Important

You are browsing the documentation for version 1.6 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Consent Management

GDPR Principles

The General Data Protection Regulation (GDPR) is a law on protection of personal data that affects companies based in the European Union and organizations that have operations and customers on its territory, regardless of the company’s location. In addition to putting new obligations on the companies collecting personal data, the GDPR gives individuals more power to access the information that is held about them. This includes giving consumers the right to get their personal data erased in circumstances where it is no longer necessary for the purpose it was collected, if the consent to process data is withdrawn, or if it has been processed unlawfully.

Not complying with the GDPR can result in disciplinary actions from relevant supervisory authorities.

Important

Learn more on data protection regulations in the official GDPR portal and the EU Commission web page, or see the ICO's Guide to the GDPR before you proceed.

GDPR Compliance in OroCommerce

Complying with the new data protection regulations, OroCommerce provides a flexible mechanism for collecting and managing customer consents.

In this respect, OroCommerce customers have the right to:

• Know what personal data is processed and stored in the application and how, and request this information at any moment.
• Request to modify their personal data if it is incorrect, outdated, or otherwise inaccurate.
• Reuse their personal data and export it to other systems or organizations.
• Revoke the consent to process their personal data and opt out of any email, telephone or other types of communication.

Getting Started with Consent Management

In the OroCommerce back-office, consents are managed by security policy officers (or other company-specific roles with the corresponding consent management permissions) who enable, configure and manage them in the application. Consents can also be localized and display the information in the required language.

You can create two types of consents in OroCommerce, mandatory and optional.

Mandatory consents restrict buyers in the storefront from proceeding to the checkout or creating RFQs, unless they accept these consents. An example of a mandatory consent is a buyer’s agreement to comply with the company’s terms and conditions, or their explicit permission to let the application process personal data for business intelligence purposes.

Optional consents do not restrict buyers from working with the application and are usually used to retrieve permissions to send them email newsletters, inform about upcoming sales or seasonal discounts, etc.

Once the consent is accepted by at least one buyer in the OroCommerce storefront, it becomes uneditable and unremovable from the system, and can be used as evidence should any legal requirements arise to provide it. Moreover, in this case, administrators cannot modify the content of the consent description in any way, and can only view the available consents.

You can view all consents accepted by your customer users in the Consents section of their pages under Customers > Customer Users.

By default, consents are disabled in OroCommerce.

To enable and configure consents in OroCommerce, take the following steps:

• Install the Customer Consent Management extension.
• Enable consents in the system configuration.
• Create a landing page with the text of the consent, and add it as a content variant of a content tree node.
• Create a new consent under System > Consent Management, define its properties, and link it to the content tree node.
• Add the consent to the list of enabled user consents in the system configuration to display consents in the storefront.
• (Recommended) Enable the Checkout with Consents workflow to restrict access to the storefront without consents.

Consents can be configured on two levels, global and website. However, you can add consents to the storefront on the website level only when consents are enabled globally.

Learn more on the configuration and localization of consents in OroCommerce in the following topics:

• Configure Consents
• Create Consents
• Add a Consent Landing Page to a Web Catalog
• Localize Consents
• View and Accept Consents in the Storefront
• Revoke Consents
• Explore the Checkout with Consents Workflow
• Add a Cookie Banner to the Website

Related Topics

• Data Protection in the OroCommerce Storefront
• Declined Consents as Contact Requests
• Build Reports with Accepted Consents