The E.U.’s new data protection law goes into effect on May 25. Many businesses here in Europe and elsewhere have ignored it. That is a mistake. Failure to comply could result in an eye-watering fine of $20 million. If your company does business or communicates with any consumer in Europe, you should comply, or at least attempt to comply.
The law — General Data Protection Regulation, or GDPR — is an insane set of regulations that make life difficult or even impossible for small businesses. The basic rules are scary. They make me wonder how any company can stay in business.
The requirements are:
- Tell E.U. consumers who you are, what data you collect, why you collect the data, how long you intend to keep the data, and which third parties will receive it.
- Obtain consent from E.U. consumers before collecting any of their data — implied consent is not enough.
- Let E.U. consumers access their data, download their data, and delete their data.
- Inform E.U. consumers if a data breach has occurred.
So what does this mean for an ecommerce company?
First, the law is retrospective. You have to apply it to data you already have. Thus you must either delete all data from E.U.-based customers and prospects or contact them to obtain their explicit permission. In this communication, you must inform them how they can access, download, and delete their data. You must keep a record of which consumers reply with consent and delete the data of everyone else within a reasonable timescale. (I have no idea what that timescale is.)
If you have already obtained permission from consumers to hold the data, all you have to do is tell them how to access, download, and delete it — with no need to wait for a reply.
It may be more cost effective to delete all existing data from E.U. consumers.
Tell consumers who you are
This is probably best done in a privacy policy with a link to and from your terms and conditions. The terms and conditions should disclose the name of your company and set out the legal terms of doing business. The privacy policy should explain what data you hold. It could also review how the consumer can access, download, and delete the data.
Obtain consent
Analyze your site to determine the data you collect about a consumer and when you collect it. It is likely much more than you realize. At each point, you must obtain consent. This has to be done by the consumer ticking a box — not pre-filled — or clicking on a button.
The most obvious place is the checkout. Include a simple checkbox saying that the customer agrees to your terms and conditions. You may already have this. Customers expect it.
But what about product reviews, contact us forms, account registration, newsletter opt-in, and website analytics? You collect consumers’ data from each of these and you need their consent.
The most bizarre, for me, is the contact us form. You must collect a visitor’s email to reply, but you must obtain consent to collect the email. Apparently, you must obtain their explicit consent. Filling in the contact form is, apparently, implicit.
Moreover, if a consumer sends an email without visiting your site, how do you obtain consent to keep his message, let alone keep his email address, to reply? Can you have a correspondence history if you do not have explicit consent?
Access, download, delete
The GDPR implies that every E.U. customer must register. Does this mean that there is no more guest checkout? Indeed, merchants may have to require registration for product reviews or, again, contact us forms. How else can a consumer access the data?
Does your ecommerce software allow users to download or delete their account? WooCommerce, which I use for Kulture Shock, does not. It is being worked on. Even when the facility is there, what happens if a customer deletes his account before you ship his goods?
Data breaches
In the event of a data breach, you must inform all affected E.U. consumers within 72 hours. This assumes you detect the breach and know who has been affected.
To minimize the risk of a data breach, keep your site current with all security patches. Likewise, make sure your host is keeping its environment up to date. And be diligent in keeping secure all of your software, extensions, and APIs.
But even then you could be hacked. I have no idea how the E.U. expects a small business to detect a breach within 72 hours.
Impossible to comply?
It may be difficult, at best, to know if all of your APIs and plugins are compliant. For example, consider cart abandonment software, which enables merchants to email anyone who places items in the basket but did not complete the purchase.
Say a consumer in Europe placed items in the basket and then left your site. You have captured her data and, using the abandonment software, you have communicated with her. She therefore knows you have her data. Where is her explicit consent? How can she access this data and delete it? Are you violating the GDPR?
There are many other concerns. I have only scratched the surface in this post. The GDPR was apparently put together by people who have no real idea or concern about small businesses. A detailed U.K. government PDF document — “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now” — highlights many of the necessary steps.
As smaller ecommerce merchants, all we can do is attempt to meet the rules. One hundred percent compliance seems impossible.