
GDPRCompliance

Aurélien FOUCRET edited this page Apr 27, 2018 · 3 revisions

Replacing the previous 1995 EU Data Protection Directive, GDPR was developed in recognition of the increasing need to protect the rights and personal data of each individual EU resident.

⚠️ This guide is applicable to all ElasticSuite versions from 2.5.9. If you are using an older version and can't upgrade, you need to disable user tracking to stay GDPR compliant (Stores > Configuration > Smile ElasticSuite > Tracking > Global Configuration > Enabled).

How is ElasticSuite affected by GDPR

ElasticSuite contains a tracking module that consolidates all browsing data in ElasticSearch indices.

In the future, these data will be used to build exciting features that are on our roadmap, like:

  • Automated search result optimization
  • Better customer interest knowledge
  • Recommendations
  • Search analytics

At the same time, those data may be considered personal from the GDPR point of view.

We wrote this guide to help you make your ElasticSuite installation compliant with GDPR:

  • Customer information and user consent for tracking

  • Personal data management

Customer information and user consent for tracking

One of the key points of GDPR is to provide accurate information about the data collected by your service. Magento does provide a sample cookie information page (the privacy-policy-cookie-restriction-mode CMS page) used to inform customers about cookies and tracking.

This page should be modified to add the cookies used by ElasticSuite to track user behavior:

| Cookie name | Cookie lifetime | Description |
| --- | --- | --- |
| STUID | 1 hour | This cookie identifies a unique browsing session. |
| STVID | 365 days | This cookie identifies a unique returning visitor. |

Cookie names and lifetimes can be changed in Stores > Configuration > Smile ElasticSuite > Tracking > Session Configuration.

Customer information and tracking consent

GDPR compliance requires that you collect user consent before you start to collect data. Most websites will implement their own mechanism to collect this consent.

Our work on ElasticSuite was both to bring a default implementation and to allow it to be customized easily.

Default user consent implementation

Magento is shipped with a very basic mechanism that allows collecting user consent before placing cookies. You can enable this feature by setting Cookie Restriction Mode to Yes in Stores > Configuration > General > Web > Default Cookie Settings.

With our default implementation, nothing is collected by the tracker module before the user allows cookies to be set on their device.

Customize user consent detection implementation

There are many reasons for a merchant to develop their own consent mechanism (granularity, UX, ...). We designed the feature to be easy to customize.

The default consent script and its configuration parameters are injected into the page through a simple layout (Smile/ElasticsuiteTracker/view/frontend/layout/default.xml):

<block template="config.phtml" class="Smile\ElasticsuiteTracker\Block\Config" name="smile.tracker.config">
    <arguments>
        <argument name="userConsentScript" xsi:type="string">Smile_ElasticsuiteTracker/js/user-consent</argument>
        <argument name="userConsentConfig" xsi:type="array">
            <item name="cookieRestrictionEnabled" xsi:type="helper" helper="\Magento\Cookie\Helper\Cookie::isCookieRestrictionModeEnabled" />
            <item name="cookieRestrictionName" xsi:type="string">user_allowed_save_cookie</item>
        </argument>
    </arguments>
</block>

The default JS script used to detect user consent (Smile/ElasticsuiteTracker/view/frontend/web/js/user-consent.js):

define(['jquery', 'mage/cookies'], function ($) {
    // Receives the userConsentConfig array declared in the layout and returns
    // true when tracking may start: either cookie restriction mode is disabled,
    // or the consent cookie set by Magento's cookie notice is present.
    return function (config) {
        return config.cookieRestrictionEnabled == false || $.mage.cookies.get(config.cookieRestrictionName) !== null;
    };
});

This allows any developer to:

  • Write their own JS detection script
  • Replace the default one with it in the layout
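As an added example (not part of the ElasticSuite module), here is a custom detection script honouring the same contract as user-consent.js: a function that takes the layout's userConsentConfig and returns true only when tracking may start. It assumes a hypothetical consent-manager cookie (name passed as consentCookieName) whose value is URL-encoded JSON of category flags, and it fails closed on anything missing or malformed.

```javascript
// Added example for this page, not ElasticSuite's own code. It assumes a
// hypothetical consent cookie holding URL-encoded JSON such as
// {"necessary":true,"analytics":false} (constructed format) and reports
// consent only when the category named by config.requiredCategory is true.

// Parse a "name=value; name2=value2" cookie string into an object.
function parseCookies(cookieString) {
    var cookies = {};
    String(cookieString || '').split(';').forEach(function (part) {
        var eq = part.indexOf('=');
        if (eq < 0) { return; }
        var name = part.slice(0, eq).trim();
        var value = part.slice(eq + 1).trim();
        if (!name) { return; }
        try { cookies[name] = decodeURIComponent(value); } catch (e) { cookies[name] = value; }
    });
    return cookies;
}

// Fail closed: a missing cookie, invalid JSON, or a category that is not
// explicitly boolean true all mean "no consent, do not track".
function hasTrackingConsent(cookieString, config) {
    var raw = parseCookies(cookieString)[config.consentCookieName];
    if (raw === undefined) { return false; }
    var categories;
    try { categories = JSON.parse(raw); } catch (e) { return false; }
    if (!categories || typeof categories !== 'object') { return false; }
    return categories[config.requiredCategory] === true;
}

// Same signature as the default user-consent.js module: takes the
// userConsentConfig array from the layout, returns a boolean.
function userConsent(config) {
    var cookieString = (typeof document !== 'undefined') ? document.cookie : '';
    return hasTrackingConsent(cookieString, config);
}

// Register as an AMD module when RequireJS (Magento's loader) is present,
// so the layout's userConsentScript argument can point at this file.
if (typeof define === 'function' && define.amd) {
    define([], function () { return userConsent; });
}
```

In the layout, the userConsentScript argument would then reference this file and userConsentConfig would carry the consentCookieName and requiredCategory items instead of the cookie restriction ones.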