Technology

How do data regulations impact my ecommerce store?

Sorana Gheorghiade
Sorana Gheorghiade July 27, 2021
How do data regulations impact my ecommerce store?

Being an online retailer, you must have heard about data regulations such as GDPR (EU’s General Data Protection Regulation), which regulates how customers’ data should be collected and used, and for what purposes.

That said, it is no surprise that it may affect your business and the way you interact with your customers – “but how?”, you might ask yourself. This is what this article looks at: how GDPR and ecommerce are related, what GDPR compliance means for the retailer, what it takes to be compliant, and how to use it to the advantage of an online business.

What is data regulation?

Data regulation generally refers to a set of laws meant to protect data from internal and external threats and securing it from being compromised or corrupted. As the amount of data being created and stored is constantly increasing, data protection is becoming indispensable. Depending on where an individual and/or a website is located, different laws apply to the data one gets in contact with, depending on the continent, region and state. Here are a few examples:

China’s Standing Committee of the National People’s Congress published the first draft of its Personal Information Protection Law (PIPL) is for public comment since October 2020. Uniting existing Chinese data privacy laws under one umbrella, the PIPL also adds several significant new developments to the protection of personal data in China. The PIPL will reinforce the new rights gained by data subjects residing in China, regardless of their nationalities, such as the right to deletion and the right to withdraw consent for data collection.

An expansive review of Australia’s Privacy Act 1988 is expected to be completed in 2021. In response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry report, the Australian Government announced on 12 December 2019 that it would conduct a review of the Privacy Act.

On 17 November 2020, the Digital Charter Implementation Act (DCIA) was introduced by the Canadian Minister of Information, Science, and Economic Development. Should it be passed, the DCIA will replace Canada’s current data protection law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA).

The most famous data regulation is still EU’s GDPR. Below, we deep dive into how it affects ecommerces and companies.

What is GDPR?

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR), both data regulation laws from the EU, affect how website owners must obtain and store cookie consents from their visitors from the EU. When users open a webpage and the banner that pops up says “this website uses cookies”, it’s because sites use the collected cookies from those specific users to personalize content and ads, provide social media features, and analyze the traffic. Find out more about cookie consent here.

GDPR implementation stems from the increasing amount of data that’s being collected, transferred, managed, and used in this day and age. It isn’t, though, the first data regulation in the EU: the region already had its Data Protection Directive in place, enacted back in 1995; it is, today, outdated and not entirely applicable to the digital age, which led to the creation of GDPR.

If you were running an ecommerce business when the GDPR came into effect, you’ve probably done your fair bit of complying and are familiar with it. But if you’re just starting out as a budding ecommerce entrepreneur and are still wrapping your head around GDPR, it is just fine to feel overwhelmed.

There is no point in sugarcoating it – being GDPR-compliant is a lot of work. But it’s also extremely important and certainly not something you can just sweep under the rug and hope it’ll go away. Failure to abide by GDPR can result in pretty hefty fines and penalties, up to 4 percent of a company’s annual turnover. Case in point: just recently, a Polish retailer was hit with the biggest GDPR fine yet of €650,000.

How do GDPR laws affect a business in general?

For website owners, the two primary aspects to be aware of are: how to manage and store personal data, and the cookies and tracking in use on the website.

To meet the requirements, make sure to have a thorough and compliant setup for getting and securely storing the consents to the cookies on the website. It’s recommended to complete an overview of how the business currently stores and collects data, focusing on the consent given. This is especially important if the company uses marketing methods abroad, such as posts on social media and website ads.

Make sure to configure and present the cookie banner from a shopper’s perspective, where the message to them is simplified and easy to read and understand. GDPR provides maximum importance to consumer consent, so companies are required to get explicit consent about the type of data that they will collect as well as how they will process it.

Why is this important for me—the online retailer?

The collection and use of data through websites (including online stores) are the responsibility of each site owner. It means that only the owner company or the authorized entity operates and is responsible for the data collected through the owned site.

As an online retailer, you need to think about how and why you are collecting user data – is it for marketing? What are the other purposes of collecting those data?. To answer to those and other questions, here are a few considerations that must be taken into account by online retailers or ecommerce owners:

1. Review your processes and make a plan

Without understanding the current practices of your business, it will be impracticable to make notable changes to comply with the GDPR. If you collect any customer data, you must ensure that it is secure. Even if you work with third parties, you need to be assured that the information collected is protected against external threats and mishandling. Before making any remarkable change, prepare a plan on how to manage personal data requests.

2. Develop an easy process for your customers to communicate

The European Council has already made it easy for customers to issue complaints against non-compliant websites. So, you need to develop simple systems for users to request and communicate with you about their essential data. Moreover, your customers must be able to request a copy of their data or its complete removal without any complication. The cookie consent includes providing your web visitors with a comprehensive view of what they agree to while submitting their data.

3. Understand how do you deal with a data breach

According to GDPR, it’s required in specific situations to identify and report a “supervisory authority” within 72 hours of data violation, in case it happens. Furthermore, companies need to notify the customer after becoming aware of a breach in certain situations. Being able to discover and report a breach immediately is a big leap for many businesses dealing with European countries. However, you need to take this as a responsibility to discuss with your security teams about your company’s capability of detecting and working through a data breach.

4.Redesign consent forms

Your website visitors must give their approval when it comes to storing or processing their data, and they must be able to withdraw at any time. Whether you ask individuals for personal information to fulfill the order, for third parties, or for marketing purposes – you must put a separate checkbox for each request and explain it with simple language. That means no more pre-checked boxes; make sure to deactivate all opt-ins.

5. Assure the customer on the legitimacy of collected data

With GDPR, you can’t ask consumers to provide the personal information that are not relevant to a product offered in your online store. Therefore, you should ask and collect user data only when it is essential to give your offer. In case of an investigation, you will need to prove that this personal information is necessary.

Moreover, don’t forget to check your existing databases: if you keep any non-obligatory personal details, you will need to delete it. Besides, if your website has a pop-up or section where the customer is asked to create an account for 10% off or other data collection points, all these fields have to mention explicitly what their information will be used for.

6. Make sure to have an SSL Certificate

In order to meet Webmaster Guidelines provided by Google, online stores should have full HTTPS coverage over the whole website including the checkout page. Now, this guideline also falls under the GDPR regulation since sites that use HTTPS process customer data over an encrypted connection. Hence, the whole ecommerce website must have an SSL certificate in order to comply with General Data Protection Regulation.

7. Appoint a Data Protection Officer and Consult a Lawyer

A Data Protection Officer may help you assure that your business best complies with the GDPR. It is possible that you may have missed some important points in the online resources which are left unclear, so it’s also recommended to consult a lawyer who has expertise in this area; discussing with a specialist is the only way to assure that you’re fully prepared.

A final note on data regulation and ecommerce

The process of complying with GDPR can be costly and time-consuming, depending on your existing procedures and infrastructure. Nevertheless, you must clarify all the steps you need to take before spending your valuable money. All the tips mentioned above are just the start of working towards GDPR compliance in your business, but they will certainly provide you with a great base to start with. Once you have implemented proper solutions to meet the GDPR requirements, you need to start working on the procedures to respond quickly and protect your customer’s rights. If you are transparent and following best practices, you won’t have to face the massive penalties that come with GDPR.

Setting up an online store is a real opportunity to start a successful business. The main advantage is the reduction of the interaction at the physical level (representing a benefit in the current social context) and the development of a virtual interaction, which will be achieved quickly and efficiently.

In this way there is the possibility of direct identification of the potential buyer, but also of its complete and correct information on all aspects, from the organizational level, to the delivery methods, means of payment and so on. An important aspect of shaping an online business is the need to protect the data of people who have direct access to the services provided. Thus, when we open an online store, we must take into account the provisions on personal data protection.

Keep reading: Related stories
Technology

Harnessing AI for Ecommerce and Retail: Insights from Uri Levine and Zack Kass

In the fast-paced world of ecommerce and retail, staying ahead requires not just keeping pace with technology but…

Thalita Uba
Thalita Uba
Strategy

Decoding Composable Commerce: The Hidden Pitfalls of Unlimited Freedom

So far in our decoding composable commerce series, we’ve uncovered the revolutionary approach to digital commerce technology known…

Kristin Schepici
Kristin Schepici
Strategy

Decoding Composable Commerce: Choosing the right solution for your business

Welcome to part 2 of the Decoding Composable Commerce series. Our first article explored the transformative power of…

Kristin Schepici
Kristin Schepici
Strategy

Decoding composable commerce: Identifying the reality amidst the hype

Imagine a world where businesses have the agility to adapt rapidly, the scalability to grow exponentially, and the…

Kristin Schepici
Kristin Schepici
Institutional

VTEX is the only vendor rated top 5 for all use cases in the 2023 Gartner Critical Capabilities for Digital Commerce Report

Making a platform migration decision is hard. In a world filled with buzzwords and marketing jargon, cutting through…

Mihai Popa
Mihai Popa
Technology

The importance of a privacy policy for an ecommerce business

There are a lot of discussions these days about privacy and personal data protection laws, but how does…

Helena Frias & Renan Sancho
Helena Frias & Renan Sancho
Technology

Platform migration myth-busting: 4 things IT gets wrong

Because of its complicated nature and series of detail-oriented steps, migrating to a new ecommerce platform can be…

Gabriela Porto
Gabriela Porto
Operations

5 benefits of SaaS and a cloud commerce ecosystem

Despite the popularity of cloud computing, many established companies are still using their old-school, on-premise technologies. Unfortunately, those…

Kristin Schepici
Kristin Schepici
Technology

How to avoid common Black Friday ecommerce malfunctions

Nothing says consumerism like Black Friday. And in light of the most recent health crisis, nothing says mass…

Sorana Gheorghiade
Sorana Gheorghiade
See More