By Michael Ashton, our Senior Director of Platform Operations
The EU’s new privacy regulations come into force this year, on May 25th. The General Data Protection Regulation (GDPR) has a broader scope, more stringent punishments, and applies to more businesses than previous privacy legislation. At the very least, eCommerce businesses in the US and around the world should understand the implications of the GDPR and the risks of non-compliance.
The GDPR applies to data that could be used to identify individuals in the EU (including people who are not EU citizens). Data that wasn’t covered by previous privacy regulations, including IP addresses, now falls into the category of personally identifiable information (PII).
“A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.”
The penalties for non-compliance with the GDPR are harsh and include fines of up to 20,000,000 euros or 4% of global revenue, whichever is larger. Under the legislation, data protection authorities are given powers that include the imposition of corrective actions such as limitations on data collection activities and even a complete ban on data processing or the movement of data to other countries.
eCommerce retailers collect and process data that falls under this definition for fulfillment, payment processing, marketing, analytics, and other purposes.
Retailers located in the US may wonder whether the GDPR is something that they should be concerned about. The GDPR applies to all businesses that collect or process personal data from within the EU, including US businesses — something I’ll discuss in more depth later in this article.
If you aren’t sure about whether the GDPR applies to your business, you may want to seek legal advice. This article is a general guideline, not legal advice.
Which Businesses Are Covered By The GDPR?
A business isn’t covered by the GDPR just because its website can be viewed in the EU. But if a retail business specifically markets and sells to people in the EU, it is expected to conform to the requirements of the GDPR.
The GDPR applies to “processors” and “controllers” of personal data. A controller is a person or organization that collects personal information and decides what is done with it. eCommerce retailers are likely to fall under the definition of a controller. They collect data to sell and market products.
Processors process data on behalf of a third party. For example, a payment provider that uses data collected by an eCommerce merchant (the controller) would be considered a processor.
Under the GDPR, controllers may be liable for the actions of processors and are expected to have contracts and outsourcing agreements in place to govern the use of personal data. Controllers can’t shift their obligations under the GDPR onto processors by outsourcing.
What Does The GDPR Require?
The GDPR is a large and complex document, and we would urge eCommerce retailers to take a look at the official guidance because we can cover only some of the requirements here.
To collect and process personally identifiable information, an eCommerce merchant should have legal grounds under the GDPR to do so. There are several grounds that justify the use of PII, including compliance with a legal or contractual obligation, but the most pertinent ground for eCommerce retailers is consent.
The GDPR also grants data subjects the right to control data that personally identifies them. The rights of data subjects impose obligations on data controllers and processors, so this is the most important part of the GDPR for retailers to understand.
Right of access. Customers have the right to access personally identifiable information that retailers store and process.
Right to erasure and rectification. Customers can ask to have their data erased, and retailers should comply within one month. This right is often called the right to be forgotten. The right to rectification allows customers to request that incorrect data be corrected. Both of these rights have exemptions, but eCommerce merchants are expected to have systems and interfaces in place so that they can handle requests efficiently.
Right to data portability. Customers have the right to use personally identifiable information collected by a business for their own purposes, including giving it to another business. The data should be presented in a structured, commonly used, and machine-readable format.
Breach notification. Data breaches should be disclosed to relevant customers within 72 hours of the breach becoming known to the retailer.
The most efficient way to handle PII rights under the GDPR is to provide forms through which customers can make requests, backed by systems that can gather the necessary data in the required format. There are WordPress plugins to help WooCommerce users comply with the GDPR, but they shouldn’t be relied on to provide full compliance.
GDPR and US-Based Retailers
As I mentioned earlier, US-based eCommerce retailers might be wondering whether EU legislation imposes any obligations on them. If you don’t target EU customers, then you are free to ignore the GDPR. But if you do sell in the EU or process the PII of EU citizens for other reasons, you should consider the cost of complying and the potential cost of not complying.
If your business has premises in the EU, then EU regulators can directly sanction you. This may also be the case if the business stores and processes data in an EU-based data center. This isn’t just a theoretical risk: EU member states have aggressively pursued US companies for privacy issues, and in the wake of the recent revelations about Facebook, they are likely to be more aggressive in the future.
Under the GDPR, businesses without a physical presence in the EU that regularly handle personal data covered by the GDPR are required to designate a representative in the EU to whom relevant communications can be addressed.
How can the EU fine US-based businesses without a physical presence in the EU? At the time of writing, it’s not yet clear which mechanisms will be used, but international law, reciprocal privacy agreements, and treaties may make it possible for the EU to sanction US businesses via US organizations like the FTC.
“As the GDPR is not in force it is not clear to what extent an EU member state would leverage an international treaty with the US, or an agreement with the FTC to enforce its regulation on a company located exclusively in the US without a designated representative in the EU, but they clearly are claiming the right to do so.”
In short, US retailers will have to see what happens, but there is risk inherent in ignoring the GDPR.