E-commerce isn’t going anywhere. If anything, it’s going up.
Per the U.S. Census Bureau, e-commerce sales for 2022 reached $1.03 billion, an increase of 7.7% from the previous year. Out of the 331 million people in the United States, 268 million participated in some form of e-commerce. In case you’re curious, that’s 80% of Americans.
This is great for online retailers, especially when market forecasts predict that the number will continue to rise over the next few years.
But Uncle Ben said it best: “With great power comes great responsibility.”
E-commerce companies are required to maintain compliance with data privacy regulations anywhere they do business. Businesses must grapple not only with international privacy laws, but also with consumer expectations regarding data protection and reasonable data collection practices.
It’s a lot to deal with, especially when you want to focus on marketing and profit. But data privacy and security are essential components of your business’s success.
If this all sounds a bit overwhelming, that’s okay. You’ve come to a great place to start. Here is a quick primer on e-commerce data privacy.
What you need to know about data privacy laws
Brick-and-mortar stores only have to follow the laws and regulations in their jurisdiction, such as their city and state. But e-commerce businesses are on the hook not only for applicable laws in their headquartered jurisdiction but also regulations anywhere they have a consumer.
So if your business operates in Utah but has consumers who visit your site from the EU, you are responsible for complying with Utah’s Consumer Privacy Act and the EU’s General Data Protection Regulation, or GDPR.
This is especially complicated for U.S.-based e-commerce companies because the U.S. currently lacks a comprehensive federal privacy regulation. Instead, each state is responsible for enacting its own separate privacy acts, which has led to a plethora of different regulations.
Here are the state privacy laws to know:
- California Consumer Privacy Act (CCPA), as amended by CPRA
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
Additionally, Montana, Indiana, Iowa, Tennessee, and Texas have also joined their ranks—stay tuned for details on how their privacy laws will stack up.
It’s important to note that while many of these privacy laws are complementary in some aspects, they are not the same. Many of them are also evolving with additional policies, such as California’s Privacy Rights Act (CPRA), which came into effect in 2023 and served to expand the state’s existing regulations.
Because e-commerce businesses must contend with so many evolving regulations, the best strategy for most companies is to create an agile, flexible policy based on industry best practices, rather than a program that simply follows the letter of current laws.
What are all these data privacy laws protecting?
Most privacy laws worldwide are based on the EU’s GDPR, which was the first comprehensive legislative update regarding data privacy since 2000. The GDPR is a rights-based regulation, which means that it is built around the concept that people have the right to control who has access to their own personal information and how that information is used.
As a result of this rights-based approach, the GDPR and subsequent legislation around the world reflect seven key principles that businesses must uphold:
- Lawfulness, fairness, and transparency: You must operate fairly and in accordance with the law, and must tell consumers exactly what types of information are collected, why they are needed, how they are used, who they are shared with, how they are protected, and how long they are stored.
- Purpose limitation: You may only use collected data for its originally stated purpose. You can’t use that information for new use cases without obtaining consent from the subjects.
- Data minimization: You should collect the smallest amount of data possible for your stated goals and may not collect additional information just in case it is useful later on.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as it’s used. Otherwise, any unnecessary information should be deleted.
- Integrity and confidentiality: You must take appropriate security, integrity, and confidentiality measures to protect consumer information against exposure.
- Accountability: You must be able to demonstrate GDPR compliance with all of these principles. Otherwise, you may face fines, injunctions, and other penalties.
While regulations vary, most of them also emphasize consumer control, such as the ability of consumers to correct or delete personal information from a database or opt out of having their information sold, shared, or used for marketing purposes.
How data privacy can affect your bottom line
Businesses that don’t comply with their legal obligations can face severe financial penalties. These vary by state and country. For example, the GDPR has two tiers of penalties. For minor infractions, the GDPR may fine businesses up to 10 million euros or up to 2% of a business’s entire global turnover of the preceding fiscal year, whichever is higher.
Let’s say that again: 10 million euros is the GDPR’s fine for minor violations.
For more serious violations, the fine can be up to 20 million euros, or up to 4% of a business’s total global turnover of the preceding fiscal year, whichever is higher.
It’s also important to consider that, in the U.S., because each state has its own privacy laws, businesses could face financial penalties from multiple states for their infractions. For example, in Virginia, fines can vary from $1,000 to $5,000 per violation, and courts can also order additional relief to the plaintiffs in addition to civil penalties.
Now, not all businesses will qualify to be subject to these fines. While the GDPR applies to almost all businesses, Virginia’s policies, for example, only apply to businesses that collect data from at least 100,000 consumers. So if you’re unsure which privacy regulations apply to your business, you may want to consult a privacy expert who can walk you through the nuances of different privacy regulations.
It’s not just about the fines
In addition to regulatory fines, firms must also consider their liability regarding potential data breaches and how their policies may affect consumer trust.
In 2022, the average cost of a data breach reached $4.35 million and could take up to 280 days to contain. But beyond the upfront cost, a data breach can also lead to a loss of consumer trust. 81% of consumers say they would stop doing business with an online company following a data breach.
Data privacy and security plans are critical for firms that want to mitigate risk and avoid data breaches in the future. In this case, an ounce of prevention really is worth a pound of cure.
Data privacy is essential to maintaining e-commerce consumer trust
Even without the threat of data breaches, privacy programs are a critical part of creating a positive relationship between your business and the consumer. Consider that:
- 97% of consumers have expressed concern that businesses might misuse their data
- 84% of consumers are more loyal to companies with strong security controls
- 73% of consumers are more likely to share their personal data with businesses they trust
So how can an e-commerce business build a strong data privacy program? Let’s take a look.
Privacy Checklist
Check out our Privacy Checklist for tips and practical guidance to establish a sustainable compliance program.
Seven Steps to a sustainable data privacy program
When you’re starting a data privacy program for your e-commerce business, figuring out your first steps can be overwhelming. We’ve got you covered with a seven-step roadmap! (And if you still have questions, it’s never a bad idea to reach out to a privacy expert for guidance!)
1. Identify which laws apply to your business
Where do you operate? Do you meet the size threshold for the states or countries you operate in? Are there other geographic markets you want to enter in the near future?
2. Identify what information you collect and why you need it
Is the information critical to your strategic goals? Are you collecting more than you need? Remember, with data minimization, businesses can’t collect information they don’t need, and they can’t save information for later, unspecified use. Take a cue from therapy and let go of what no longer serves you.
3. Get your data privacy and data security teams on the same page
How secure is your data storage system? While data privacy and data security are separate fields, they are intricately connected when it comes to the handling of consumer data.
4. Map your data
Data inventories track what data you have and how it interacts with your system—but they’re more than just that. Data inventories help you get a bird’s eye view of the data you collect and where that data may be vulnerable to exposure.
More specifically, a data inventory allows you to:
- Identify the data you have in your system, where it’s stored, and how it’s used
- Identify with whom data is shared
- Map and analyze data workflows
- Establish oversight of data
- Improve privacy practices with vendors
Data inventories also support compliance with privacy regulations. The GDPR requires a data inventory, more commonly referred to as a record of processing activities (ROPA), and while U.S.-based regulations don’t technically mandate a data inventory, it is necessary to complete other requirements. (For example, privacy laws in the U.S. require that you demonstrate a business purpose for using personal data—and this is hard to do without a data inventory backing you up.)
5. Update your privacy policy and notices
Privacy policies are internal documents that discuss how your company gathers, handles, and protects data. Not to be confused with a consumer privacy notice, privacy policies are critical to:
- Determining accountability
- Identifying business practices and expectations
- Guiding employees
- Building incident response plans in case of data breaches
- Achieving privacy regulation compliance
On the other hand, a privacy notice is your external, consumer-facing documentation of privacy practices. Your privacy notice should clarify:
- What data you collect
- How you use that data
- What rights consumers have regarding their data
- How they can take action on their rights
It might be tempting, once you’ve built out your privacy policy and notice, to assume you’ve met your obligation indefinitely. But we strongly urge you to think again.
Privacy is a moving target. In the US alone, new regulations are cropping up each year, meaning you have new compliance requirements to reflect in your privacy documents. Moreover, business is always changing. As your company’s products and services change, so does your marketing. So do your operational practices. And so does your data collection.
Your privacy documents should be updated continually to reflect these shifts.
(We don’t blame you if you think this sounds like a lot, but take heart. Working with a privacy expert can help you operationalize your privacy program and build that much-needed e-commerce consumer trust.)
6. Evaluate your marketing practices
E-commerce companies do a ton of marketing. In fact, they spend up to 10% more on digital marketing than traditional brick-and-mortar stores.
As a result, they collect a lot of data—meaning, it’s even more necessary to have clear plans in place for managing that data. Consider, for example, cookie consent management. Cookies may be a controversial topic in marketing and privacy, but they are still a big part of the conversation. E-commerce businesses need to have the right tools and strategies in place for managing opt-ins and opt-outs so they don’t run into trouble with compliance regulations.
Another specific consideration for e-commerce companies: email marketing. Depending on the country in which the user resides, there may be different regulations surrounding how email marketing is handled by companies. For example, in the EU and in Canada, contacts likely need to provide explicit consent to receive marketing messages.
The good news is that complying with privacy regulations can have a positive impact on marketing practices. Continuing with the example of email marketing, adhering to privacy best practices can decrease bounce rates and increase click-throughs.
7. When in doubt, talk to an expert
At Red Clover Advisors, we help simplify data privacy and build programs that work for your business. Contact us today to learn how privacy policies can help your e-commerce business stand out from the crowd (for the right reasons).