This was originally published in Internet Retailer.
The regulatory environment for brand owners and retailers that do business online is getting stricter, thanks to changes going into effect during the next couple of years in the European Union (EU) as well as existing regulations in the U.S. Companies that adapt quickly can turn these changes into a competitive advantage. Several specific changes that apply to online business are close at hand, including data portability requirements, “right to erasure” provisions, and a rapidly evolving patchwork of regulation that changes from country to country across the globe and from state to state within the U.S.
As we grapple worldwide with the implications of the incredible amount of personal data generated every day, consumers are pressuring brands and legislators alike for more control over their information. This only becomes more complicated as more and more businesses pivot towards subscription models, where customer-brand relationships are longer-term and more fluid, and involve more uses of personal data and consumer behavior information. Neglecting the privacy desires of these consumers puts brands at risk of everything from fines and penalties to a loss of trust with their customers, which in the most extreme of cases could lead to being put out of business. Here are compliance obligations for which organizations should start preparing.
Consumer desire for control
In 2016, the EU parliament approved a new regulation bolstering data protection measures for individuals in the EU. The General Data Protection Regulation (GDPR) is intended to give individuals greater control over their personal data and simplify the regulatory environment for brands operating online by providing uniformity across the EU. Though this regulation will likely not be enforced until 2018, and there is looming uncertainty for how the recent events of Brexit will impact regulations for the United Kingdom, it is not too early for brands that do business in the EU to start preparing.
The ripples caused by this legislation will reach every corner of the global retail market. Part of the regulation calls for data portability, allowing an individual to request transfer of personal data from one processing system to another in a commonly used format. Non-compliance with certain articles contained within the GDPR can result in fines of 20 million euros, or 4 percent of total global revenue, whichever is greater.
The right to erasure
The “right to erasure,” found within the GDPR, gives an individual the right to have their personal data erased without undue delay. This includes personal data collected by the company, personal data that has been transferred to third parties — unless this proves impossible or involves disproportionate effort — and even data stored outside the EU. Brands and retailers, as well as the companies that facilitate the exchange of customer data, can all find themselves in the crosshairs.
U.S. laws differ from state to state
While the U.S. has not passed a sweeping national privacy/data protection law for online retailers, state governments have implemented their own data protection measures. California law, as an example, requires websites that collect user data to communicate the type of information being collected, the types of third parties they might provide that information to, and their online tracking practices. Connecticut and Massachusetts also have stringent laws protecting consumers’ data and requiring companies to safeguard that data.
The risk of noncompliance
The penalties for noncompliance vary with the type and severity of the violation, ranging from very high fines and delays in payment processing to civil lawsuits. Data protection laws are now scaling to the point where companies that haven’t been in compliance will struggle to catch up, giving a significant competitive advantage to those that have done the work to implement efficient data privacy systems and processes.
Maintaining a reputation as a company that respects and responds to consumer privacy concerns is becoming more critical to brands every day. If done correctly, using consumer data to tailor online shopping experiences can strengthen the relationship between a brand and its customers. Yet, as the connection between a brand and its customers becomes more personal, it also becomes more complicated, and those that have relied on their own ad hoc best practices, or even their own sense of right and wrong, to manage customer information can no longer play data privacy by ear. Brands and retailers that conduct online business must take their role as custodians of personal data seriously. It’s no longer just the right thing to do — it’s the price of doing business in some of the world’s most desirable global markets.
Dyann Bradbury is senior director of corporate compliance at Digital River, a leading global provider of cloud-based ecommerce solutions that specializes in building and managing online businesses across more than 240 territories and countries.