Ecommerce is big business. Really big business. Across the entire world.

In 2020, retail sales in the US declined 10.5% while ecommerce sales grew 18%

Another statistic? 

Over 2.14 billion people are expected to spend $4.2 trillion purchasing goods or services online this year. 

As an ecommerce business owner, you probably know a lot about product lifecycles, inventory management, drop shipping, order fulfillment. But how much do you know about consumer data privacy law?

Privacy, please 

There is a lot of money in ecommerce, and the sensitive personal information ecommerce companies collect about their users is worth even more than their products. 

Where there’s money, there are bad actors—it’s not only bad actors that consumers worry about. These sites gather and process a lot of data, and it’s important that individuals feel trust in how that data is handled.

The massive uptick in ecommerce has resulted in a massive uptick in the number of cyberattacks as well. Since 2015, approximately 45% of Americans have had their sensitive data exposed in a data breach. Partially driven by COVID-related surges in online shopping, 37 billion records were compromised in 2020, a 141% increase over the previous year and the highest volume since 2005.

And according to the University of Maryland, a hacker attack happens every 39 seconds.

Hackers are modern-day pickpockets. Like the Artful Dodger character in Charles Dickens’ Oliver Twist, hackers are drawn to crowds of distracted shoppers with (virtual) money in their pockets and identity cards (sensitive personal information) in their wallets (online accounts). 

Also like pickpockets, hackers try to steal all your information without anyone noticing. On average, it takes 266 days to find and fix a breach. Sometimes it takes longer, even years. 

Because they are so expensive both financially and reputationally, it’s in your best interests to do all you can to prevent and limit breaches.

Consumer privacy rights advocacy is gaining ground

In response to the growth of a data black market and the increasingly negative effects of identity theft, consumer privacy advocates have spent the past decade successfully lobbying governments for comprehensive privacy regulations governing the collection, use, and sharing of consumers’ sensitive personal data.

The first of these laws, the General Data Protection Regulation (GDPR), was passed by the European Union in 2016 and went into effect in 2018. GDPR requirements strictly govern the collection and processing of personal data for organizations that operate in or collect information from citizens of the EU.

The GDPR isn’t the only privacy law out there. Many other countries have passed or are considering passing similar regulations. 

The United States doesn’t have a federal comprehensive privacy law, instead opting for a fractional approach that relies on states passing their own laws. California, Virginia, and Colorado currently have privacy laws on their books, and more than 30 states have data protection laws proposed or in the committee process.

But the GDPR, the grand elder statesman of consumer privacy protections, is still the most aggressive and comprehensive. Even if your e-commerce business isn’t subject to GDPR compliance, implementing processes that are GDPR compliant will ensure you are using privacy best practices and will increase your ability to adapt quickly to whatever new regulations come your way.

If your site is active in the U.S. only, the CCPA is the most comprehensive general data privacy bill to which it is currently subject, which mandates that businesses act with transparency about how they collect, use, and disclose personal information.

Additionally, because of these laws, consumers are increasingly becoming accustomed to seeing privacy notices, cookie banners, and opt-ins. Even if your company is too small to technically be subject to these laws, consumer expectations are changing. They are more used to cookie banners, privacy notices, and opt-ins and expect companies to have clearly articulated privacy policies that are communicated upfront. 

Privacy compliance checklist

Establishing good privacy practices can be overwhelming, but it doesn’t have to be hard. The recommendations below are common-sense steps to make your e-commerce company a privacy-friendly one. 

1. Improve your data security practices for both transactions and data collection

Whether your company is collecting data or acting as a data processor, you need to make sure the data that passes through your system, including data you share with vendors, is secure.

For example, since a user’s email address and password are protected categories of data, you should have SSL certificates on your site to encrypt data transfers, payment details, and user login information. And, hopefully, this goes without saying, but patches and software updates should be installed immediately.

Additionally, security measures like two-factor authentication for both customers and employees make it much harder for brute force and password guessing attacks to succeed.

Internally, you should implement the principle of least privilege, which gives employees access only to the minimum amount of data needed to fulfill their responsibilities. Least privilege can mitigate the damage from phishing attacks, negligent network access practices, and malicious internal actors.

2. Complete a data inventory

Also known as a data map, a data inventory tracks every data record through your system, start to finish. This process allows you to fully understand what data you’re collecting from your customers, why you’re collecting it, and what you’re doing with it—information that is critical to creating an accurate privacy policy, managing individual rights requests, and complying with various privacy laws.

Data inventories also help you see where your data is vulnerable to exposure. Whether due to poor cybersecurity or bad data collection practices (i.e. collecting too much data and storing it for too long), data inventories also help you see where your data is vulnerable to exposure.

3. Update your privacy policy

For a long time, companies could get away with posting generic privacy policies created from templates of incomprehensible legal jargon.

That is not the case anymore.

Every privacy law out there requires companies to update their privacy policies and post them in highly accessible parts of their website. These policies need to clearly and simply explain your actual data collection and processing practices (which you will know if you complete a data inventory) and include information about how users consent to data collection and processing.

Additionally, most privacy regulations require companies to give each individual the ability to correct or delete any of their personal information. Your privacy policy should detail how consumers can complete a data subject access request (DSAR, called an individual rights request in the US) to achieve those outcomes.

4. Set up and practice an incident response plan

The sad truth is that even the very best data privacy program can be hacked. The best way to limit the damage a hack can inflict on your company is to have an aggressive response plan.

To be effective, a breach response plan needs to be both aware of compliance obligations and informed by the needs of every department in your organization. The GDPR requires companies to report notifiable breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery.

Seventy-two hours is not a lot of time to compile everything needed for reporting a breach. Additionally, subject to your privacy policy, your business has obligations to notify consumers if their data has been exposed.

Managing all of those notifications and reporting requirements while simultaneously trying to re-secure data and communicate with stakeholders is very difficult to do if everyone doesn’t understand what they will be expected to do in the event of a breach.

5. Review your email marketing plan and cookie consent banners

Make sure that your email marketing campaigns comply with all privacy regulations and best practices. If your users trust you, they’re far more likely to give you accurate information and remain on your email list.

You should also make sure that your cookie consent banners are updated and accurate.

6. Make sure your website is PCI DSS compliant

Payment Card Industry Data Security Standard (PCI DSS) compliance isn’t just a technical solution. Everything from card readers to payment gateways is subject to these standards.

The good news is that if you accept payment through major processors like PayPal, Square, or Stripe, chances are good your site is already PCI DSS compliant.

But since any business that is processing, storing, or transmitting credit card details needs to make sure their processes protect customers from identity theft by carefully following PCI guidelines for transaction security, it’s smart to double-check.

Need help?

If you owned a brick-and-mortar store, you wouldn’t wait to install locks on the doors, cameras over the windows, and alarms in the building.

As an e-commerce business, the internet is your store. Don’t put building a privacy program that is compliant, easy for customers to understand, and works for your business on the back burner.

Facing privacy challenges head-on will provide added value to your customers, reduce your operational risk, and mark you as a leader in your industry. 

At Red Clover Advisors, we are privacy nerds. We specialize in helping businesses of all sizes harness the power of data privacy to exceed customer expectations and stand out from their competitors. We offer everything from fractional privacy executive services to risk assessments to strategy design, all at an affordable price.

No matter where you are in your privacy journey, we can make you better without breaking the bank. 

Interested in learning what we’d recommend for your company? Schedule a consultation with us today.