The new E.U. data protection law comes into effect on May 25th. Many companies here in Europe and elsewhere have ignored it. This is a mistake: ignoring it could result in a $20 million fine. If your company does business with, or even communicates with, a consumer in Europe, you must comply, or at least try to comply.
The law, the General Data Protection Regulation, or GDPR, is a set of senseless regulations that make life difficult or impossible for small businesses. The basic rules are scary. They make me wonder how a business can stay in business.
The requirements are as follows:
- Tell consumers who you are, what data you collect, why you collect it, how long it will be kept and who will receive it.
- Obtain the consent of E.U. consumers before collecting their data; implied consent is not enough.
- Let consumers access their data, download their data and delete their data.
- Inform E.U. consumers in the event of a data breach.
What does this mean for an e-commerce company?
First, the law is retrospective. You must apply it to the data you already have. You must either delete all data on E.U. customers and prospects, or contact them to obtain their explicit permission. In that communication, you must inform them how they can access, download and delete their data. You must keep a record of the consumers who respond with consent and delete everyone else's data within a reasonable time. (I do not know what that time scale is.)
If you have already obtained permission from consumers to keep their data, you only need to tell them how to access, download and delete it, without having to wait for an answer.
It may be more cost-effective to delete all existing data on E.U. consumers.
Tell the consumers who you are
Analyze your site to determine what data you collect from a consumer and when you collect it. It is probably a lot more than you realize. At each point, you must obtain consent. The consumer must give it by checking a box that is not pre-checked, or by clicking a button.
The most obvious place is the checkout. Include a simple checkbox indicating that the customer agrees to your terms and conditions. You may already have this; customers expect it.
But what about product reviews, contact forms, account registration, newsletter sign-ups and website surveys? You collect consumer data through each of them, and you need consent for each.
The most bizarre case, for me, is the contact form. You must collect a visitor's e-mail address in order to reply, but you must obtain consent before collecting that address. Apparently it must be explicit consent; completing the contact form is, apparently, only implicit consent.
In addition, if a consumer sends an e-mail without visiting your site, how do you obtain consent to keep their message, let alone keep their e-mail address in order to reply? Can you keep a history of correspondence if you do not have explicit consent?
Access, download, remove
The GDPR implies that every E.U. customer has to register. Does this mean the end of guest checkout? Indeed, merchants may have to require registration for product reviews or even for the contact form. Otherwise, how can a consumer access their data?
Does your e-commerce software allow users to download or delete their account? WooCommerce, which I use for Kulture Shock, does not yet; the feature is being worked on. Even when that feature is there, what happens if a customer deletes their account before their goods have shipped?
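To make the "explicit consent" and "access, download, delete" requirements concrete, here is an added example, not code from the original post or from WooCommerce. It is a hypothetical in-memory customer store that refuses to record consent from a pre-checked box, refuses to store data for a purpose with no consent on file, exports everything held about a consumer on request, and on erasure keeps only a hashed proof that the record was deleted. All names and fields are assumptions for the illustration.

```python
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    purpose: str      # what the data is used for, e.g. "order-processing"
    source: str       # where the consumer gave consent, e.g. "checkout-form"
    granted_at: str   # ISO-8601 UTC timestamp, so consent can be evidenced later


@dataclass
class Consumer:
    email: str
    fields: Dict[str, str] = field(default_factory=dict)
    consents: List[ConsentRecord] = field(default_factory=list)


class ConsumerStore:
    """Hypothetical stand-in for a shop's customer table (constructed for this example)."""

    def __init__(self) -> None:
        self._consumers: Dict[str, Consumer] = {}
        # Proof-of-deletion log: hashed subject identifier only, no personal data kept.
        self.erasure_log: List[Dict[str, str]] = []

    def record_consent(self, email: str, purpose: str, source: str,
                       box_checked: bool, box_prechecked: bool = False) -> ConsentRecord:
        """Store consent only when the consumer actively ticked an unchecked box."""
        if box_prechecked:
            raise ValueError("a pre-checked box is implied consent, not explicit consent")
        if not box_checked:
            raise ValueError("consumer did not tick the consent box")
        record = ConsentRecord(purpose, source, datetime.now(timezone.utc).isoformat())
        consumer = self._consumers.setdefault(email, Consumer(email))
        consumer.consents.append(record)
        return record

    def has_consent(self, email: str, purpose: str) -> bool:
        consumer = self._consumers.get(email)
        return consumer is not None and any(c.purpose == purpose for c in consumer.consents)

    def collect(self, email: str, purpose: str, **fields: str) -> None:
        """Refuse to store data for a purpose the consumer never consented to."""
        if not self.has_consent(email, purpose):
            raise PermissionError(f"no consent on file for {purpose!r}")
        self._consumers[email].fields.update(fields)

    def export(self, email: str) -> Optional[dict]:
        """Right of access / download: everything held about the consumer, or None."""
        consumer = self._consumers.get(email)
        return None if consumer is None else asdict(consumer)

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the record, keep only a hashed proof of deletion."""
        if email not in self._consumers:
            return False
        del self._consumers[email]
        self.erasure_log.append({
            "subject": hashlib.sha256(email.strip().lower().encode()).hexdigest(),
            "erased_at": datetime.now(timezone.utc).isoformat(),
        })
        return True


if __name__ == "__main__":
    store = ConsumerStore()
    # Constructed sample: a checkout with an unchecked box the customer ticked.
    store.record_consent("anna@example.com", "order-processing", "checkout-form", box_checked=True)
    store.collect("anna@example.com", "order-processing", name="Anna", country="FR")
    print(store.export("anna@example.com"))
    print("erased:", store.erase("anna@example.com"), store.erasure_log)
```

The point of the design is that consent is a record tied to a purpose, not a boolean on the account: a newsletter purpose with no consent entry cannot be used to store data even though order-processing consent exists, and an export shows the consumer exactly which purposes they agreed to and when. Serialising the export dict with the standard `json` module gives the downloadable file the post asks about.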
In case of a data breach, you must inform all affected E.U. consumers within 72 hours. This assumes that you detect the breach and that you know who has been affected.
To minimize the risk of a data breach, keep your site up to date with all security patches. Also make sure your host keeps its environment up to date. And be sure to secure all your software, extensions and APIs.
But even then, you could be hacked. I have no idea how the E.U. expects a small business to detect a breach within 72 hours.
Cannot comply?
It can be difficult, at best, to know if all your APIs and plugins are compliant. For example, consider a cart abandonment software, which allows merchants to email anyone who places items in the cart but has not completed the purchase.
Say a consumer in Europe has placed items in the shopping cart and then left your site. You captured her data and, using the abandonment software, you contacted her. Now she knows that you have her data. Where is her explicit consent? How can she access and delete this data? Are you violating the GDPR?
There are many other concerns; I have only scratched the surface in this post. The GDPR has apparently been set up by people who have no real idea of, or concern for, small businesses. A detailed UK Government PDF document, "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now", highlights many of the necessary steps.
As small e-commerce merchants, all we can do is try to follow the rules. 100% compliance seems impossible.