Configure Consent Requests

You must determine which types of data processing activities need consent, how to get permissions, and how to add details to your site’s terms and conditions.

This section applies to OSF. This section applies to Open Storefront Framework (OSF).

You must also define the GDPR-based shopper profile properties and to determine the next steps in the shopper’s experience when consent is given or revoked. Retail Digital Commerce does provide a set of tools that you can use and customize to assist with compliance of some of the GDPR requirements.

You can ask consent for various data processing types at different points in a shopper’s visit. Examples of data processing types include, but are not limited to, processing orders, sending marketing material, enabling third-party data sharing, creating cookies, or personalizing the shopper’s experience. You can capture consent when a shopper logs in, during the order checkout process, or when you work within the shopper’s profile. Additionally, the Receive Email Updates checkbox that is displayed on these pages allows you to request email consent.

When a shopper creates an order, your policy may be to consider that the shopper is inherently giving permission to use their personal data for the purpose of processing the order. It is up to you to provide any necessary disclaimer text or to customize order consent requests. To do this, you can customize widgets and profile properties.

If you prefer to request separate consent to capture data for order processing, and the shopper does not give consent, you must determine what actions occur. For example, you might prevent profile registration or guest checkout. Once you have determined the workflow, you should create the necessary customization.

Understand consent properties and cookies

The following table describes properties and cookies provided by Retail Digital Commerce for managing various types of consent:

Consent For Property/Cookie Description
Personalization requireGDPRP13nConsent

This site-level property indicates if the shopper must provide consent when they register on your site. When consenting, the shopper is allowing you the right to perform personalization.

For additional information, refer to the Manage personalization consent section.

Personalization GDPRP13nConsentGranted

This profile property tracks a shopper’s consent status.

For additional information, refer to the Manage personalization consent section.

Personalization GDPRP13ConsentDate

This profile property tracks the date that the shopper provided consent.

For additional information, refer to the Manage personalization consent section.

Personalization and Site GDPRCookieP13nConsentNotRequired

This cookie is placed on a shopper’s browser if your site does not require consent, or if the shopper’s locale is identified as a non-GDPR country.

For additional information, refer to the Manage cookie-based consent section.

Personalization and Site GDPRCookieP13nConsentGranted

This cookie is placed on a shopper’s browser if the shopper has given their consent.

For additional information, refer to the Manage cookie-based consent section.

Site requireGDPRCookieConsent

This site-level property identifies if the shopper is required to accept the cookies used on your site.

For additional information, refer to the Manage cookie-based consent section.

The following sections describe how to use these properties and cookies. Note that this documentation is not intended as legal advice for the GDPR. Please refer to your legal counsel for guidance.

Manage Personalization Consent

You may want to obtain a shopper’s consent to perform profile-based personalization. For example, if you use audiences, or the product recommendations widget, you may need to collect the personal data stored in a shopper’s profile.

You can collect profile data consent at shopper registration or order checkout by using the GDPR-based profile properties to indicate the need to display consent checkboxes. Configure personalization consent using the following widgets and elements:

  • The customerProfile widget
  • The shopperDetail widget
  • The checkoutRegistration widget
  • The login-registration element
  • The contact-login-for-managed-contacts element

Note that these widgets will contain the necessary consent fields by default when you set your environment to require the GDPR consent.

To indicate that your site needs consent to use the shopper’s personal data, use the Retail Digital Commerce Admin API updateSite endpoint to set requireGDPRP13nConsent to true. By default, this field is set to false. For example: 

PUT /ccadmin/v1/sites/siteUS  HTTP/1.1

{
  "properties":
  {
    "requireGDPRCookieConsent":  true,
    "requireGDPRP13nConsent":  true
  }
}

Then, when a shopper accesses your site, they are presented with a checkbox asking if they would like to see relevant, or personalized, data. Additionally, they will be presented with the Receive Email Updates checkbox.

A shopper’s consent status is stored in the GDPRP13nConsentGranted property of their profile. The date that the shopper provided consent is stored in the GDPRP13nConsentDate property.

You should work with your legal team to determine the actions required for various configurations. For example, if your site uses audiences and you have set the requireGDPRP13NConsent flag to true, shoppers must provide consent. If a shopper does not provide consent, the non-consenting shopper cannot be a member of any of your audiences that use shopper profile data. You may want to indicate to the shopper that this will occur if they do not consent.

Once a shopper has provided initial consent, you can determine what, if any, situations require the shopper to provide new or additional consent. By default, shoppers who have given consent will not be presented with additional consent requests unless you configure your storefront as such.

The following example shows how you could modify the Shopper Details and Customer Profile widget templates to require GDPR personalization consent:

<div class="row col-md-12" data-bind="visible:$parent.site().
    requireGDPRP13nConsent">
  <div class="form group">
    <div class="checkbox" id="CC-customerProfile-edit-personalizationConsent-
            checkbox">
        <label for="CC-customerProfile-edit-personalizationConsent">
          <input type="checkbox" name="personalization-Consent"
                data-bind="checked: GDPRProfileP13nConsentGranted"
                id="CC-customerProfile-edit-personalizationConsent">
          <span data-bind="widgetLocaleText: 'personalizationConsentText'"
                id="CC-customerProfile-edit-personalizationConsent-text"></span>
        </label>
    </div>
  </div>
</div>

Note that you can add text that is appropriate for your environment by editing the widget’s resource file.

For information on audiences, refer to Define Audiences. For information on customizing the product recommendations widget, refer to the Product Recommendations.

Manage Cookie-based Consent

Cookie-based consent requests are made when you want to obtain consent from shoppers to use cookies that contain personal data during their site visits. Additionally, you can use cookie-based consent requests while creating personalization consent. For example, by setting the requireGDPRCookieConsent site property you can set the consent for receiving cookies. By setting the requireGDPRP13nConsent property, you can set personalization consent.. The need to request consent is based upon the locale of the shopper, and whether the cookie consent property is set to true.

Use the Retail Digital Commerce Admin API updateSite to set requireGDPRCookieConsent to true. By default, this field is set to false. For example: 

PUT /ccadmin/v1/sites/siteUS  HTTP/1.1
{
  "properties":
  {
    "requireGDPRCookieConsent":  true,
    "requireGDPRP13nConsent":  true,
   }
}

The following table displays the possibilities when you set the requireGDPRCookieConsent property to true. When you set the property to true, your consent dialog is displayed to the shopper when they visit the site:

Shopper Response Effect
Gives consent If the shopper gives consent, the GDPRCookieP13nConsentGranted cookie is placed on their browser. No cookies are deleted from the shopper’s browser.
Does not give consent If the shopper does not give consent, Oracle Retail Digital Commerce cookies that contain personal data will be deleted from the shopper’s browser, with the exception of cookies that are identified within the necessaryCookies property list in the widget JSON. No further cookies are added to the browser.
GDPR not applicable If the GDPR is not required, a GDPRCookieP13nConsentNotRequired cookie is placed on the shopper’s browser.

Note:

It is important to be aware of the cookies that your site uses, and, in particular, which cookies are deployed by third-party software. For a list of Retail Digital Commerce cookies, refer to Cookies used in Retail Digital Commerce.

If you have customized any of the following widgets, you may want to update to the latest default widget to get the new fields, or update your customized widgets to include the GDPR consent and profile personalization consent code elements. For information on upgrading customized widgets, refer to the Upgrade deployed widgets section in Design Your Store Layout :

  • customerProfile widget
  • shopperDetail widget
  • checkoutRegistration widget

You can configure your personalization services, such as the audience feature, to look for the presence of the GDPRProfileP13nConsentGranted cookie on the shopper’s browser and then perform the actions required for your site configuration. Refer to the Manage personalization consent section for information.

Configure Consent for Account-based Commerce

If your environment is configured with business accounts, as described in the Configure Business Accounts, you may want to configure profile properties that enable consent requests for account-based contacts. It is up to you to determine what types of consent to gather. For example, you may want to allow some accounts to grant consent on behalf of their contacts.

For example, you could configure your site to recognize when an account-based contact logs in for the first time and present them with various consent requests. Once you have consent, contacts who have visited before are not presented with additional consent checkboxes unless you configure it otherwise.

By default, when an account-based contact logs in, the Contact Login element of the Header widget checks to see if this is the contact’s first login. If it is, the contact is presented with a checkbox for consent to receive marketing emails, and a checkbox for personalization consent if the site has been configured to require consent.

Note that should it be necessary, you can provide agents and delegated administrators with the ability to use the getMember and updateMember endpoints in the Admin REST API to update a shopper’s consent properties. Administrators may also use the updateProfile endpoint to update an account-based shopper’s consent properties. For information on configuring custom properties, see Manage Shopper Profiles.