GDPR stands for General Data Protection Regulation and is a new set of rules introduced by the European Union (EU) to provide better privacy controls and data protection to people located inside the European Union.

The GDPR officially went into effect on May 25, 2018. Any Etsy seller that is based in the EU, or any non-EU seller with customers or potential customers in the EU, will now need to ensure that they are compliant with this new regulation.

Essentially, this means that you'll need to ensure that:

  1. All EU user data that you have collected and stored has been collected for legitimate business reasons and you are taking measures to keep this data secure.
  2. All EU users that you contact have opted into any marketing lists that you maintain.
  3. You have a process in place to respond to requests from EU citizens to remove their data fully from your systems.
  4. You have clear, publicly available policies in place that explicitly outline how you will comply with GDPR regulations.

Let's go through these points in a little more detail to see how they need to be addressed from an Etsy seller perspective.

Secure and valid storage of EU user data

For this requirement, if you hold any contact data for Europeans you'll need to ensure that there is:
a) a valid reason why you are storing their data and
b) enough security and protection around their data to prevent data breaches

Keeping user data scattered about in unsecured locations is no longer acceptable - if you are directly responsible for a data breach, fines from the EU can now possibly apply. You'll need to do a full security audit of all places you store customer data and ensure that they are password protected, encrypted if possible and not available to be accessed by anyone outside of your business.

Contact list opt-in

All EU users that you now contact will need to have explicitly opted into this. If you keep hold of customer emails and send them marketing emails at any time without them formally agreeing to this, then you will now be in breach of EU regulation. For any lists you already have, if you do not know if or how the user has opted in (i.e. you added their contact details to a list without their express permission or you don't know how you got hold of the email address), you will need to remove their data from your systems to be compliant.

User deletion policy

You are responsible for complying with any deletion requests from your EU users. To ensure that you can do this, you'll want to take some time to document all the places where you store user data - from the spreadsheet you might be maintaining for shipping dates, to the online handmade inventory software you are using to manage your stock levels.

As a starting point, you'll want to be looking for systems you use for your business like:

  • Any spreadsheets, Word docs or applications (cloud-based or located on your own machine) where you collate details like email addresses, phone numbers and physical addresses.
  • Any tracking programs you use that store identifiable information about users (e.g. retargeting software)
  • Email programs you use, offline and online copies of both
  • Mailing list software that you use to send out newsletters
  • E-commerce software and platforms (e.g. Etsy, Shopify, WooCommerce)
  • Inventory software (e.g. Craftybase)
  • Shipping software (e.g. Shipstation)
  • Any other third party software you use in which user data is transmitted and stored.

From here, you'll need to know how to remove the user's data from all of these systems in a timely manner - it's worth doing a quick "fire drill" with a made-up deletion request to ensure that you can action this. Most software will provide you with methods to remove or edit data, however if they don't you'll want to get in touch with them to see what their deletion policy is, or alternatively reassess your use of this software in favour of a product that has clearer deletion policies.

Craftybase provides full capabilities to permanently remove user data and is fully GDPR compliant.

Updating your Privacy Policy

Over the last couple of months, it seems every company on the planet has been updating their privacy policy for GDPR compliance. As an Etsy seller, you'll also need to review your privacy policy and make changes where necessary to ensure that you are also compliant.

For further details about how to write good privacy policies, you'll want to read this article by Etsy's legal team:
Etsy Seller Handbook: How to write on-point privacy policies