
GDPR: Important Platform Changes


As announced earlier, we are gearing up towards compliance with the European Union’s General Data Protection Regulation (GDPR) and will be making a few changes to the platform accordingly.

There are four important changes you should take note of:

  1. Changes to our SuperSite, PartnerSite and Control Panel
  2. API changes to OrderBox
  3. GDPR Protection
  4. Some TLDs may display WHOIS information

Changes to our SuperSite, PartnerSite and Control Panel

SuperSite & PartnerSite

1. Data Transfer and Marketing Consent on SuperSite:

New checkboxes, shown to EU users, have been introduced to the storefront. They appear in two cases. The first is when a new user selects a country from the European Economic Area (EEA), indicating that their account will be associated with that region. The second is when an existing user logs in and selects an EEA country contact to associate with the domain name purchase; in that case the checkboxes are shown before the transaction is completed.

A brief explanation of these checkboxes follows:

  1. Your Terms of Service & acknowledgment of your Privacy Policy.
    • You are solely responsible for providing your customers with a Privacy Policy that accurately describes what data you collect from your customers and how you store, use and share or disclose such data and what choices your customers have with respect to such data.
  2. Receiving marketing emails from you by providing your customers with the opportunity to opt out of receiving such emails.
    • If a customer opts out of receiving marketing emails, that customer’s email preference will be sent to you in the customer sign up email. You must exclude all customers who opted out from your marketing email campaigns.
    • PLEASE NOTE: While we have currently provided you with the functionality to allow your customers to opt-out of receiving marketing emails, it is solely your responsibility to determine whether it is appropriate for you to rely on this opt-out solution or if you are required to obtain opt-in consent from your customers through alternative means.
  3. For new sign-ups, the interfaces will collect consent from the customer to allow personal data transfers outside the EEA for processing because our platform servers are located in the USA.
  4. If a customer selects an EU country during the purchase flow, an EU VAT ID box will be displayed to the customer.
  5. For customized SuperSites, this code will be pushed into the site’s code bank. You will need to accept these code changes and check the integrity of your design and form changes. For your reference, here are the files that will be modified from our end:
    • misc/login/includes/customer_signup.html
    • misc/signup/signup_form.html
    • legal/legal/legal.html
  6. If you are using our API to send user sign up forms to the platform, please use the API methods here to send the consent you collect to OrderBox. You can also log this on a local DB to manage the opt-in based marketing for new customers.

2. Consent on PartnerSite:

If a new reseller selects an EEA country from the country drop-down menu during sign up, three consent checkboxes will be displayed to the reseller:

  1. Agreeing to your Terms of Service & acknowledging the Privacy Policy
  2. Receiving marketing emails from you
    • Your customer’s email preference will be sent to you in the Reseller sign up email. You must exclude these users from your marketing email campaigns.
  3. For customized PartnerSites, this code will be pushed into the site’s code bank. You will need to accept these code changes and check the integrity of your design and form changes. For your reference, here are the files that will be modified from our end:
    • legal/reseller_legal/reseller_legal.html
  4. Consent from the customer to allow personal data transfers outside the EEA region for processing because the platform servers are located in the USA.

3. Screenshots
You can find screenshots of the above-mentioned SuperSite, PartnerSite and Control Panel changes here.

Control Panel

1. Enabling/Disabling GDPR Protection: Customers from all EEA countries using the OrderBox customer control panel will be given an option in their control panels to enable or disable GDPR Protection, which masks the customer’s WHOIS data to comply with the GDPR requirements. By default, however, GDPR Protection will be enabled for EEA customers.

2. You will need to upload your GDPR-compliant Privacy Policy: We are introducing a new feature that allows you to upload a privacy policy on SuperSites, PartnerSites and Control Panels. If the GDPR applies to you, it is your responsibility to ensure that you have a GDPR-compliant privacy policy. As an organization and service provider, we have updated our privacy policy, which you can find here.

3. There are a few tools available in the market that can help you draft a GDPR compliant Privacy Policy and make it GDPR compliant at a minimal cost:


API changes to OrderBox

For all LogicBoxes partners using the API, we will be making some changes to a few domain registration API calls which you will need to incorporate in your existing domain registration setup. We have documented these API changes in detail here.

GDPR Protection

In our previous email, we explained how we intend to comply with the GDPR in terms of our WHOIS output. You can read it once again on our blog here. Starting next week, you’ll see that the WHOIS data for domains owned by EEA registrants is being masked. This masking process is automated and ongoing, and it will be completed across all relevant domains on the platform. Our goal is to complete this process within the next week itself; however, there is a possibility of a spillover.

Some TLD Registries may display customer WHOIS information

GDPR Protection will not be available for new and existing registrations for certain TLDs. As of May 17, 2017, these TLDs are: .AU, .BR, .CA, .CN (2nd and 3rd level), .DE (2nd and 3rd level), .EC (2nd and 3rd level), .EU, .RU (2nd and 3rd level), .UK (2nd and 3rd level), .US, .ECO, .JOBS, .NGO/.ONG, .NYC and .TEL.

These TLD registries may not mask registrant personal data completely and may display some personal data in the WHOIS. Where we are the registrar on record, we will send an email to the registrants of those domains informing them that their personal data could be displayed in the WHOIS. If you are a registrar of such domain names under your management, we recommend that you reach out to your registrants to inform them about this exception.

Sale of .ES domain names after May 25, 2018

The .ES registry is an exception to the list mentioned above. Currently, the .ES registry does not accept masked data and has not committed to masking personal data. The .ES registry also places a restriction on registrants modifying their contact details or selecting a different contact as the registrant contact for a registered .ES domain name.

In light of this restriction, effective May 25, 2018 we will stop new sales of .ES domains on the OrderBox platform. Please note, however, domains already purchased will continue to remain un-masked in WHOIS searches.

How does GDPR Protection differ from Privacy Protection?

  1. By default, personal data of EEA customers will be masked under “GDPR Protection.”
    • However, Privacy Protection will remain an optional purchase for EEA registrants.
    • GDPR Protection will only mask an EEA registrant’s data; it will not forward any emails to the registrant.
  2. For all non-EEA registrants, Privacy Protection remains the default domain data protection service.
    • With the purchase of Privacy Protection, GDPR Protection will be turned off and data will be masked with the paid plan of www.privacyprotect.org
    • Privacy Protection can be turned off in the customer’s control panel and via the API (a verification link is NOT sent by email).
    • Privacy Protection remains beneficial for customers interested in having emails forwarded to them (e.g., for customers who are interested in sales opportunities for their domains, transfer requests, and fielding other communications) without publicly displaying their personal data.
    • The email address displayed on WHOIS will be [email protected]
    • Parties interested in contacting the domain owner can fill out a form on the website and contact the domain owner through a forwarding service
  3. Notwithstanding the foregoing, access to the personal data of domain name registrants inside and outside the EEA may be granted when such access is necessary for technical reasons such as for the facilitation of transfers, or for law enforcement when it is legally entitled to such access.

Sample GDPR Protection Screenshot:

  • Click here to see a sample screenshot of how the GDPR Protection placeholder data will be displayed in the WHOIS response.

 

Our teams are working around the clock to ensure that the OrderBox platform will be GDPR compliant by May 25, 2018. We will keep you updated on our progress and inform you of any proposed changes and when they will happen. If you, or your customers, have any additional questions, please do not hesitate to contact us at [email protected].

Neha Mestry