Every day in the world of e-commerce, an incredible variety of transactions takes place, many of which require providers to have access to consumer data. However, many users have concerns about handing over their personal data, and for good reason. Far too often, highly sensitive data is misused, unlawfully used for advertising purposes, or even passed on to other third parties. In order to avoid unhappy customers, as well as any possible legal consequences, it is highly recommended that companies stay on top of the subject of data protection. This is especially the case since the introduction of the GDPR in May 2018; if you have not yet looked at its consequences, it is high time you did so. Anyone who loses sight of the complex data security issues very quickly runs the risk of breaking laws and incurring very costly fines.

The term ‘data protection’ originally stems from Europe and came about in reference to privacy-protective legislation. In the United States, on the other hand, this is more often referred to as data privacy. Data privacy in the US can vary depending on which state you are in. When it comes to data protection, the laws in the UK stem primarily from European Union legislation, which has comprehensive guidelines and legislation on this matter. Within the European Union, data protection is viewed as a basic and fundamental right for all citizens, and the UK is no different in this regard.

What is data?

According to the Data Protection Act, data is any information that is being processed in response to instructions given for a specific purpose. In practice, this means any data that relates to information about individuals. Excluded from this is anonymised and statistical information, i.e. data that could not be used to identify an individual. However, if a business decides to anonymise its data itself, this does not relieve it of responsibility for protecting that data.

Data Protection Act

The act also makes sure consumers are protected even after a business goes into bankruptcy or insolvency. In such a case, the consumer should have as many rights as when the company was still in business. One thing that may still be unclear is who is responsible for enforcing this protection. If your business becomes insolvent, then it is still your responsibility to guarantee that your consumers’ data is protected. That being said, if a limited company goes into administration and the administrators decide to sell the data, the responsibility for the individuals’ data security lies with the administrators prior to and during any data sale. Once the sale has been completed, the responsibility naturally shifts to the purchasing party. There are three main rights relating to the individual under the Data Protection Act. These are the right of access to personal data that is being held regarding them, the right to have incorrect personal data rectified, and the right to prevent personal data being utilised for the purposes of direct marketing. Data controllers are legally required to respond to users who have made a written request for a copy of the personal data held about them, i.e. a subject access request. Even if a user has already given their consent, any new form of data processing will require asking for the user’s consent again. In the UK, the Information Commissioner’s Office (ICO) has written a very comprehensive guide about data protection in the UK. The ICO is the independent authority responsible for investigating privacy complaints, educating stakeholders, and maintaining privacy guidelines. Its website presents the information in a way that is relevant both for the public and for businesses and organisations.

A note on new regulations

As of May 2018, new legislation was introduced across the European Union in the form of the EU General Data Protection Regulation (GDPR). The aim of this piece of legislation is to collectively strengthen data security for individuals and allow for greater unity in this area. Furthermore, it addresses the issue of personal data being exported outside the EU. This makes things easier for businesses operating across multiple EU countries. According to the summary of the act, it also aims to make it easier for non-European countries to comply with EU legislation.

Cookies

The operator of a website needs to ensure that visitors know that they are on a site where cookies are being used. The information collected should also not be used for any purpose that might be seen as intrusive or inappropriate. It is worth noting that if cookies are necessary for providing goods and services, websites are not required to offer this service to anyone who rejects the use of cookies. As a business website operator, you should be as transparent as possible towards your customers. Do not just tell them what data you want, but also why you want this data. Some websites opt instead to tell users what they won’t use the data for. This is not recommended, however, as it may lead to even less clarity. Information on the privacy policy should be easily accessible and ideally made available to the user as soon as possible. This is especially the case when it comes to apps. Always make sure to keep privacy policies up to date with any changes that might have been made in the running of the website.

Under the Privacy and Electronic Communications Regulations (PECR), individuals need to be informed when information (e.g. a cookie) is to be stored on their device, and they must be given an opportunity to reject this from happening.

A right to be forgotten

In Europe, there is a ‘right to be forgotten’. This is a law introduced in 2006 which allows an individual to ask search engines, like Google, to remove any links that they might have to news articles and the like, or at least to remove them from the European version of their sites. This is an idea that has been prevalent in the UK for a long time. Over here there is the belief that after a certain amount of time, criminal convictions are ‘spent’ and should not be taken into consideration when it comes to things like employment, insurance, etc. On 13 May 2014, the European Court of Justice cemented the place of this law as a human right when it ruled against Google in a landmark case. In this case, it was ruled that Google is to be seen as a so-called ‘data controller’ and is, therefore, required under EU law to remove online data that is seen as being ‘inadequate, irrelevant, or no longer relevant’.

A note on Google Analytics and similar

Website operators who use Google Analytics must now also obtain the explicit consent of website visitors regarding tracking in order to comply with EU law, a position that is accompanied by legal uncertainties and the risk of formal warnings for those affected. However, there are also data protection alternatives to Google Analytics, such as Piwik or Chartbeat, which you can use for your web analytics instead.

Tip

Take a look at the official EU GDPR portal to see what the key changes are to data protection and cookie policies in the EU.

Privacy Principles

The Data Protection Act sets out a total of eight principles that businesses must follow when it comes to the use of personal information. Many of the principles have to do with ethics and general good practice for the processing of personal data. The principles are listed below:

Principle 1: Personal data is to be processed in a way that is fair and lawful

Principle 2: Personal data is to be obtained for one or more purposes that have not only been specified but are also lawful. The data should not be further processed in any way that is incompatible with the specified purpose or purposes.

Principle 3: Personal data is to be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

Principle 4: Personal data is to be accurate and should always be kept up to date (where applicable).

Principle 5: Personal data should not be retained for any longer than is necessary for the purpose or purposes for which it has been collected and processed.

Principle 6: Personal data is to be processed in line with the rights of data subjects under the Data Protection Act.

Principle 7: Appropriate technical and organisational measures are to be taken against unauthorised or unlawful processing of personal data, and against the accidental loss of, destruction of, or damage to personal data.

Principle 8: Personal data is not to be transferred to a country or territory outside the European Economic Area (EEA). This is only acceptable if the country or territory in question can guarantee adequate levels of protection for the rights and freedoms of data subjects when it comes to the processing of personal data.

Privacy policy

There are certain guidelines that websites need to follow to ensure that your website is legal. These include things like company information (name, address, etc.), as well as a privacy policy. The privacy policy is required to inform the visitor about the following things:

  • What information is being collected
  • Why this information is being collected
  • How the information is being stored and kept safe
  • Whether or not the information is going to be shared away from the website
  • How to get in touch with the business/website in question

This is where cookies come into play. The user needs to be informed about what cookies are going to be created and for what purpose. The user also needs to give their consent for any cookies that will be left on their computer, laptop, smartphone, etc.

When it comes to e-commerce sites and online shops, there are certain details and features that must be accessible on the web page. Amongst these are:

  • Terms and conditions
  • Delivery and returns policy

These are part of the general Consumer Protection (Distance Selling) Regulations and Electronic Commerce Regulations (EC Directive). As an e-commerce site, it is highly likely that you are collecting and processing credit and debit card information, in which case you must conform to the Payment Card Industry Data Security Standard (PCI DSS), which is there to help prevent fraud by outlining security and encryption requirements. Another thing that will be relevant to your e-commerce site is the EU anti-spam laws; these relate to things like opt-in mailing lists and their opt-out policies. These EU laws also cover situations where email databases have been purchased; in circumstances like this, you are still required to verify that the individuals involved have given their consent for their contact details to be passed on to third-party websites. Passing consumer information on to other third-party websites always requires the consent of the user.

In principle, a privacy policy is basically a contract between your website and the visitor. The more accessible and comprehensible this contract is, the better it is for everyone involved. This means that you should also ensure that the link to the privacy policy is very visible and easy to find on your web page.

Keep the consumer informed

EU legislation aims to keep the consumer as well informed as possible. Before completing a purchase, a consumer has to be informed of their right to cancel the order within 14 days of the purchase being made. This, as well as other information, is required to be sent to the customer, usually via email. E-commerce sites are also expected to provide the buyer with a comprehensive breakdown of all costs, including delivery, before they confirm the purchase. The laws also specify that the button clicked for completing an order must include a written acknowledgement that a payment is being made. Failure to comply with this or any of the other laws can be prosecuted as a criminal offence.

Too complicated? Give others the responsibility

As can be seen, all these laws and regulations regarding data protection and data security can be very elaborate and complex. For this reason, many e-commerce sites opt to outsource their data and payment processing systems to a third-party website; a popular example of this is PayPal. For a fee, PayPal will take responsibility for the processing of data and payments. There are many different third-party sites that offer this service; however, you should always make sure that you choose one that is well known and reputable.

Failure to comply: fines and penalties

Of course, with such comprehensive legislation come equally comprehensive penalties for failing to comply. It is also the ICO that is responsible for handing out these penalties. These penalties can take several forms: fines, prosecutions, commitments to new reforms or courses of action, enforcement notices, or even an audit. Monetary penalties can get very expensive for firms, with fines going as high as half a million pounds. These penalties can also be very costly in terms of a business’ reputation: on its website, the ICO has published details for every penalty incurred, [ICO: Action we’ve taken – enforcement] be they monetary or another form of penalty. This list is very detailed, referring to the business in question, the penalty incurred, as well as the exact reasons for the penalty.

The ICO also makes sure to demonstrate how the quantity and diversity of penalties are increasing year by year. Having handed out only two penalty fines in 2010, it issued over 100 in 2017. This is set to increase even more due to the changes of May 2018, when the EU General Data Protection Regulation (GDPR) was introduced. The maximum fine is no longer limited to £500,000 and can instead be as much as €20 million or 4% of annual global turnover, whichever is higher. This means that a GDPR penalty can seriously threaten the solvency of many businesses, which is why it is best to pay close attention to these new regulations.

These new developments demonstrate just how important it is to stay up to date with legislation regarding data protection and security. This becomes even more relevant for UK businesses as Britain prepares to leave the EU, meaning that businesses need to pay even more attention to any divergence that may arise between EU legislation and that of the United Kingdom.

As this article has shown, data privacy and security are not always straightforward when it comes to the world of e-commerce. There are several complex issues and obstacles that need to be overcome in order to make sure that you are abiding by all the relevant legal guidelines. It is also worth keeping an eye on your state’s legislation. Given that this is an industry that is constantly changing and developing, the accompanying legislation covering data protection and data security evolves too, reflecting these changes.

Brexit: Business as usual (hopefully)

Of course, at the moment Brexit is at the forefront of people’s minds in the UK. Given the legal aspects and implications of data protection, this is an issue that could be greatly affected by the UK leaving the EU. The good news for legislators and businesses alike is that, at the moment, the UK is keen to maintain the current data laws as they are, with the minimal amount of change. This is very significant for the digital economy, as it means that there will be little or no disruption to the flow of personal data, as well as to other related legal matters. At the moment the EU has 12 so-called ‘adequacy arrangements’ with countries outside the EU (e.g. Switzerland), wherein the flow of personal data between these countries and the EU is protected to the same extent as between EU countries. It is hoped that a similar deal can be struck between Britain and the EU during the Brexit negotiations. While the process of Britain leaving the EU means plenty of complications for many aspects of business, these developments suggest that, hopefully, this won’t be the case for the area of data protection and security.

However, regardless of the outcome of the Brexit negotiations, the new GDPR rules will still apply to your e-commerce store, unless you’re planning on excluding the European market, which would mean a loss of potential customers. Because of the way the EU regulations work, the GDPR affects websites which may be visited by people browsing within EU member states. So even if Brexit means that this regulation won’t apply within the UK, UK websites ought still to comply, in case those who are browsing from Germany, for example, visit their site.

As we have seen with the change to the European legislation, this is an industry that is constantly changing and developing, and can affect internet activity across the globe, and with that, data protection and data security too.
