If you’re running an eCommerce business in the U.S., it’s very possible you’ve only heard of Europe’s GDPR in passing. It’s time to change that because it has the power to affect your website, store and the very way you interact with customers. Even American businesses need to know how the GDPR + eCommerce are linked.
The European Union passed the General Data Protection Regulation (GDPR) in 2016 — a law that heavily scrutinizes (and potentially penalizes) websites for the ways they collect the data of European citizens. Enforcement begins May 25, and it will affect every website that gathers the information of individuals from European Union (EU) countries.
American websites that store and process such data are NOT exempt.
The good news is that it isn’t too late to learn more about these regulations and to protect your business. Here are four considerations for GDPR and eCommerce, and some suggestions on how to prepare for the worst (so you don’t end up losing money).
Your website could be heavily fined for not complying
Failure to comply with the GDPR can get costly. Organizations that are caught violating these regulations could be forced to pay up to four percent of their annual global turnover — or 20 million euros “for the most serious infringements,” including “not having sufficient customer consent to process data.”
If that doesn’t scare you a bit, this might: Management consulting firm Oliver Wyman is projecting that $6 billion USD in penalties will be levied against non-compliant companies in the first year of GDPR enforcement. Nobody wants to be included in that projection, but it’s an inevitability if businesses don’t take serious steps to prepare.
The fines will be substantial, no matter how you cut it.
Processing the information of European customers without their agreement could seriously harm your business. Although it remains to be seen how enforcement will pan out, who would want to risk it?
Obtaining the correct type of consent is crucial
And what constitutes sufficient customer consent (so you can avoid paying the fines mentioned above)? According to article 4 of the GDPR:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
Furthermore, the customer data your website collects is classified as either “personal” or “sensitive personal” by the EU, and this classification is tied to consent as well. For instance, ”explicit” consent is required in order to process sensitive personal data.
Unless the user directly clicks (or “opts in”) to accept your outlined terms and policies, you have not established explicit consent.
If you gather the following information about your customers:
- Race, ethnicity, or gender
- Religion, philosophy, or overarching beliefs
- Biometric or genetic data
- Sexual orientation or sex life
… you must make sure they are absolutely aware of it.
Data that falls outside these parameters requires “unambiguous consent.” A couple examples of this include:
- A user submits their email address to receive blog updates, or
- A web surfer puts in their personal information on your site to receive a free copy of an eBook
Both of these cases fall under the “unambiguous consent” umbrella.
Understand the information your site gathers so you can avoid violating consent clauses of the GDPR, because these infractions could end up being the biggest hit to your bottom line.
Shift to clickwrap for GDPR + eCommerce
Legally-conscious webmasters have recently started to phase out browse-wrap in favor of more concrete forms of consent. Doing so pleases the American legal system as well as safeguards companies from GDPR and eCommerce penalties.
The solution for many has been clickwrap, a method of consent which forces the user to click a link/button before using the website or purchasing a product.
Check out how it’s been implemented on the American Airlines website:
By forcing customers to act before being allowed to proceed, American Airlines is doing their best to ensure consent.
Facebook does this too but in a slightly different way. In Facebook’s case, the very act of creating an account constitutes a user’s agreement with their policies.
If users are never forced to acknowledge and consent to the policies on your website, you’re leaving yourself open to litigation. It just takes one disgruntled customer to bring a hailstorm of legal proceedings down upon you.
When deciding between the browsewrap and clickwrap methods, consider this (even if clickwrap seems annoying). And with GDPR enforcement closing in, it’s better to be safe than sorry.
Retool your legal policies for GDPR + eCommerce
Transparency is at the heart of the GDPR. Letting consumers know the ways their data is being processed, who is processing it and how to get this information altered or even erased are key tenets of this legislation.
Policies are no longer simply a tool to cover your bases in the event of a lawsuit.
Even the best-written legal policy has the potential to put a well-caffeinated adult to sleep. Don’t fall asleep on the implications of GDPR + eCommerce though, because it could come back to haunt you and your business. Even if you don’t deal with European customers for the time being, taking the necessary precautions can still be beneficial.
The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.