By Geoff Scott
Most entrepreneurs running ecommerce stores are experts on their product, understand key areas of digital marketing, and have a vision for how they’d like to develop their business into the future. However, website security and legal compliance are often more tertiary matters – noted, but (generally) neglected. This is a big mistake.
As Facebook, Google, Amazon, and other tech giants continue to make highly visible (and widely criticized) ethical errors, now is not the time to neglect things like user privacy and safe data collection practices. Doing so will inevitably lead to legal trouble. Embrace the following four strategies for legally protecting your website, however, and you’ll be able to comply with the law and avoid getting fined as well.
Way #1: Familiarize Yourself with the Legal Landscape
If you’ve read any news regarding internet privacy over the past year, you’ve likely noticed a swath of acronyms and foreboding titles like “The ePrivacy Regulation.” Understanding the scope of these and how they apply to your business are big steps toward legally protecting your website.
Here are the three primary pieces of privacy legislation for you to be aware of as an online business owner today:
The GDPR firmly puts the EU at the forefront of online user privacy worldwide, specifically by demanding companies become more transparent with how they use and handle the personal information of customers and people who navigate their websites. Anyone who targets EU consumers is affected by the GDPR.
Allowing users access to this data is no longer a nice gesture, it’s the law. Violating the GDPR’s stringent policies can cost a company up to 4% of their annual global turnover or 20 million euros (whichever is greater).
The ePrivacy Regulation is a critical update of the 2002 ePrivacy Directive. It addresses user privacy rights regarding online communication (messaging systems, apps, etc.), while also taking into consideration how things like bluetooth and other forms of technology have become integrated into our daily lives (and how to protect our privacy while using such devices).
Similar to the GDPR, the ePrivacy Regulation applies to anyone who markets and sells their products/services to members of the EU. It works in conjunction with the GDPR to cover all aspects of digital privacy, and helps set a precedent for further pro-user legislation across the globe.
The CCPA is a huge step for the United States in terms of online privacy rights for Americans. It applies to anyone who conducts business with Californians, and places certain regulations on data collection that bear a strong resemblance to those established by Europe’s GDPR.
Many companies and lawyers project that the CCPA is only the first of many incoming U.S. privacy laws on the horizon. Making sure your business is prepared for these laws (ones that have been passed, and ones that are being discussed) is the only surefire way to avoid lawsuits in the future.
Way #2: Cover Your Bases – Employ Every Relevant Legal Policy
Depending on the product you sell and the types of information you collect, you’ll need (or are advised to have) a:
- Terms & conditions (highly recommended in Europe & U.S.)
- Return/refund policy (Depends on business model)
Privacy policies are a legal requirement for ecommerce businesses in Europe and the U.S., so having one is naturally a huge part of safeguarding your website (from fines and lawsuits to user backlash). Yours should be easy to access, written in plain English, and make it explicitly clear how your company processes user data.
- what user data is stored
- how long data is kept
- why you store specific types of data
- how users can access their data (which includes the opportunity to delete or alter it if they want)
- Descriptions of third-party service providers you share information with
- Your address and contact information (making it explicitly clear where the business is physically located)
- An effective date regarding revisions that are implemented at any point
Terms & Conditions
The main tenets of a T&C include:
- Limiting your legal liability when errors appear on your website
- Limiting your liability for offensive user-posted content
- Mentioning the relevant governing law to which your site adheres
- Pointing out your copyright and trademarks
Cookie policies are already legally required for European businesses, and will become a growing fixture for American ones (thanks in part to the recently passed CCPA). Cookie policies outline:
- What cookies are (in easy-to-understand English)
- Which types are employed by your website
- Descriptions that clearly explain the types of cookies your website uses
- Descriptions of which cookies your third-party providers use
- A brief explanation about why cookies are being used on your site (generally, to improve the user experience)
- Clear instructions that lets users know how they can opt out of cookie collection
Having a return policy in place, even if you don’t accept returns under any condition, can still be beneficial for your business. Customers appreciate the transparency, and you have something concrete to point to in the event a dispute arises regarding a purchase.
It can also yield positive financial results. One poll found that 91% of consumers take a company’s return policy into consideration when buying something online, so be sure to consider this when deciding to implement your own or not.
In some states, specific laws regarding returns dictate how businesses put their own together. For other states, it’s up to the retailer to decide. Figuring out what’s best (and legal) for your own website will help safeguard you from litigation, and encourage customers to make purchases as well. A definitive win-win scenario.
Way #3: Get Proper Consent for ALL Data Collection
Your website policies aren’t truly effective if the user never encounters them at any point during their time on site. This is where user consent comes in.
There are five legal grounds for processing data other than consent (meaning that if one of these conditions is met, then you do not need consent to legally process the information). They include:
- Legitimate Interest. As long as your processing doesn’t impact the rights and legal freedoms of your users, you can do so without their consent. This would include areas like fraud prevention, market research, and internal administration practices (payroll, for instance).
- Contractual Necessity. If it’s 100% necessary to gather user data to fulfill a contract, it’s also legally acceptable (such as processing a credit card and user contact information to generate an account for them).
- Vital Interest of the User. If data collection could determine the life or death of a user, it is legally condoned.
- Legal Obligation. Compliance with the law is another legal grounds for processing without consent (a subpoena, for example).
- Public Interest. Only really applies to governmental entities – data can be processed if it’s for the good of the public in some way.
If your processing practices don’t fall under one of the previously listed categories, you need user consent before doing so.
Requirements for Legal Consent Requests
The concept of user consent has changed with the implementation of the GDPR. For it to hold up in court, it must be:
- Freely given: Your user must choose to give consent; not be tricked into doing so.
- Informed: It must be perfectly clear to your user why you are asking for consent, so that they can grasp the full extent of the data you plan on collecting.
- Unambiguous: Your users must be fully aware that they are consenting to the collection of their data.
- Specific: You should make every consent request specific as possible. For instance, asking users to accept cookies should not be lumped in with a newsletter sign-up.
- Affirmative (Opt-in) Action: A manual action must be performed by your users in order to obtain their consent. Pre-checked boxes are not acceptable, however unchecked boxes are okay if they are then checked. Other acceptable forms of affirmative action include clicking radio button and setting user preferences.
Explicit vs. Unambiguous Consent
There are two types of consent, and which you need to process data is determined by the type of information you’re collecting from your users.
If you collect sensitive personal information from EU citizens (which includes things like political/religious beliefs, biometric data, ethnic background, and more), only a written or oral agreement (“explicit consent”) counts as true consent.
Checking a box that has a clear written statement of intent counts as an example of explicit consent. Note how the following example requires a user to manually check the unchecked box, provides a clear statement as to what they’re agreeing to, and links to relevant policies to make things transparent for their users:
If you only plan on collecting personal information (like email addresses, names, location data, IP addresses, etc), unambiguous consent is acceptable. Similar to explicit consent, it requires an affirmative action to be deemed legitimate. However, statements regarding what you’re collecting don’t need to be as blatantly obvious.
This particular signup form requires the user to type in their email and hit the subscribe button. However, it doesn’t explicitly state that the user is signing up for a newsletter, so it’s not considered explicit consent.
Way #4: Understand your Plugins & Third-Party Services
Running a successful ecommerce business today is nearly impossible without the help of third-party services and plugins. However, while such services and plugins are largely positive in nature, they can work against you if you’re not careful.
Here are three actionable steps you can take to make sure your third party providers are worthy of your trust:
When exploring the content of their policy, be sure they answer the following questions:
- What types of data do they plan on collecting from your users?
- Do they collect data from all of your users, or only certain demographics?
- Will they use it temporarily, or will it be held on indefinitely? (if the latter, be very wary of letting them gather the data of your users)
- Do they keep this data for themselves or share it with others?
Every service and plugin you incorporate into your business could potentially cost you money and energy in legal fees, so be sure to invest the time and energy necessary so you can avoid them to the best of your ability.
- Reach Out for Clarification
If you start to get weighed down with legal jargon while evaluating the privacy policies of third-party providers, it never hurts to contact them and clear things up. In addition to asking the previously listed questions, some potential ones you could mention include:
- At what point (if ever) do you intend on accessing the personal information of our users?
- How will you go about accessing this information?
- Have you taken steps to comply with major privacy laws like the GDPR, the CCPA, and CalOPPA? (if they don’t know what you’re talking about, it’s definitely a bad sign)
You can also consider sending each third party service provider a due diligence questionnaire to fully assess what data they are storing and what they plan to do with such information. It may seem severe, but so are the penalties for letting these companies abuse the data of your users
- Negotiate Your Contract (if possible)
You don’t need to simply accept the terms of a contract established by a third party service provider whom you haven’t entered a contractual relationship with yet. You are well within your rights to negotiate the terms, in order to ensure their compliance with data security regulations and the law.
- Audit Their Data Collection Practices
Once you’ve come to terms and are working with a variety of third party providers (Google Analytics, PayPal, Gravity Forms, etc.), don’t become complacent. With an understanding of their collection practices, you should monitor each provider to be sure they stick to the rules laid out in their privacy policies.
Depending on your resources, consider implementing an annual, bi-annual, or quarterly audit system. Audits can be handled by your own team (ideally comprised of tech savvy individuals), or you could outsource this work. Making sure third parties practice what they preach ultimately falls on you, so it’s important to incorporate these checks into your business.
In many ways, starting a website and turning it into a full-time business has never been easier. However, paired with many of the conveniences ecommerce business owners enjoy today is a growing number of privacy laws that have the potential to financially cripple them if not adequately addressed.
Thankfully, pro-user legislation like the GDPR and CCPA will eventually benefit not only online consumers, but also the businesses that serve them. A more transparent online world is good for everyone, and will help ensure users keep trusting the websites they visit (and buying stuff). Some companies may get hammered by these new laws, but if you legally safeguard your website with transparent policies, proper data collection practices, and work exclusively with trusted third parties, yours won’t be one of them.
Geoff Scott is a Payments Consultant at Motile LLC, where he strives to connect users across the internet with processing solutions for their businesses. He also loves Thai food, craft beer, and an exhilarating game of squash when the opportunity arises.