost associated data.
• IP information is saved on order processing to help payment processors develop and implement fraud protection processes.
• Cookies and session data is often stored and used for ecommerce tracking, and can include a personally identifiable signature to tie a user to their shopping cart, account, and purchasing history.
• In some payment processing, the last 4 digits of a credit card and also the expiration date are saved and used in order management for authentication and verification of terminal orders.
• EasyCart implements several tracking code systems such as Google Analytics and Facebook Pixel which indirectly will collect user information such as order data, location, and page flow tracking.  This information is not saved directly within the EasyCart system, but is directly implemented and passes personal information to those systems.
• Third party applications such as Quickbooks, ShipStation, MailChimp, Stamps.com, Bluecheck and other extensions vary on what data is processed or stored, but should be considered a pathway to data collection with all information above processed to these third party systems to handle their unique applications.  If you install or implement a third party extension or connection with EasyCart, then it can be assumed that all data we collect is passed or shared to those platforms.

Keep in mind that peripheral data can always be collected on top of what our software or EasyCart collects as it integrates into a WordPress website… therefore, other plugins, themes and WordPress itself can and most likely will collect more data.  You should reference all of those companies, plugins, themes, and related software for what data collection is returned on their part as well.

Next Steps?

Now that you know what the data protection policies are and general guidelines for each, you should begin building a company policy and strategy surrounding your particular needs.  We highly recommend all online ecommerce sites build and implement an easy to access policy statement that outlines what data they handle, how they handle it, and with whom they share data with.  The above information should help formulate part of that policy with regards to EasyCart.

Businesses and online companies would be further ahead of the game to implement a plan to allow users to remove their data as it is becoming more and more evident that users will have a full right to control and manage that data.  It may be as simple as developing a link on your footer or site to allow users to ‘Opt Out’ and request their data removal or usage report.  While this may be a larger struggle for companies to build, it is clear that the future will head more and more in this direction.

EasyCart is providing this information to the best of our knowledge and is not claiming to be a legal authority or fully compliant solution but strives to follow best practices where it can.  As more information and companies fall into these regulatory rules, we will continue to monitor and build systems for our users.  For more resources and legalities, it is always important to consult with a legal professional should you need.

Further Resources:

General Data Protection Regulation:  https://gdpr.eu/

California Consumer Privacy Act: https://oag.ca.gov/privacy/ccpa