Ecommerce and the GDPR – a guide for companies
Introduction to the GDPR for Ecommerce
The European ecommerce market generates billions of dollars in annual revenue, and growth continues to accelerate. The European Union (EU) currently has the world’s second-largest economy and a population of nearly 450 million people, with internet access at over 80 percent.
Ecommerce giants like Amazon and Alibaba have set their sights on the EU, as have many smaller players. The regulatory challenge facing big and small ecommerce companies alike is the General Data Protection Regulation (GDPR).
Companies that process the personal information of EU residents need to comply with the GDPR. Selling to consumers, especially online, requires collecting and processing personal information, as do web analytics, marketing and other business functions.
The companies that win in this market will be those that understand that GDPR compliance and putting privacy first are not an onerous business roadblock, but a competitive advantage.
How the GDPR affects EU consumers
The GDPR provides EU consumers with protection and control over how their personal data is collected, used or sold. As noted, in ecommerce, personal data is collected for everything from website visitor analytics to purchase transactions and shipping. It doesn’t matter whether a company is based in the EU or not; for the GDPR to apply, it only matters that the consumers (the company’s customers) reside there. This is known as the “extra-territorial effect”.
Under the GDPR, consent for personal information processing must be obtained from consumers before their data can be collected, and per Art. 5 (1) lit. c GDPR, data can only be collected and processed as much as is “reasonably necessary”.
This is called an “opt-in” model. There is also an “opt-out” model, such as is used in the California Consumer Protection Act (CCPA), wherein consumer consent does not need to be obtained to collect personal information. It only has to be obtained before the personal information is sold, or, in some cases, shared.
EU consumers and consent
Consent for data processing is an important part of the GDPR, and for consumers’ consent to be considered valid, it must be “freely given, specific, informed and unambiguous”. To be “freely given”, consent must also be voluntary. Art. 7 and Recital 32 of the GDPR cover valid legal consent in more detail.
Even if EU consumers have previously given their consent for collection and processing of their data, under the GDPR’s Art. 7(3), “The data subject shall have the right to withdraw his or her consent at any time.”
Data protection and management and the GDPR
Art. 25(1) of the GDPR also requires data to be protected by design and kept secure. It reads, in part:
“…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
In addition to keeping consumers’ personal data safe once collected, companies must also delete it when requested to by the consumer (subject to certain other legal requirements). This is covered under Art. 17, the “right to be forgotten”. Companies must also be able to prove that they did delete the data.
These requirements also apply to third parties to whom a company has provided consumers’ personal data, for example a company that handles fulfillment of goods on behalf of the company that sold them. It is therefore important to have privacy agreements in place with all contractors and third parties to make clear how consumers’ personal data is to be protected, used, stored, and deleted.
Does the GDPR apply to my company?
Because the GDPR applies to any company collecting and processing consumers’ personal data, it is important for companies to know and have recorded what data they collect, where, and how, as well as how it’s used and stored. It is also common for data to be collected and processed by different departments of a company, as well as by third parties, which can make data subject access requests (when consumers ask for this information about their data, or for a copy of it) tricky to fulfill.
Under Art. 15 of the GDPR, consumers have the right to request from companies what data has been collected from them, who has access to it, and information on how it’s used. If website visitor data, payment processing data, CRM data, etc. are held by different departments, gathering it and providing a consumer with their data within the required time requires a lot of coordination. That deadline is one month from receipt of the request, unless particular circumstances justify an extension or rejection of the request. Spreading data across departments also introduces more chances for omissions or errors.
If the consumer is in the EU and their personal data is being processed, the GDPR applies to the sale of both physical and digital goods and services, and to many types and sizes of businesses. It applies even when there hasn’t yet been a transaction and you’re simply monitoring visitor behavior on the website.
A partial exception can exist for small companies. Under Art. 30, companies with under 250 employees are not required to maintain records of their data processing. However, they must comply with the rest of the law.
It is widely noted that the GDPR came into effect in May 2018, which is not entirely accurate. The GDPR was adopted on April 14, 2016 but became enforceable on May 25, 2018. The data protection authorities like the Information Commissioner’s Office (ICO) in the UK are responsible for enforcement, and the size of fines can be substantial for refusal to comply or unintentional violation.
- Less severe (e.g. noncompliance): up to 2 percent of global annual revenue or up to €10 million, whichever is higher
- More severe (e.g. large data breach): up to 4 percent of global annual revenue or up to €20 million, whichever is higher
Large tech and ecommerce companies like Google and Amazon have been hit with fines from multiple countries. Google was fined €50 million in March 2020 by the Commission Nationale Informatique & Libertés (CNIL), the French Data Protection Agency. It was also fined €7 million by the Swedish Data Protection Authority (SDPA) in the same month. Google’s smallest fine to date was €28, levied by Hungary against Google Ireland. Amazon’s largest fine to date is €746 million, levied by Luxembourg’s National Commission for Data Protection in July 2021.
Enforcement doesn’t just affect giant tech companies, either. Small ecommerce and offline businesses have been fined smaller amounts for not adequately protecting the data they collected, or for collecting data without an adequate legal basis, among other reasons. For a small business, however, even comparatively small fines of a few thousand euros could be ruinous.
Making ecommerce GDPR-compliant
Companies selling via their own websites must account for the data privacy and security of every service they use if consumers’ information is collected via those services. This includes any adtech, shopping carts and payment processing, and content management. Since most companies do not build all the systems they use themselves, it also likely means confirming privacy compliance with the third-party companies that provide those services. Any physical paperwork is subject to the same privacy and security requirements as digital data.
- Conduct an information audit to determine what information the company processes and who has access to it.
- Have a legal justification for data processing activities. (User consent is one legal basis.)
On a more granular level, there are additional considerations for specific types of ecommerce services. As always, companies should consult legal counsel with privacy law and GDPR expertise to ensure each service is being compliantly handled.
Ordering, payments and fulfillment services
Many companies use third-party services, apps and tools to handle customers’ ordering, payments and fulfillment. These services tend to fall under the legal basis of performance of a contract, in Art. 6(1)(b) of the GDPR. The contract here is the agreement that the customer is buying something from the company, and the company will fulfill that purchase.
Carrying out activities for the performance of a contract is its own legal basis, separate from consent, so it does not also require users’ explicit or ongoing consent. Companies do not need to get customers’ explicit consent to collect and share relevant information with third-party services in these instances.
The relevant information is that which is needed to complete the purchase and fulfillment process, e.g. credit card billing and shipping details. Companies do still need to clearly inform customers what data is collected, how it is shared, with whom and under what circumstances. These functions must also be carried out in a compliant manner, and any third-party services or companies involved need to be GDPR-compliant in their own operations. Ecommerce is very much an ecosystem rather than a single entity acting alone, and should be considered as such.
Sales, marketing and customer support
Prospect and customer data is collected and used by sales, marketing and customer support teams to acquire customers, to communicate with them and to ensure their use of and satisfaction with the product or service purchased. This information can be stored and accessed from a number of systems, which tend to range in sophistication depending on the size and maturity of the company. They could include spreadsheets, social media or analytics tools, email marketing services, a CRM, etc.
Consumers’ personal information stored in such systems must be securely stored, with access to it controlled. The information must also be provided to customers (free of charge and in an “accessible” format), or deleted, upon their request. The more systems a company uses to store consumers’ personal information, the more care and effort will likely be required to provide an accurate copy of all relevant information, or delete it all.
Companies also need to be prepared for an audit of their security and data management practices. Maintaining these processes and systems, updating and removing access for those who no longer need it, and regularly reviewing and deleting the data held are among the actions companies need to take on a regular basis.
The GDPR requires that many companies have an appointed Data Protection Officer (more detail in Art. 37 and Art. 38). Part of that person’s role would include ensuring reviews and the security of systems and processes, as well as fulfillment of data subject access requests – when consumers request information about or a copy of the data the company has about them (Art. 15).
The GDPR ecommerce advantage
For a company starting from scratch, achieving GDPR compliance can be a fair bit of work, but thinking of it as a hassle is the wrong perspective. Nothing the GDPR requires is anything other than solid privacy and security guidance, good operational organization, and practices that centre a great customer experience.
Compliance brings clarity, security and trust to ecommerce operations. Customers can easily see or learn what a company’s policies and practices are, and that the company has centred their privacy and their control over their data and its use. This makes consumers more likely to want to do business with a company, especially online, where people don’t have the experience of walking into a store and talking to the proprietor in person, and, even better, more likely to become repeat customers who recommend doing business with that company to others.
Once a company achieves GDPR compliance, it also makes keeping up with the evolution of the law more straightforward. Technology and business are always changing and evolving, so companies should expect laws and their responsibilities under them to evolve as well for everyone’s security and protection.
For companies that aspire to expand fully globally, achieving GDPR compliance helps ensure that a lot of the work to achieve privacy compliance with other privacy laws around the world (like Brazil’s LGPD, California’s CCPA, etc.) is already done. From a growth perspective, who wouldn’t want access to the world’s second-largest economy?
Privacy is the new normal in business around the world, and especially online. Companies need to build trust with potential (and, ideally, repeat) customers when they can’t build relationships face to face. One of the best ways of doing that is to demonstrate a commitment to the privacy and security of consumers’ information.
Achieving compliance with the GDPR is also a smart way to do business, especially in ecommerce. It makes data management clear, organized, and more secure. It ensures responsibilities are known, and that teams work together to maintain and evolve privacy and security practices. This serves all companies well as they expand globally.