By Dyann Bradbury, Senior Director of Corporate Compliance, Digital River
E-commerce businesses from both the United States and the European Union (EU) are under mounting pressure from consumers to protect their data. This heightened desire for data privacy and protection has spurred a rapidly-evolving patchwork of global e-commerce regulations, ranging from the right to erasure to data portability requirements. With new rules set to go into effect in less than two years, companies are going to find themselves under even more scrutiny to maintain flexible and transparent protocols for handling consumer data. For brands that falter and neglect the privacy desires of online consumers, the stakes will be high and the outcomes costly. Steep fines. Penalties. And loss of customer trust.
As the regulatory landscape for e-commerce transforms, here are some compliance situations businesses should be prepared for:
A Consumer’s Right to Erasure
In 2016, the EU parliament approved a new regulation bolstering data protection measures for individuals in the EU – the General Data Protection Regulation (GDPR). A facet of the regulation is called the “right to erasure,” which includes the notion that individuals can request to have their personal data erased from a company’s databases without undue delay. This includes personal data collected by the company, personal data transferred to third parties (unless this proves impossible or involves disproportionate effort) and even data stored outside the EU. When you consider the interdependent relationships between brands, retailers, partners and other affiliates, it is not hard to imagine how businesses will find themselves in these data crosshairs. Being unprepared to handle requests to erase a consumer’s personal data from a company’s network could now land brands in a legal mess they won’t want to be a part of.
Uniformity and Control across the EU
The ripple effect of the GDPR will reach every corner of the global retail market. Another part of the regulation calls for data portability, allowing an individual to request transfer of personal data from one processing system to another in a commonly-used format. Non-compliance with certain articles contained within the GDPR can result in fines of 20 million Euros, or 4 percent of total global revenue, whichever is greater; either penalty carries potentially devastating consequences. Though the GDPR will not be enforced until 2018, looming uncertainty following Brexit and other events that keep the global e-commerce marketplace in flux gives businesses all the more reason to begin preparing now for the upcoming changes.
Differing Laws across State Borders
When e-commerce transactions cross international borders, the legal requirements for how companies handle consumer data get muddied. This is further complicated in countries like the United States, where compliance is managed differently from state to state. California, for instance, has instituted laws requiring companies to be more prescriptive about the user data they collect. The state requires merchants to disclose the type of data being collected, the third parties they might provide that information to, and their online tracking practices. Connecticut and Massachusetts have similarly stringent laws protecting consumers and requiring companies to safeguard consumer data.
What’s at Stake for Business Owners?
As with most regulatory compliance situations, the stakes for businesses vary. Depending on the type and severity of a regulatory infraction, a legal penalty could result in hefty fines, delays in payment processing or civil lawsuits. While legal consequences for noncompliance are defined in black and white, impacts on customer relationships caused by noncompliance are grayer and perhaps even more devastating. This is why it is critically important for brands to establish a reputation as a trustworthy company that respects and responds to consumer privacy concerns.
In today’s business scene where data protection laws are scaling up, companies must tune into the changing e-commerce compliance landscape. Businesses that are out of compliance today will struggle to catch up while those that already have implemented efficient data privacy systems and processes will be at a significant competitive advantage. Brands that have relied on their own ad-hoc best practices or even their own sense of right and wrong to manage customer information can no longer play data privacy by ear. Taking data privacy seriously has always been the right thing to do. Today more than ever, businesses must take data privacy management a step further and factor it as a necessary cost of doing business.