General Data Protection Regulation, or GDPR, is the EU's policy aimed at protecting and controlling the use of personal data collected by any websites or web apps that EU citizens have access to. It takes effect May 25th. The core of the policy is to limit what personal data websites and web appscan have access to and what they can use it for. GDPR also gives individuals more and easier access and control of their personal data. While if directly affects all of the EU member nations, it also affects any website or web appthat holds any information on any citizen of the EU. While the Experion and Facebook data breaches are fresh in most minds, it is exactly this type of large scale breach that GDPR was written to protect individuals against. But what exactly is GDPR and how does it affect, say a US online retailer?
So What Exactly is GDPR?
Passed by the EU in 2016, GDPR expands on data protection policies already in place. Namely, it forces any company that collects personal data from an individual to explicitly and clearly ask for that information, which the informed individual can accept or reject. Individuals can also go back and reverse their original decision. The other expansion is on fines: GDPR stipulates that penalties can come with a $20 million dollar or 4% of global turnover (whichever is larger) fine. While massive companies like Facebook, Apple, Google, or Amazon could more than likely withstand a penalty like that, smaller companies could go belly up quickly.
In the GDPR, the EU has defined —controllers— and —processors.— Data controllers are the companies that collect your data. For instance, when you make a purchase online the company that you are buying from - the one who asks for your information - is the controller. The data processor is the company that holds onto that information on behalf of the controller. In terms of an ecommerce store, when you ask for a customer's information in order to complete a transaction, your store is the data processor. However, your ecommerce store, more than likely, holds all of its data somewhere else, typically your host takes care of your data on servers. So services like Google hosting, AWS, and GoDaddy (to name a few) are all controllers, and therefore carry much of the onus of holding personal data.
But What Does GDPR Mean for My Online Store?
For those who have ecommerce stores, there are several implications even if you are not based in the EU. First, if you have a customer that orders from the EU, you will technically have to abide by the GDPR - we will get into enforcement in a little bit. Even if a visitor from an EU country comes across your website, you still technically have to have systems in place to abide by the policies laid out in the GDPR.
The first major implication is in the fact that your company acts as a controller. Your store requires certain information from customers in order for customers to pay for and receive their goods or services. Now, with the GDPR standards in effect May 25th, you will be required to blatantly, clearly, and repeatedly let customers know and be able to accept or reject the fact that you are collecting information and that information is being held privately, securely, and that they have the ability to access the data you have on them. You also have to give them the option to later remove their data from your files. As a data controller, you will also have to ensure that your data processor (your host) is also compliant to the terms of the GDPR.
So, can you simply add more small print like —By clicking Continue, you hereby agree to our Terms of Service?— No, you can't. The GDPR stipulates that consent from an individual has to be informed and made clear to that individual. You can't simply hide the data that you are going to collect in 16 pages of legal wording that you have purposely written in such a way as to deter users from ever reading it. You have to make it explicit what you are using a customers personal data for, and potentially who you are planning on sharing that data with. Which brings us to the next major piece of the GDPR for ecommerce stores: advertising.
How is Advertising Going to Work?
It is truly attempting to unweave an incredibly messy system. Previous to the GDPR, say you had 15 advertising partners that all ran ads on your site. Your customers had no idea who your partners were, or that their information was being shared with those ad partners - besides the semi-recent —This Site Uses Cookies— warning. Oftentimes, you might not know exactly who your advertising partners were beyond Google or Microsoft or Amazon. Now, with the GDPR in place, your site will not only have to let customers know who your advertising partners are, but also what information of theirs you are sharing with each ad partner. You aren't required to blatantly share this with customers on every page, but your company must give them easy access to exactly this type of information.
Perhaps your site allows advertising from a company that a certain customer does not want their information to be shared with. Based on the new GDPR policies, your customer can stop their information from being shared with that company. Our friends at Obility have published this helpful post with lots of information for advertisers.
This is a huge push towards transparency. We've even heard of an ad firm that has completely embraced the GDPR policies so much so that they are taking transparency with customers to a new level. People.io, for instance, is actually paying people for their information while complying with all of the GDPR policies.
Other companies are offering incentives, rewards, coupons, discounts, and loyalty programs in exchange for customer information. While getting a customer or user to submit information once might be easy, getting consent from that customer to hold on to their information might be a bit trickier as individuals can turn on or off whatever companies have access to their personal data.
A customer might order form your ecommerce store, input all of the necessary information, receive the confirmation that their order is on its way and then delete all of their information. You can still complete the transaction, but you will no longer have access to things like: their demographic, their browsing history, their interests, their affinity group, and so much more. This makes some forms of advertising much more difficult.
It also makes personalization of your ecommerce store much more difficult. Personalized shopping relies heavily on the continuity of a customer's data. Using cookies and having access to a customers data means that you can potentially see their browsing history, especially on your site. That data allows you to serve personalized ads, landing pages, discounts, and more - all things that have been shown to improve conversion rates. However, after May 25th, a customer can ignore this degree of personalization in order to opt for more privacy and better control of their information. The incentives mentioned above are one way to ensure that customers keep trusting you and your ecommerce store with their information.
What About Enforcement?
Honestly, no one truly knows what enforcement is going to be like. We know that it is potentially a major gamble to not comply with the GDPR, but beyond that and because the policy has yet to be enforced, no one knows how or to what degree enforcement will occur. That is why we mentioned earlier that even if you have one visitor to your site or one customer from the EU, you technically have to abide by the GDPR. Will the EU crack down on your site if a single citizen's data is not protected in accordance with the policies? We simply don't know, but we do know that the EU can take money from you that was never going to the EU.
In the above instance, let's say that you do $100 million in sales annually, and 99.99% of that is domestic to the US. If the EU decided to enforce the GDPR policies against your business based on this single transaction with one of its citizens, it can take $20 million dollars from your business. Even though less than one tenth of one percent of your sales came from the EU, 5% of your global sales will now be collected by the EU.
In other words, it is simply safer to comply with the GDPR policies than to risk losing your company.
If you are looking for more details on what GDPR is exactly and what it might mean for your business, we suggest the following links:
https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice
https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/