How to add GDPR Compliance? #346

Closed
bobchristenson opened this issue May 8, 2018 · 9 comments
Labels
V2 V2 Client

Comments

@bobchristenson

I haven't seen anything in the queue yet regarding making recurly (and this library) compliant with the GDPR. Based on my other integrations we probably just need an 'agree' checkbox for EU customers with links to their policies.

What I don't know (and Recurly support didn't clarify for me) is how we pass this 'agree' data in the form over to them, what data they want, and how they store it.

Is this being worked into this PHP library at all?

FWIW, I'm using this library inside the Drupal Recurly Module and have posted an issue there as well.

@rachelquick

Recurly will be GDPR compliant by the upcoming deadline. You are the controller of your customer data and involvement in GDPR is your responsibility. We advise you to consult with your own legal counsel on issues relating to GDPR.

@bobchristenson
Author

Thanks Rachel...good to know that Recurly will be compliant. I feel like I must be missing something, though, because you say "You are the controller of your customer data and involvement in GDPR is your responsibility"...but we're not the controller of Recurly subscription data...we don't store ANY of it. It's all stored on Recurly...so I'm not exactly sure what that means.

The PHP API makes it so we can build the forms to collect the data, but then we pass all of it to Recurly via the API during form submit. We store nothing.

So, while it's great that you'll be compliant, as a developer I need to know exactly what data we need to collect in our forms (and then how to pass that data, via the API over to Recurly). For us to be compliant by the deadline, we need some lead time and info on exactly (technically) what changes are happening in this API that allow us to pass the data over to Recurly....

Am I misunderstanding something?

@rachelquick

Within the terms of GDPR, you are legally the Controller of your customer data. The Controller is the principal party that collects users’ consent to use their data, manages consent-revoking, enables right-to-access, etc. Using this definition, your company serves as the Controller.

Recurly.js allows you to embed secure billing information forms into your webpage, so you can include any checkboxes or links for consent as needed - the overall design, collection of additional data, and look and feel are your own. Again, I encourage you to work with legal counsel to define the impact for your business.

@bobchristenson
Author

That's a good step towards clarification, thanks. But let me use an example of the information I'm looking for:

First, we don't use the embedded forms...we build them in PHP and pass the data via the API, so we're using 'our forms', not 'embedded recurly forms'. This means that we can build a form to collect any data we need to collect (the actual form isn't the problem or determining what we need to collect isn't my question).

Let's say, as an example, we determine we need to collect a 'consent' checkbox on our Recurly forms. The user checks the box in order to submit the form. When that data is stored, we want to store a date that box was checked along with confirmation that it was checked. Again, doing all that is no problem.

My question is this: How do we take that data we collect in the form and store it on Recurly's servers? If we can determine what we need to collect (and thereby it sounds like we can collect anything), how do we tell Recurly where to store it?

Are there custom fields we can create that I didn't know about? (and if so, I'm assuming the API has a standard way to tell that data to be stored in those custom fields)? I'm looking for information on how we pass this custom data to recurly via the api and how we designate where it's stored on Recurly's servers, etc.

I thought this was a simple question, but I'm obviously not understanding something with regards to what Recurly offers regarding storing custom data like this via the API.

@rachelquick

rachelquick commented May 8, 2018

At this time Recurly does not support storing additional, ad-hoc data (although this is something we are currently exploring). You would need to track this outside of Recurly.

Also, I would suggest using Recurly.js for any fields that are collecting credit card data. Recurly.js will minimize your PCI scope: https://docs.recurly.com/docs/pci-dss-compliance

@bobchristenson
Author

OK, thanks...that's a good step in the right direction: Whatever we choose to implement cannot be stored on Recurly's servers. It has to be stored elsewhere.

From what I thought I've read, this data should always be stored together with the rest of the data the user is submitting in the form. Without the ability to store any GDPR consent on Recurly, we basically have to split the data into 2 places (thereby separating their consent from the data they submitted when giving that consent)...doesn't seem like that's good.

Even though I don't like the answer...I think I've got it now. Thanks.
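One way to follow the maintainer's advice to "track this outside of Recurly" while keeping the consent evidence joined to the subscription record, as an added example that is not part of the issue thread or the Recurly PHP client. It assumes the integrator's form handler already creates the Recurly account and knows its `account_code`; that code is used as the join key, so the consent record and the billing record are two rows in two systems rather than a single record, but they can always be correlated. The ledger is append-only (grants and revocations are separate events, nothing is overwritten), records which policy version and URL the user saw, and can export everything held for one account to answer a right-of-access request. Python with an in-memory SQLite database is used so the example runs stand-alone; the same schema ports directly to the PHP side of a Drupal integration.

```python
"""Local GDPR consent ledger keyed by the Recurly account code.

Added example, not code from the Recurly PHP client or the issue thread.
Assumptions: the Recurly account already exists (or is created in the same
request) and its account_code is the only reference stored here; no card or
other billing data is ever written to this ledger.
"""
import sqlite3
from datetime import datetime, timezone
from typing import Optional

SCHEMA = """
CREATE TABLE IF NOT EXISTS consent_events (
    id             INTEGER PRIMARY KEY AUTOINCREMENT,
    account_code   TEXT NOT NULL,   -- join key to the Recurly account
    policy_version TEXT NOT NULL,   -- which policy text the user agreed to
    policy_url     TEXT NOT NULL,   -- the page linked from the consent checkbox
    action         TEXT NOT NULL CHECK (action IN ('granted', 'revoked')),
    recorded_at    TEXT NOT NULL,   -- ISO-8601 UTC timestamp of the event
    form_id        TEXT NOT NULL    -- which form or screen captured the event
);
CREATE INDEX IF NOT EXISTS idx_consent_account ON consent_events (account_code);
"""


def validate_submission(fields: dict) -> list:
    """Return the names of required consent fields missing from a form post.

    The caller should create the Recurly account only when this list is empty,
    so the ledger entry and the Recurly record are written in the same request.
    The field name 'gdpr_consent' is an assumed name for the checkbox.
    """
    missing = []
    if fields.get("gdpr_consent") != "1":
        missing.append("gdpr_consent")
    return missing


class ConsentLedger:
    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.row_factory = sqlite3.Row
        self.db.executescript(SCHEMA)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def _append(self, account_code, policy_version, policy_url, form_id, action, at) -> int:
        # Every change is a new row; nothing is updated or deleted in place.
        cur = self.db.execute(
            "INSERT INTO consent_events "
            "(account_code, policy_version, policy_url, action, recorded_at, form_id) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (account_code, policy_version, policy_url, action, at or self._now(), form_id),
        )
        self.db.commit()
        return cur.lastrowid

    def grant(self, account_code, policy_version, policy_url, form_id, at=None) -> int:
        """Record that the user ticked the box for this policy version."""
        return self._append(account_code, policy_version, policy_url, form_id, "granted", at)

    def latest(self, account_code, policy_version) -> Optional[sqlite3.Row]:
        """Most recent event for one account and policy version, or None."""
        return self.db.execute(
            "SELECT * FROM consent_events WHERE account_code = ? AND policy_version = ? "
            "ORDER BY recorded_at DESC, id DESC LIMIT 1",
            (account_code, policy_version),
        ).fetchone()

    def has_consent(self, account_code, policy_version) -> bool:
        """True only if the newest event for this policy version is a grant."""
        row = self.latest(account_code, policy_version)
        return row is not None and row["action"] == "granted"

    def revoke(self, account_code, policy_version, form_id, at=None) -> int:
        """Record a withdrawal; refuses if there is nothing on record to withdraw."""
        row = self.latest(account_code, policy_version)
        if row is None:
            raise ValueError(f"no consent on record for {account_code} / {policy_version}")
        return self._append(account_code, policy_version, row["policy_url"], form_id, "revoked", at)

    def export(self, account_code) -> list:
        """Everything held about one account, in event order (right-of-access)."""
        rows = self.db.execute(
            "SELECT * FROM consent_events WHERE account_code = ? ORDER BY id",
            (account_code,),
        ).fetchall()
        return [dict(r) for r in rows]


if __name__ == "__main__":
    # Constructed sample: a checkout form post for a hypothetical account.
    ledger = ConsentLedger()
    post = {"gdpr_consent": "1", "account_code": "acct-example-1"}
    if not validate_submission(post):
        ledger.grant(post["account_code"], "2018-05", "https://example.invalid/privacy", "checkout-v1")
    print(ledger.has_consent("acct-example-1", "2018-05"))
    print(ledger.export("acct-example-1"))
```

Storing the policy version alongside the grant is what lets a later policy change be handled as a new consent event rather than a silent overwrite, and keeping `account_code` as the only Recurly reference means the ledger never widens PCI scope.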

@bobchristenson
Author

One follow up question here: A big component of the GDPR (as I understand it) is telling the users how their data is stored, secured, and used. By making users, outside of Recurly, collect GDPR consent, you're basically making us vouch for how Recurly stores, secures, and uses that data.

I guess my simple question is: How can we vouch for how you secure the data and what you do with it?

The bare minimum would be that we need to be able to link to a page on Recurly that has you stating how your practices work in regards to GDPR. Can you provide that link so we can put it in our consent form?

@rachelquick

You can link your users to recurly.com/legal. This page will be updated with GDPR information closer to the May 25th deadline.

@bhelx
Contributor

bhelx commented May 29, 2018

Closing this issue since it's not directly related to this library. Please reach out to support@recurly.com if you have further questions.

@bhelx bhelx closed this as completed May 29, 2018
@bhelx bhelx added the V2 V2 Client label Mar 3, 2020