"Whose data is it anyway?" is the question at the heart of both the European Union's General Data Protection Regulation (GDPR) and the state of California's digital privacy law AB375.
GDPR is in effect now and AB375 is scheduled to go online in 2020, but both assign stiff penalties to companies that use customer data without verified consent.
No matter where your business is headquartered, if you run an ecommerce site, you will certainly have customers in the EU, in California, or both, so these laws deserve your careful attention. While it's true that most small businesses might not attract the kind of scrutiny that a large commercial enterprise would, it is significant that Google, Facebook, and others have already racked up more than $9.3 billion in fines.
These laws are the first in a host of similar laws to come in the years ahead, and future laws will likely be variations on these two in their final forms.
Here are the basics of each and what you should know as an ecommerce site owner.
First, obtain a copy of the full GDPR details. Here are the 12 steps to follow, according to the EU Information Commissioner's Office:
Every person in your company - from leadership to the frontline - is responsible for being aware of the new data privacy rules.
Conduct an audit of what personal data you have access to currently and document it.
Be transparent. Plenty of companies are already using popups that display a notice to site users about changes to data collection policies.
After you know what the GDPR recommends, establish how you will store data, when you will purge it, how users can delete it and how you will move it when necessary.
People will certainly want to know what data you have and how they can delete it. Create a GDPR letter. Train everyone on how to respond.
Make sure you know the law regarding your legal rights to use customer data. Include a summary in your data privacy notice.
Research how big companies are handling data consent.
Document the measures you are taking to verify Data Subjects' ages, and whether your processing requires parental or guardian consent.
Know your obligations in case of a data breach.
Evaluate and assess risks to Data Subjects' rights when conducting project planning and business modeling.
Choose someone as your Data Protection Officer, who will take responsibility for keeping the company informed of changes.
There are many different governing bodies across the EU member states. Find out where your customers are and which authorities are relevant to you.
This California law has already come under fire from large tech companies operating in and around the state. Adjustments are expected in the law before it goes into effect in 2020. Refer to the Official CA State website for details. The following is merely an outline of the oversight guidance:
A. Ecommerce sites must provide a way for site users to easily communicate that they do not want their personal information sold, traded or used without permission.
B. Site users must be notified in advance what personal information is being collected and whether it will be sold or shared with third parties in any way.
C. Users must have a clear and easy pathway to opt out of data collection and sharing.
D. Site users have the right to request that all of the personal information collected by a business be deleted.
E. No matter what site users decide to do with their data, businesses must not restrict a class of users to a lower quality of service in any way based on that decision.
F. There are special provisions for the collection, storage and sharing of data concerning children younger than 16.
G. Site users must be able to access their data in portable form so that it can be transferred to another company easily at no charge.
H. Businesses may provide site users with a discount in exchange for the right to sell or share some of their personal data.
AB 375 will only apply to companies that do more than $25 million in annual business, hold the personal data of 50,000 people, or earn at least half of their revenue from the sale of personal data.
Many critics have pointed out that both of these data protection guidelines contain a great deal of undefined, contradictory and vague language, so you can expect that a great deal will be ironed out by consensus or by legal challenges in the years to come.