Privacy Law and Requirements for eCommerce Businesses


This post is Part 2 of a series covering core legal issues for eCommerce and Internet-based businesses.

Data Privacy and Privacy Policies in eCommerce Business

Privacy concerns arise in any situation where personal information is collected and stored.  In fact, any website that collects personally identifying information is required to post a Privacy Policy disclosing the ways that the party gathers, uses, discloses, and manages personally identifying information.

While there is no single definition for what constitutes personally identifying information, with respect to Privacy Policies, it is prudent for companies to assume a definition that covers any information that could possibly identify a person or information about them. And eCommerce businesses that collect financial information such as bank accounts, credit cards or social security numbers must be hyper-protective of this data.

For eCommerce businesses, data privacy and security are critical aspects of operations.  Failure can subject companies to regulatory penalties, lawsuits, as well as loss of business associated with their site being deemed “unsafe.”

Evolution of the eCommerce Privacy Policy

Although data privacy concerns have been a part of online business since the inception of the Internet, in the past few years there has been a fundamental shift in how companies are expected to handle user data. 

For many years, online businesses would create a privacy policy that was very one-sided and typically granted the company a broad range of rights with respect to how and what data they collected, and how they chose to use it.  Since these policies were buried in a link somewhere on the site, most users never even read the policy.  However, by using the site and services, the users would effectively have consented to the policy.

Data Privacy Laws and eCommerce 

The old approach to user privacy described above will no longer work.  Consumers are more sensitive than ever to how their data is collected and used by the sites they visit and have been pushing back on eCommerce businesses and demanding more transparency and control of their data.

In addition, government regulators and legislators have enacted a host of data privacy laws to govern the collection and use of user data.  These new rules require more than a one-sided privacy policy granting broad privileges to the eCommerce providers.  Instead, eCommerce businesses must disclose in clear language how and what data they collect.  They must also provide the ability for users to review the data that has been collected and must give users the right to have this data deleted upon request.

As such, eCommerce Privacy Policy terms must be written in such a manner that consumers have significantly more power over the collection and use of their data.

As noted above, governments have made data privacy a priority in recent years.  The paramount example of this is seen in “General Data Protection Regulation 2016/679,” commonly known as “GDPR,” which was enacted by the European Union (EU) just a few years ago.  

The Effect of GDPR on eCommerce

At the time it was adopted, the EU’s GDPR established the most comprehensive and consumer-friendly privacy laws in the world. Some key aspects of the GDPR include:

  • Lawfulness, fairness and transparency — Data processing must be lawful, fair, and transparent to the data subject.

  • Purpose limitation — eCommerce companies must process data only for the legitimate purposes that were explicitly specified to the data subject when the data was collected.

  • Data minimization — eCommerce companies should collect and process only as much data as absolutely necessary for the purposes specified.

  • Accuracy — eCommerce companies must keep personal data accurate and up to date.

  • Storage limitation — eCommerce companies may only store personally identifying data for as long as necessary for the specified purpose.

  • Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).

  • Accountability — The data controller is responsible for being able to demonstrate GDPR compliance.

U.S. companies should also be particularly cautious because the EU’s privacy regulations are far stricter than those in the United States and can apply to U.S. companies to the extent they interact with EU companies or individuals.

And with maximum penalties for violations of up to 4% of a company’s global annual revenues, eCommerce companies literally cannot afford not to comply with the GDPR.

Although there is not a single, nationwide law in the United States that is generally applicable to privacy policies, there are some federal laws that govern certain elements of Privacy Policies.  Notable examples include:

  • The Fair Information Principles, published by the Federal Trade Commission, provide a set of non-binding governing principles for the commercial use of personal information.  These principles offer guidance for drafting policies that address existing privacy concerns.  The four critical issues identified in the Fair Information Principles are: (1) notice, meaning that information practices must be disclosed before personal information is collected; (2) choice, meaning that consumers must be given options as to how collected personal information can be used beyond the purpose for which it was provided; (3) access, meaning consumers should be able to check the accuracy and completeness of personal information collected; and (4) security, meaning that reasonable steps must be taken to assure consumers that the personal information collected is secure from unauthorized use.

    In order to conform with the Fair Information Principles, a Privacy Policy generally includes statements regarding the following: (1) the sources from which personal information is collected; (2) specifically how the collected personal information is used; (3) with whom the collected personal information is shared; (4) an option allowing consumers to opt out of the disclosure of personal information to third parties; and (5) the steps taken to protect the collected personal information.

  • The Children’s Online Privacy Protection Act (COPPA) mandates that commercial websites, which direct online services to children under 13, or that knowingly collect information from them, inform parents of their information practices, and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. In addition to posting a privacy policy, these websites must also adhere to enumerated information-sharing restrictions.

  • The Health Insurance Portability and Accountability Act (HIPAA) requires written notice of the privacy practices of health care services.  HIPAA governs how an individual’s health information is used by organizations and disclosed to others. All health care providers, insurance companies, employer-sponsored health plans and HMOs are covered entities that must comply with the privacy rule’s requirements. HIPAA’s covered entities are among the most extensively regulated with regard to information privacy.

State Data Privacy Laws

California recently passed the California Consumer Privacy Act (CCPA), which established the most stringent consumer privacy laws in the United States.

The CCPA has been referred to as “America’s GDPR.” Similar to the GDPR, the CCPA requires organizations to focus on user data and provide transparency in how they’re collecting, sharing and using such data. Violators of CCPA face penalties up to $7,500 per violation.

eCommerce companies serving or employing California residents may find these CCPA requirements have the biggest impact on their business plans:

1. Data inventory and mapping of in-scope personal data and instances of “selling” data

2. New individual rights to data access and erasure

3. New individual right to opt out of data selling

4. Updating service-level agreements with third-party data processors

5. Remediation of information security gaps and system vulnerabilities

Much like the reach of GDPR extends beyond the EU, eCommerce businesses don’t have to be based in California to become subject to CCPA.  Any data collected from California companies or citizens could implicate CCPA’s provisions.

Numerous other states have implemented regulations for Privacy Policies. For example, Texas requires that “persons who require disclosure of a social security number adopt, make available, and strictly follow a Privacy Policy.”  Additionally, both Nebraska and Pennsylvania have laws treating misleading statements in Privacy Policies published on websites as deceptive or fraudulent business practices. And still other states, such as Virginia, are in the process of enacting their own CCPA-like comprehensive data privacy laws.

Creating a Privacy Policy for eCommerce

eCommerce businesses must be aware of a number of factors in creating a privacy policy.  First and foremost, they must know what data they want to collect and how they plan to use it. 

Initial Considerations

  • Does your website collect personally identifying information?

  • Are you otherwise required to post a Privacy Policy by law?

Specific Provisions

  • What type of information is collected and from what sources?

  • Do you use cookies or beacons?

  • Are you in compliance with COPPA?

  • Specifically, how is the collected information used?

  • Is the collected information shared with third parties and with whom?

  • What steps are taken to ensure the security of collected information?

  • How can a user access and/or change their information?

  • Is there an opt-out arrangement provided for customers?

  • In the event of a business transition, what will happen to collected information?

Overall Considerations

  • Is the Privacy Policy, or a link thereto, in a conspicuous and easily accessible location?

  • Is the Privacy Policy clear, concise and reasonably understandable?

  • Is the Privacy Policy consistent with your actual practices?

  • How will material changes to your website’s collection, use and disclosure practices be addressed in your Privacy Policy?

In addition to the above operational considerations, eCommerce businesses must comply with applicable state and U.S. data privacy laws like those referenced above.  Moreover, depending on where their users are located, it is possible that they may also need to comply with other laws, such as CCPA and GDPR.

Common Pitfalls – Follow Your Own Privacy Policies

It is important for companies to draft Privacy Policies that accurately reflect their actual practices.  This is commonly where companies run into problems and open themselves up to liability.  When a company fails to strictly follow its posted Privacy Policy in its day-to-day operations, its actions may be seen as unfair or deceptive trade practices leading to enforcement actions.  Thus, it is important to avoid simply borrowing language from another’s Privacy Policy or a standard template.  Rather, a company should disclose their actual collection and maintenance practices in a clear and concise manner.

Finally, although current best practices would be to aim for complying with the core elements of CCPA and GDPR, as they represent the current state of the art with respect to data privacy laws, the laws in this area are still evolving.  Thus, a Privacy Policy that was adequate last year may not be sufficient next year.  

As such, eCommerce businesses must vigilantly monitor changes in these laws and in their own operational practices and must update their own privacy policies as needed.

Conclusion

eCommerce businesses must be aware of a number of factors in creating a privacy policy, including their own operational needs, as well as ever-evolving state, national, and foreign data privacy laws. Failure to do so can cost them dearly.

To view previous articles in this series:

Part 1 eCommerce Law for Internet-Based Businesses

ABOUT THE AUTHOR:  Jim Chester is a 25-year technology business lawyer, professor and entrepreneur.  He is a recognized authority in buying and selling technology businesses, global technology transactions, and providing strategic legal counsel for innovation-based companies.  For more on Jim, visit his professional profile. You may email Jim at jim.chester@klemchuk.com.
