-
Notifications
You must be signed in to change notification settings - Fork 340
GDPRCompliance
Replacing the previous 1995 EU Data Protection Directive, GDPR was developed in recognition of the increasing need to protect the rights and personal data of each individual EU resident.
ElasticSuite contains a tracking module that consolidate all browsing data in ElasticSearch indices.
In the future, these data wil be used to build exciting features that are in our roadmap like :
- Automated search result optimization
- Better customer interest knowledge
- Recommandations
- Search analytics
At the same time, those data may be considered personal from the GDPR point of view.
We wrote this guide to help you to make your ElasticSuite installation compliant with GDPR :
-
Customer information and user consent for tracking
-
Personal data management
One of the key point of GDPR is to give an accurate information about data collected by your service. Magento does provide a sample cookie information page (privacy-policy-cookie-restriction-mode CMS page) used to inform customers on cookies and tracking.
This page should be modified to add cookies used by ElasticSuite to track user behavior :
Cookie name | Cookie lifetime | Description |
---|---|---|
STUID | 1 hour | This cookie identify unique browsing session. |
STVID | 365 days | This cookie identify unique returning visitor . |
Cookie name and lifetime can be changed in Stores > Configuration > Smile ElasticSuite > Tracking > Session Configuration
GDPR compliance requires that you collect user consent before you start to collect data. Most website will implement their own mechanism to collect this consent.
Our work on ElasticSuite was both to bring a default implementation and to allow it to be customized easyly.
Magento is shipped with a very basic mechanism that allow to collect user consent before placing cookies. You can enable this feature by setting the Cookie Restricion Mode to Yes in Stores > Configuration > General > Web > Default Cookie Settings.
With our default implementation, nothing is collected by the tracker module before the user allows cookies to placed set on its device.
There is much reason for a merchant to develop its own consent mechanism (granularity, UX, ...). We designed the feature to be easy to customize.
The default consent script and its configuration params is injected in the page through a simple layout (Smile/ElasticsuiteTracker/view/frontend/layout/default.xml
) :
<block template="config.phtml" class="Smile\ElasticsuiteTracker\Block\Config" name="smile.tracker.config">
<arguments>
<argument name="userConsentScript" xsi:type="string">Smile_ElasticsuiteTracker/js/user-consent</argument>
<argument name="userConsentConfig" xsi:type="array">
<item name="cookieRestrictionEnabled" xsi:type="helper" helper="\Magento\Cookie\Helper\Cookie::isCookieRestrictionModeEnabled" />
<item name="cookieRestrictionName" xsi:type="string">user_allowed_save_cookie</item>
</argument>
</arguments>
</block>
The default JS script use to detect user consent (Smile/ElasticsuiteTracker/view/frontend/web/js/user-consent.js
):
define(['jquery', 'mage/cookies'], function ($) {
return function(config) {
return config.cookieRestrictionEnabled == false || $.mage.cookies.get(config.cookieRestrictionName) !== null;
};
})
It allows any developers to :
- Write its own JS detection script
- Replace the default one by it in the layout
All data stored in the ElasticSuite behavioral indices are anonymous and not problematic regarding GDPR.
For logged in customer, we are storing the list of their session ids and visitor ids in the MySQL database (elasticsuite_tracker_log_customer_link). Those information allows us to reconciliate behavioral data with an existing customer what is more problematic regarding GDPR since it make allow to identify.
To be fully compliant with GDPR, ElasticSuite provides differente mechanisms that can be used to manage customer data :
-
An anonymization delay for customer personal data
-
The ability to anonymize all data related to a customer
This feature can be enabled in Stores > Configuration > Smile ElasticSuite > Tracking > Tracking Anonymization. The default anonymization delay is 365 days.
When this feature is enabled, the link between customer and tracking data are removed after 365 days. Once this link is removed tracking data become anonymous again and can only be used for analytics purpose.
GDPR grant customers the right to ask all their personal data to be deleted. You can do this by deleting the customer account.
If you plan to implement GDPR in a more granular way, we provide a way to delete the link between the customer and its tracking data by using the \Smile\ElasticsuiteTracker\Api\CustomerTrackingServiceInterface::anonymizeCustomerData($customerId)
method.
This way, data kept in the indices are anonymous and not considered as personnal anymore.
-
User's Guide
-
Developer's Guide
-
Releases
- Magento 2.3.x
- Magento 2.2.x
- Magento 2.1.x
- ElasticSuite 2.5.15
- ElasticSuite 2.5.14
- ElasticSuite 2.5.13
- ElasticSuite 2.5.12
- ElasticSuite 2.5.11
- ElasticSuite 2.5.10
- ElasticSuite 2.5.9
- ElasticSuite 2.5.8
- ElasticSuite 2.5.7
- ElasticSuite 2.5.6
- ElasticSuite 2.5.5
- ElasticSuite 2.5.4
- ElasticSuite 2.5.3
- ElasticSuite 2.5.2
- ElasticSuite 2.5.1
- ElasticSuite 2.5.0
- ElasticSuite 2.4.6
- ElasticSuite 2.4.5
- ElasticSuite 2.4.4
- ElasticSuite 2.4.3
- ElasticSuite 2.4.2
- ElasticSuite 2.4.1
- ElasticSuite 2.4.0
- ElasticSuite 2.3.10
- ElasticSuite 2.3.9
- ElasticSuite 2.3.8
- ElasticSuite 2.3.7
- ElasticSuite 2.3.6
- ElasticSuite 2.3.5
- ElasticSuite 2.3.4
- ElasticSuite 2.3.3
- ElasticSuite 2.3.2
- ElasticSuite 2.3.1
- ElasticSuite 2.3.0
- Magento 2.0.x