With the GDPR now in force, sellers need to know a little about how to handle the personal data of their European buyers. Here is an overview of some of the factors it helps to understand.
BitBoost’s marketplace allows anyone, anywhere in the world to do business with each other. Unlike conventional e-commerce platforms, there are no restrictions for certain countries or jurisdictions. Buyer and seller connect on a peer-to-peer basis, with the ability to trade with whoever they want, assuming that both parties agree.
While this gives a high degree of freedom to all our users, it also shifts the burden of responsibility onto them for understanding and observing any relevant laws or regulations within their jurisdiction. For example, sellers are responsible for their own taxes, and for deciding whether they need to pay VAT – which varies from country to country. The same is true of the way customer data is handled. With the EU’s General Data Protection Regulation (GDPR) now being enforced, sellers will need to be aware of how they should treat buyers’ personal information. Note that the GDPR applies according to where the buyer is, not where the seller is: a seller outside the EU who sells to a buyer in the EU is still within its scope.
No personal data until sale
On our platform, sellers will only have to worry about dealing with customer data after a purchase has been made. While the buyer is still browsing and going through the purchase process, no personal information is collected – it is only when the sale is finalised that details such as the delivery address are provided to the seller. Invoices and delivery information do, however, contain personal data (a name, a postal address, possibly contact details), and as such should be treated carefully: keep them only as long as you need them, keep them out of shared or unprotected storage, and do not reuse them for another purpose without a lawful basis for doing so.
Data is valuable – and possession is nine tenths of the law
The maxim has become that data is the oil of the internet. It’s hugely valuable. Online services run on data, collecting and monetising it in a variety of ways. E-commerce is no different – but the advent of the GDPR means that this is going to change. Businesses can no longer collect and use customer data however they like: every use needs a lawful basis, and for anything beyond fulfilling the order itself that basis will usually be the customer’s consent. One of the core principles of the GDPR is that personal data is just that – personal – and that customers have the right to determine what is done with their information.
Previously, online businesses were typically opaque about the data they collected and how they used it. Not any more: if you want to keep customers’ details and use them in some way later, you need to be up-front and transparent about exactly what you’re doing. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and expressed by a clear affirmative action. That means drawing it to their attention in clear language, and not bundling it with many other issues in your terms and conditions. It’s no longer acceptable to assume consent on the part of your users, and it’s also important to give them the ability to withdraw consent as easily as they gave it. Keep a record of what each customer agreed to, when, and to which version of your wording, so that you can show it if asked.
If customers want, they are within their rights to demand to know what data you are holding about them. They can ask to see a copy of it, they can ask to have it corrected, they can ask to have it transferred to another business, and they can require that you erase it. Erasure is not absolute, though: where you are legally obliged to keep a record (an invoice you must retain for tax purposes, for example), you may keep that record for as long as the obligation lasts, but you should not keep anything beyond that.
One of the things businesses will need to get used to doing is taking a more granular approach to data use. Previously, a catch-all tick box would typically be used to cover a wide range of activities. That no longer works. Processing the order itself (taking the address, shipping the goods, issuing the invoice) is covered by the contract with the buyer and does not need a consent box at all. Every purpose beyond that – marketing, statistics, or passing data to other companies – needs its own separate, opt-in consent, and the GDPR is quite specific about this. Accepting each one of these must be a distinct, deliberate action by the customer. Pre-checked boxes, silence and inactivity do not count as consent!
What if it goes wrong?
Data breaches are a fact of life for 21st century web businesses. No one should be complacent about this, but the odds of data going missing or being corrupted or stolen are high. The GDPR requires you to tell the affected customers without undue delay when a breach is likely to put them at high risk – this is their personal information, after all, and they need to be able to mitigate any damage that might be caused by it (e.g. by changing passwords or watching for fraudulent deliveries to their address).
Any company that experiences a leak or breach in its data storage must report the incident to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. Even when no report is needed, you must keep an internal record of what happened and what you did about it. There are some heavy penalties for non-compliance, so aside from making sure your security is up to scratch and any data you collect is stored carefully, it’s worth knowing in advance who you should report a breach to. Information about your supervisory authority should also be made available to customers, since they have a right to know who to complain to in the event of a grievance arising (see the List of National Competent Authorities).
Making life harder?
There’s an overall sense that the GDPR will make life more difficult for e-commerce companies. There are some potential short-term impacts; for example, the new rules will make it harder to carry out mailing campaigns, since you need to be able to show that every single person on your email list has agreed to be contacted. The inevitable result is that mailing lists will become shorter. In fact, the Wetherspoons chain of pubs recently deleted its entire email database, saying it would no longer send out newsletters this way. (There was some speculation that it may have been a result of the company losing track of who had given consent, and therefore running the risk of heavy fines if it sent any further emails.)
As a general principle, though, the GDPR brings greater clarity to e-commerce businesses as well as their customers. It formalises rules that already existed under the previous data protection directive, but that were rarely enforced. It also places businesses on a more sustainable footing for the future. In codifying the rules around the collection of personal data and ensuring its transparent use, it lays the groundwork for forward-thinking businesses to regain the trust that has been lost by many large online corporations.
For more information, see https://www.eugdpr.org/.