The world of e-commerce is witnessing changes every day. Whether it is in privacy laws, marketing trends, or market demands, people in this industry must stay alert to the changes to keep their brand alive and successful.
Many of these changes, including the ones that pose the biggest challenges, concern consumer data. Failing to adjust your brand to the latest laws, rules, and demands around consumer data can be the death of it, both in terms of reputation and financially.
Data Protection Today
Take, for example, the latest scandal involving Facebook and the Cambridge Analytica breach. The scandal revolved around the Facebook data of 87 million users, which was used for advertising during elections. This prompted mass legal action from almost a million users in Wales and England for misuse of personal information.
Today, when highly sensitive data is often misused, handed to third parties, or unlawfully used for purposes such as advertising, the laws change every day to protect consumers. This is why it is advisable for e-commerce businesses to stay on top of changes in data protection. Otherwise, you risk breaking serious laws, enraging consumers, and paying costly fines.
Understanding personal data
According to the Federal Trade Commission, personal data is:
“Information that can be used to identify a person and even get in contact with them.”
This is a very broad definition that can be further explored and expanded, and it certainly is in the regulations and laws of individual countries, which are updated frequently. What counts as personal data is defined by the law that governs your business. For an e-commerce business to comply with such regulations and laws, it first needs to understand personal data and what it encompasses. Osano has described this quite accurately:
“The definition of personal data varies depending on which law you’re reading. But it’s important to know how to recognize which data is considered ‘personal’ under the law that governs your organization.”
Personal data includes things like IP addresses and other device identifiers, as well as phone numbers that users share when they sign up or order something from your e-commerce store. It also includes financial data, health data, credit rating data, and any other information that can be used to facilitate theft or identity fraud. Finally, any information at all collected online from children under the legal age is deemed sensitive personal data.
The laws of most countries cover people’s names, government identification, payment method numbers and details, health insurance data, and so on. In some countries, personal data laws also cover usernames and passwords for online accounts.
Data security around the globe
Laws that protect data are put in place to keep the personal information that people share online safe and secure. At this point, the United States has no nationwide law dedicated to this exact topic. Some degree of personal data protection is provided under the US Privacy Act, the Health Insurance Portability and Accountability Act, and the Safe Harbor Act. Still, none of them is very focused on consumer data protection.
In Europe, an individual can ask Google or other search engines to remove news articles about them. This is not as easily done across the Atlantic, where the right to free speech under the First Amendment is highly prized and the constitution protects freedom of expression. In the US, people cannot easily remove negative information about themselves from online search engines, at least not if it is accurate.
However, the newest EU regulations, which took effect in May 2018, have also affected other markets to a certain extent. They apply not only to countries within the Union but also to anyone who sells into its market. So, if you have even one internet user who is based in the European Union, your website has to comply with EU data protection regulations.
What does this mean for your e-commerce business?
It means that no matter where you’re based and what legislation you’re operating under, you still need to keep other regulations in mind. Not only are e-commerce businesses expected to comply with local rules, but they also have to put measures in place to comply with other countries’ regulations (as long as they want to get users and customers from those countries).
By far, the General Data Protection Regulation (GDPR) from the European Union is the most comprehensive law that retailers across the world have faced so far. This regulation defines different kinds of personal data, requires specific actions from retailers, and even sets consequences for those who break its rules.
Latest changes in data privacy laws across the globe
Naturally, laws and regulations differ in different parts of the world. 2020 alone brought several big developments in data privacy. In January, the California Consumer Privacy Act (CCPA) came into force in the US.
For those e-commerce businesses that missed this news, failing to comply with the latest regulations and laws has already brought serious trouble. Not to mention, they started losing their reputation with consumers who weren’t happy with the protection they were offered.
A bit later, the Court of Justice of the EU ruled that the European Commission’s adequacy decision on the Privacy Shield between the EU and the US was invalid. This was the so-called Schrems II case, and the decision put an end to the free flow of data between the EU and the US.
As we make our way through 2021, the shadows of these two big developments change the e-commerce business every day. Right now, the CJEU’s Schrems II ruling of last year is proving to be a big change. Legitimizing transfers of personal data obtained from the EU these days is more than a paperwork exercise.
Now, let’s move to other parts of the world.
China’s response to the GDPR
While this plays out between Europe and the US, China is working to adopt its first data protection legislation very soon. The main focus of this omnibus legislation is on cross-border transfers.
In October 2020, China’s Standing Committee of the National People’s Congress published its first draft of the PIPL (Personal Information Protection Law). It was published for public comment, brings the existing privacy laws under a single umbrella, and adds new developments to personal data protection in the country, including steep fines, a greater need for data protection officers, and extraterritorial applicability.
The situation in the UK after the GDPR
The United Kingdom lost its privilege of free data flow within Europe for quite some time. As soon as the transition period following its exit from the EU came to an end, the country had to adopt changes into its national legislation, since the GDPR no longer applied at that point. Still, its requirements were almost instantly adopted through the Data Protection Act of 2018.
Brexit made the UK a third country, so it had to apply for an adequacy decision from the Commission before it could transfer data across borders freely. Right now, the Commission is set to allow the free flow of data between the UK and the EU, but only once it confirms that the UK offers an adequate level of protection for personal data.
New laws and laws under review in 2021
A significant number of new data privacy laws have been under review or enforced since the beginning of 2021. In September 2020, Latin America’s first big data protection law, Brazil’s LGPD, came into force after a long series of delays and setbacks. Singapore also amended its PDPA, introducing increased penalties for those who do not comply with the law, mandatory data breach notification, and more.
This year, we expect a review of the Australian Privacy Act of 1988 in response to an inquiry report by the Australian Competition and Consumer Commission.
If the Digital Charter Implementation Act of 17 November 2020 is passed in Canada, it will replace PIPEDA, the current data protection law for the private sector.
The CPRA’s provisions have yet to be enforced, with some expected to take effect in 2023, so the United States is also facing major changes in the months and years ahead.
The regulation introduced by the GDPR has changed how the online world operates across the globe, including e-commerce businesses. In a way, these detailed rules set by the Union have forced other countries to take steps to further define and protect personal data in order to keep data flowing.
In November 2020, the European Data Protection Board published recommendations on the rules that businesses, including those in e-commerce, should follow to transfer personal data from the EU to other countries. To bring these decisions in line with the GDPR, the Commission released a set of new clauses and a draft implementing those decisions and updates.
Combine this with the ruling in the Schrems II case, and you can expect many international companies to be affected by these changes. Right now, if you are reaching a target market beyond your own legislation’s borders, you need to be extra careful about how you collect, process, and protect personal information.