Being an online retailer, you must have heard about data regulations such as GDPR (EU’s General Data Protection Regulation), which regulates how customers’ data should be collected and used, and for what purposes.
It is no surprise, then, that it affects your business and the way you interact with your customers – “but how?”, you might ask yourself. This is what this article looks at: how GDPR and ecommerce are related, what GDPR compliance means for the retailer, what it takes to be compliant, and how to use it to the advantage of an online business.
Data regulation generally refers to a set of laws meant to protect data from internal and external threats and to secure it against being compromised or corrupted. As the amount of data being created and stored is constantly increasing, data protection is becoming indispensable. Depending on where an individual and/or a website is located (continent, region and state), different laws apply to the data one comes into contact with. Here are a few examples:
China’s Standing Committee of the National People’s Congress published the first draft of its Personal Information Protection Law (PIPL) for public comment in October 2020. Uniting existing Chinese data privacy laws under one umbrella, the PIPL also adds several significant new developments to the protection of personal data in China. The PIPL will reinforce the new rights gained by data subjects residing in China, regardless of their nationality, such as the right to deletion and the right to withdraw consent for data collection.
An expansive review of Australia’s Privacy Act 1988 is expected to be completed in 2021. In response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry report, the Australian Government announced on 12 December 2019 that it would conduct a review of the Privacy Act.
On 17 November 2020, the Digital Charter Implementation Act (DCIA) was introduced by the Canadian Minister of Information, Science, and Economic Development. Should it be passed, the DCIA will replace Canada’s current data protection law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The most famous data regulation is still the EU’s GDPR. Below, we take a deep dive into how it affects ecommerce businesses and other companies.
The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR), both EU data regulation laws, affect how website owners must obtain and store cookie consent from their visitors from the EU. When users open a webpage and a banner pops up saying “this website uses cookies”, it is because the site uses cookies set for those specific users to personalize content and ads, provide social media features, and analyze traffic.
GDPR implementation stems from the increasing amount of data that’s being collected, transferred, managed, and used in this day and age. It isn’t, though, the first data regulation in the EU: the region already had its Data Protection Directive in place, enacted back in 1995; it is, today, outdated and not entirely applicable to the digital age, which led to the creation of GDPR.
If you were running an ecommerce business when the GDPR came into effect, you’ve probably done your fair bit of complying and are familiar with it. But if you’re just starting out as a budding ecommerce entrepreneur and are still wrapping your head around GDPR, it is just fine to feel overwhelmed.
There is no point in sugarcoating it – being GDPR-compliant is a lot of work. But it’s also extremely important and certainly not something you can just sweep under the rug and hope it’ll go away. Failure to abide by GDPR can result in pretty hefty fines and penalties, up to 4 percent of a company’s annual turnover. Case in point: just recently, a Polish retailer was hit with the biggest GDPR fine yet of €650,000.
For website owners, the two primary aspects to be aware of are: how to manage and store personal data, and the cookies and tracking in use on the website.
To meet the requirements, make sure to have a thorough and compliant setup for obtaining and securely storing consent to the cookies used on the website. It’s recommended to complete an overview of how the business currently collects and stores data, focusing on the consent given. This is especially important if the company uses marketing methods abroad, such as posts on social media and website ads.
Make sure to configure and present the cookie banner from a shopper’s perspective, with a message that is simplified and easy to read and understand. GDPR places great weight on consumer consent, so companies are required to get explicit consent about the type of data they will collect as well as how they will process it.
The collection and use of data through websites (including online stores) are the responsibility of each site owner. It means that only the owner company or the authorized entity operates and is responsible for the data collected through the owned site.
As an online retailer, you need to think about how and why you are collecting user data – is it for marketing? What are the other purposes of collecting that data? To answer those and other questions, here are a few considerations that online retailers and ecommerce owners must take into account:
Without understanding the current practices of your business, it will be impractical to make notable changes to comply with the GDPR. If you collect any customer data, you must ensure that it is secure. Even if you work with third parties, you need to be assured that the information collected is protected against external threats and mishandling. Before making any major change, prepare a plan for how to handle personal data requests.
The European Council has already made it easy for customers to issue complaints against non-compliant websites. So, you need to develop simple systems through which users can request and communicate with you about their personal data. Moreover, your customers must be able to request a copy of their data or its complete removal without any complication. Cookie consent also includes giving your web visitors a comprehensive view of what they agree to when submitting their data.
According to GDPR, in specific situations it is required to identify the relevant “supervisory authority” and report a data breach to it within 72 hours. Furthermore, in certain situations companies need to notify the affected customers after becoming aware of a breach. Being able to discover and report a breach immediately is a big leap for many businesses dealing with European countries. You need to take this as a responsibility and discuss with your security teams your company’s capability of detecting and working through a data breach.
Your website visitors must give their approval when it comes to storing or processing their data, and they must be able to withdraw that consent at any time. Whether you ask individuals for personal information to fulfill the order, for third parties, or for marketing purposes – you must put a separate checkbox for each request and explain it in simple language. That means no more pre-checked boxes; make sure to deactivate all default opt-ins.
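The consent rules described above (one opt-in per purpose, nothing pre-checked, withdrawal at any time, and a record you can show on request) can be enforced in code. The following is an added example, not code from the original article; the purpose names and checkbox wording are assumptions made for the illustration.

```python
# Added example (not the article's code): a per-purpose consent ledger that
# enforces separate opt-ins, no pre-checked defaults, and withdrawal at any time.
# The purpose names and wording below are assumptions made for the example.
from dataclasses import dataclass, field
from datetime import datetime, timezone

PURPOSES = {  # one checkbox per purpose, each with the plain-language text shown
    "order_fulfilment": "Use your address to deliver your order.",
    "marketing_email": "Send you offers and news by email.",
    "third_party_sharing": "Share your details with partner advertisers.",
}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    text_shown: str  # exact wording the customer saw, kept as evidence
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only log: the latest event per purpose is the current decision."""
    events: list = field(default_factory=list)

    def record_form(self, form: dict) -> None:
        # `form` maps purpose -> submitted value; an HTML checkbox is only
        # present when ticked, so a purpose missing from the form means "not
        # consented" (no pre-checked defaults). A bundled "agree to all" field
        # is rejected because it is not a separate opt-in per purpose.
        if "agree_all" in form:
            raise ValueError("bundled consent is not a valid opt-in")
        unknown = set(form) - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        for purpose, text in PURPOSES.items():
            self.events.append(
                ConsentEvent(purpose, bool(form.get(purpose, False)), text, now))

    def withdraw(self, purpose: str) -> None:
        # Withdrawal is just another event, so the full history stays auditable.
        self.events.append(
            ConsentEvent(purpose, False, PURPOSES[purpose], datetime.now(timezone.utc)))

    def has_consent(self, purpose: str) -> bool:
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev.granted
        return False
```

Before sending a marketing email or sharing data with a partner, the shop checks `has_consent()` for that specific purpose rather than relying on a single global flag.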
With GDPR, you can’t ask consumers to provide personal information that is not relevant to a product offered in your online store. Therefore, you should ask for and collect user data only when it is essential to deliver your offer. In case of an investigation, you will need to prove that this personal information is necessary.
Moreover, don’t forget to check your existing databases: if you keep any non-obligatory personal details, you will need to delete them. Besides, if your website has a pop-up or section where the customer is asked to create an account for 10% off, or other data collection points, all these fields have to state explicitly what the information will be used for.
In order to meet the Webmaster Guidelines provided by Google, online stores should have full HTTPS coverage over the whole website, including the checkout page. This guideline also matters under the GDPR, since sites that use HTTPS process customer data over an encrypted connection. Hence, the whole ecommerce website must have an SSL/TLS certificate in order to comply with the General Data Protection Regulation.
A Data Protection Officer may help you ensure that your business complies with the GDPR as well as possible. You may have missed some important points that the online resources leave unclear, so it’s also recommended to consult a lawyer who has expertise in this area; discussing with a specialist is the only way to be sure that you’re fully prepared.
The process of complying with GDPR can be costly and time-consuming, depending on your existing procedures and infrastructure. Nevertheless, you must clarify all the steps you need to take before spending your valuable money. All the tips mentioned above are just the start of working towards GDPR compliance in your business, but they will certainly provide you with a solid base. Once you have implemented proper solutions to meet the GDPR requirements, you need to start working on the procedures to respond quickly and protect your customers’ rights. If you are transparent and follow best practices, you won’t have to face the massive penalties that come with GDPR.
Setting up an online store is a real opportunity to start a successful business. The main advantage is the reduction of physical interaction (a benefit in the current social context) in favour of virtual interaction, which can be carried out quickly and efficiently.
This makes it possible to identify the potential buyer directly, and also to inform them completely and correctly about every aspect, from the organizational level to delivery methods, means of payment and so on. An important aspect of shaping an online business is the need to protect the data of the people who have direct access to the services provided. Thus, when we open an online store, we must take into account the provisions on personal data protection.