Introduction
GDPR came into force three years ago, and the changes in enforcement that affect online businesses have now arrived. In Q2 and Q3 2021, IRP Commerce has seen increased government enforcement of GDPR, resulting in practical changes that IRP Merchants must make to protect consumer privacy.
We have been working with the EU Data Commissioner to ensure that the IRP Commerce Cloud as a privacy-first platform provides a route for IRP Merchants to be compliant. The UK has its own official resource for everything that is required for a website to be GDPR-compliant within the UK. These recommendations mirror the EU requirements and legislation. For more information, see Guide to the UK General Data Protection Regulation.
Ongoing changes to the IRP Commerce Cloud will help IRP Merchants to manage GDPR compliance.
This article outlines what IRP Merchants must do to remain compliant:
- First, how cookies are categorised on IRP Merchant sites.
- Second, the steps that IRP Merchants need to take now to be GDPR-compliant.
Note: In a separate article we provide updates on how marketing tracking is affected by GDPR – see GDPR-Compliant IRP Tracking - Update for IRP Agencies, Merchants and Service Providers.
Cookie categorisations on IRP Merchant sites
Cookies are small pieces of text data that a website sends to the customer’s web browser, which stores them and sends them back with later requests to that website. They are used to recognise the browser and enable a company to track a user’s session.
The data stored in a cookie is created by the server when you connect. It is labelled with an ID that is unique to you and your browser. Each time the browser sends the cookie back to the server, the server reads the ID and knows which information to serve specifically to you.
There are two types of cookie:

| Cookie Type | Description |
| --- | --- |
| First-Party Cookies | First-party cookies are set by the website (or domain) you are visiting and are sent back only to that domain. They allow businesses to operate websites and to provide a personalised and convenient website experience, and they should remain private between the user and the website. However, analytics and advertising scripts loaded on a site have until now been able to write cookies under the site’s own domain, so that tracking cookies masquerade as first-party cookies; this practice is one of the things these changes tackle. A first-party cookie set and read by the site a user visits is not in itself a breach of privacy and is usually necessary for the site to work. |
| Third-Party Cookies | Third-party cookies are set by domains other than the website (or domain) you are visiting. They are usually used for online advertising and are placed on a website through a script or tag. The browser sends a third-party cookie back to the third party from every website that loads that third party’s code, so the third party can recognise the same browser across all of those sites, which is a genuine risk to privacy. |
For GDPR, the next important piece is the categorisation of cookies. Which categories a site sets, and whether it obtains consent for them, determines whether or not the website is GDPR-compliant:

| Cookie Type | Description |
| --- | --- |
| Strictly Necessary Cookies | These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by the user which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. IRP Commerce Cloud cookies all fall into this category. |
| Performance Cookies | These cookies allow companies to count visits and traffic sources (for example with Google Analytics) so that the performance of the site can be measured and improved. They enable companies to know which pages are the most and least popular and to see how visitors move around the site. These cookies are not necessary. |
| Functional Cookies | These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. |
| Targeting Cookies | These cookies may be set by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. |
By default, every category other than strictly necessary cookies must be disabled: no performance, functional or targeting cookie may be set until the user has opted in to that category. This gives the user the option to consent to each category of cookie separately if they wish.
It is important that the cookies are categorised correctly. This is handled through the OneTrust portal. When OneTrust is set up, the only two cookies that are allowed as strictly necessary are as follows:

| Cookie Type | Description |
| --- | --- |
| User Settings Cookie | This cookie is used to determine the customer’s browser settings (including location) and ensures that the website functions as it should for them so that they can browse, add products to their basket, use the checkout and so forth. |
| irp-st-cdn-set | This cookie is used by our security and intrusion detection systems, specifically to distinguish valid users of the site. A valid user who generates several requests will present the same cookie on each request. Clients that present a different ID on each request from the same location are almost invariably bots; we examine these and determine whether they are good or bad, allowing us to whitelist or blacklist them appropriately. |
Steps IRP Merchants need to take now to be GDPR-compliant
Failure to comply will lead to fines for Merchants within the EU. UK retailers are also at risk, including from individual actions.
IRP Commerce will help Merchants who use OneTrust free of charge because we have run through the setup a number of times and are confident that this solution will not cause any performance issues with the website, unlike some other solutions we reviewed.
IRP Commerce has been assisting Merchants with the rollout of cookie consent mechanisms to ensure that the end customer has the ability to opt in to third-party cookies if they wish to, or continue only with strictly necessary cookies.
The process for getting set up with OneTrust is as follows – note that your Customer Success Manager or Account Manager will normally carry out these steps on your behalf:
- Sign up for a OneTrust account and select the ‘Cookie Consent’ module.
  OneTrust have a package at £30 per month that will cover basic EU GDPR compliance without impacting site performance. You can set up a OneTrust account from the following URL; OneTrust has given us a referral code so that we can see which Merchants have signed up. Note that an account takes 24 hours to activate.
  https://www.onetrust.com/products/cookie-consent/
  Referral code: IRPCOMMERCE
- Once logged in, enter your domain and scan your site.
  OneTrust will scan the entire site for all cookies and, using their database, will categorise them into the correct categories. OneTrust will then generate a script for adding to your website.
- Add the published OneTrust script to your IRP site.
  This is straightforward to do using IRP Admin.
- Test your site with the script implemented.
  It is important to test the OneTrust widget on mobile and desktop to ensure that everything is loading correctly and that nothing is going to impact performance or sales.
- Test the cookies to ensure that only strictly necessary cookies are set on the first page load, before the user has given any consent.
  When reviewing cookies it is also important to check how long each cookie is stored for and when it expires. There are restrictions on this: if a cookie has an expiry of more than 2 years, it may be necessary to contact the company that controls the cookie and have the expiry reduced.
- Update your cookie page with all content required for a GDPR-compliant cookie policy.
  OneTrust provide a script that you can embed in your cookie page that will pull in all website cookies and display them by category. OneTrust is very customisable and you can configure the branding to match your website; for a good example, see Newbridge Silverware. Your Customer Success Manager will be happy to assist once the Merchant has signed up to this service.
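The two checks in the cookie-testing step above (only strictly necessary cookies before consent, and no cookie living longer than 2 years) can be scripted against the Set-Cookie headers returned by a fresh, consent-free page load. The script below is an added example written for this article; it is not IRP Commerce or OneTrust code. The allowlist assumes the User Settings cookie is literally named `UserSettings` (a placeholder, since the article does not give its real name), and the captured header lines are constructed: `_ga` is the Google Analytics cookie name, `ads_uid` is a made-up targeting cookie, and the capture time is fixed so the lifetime arithmetic is reproducible.

```python
"""Audit the Set-Cookie headers returned on a first, consent-free page load.

Two checks from the article's cookie-testing step: (1) every cookie set
before consent must be on the strictly necessary allowlist, and (2) no
cookie may live longer than 2 years. Added example, not IRP/OneTrust code.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=730)  # the article's "more than 2 years" limit

# Assumed allowlist: the two cookies the article names as strictly necessary.
# "UserSettings" is a placeholder for the User Settings cookie's real name.
STRICTLY_NECESSARY = {"UserSettings", "irp-st-cdn-set"}

# Constructed sample: headers as they might be captured from a fresh page load
# (for example with `curl -s -D - -o /dev/null https://shop.example/`).
# "_ga" is the Google Analytics cookie; "ads_uid" is a made-up targeting cookie.
CAPTURED_HEADERS = [
    "UserSettings=gb-en; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=31536000",
    "irp-st-cdn-set=a1b2c3d4; Path=/; Secure; HttpOnly; SameSite=Strict",
    "_ga=GA1.2.123456789.1600000000; Path=/; Max-Age=63072000",
    "ads_uid=9f8e7d; Path=/; Expires=Mon, 01 Jan 2029 00:00:00 GMT",
]
# Fixed "now" (the assumed capture time) so lifetimes are reproducible.
CAPTURED_AT = datetime(2021, 9, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a dict of attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_lifetime(cookie, now):
    """Lifetime per RFC 6265: Max-Age takes precedence over Expires;
    neither attribute means a session cookie, reported as None."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit(headers, allowlist=STRICTLY_NECESSARY, now=None, max_lifetime=MAX_LIFETIME):
    """Return (cookie name, issue code, detail) for every violation found."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        if name not in allowlist:
            findings.append((name, "not_strictly_necessary",
                             "set before consent; must be gated on its category"))
        lifetime = cookie_lifetime(cookie, now)
        if lifetime is not None and lifetime > max_lifetime:
            findings.append((name, "lifetime_exceeded",
                             f"lives {lifetime.days} days, limit {max_lifetime.days}"))
    return findings


def audit_captured():
    """Run the audit over the constructed sample at its capture time."""
    return audit(CAPTURED_HEADERS, now=CAPTURED_AT)


if __name__ == "__main__":
    for name, code, detail in audit_captured():
        print(f"{name}: {code} ({detail})")
```

On the constructed sample this reports `_ga` and `ads_uid` as set before consent, and `ads_uid` as exceeding the 2-year limit; `_ga` sits at exactly 730 days and so passes the lifetime check. One caveat: Set-Cookie headers only show cookies written by the server. Cookies written by JavaScript tags (the usual way analytics and advertising scripts create cookies under the site’s own domain) never appear in the HTTP response, so the same allowlist must also be checked against the browser’s storage inspector or `document.cookie` after a clean load.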