Data protection in e-commerce

Every day in the world of e-commerce, there is such an incredible variety of transactions that take place; many of which require providers to have access to consumer data. However, many users have concerns about giving over their personal data—and for good reason. Far too often highly sensitive data is misused, unlawfully used for advertising purposes, or even passed on to other third parties. In order to avoid unhappy customers, as well as any possible legal consequences, it is highly recommendable that companies stay on top of the subject of data protection. This is especially the case since the introduction of the GDPR in May 2018 – and if you haven’t had a look at the consequences of this yet, it is high time you do so. Anyone who loses sight of the complex data security issues very quickly runs the danger of breaking laws and incurring very costly fines.

The term ‘data protection’ originally stems from Europe and came about in reference to privacy-protective legislation. In the United States, on the other hand, this is more often referred to as data privacy. Data privacy in the US can vary depending on which state you are in. When it comes to data protection, the laws in the UK stem primarily from European Union legislation, which has comprehensive guidelines and legislation on this matter. Within the European Union, data protection is viewed as being a basic and fundamental right for all citizens and the UK is no different in this regard.

According to the Data Protection Act, data is seen as any information that is being processed in response to instructions given for a specific purpose. In practice, this means any data that relates to information about individuals. Excluded from this is anonymised and statistical information, i.e. data that could not be used to identify an individual. However, if a business decides to anonymise their data themselves, this does not relinquish them of responsibility for protecting that data.

The act also makes sure consumers are protected even after a business goes into bankruptcy or insolvency. In such a case, the consumer should have as many rights as when a company is still in business. One thing that may still be unclear is who is responsible for enforcing this protection. If your business becomes insolvent, then it is also your responsibility to guarantee your consumer’s data is protected. That being said, if a limited company goes into administration and the administrators decide to sell the data, in this case, the responsibility for individual’s data security is the administrator’s prior and during any data sale. Once the sale has been completed, the responsibility naturally shifts to the purchasing party.

There are three main rights relating to the individual under the Data Protection Act. These are the right of access to personal data that is being held regarding them, the right to have incorrect personal data rectified, and the right to prevent personal data being utilised for the purposes of direct marketing. Data controllers are legally required to respond to users who have made a written request for a copy of their personal data held by you, i.e. a subject access request. Even if a user has already given their consent, any new form of data processing taking place will require asking for the users’ consent again.

In the UK, the Information Commissioner’s Office (ICO) has written a very comprehensive guide about data protection in the UK. The ICO is the independent authority which has the responsibility of investigating privacy complaints, educating stakeholders, as well as maintaining privacy guidelines. The website presents the information in a way that is relevant for both the public as well as for businesses and organisations.

As of May 2018, new legislation was introduced across the European Union in the form of the EU General Data Protection Regulation (GDPR). The aim of this piece of legislation is to collectively strengthen data security for individuals and allow for greater unity in this area. Furthermore, it addresses the issue of personal data being exported outside the EU. This makes it easier for businesses conducting across multiple EU countries. According to the summary of the act, it also aims to make it easier for non-European countries to comply with the legislation of the EU.

The operator of a website needs to ensure that visitors know that they are on a site where cookies are being used. The information collected should also not be used for any purpose that might be seen as intrusive or inappropriate. It is worth noting that if cookies are necessary for providing goods and services, websites are not required to offer this service to anyone who rejects the use of cookies. As a business website operator, you should be as transparent as possible towards your customers. Do not just tell them what data you want but also why you want this data. Some websites opt instead to tell users what they won’t use the data for. This is not recommended, however, as it may lead to even less clarity. Information on the privacy policy should be easily accessible and ideally made available to the user as soon as possible. This is especially the case when it comes to apps. Always make sure to keep privacy policies up to date with any changes that might have been made in the running of the website.

Under the Privacy and Electronic Communications Regulations (PECR), individuals need to be informed when information (e.g. a cookie) is to be stored on their device as well as giving them an opportunity to reject this from happening.

In Europe, there is a ‘right to be forgotten’. This is a law introduced in 2006 which allows an individual to ask search engines, like Google, to remove any links that they might have to news articles and such, or at least remove them from the European version of their sites. This is an idea that has been prevalent in the UK for a long time. Over here there is the belief that after a certain amount of time, criminal convictions are ‘spent’ and should not be taken into consideration when it comes to things like employment, insurance, etc. On 13 May 2014, the European Court of Justice cemented the place of this law as a human right when they ruled against google in a landmark case. During this case it, was ruled that Google is to be seen as a so-called ‘data controller’ and is, therefore, required under EU law to remove online that data that is seen as being ‘inadequate, irrelevant, or no longer relevant’.

The Data Protection Act sets out a total of eight principles that businesses must follow when it comes to the use of personal information. Many of the principles have to do with ethics and general good practice for the processing of personal data. We have listed the various principles:

Principle 1: Personal data is to be processed in a way that is fair and lawful

Principle 2: Personal data is to be obtained for one or more purposes that have not only been specified but are also lawful. The data should not be further processed in any way that is incompatible with the specified purpose or purposes.

Principle 3: Personal data is to be adequate, relevant and should not be excessive when it comes to the reason or reasons for their use.

Principle 4: Personal data is to be accurate and should always be kept up to date (if applicable).

Principle 5: Personal data should not be retained for a period that is any longer than is necessary for the purpose or purposes that it has been collected and processed for.

Principle 6: Personal data is to be processed in line with the rights of data subjects under the Data Protection Act.

Principle 7: The technical and organisational approaches taken in response to unauthorised or unlawful processing of personal data should be appropriate against the accidental loss of, destruction of, or damage to personal data.

Principle 8: Personal data is not to be transferred to a country or territory that is outside the European Economic Area (EEA). This is only acceptable if the country or territory in question can guarantee adequate levels of protection for the rights and freedoms of data subjects when it comes to the processing of personal data.

There are certain guidelines that websites need to follow to ensure that your website is legal. These include things like company information (name, address, etc.), as well as a privacy policy. The privacy policy is required to inform the visitor about the following things:

• What information is being collected
• Why this information is being collected
• How the information is being stored and kept safe
• Whether or not the information is going to be shared away from the website
• How to get in touch with the business/website in question

This is where cookies come into play. The user needs to be informed about what cookies are going to be created and for what purpose. The user also needs to give their consent for any cookies that will be left on the user’s computer, laptop, smartphone, etc.

When it comes to e-commerce sites and online shops, there are certain details and features that must be accessible on the web page. Amongst these are included:

• Terms and conditions
• Delivery and Returns policy

These are part of the general Consumer Protection (Distance Selling) Regulations and Electronic Commerce Regulations (EC Directive). As an e-commerce site, it is highly likely that you are collecting and processing credit and debit card information, in which case you must conform to the Payment Card Industry Data Security Standard (PCI DSS), which is there to help prevent fraud by outlining security and encryption requirements. Another thing that will be relevant to your e-commerce site will be the EU Anti Spam Laws; these relate to things like opt-in mailing lists and their opt-out policies. These EU laws also cover situations where email databases have been purchased; in circumstances like this, you are still required to ensure whether the individuals involved have given their consent for their contact details to be passed onto third party websites. Passing consumer information onto other third party websites always requires the consent of the user.

In principle, a privacy policy is basically a contract between your website and the visitor. The more accessible and more comprehensible this contract is, the better it is for everyone involved. This means that you should also ensure that the link to the privacy policy is very visible and easy to find on your web page.

EU legislation aims to keep the consumer as well informed as possible. Before completing a purchase, a consumer has to be informed of their right to cancel the order within 14 days of the purchase being made. This, as well as other information, is required to be sent to the customer, usually via email. E-commerce sites are also expected to provide the buyer with a comprehensive breakdown of all costs incl. delivery, before they confirm the purchase. The laws also specify that the button clicked for completing an order also includes a written acknowledgement of a payment being made. Failure to do this or any of the laws can be prosecuted as a criminal offence.

As can be seen, all these laws and regulations regarding data protection and data security can be very elaborate and complex. For this reason, many e-commerce sites opt to outsource the data and processing systems to a third party website; a popular example of this is PayPal. For a fee, PayPal will take responsibility for the processing of data and payments. There are many different third party sites that offer this service, however, you should always make sure that you choose one that is well-known and reputable.

Of course, with such comprehensive legislation comes equally as comprehensive penalties for failing to comply. It is also the ICO that is responsible for handing out these penalties. There are several forms that these penalties can take: fines, prosecutions, committing to new reforms/courses of action, enforcement notices, or even an audit. Monetary penalties can get very expensive firms with fines going as high as half a million pounds. These penalties can also be very costly in terms of a business’ reputation – on their website the ICO has published details for every penalty incurred, [ICO: Action we’ve taken – enforcement] be they monetary or another form of penalty. This list is very detailed, referring to the business in question, the penalty incurred, as well as the exact reasons for the penalty.

The ICO also makes sure to demonstrate how the quantity and diversity of penalties are increasing year by year. Having handed out only two penalty fines in 2010, they dished out over 100 in 2017. This is set to increase even more due to the changes of May 2018 when the EU General Data Protection Regulation (GDPR) was introduced. The maximum fine is no longer limited to £500,000 and instead can be as much as €20 million or 4% or annual global turnover – whichever is higher. This now means that a GDPR penalty can seriously threaten the insolvency of so many businesses – and why it is best to really pay attention to these new regulations.

These new developments demonstrate just how important it is to stay up to date with legislation regarding data protection and security. This becomes even more relevant for UK businesses as Britain prepares to leave the EU, meaning that businesses need to pay even more attention to any changes that may take place between EU legislation and that relating to the United Kingdom.

As this article has shown, data privacy and security are not always straightforward when it comes to the world of e-commerce. There are several complex issues and obstacles that need to be overcome in order to make sure that you are abiding by all the relevant legal guidelines. It is also worth keeping an eye on your state’s legislation. Given that this is an industry that is constantly changing and developing, the accompanying legislation covering data protection and data security evolves too, reflecting these changes.

Of course, at the moment Brexit is at the forefront of people’s minds in the UK. Given the legal aspects and implications of data protection, this is an issue that could be greatly affected by the UK leaving the EU. The good news for legislators and businesses alike is that, at the moment, the UK is keen to maintain the current data laws as they are, with the minimal amount of change. This is very significant for the digital economy. As it means that there will be little or no disruption to the flow of personal data, as well as other related legal issues. At the moment the EU has 12 so-called ‘adequacy arrangements’ with countries outside the EU (e.g. Switzerland), wherein the flow of personal data between these is protected to the same extent as between EU countries. It is hoped that a similar deal can be struck between Britain and the EU during the Brexit negotiations. While the process of Britain leaving the EU means plenty of complications for many aspects of business, these developments demonstrate that hopefully this won’t be the case for the area of data protection and security.

However, regardless of the outcome of the Brexit negotiations, the new GDPR rules will still apply to your e-commerce store, unless you’re planning on excluding the European market – a loss in potential customers. Because of the way the EU regulations work, the GDPR affects websites which may be visited by people browsing within EU member states. So even if Brexit means that this regulation won’t apply within the UK, UK websites ought still to comply, in case those who are browsing from Germany, for example, visit their site.

As we have seen with the change to the European legislation, this is an industry that is constantly changing and developing, and can affect internet activity across the globe – and with that, affect the data protection and data security too.