The eCommerce landscape can often be a complex matrix of legal obligations and data protection measures. Between privacy policies, sales tax regulations that vary by state and even city, and data collection regulations, understanding and navigating these legalities can be a Herculean task. Two laws that often stir confusion are the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a piece of legislation that came into effect in May 2018, developed by the European Union (EU) to strengthen and unify data protection laws for all individuals within the EU. The regulation not only applies to organizations located within the EU, but it also extends to organizations outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The GDPR’s key purpose is to give individuals more control over their personal data, while imposing strict rules on those hosting and processing this data, no matter where they are based – including the United States.
The GDPR lays out several key principles for data management and rights for the individual, including the rights to access, correct, delete, and transfer personal data. Businesses must ensure that they have clear consent to process the data, that they are safeguarding the data appropriately, and that they notify relevant authorities and data subjects promptly when a data breach occurs. Certain businesses are also required to appoint a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance. Failure to comply with the GDPR can result in significant financial penalties.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that came into effect in California on January 1, 2020. The act aims to enhance privacy rights and consumer protection for residents of California. The CCPA applies to any business that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds:
- Annual gross revenues in excess of $25 million
- Buys or sells the personal information of 50,000 or more consumers or households
- Earns more than half of its annual revenue from selling consumers’ personal information
The CCPA provides consumers with specific rights regarding their personal information. This includes the right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt-out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights. Businesses are required to give consumers certain disclosures about their data collection and sharing practices.
Should a U.S.-based eCommerce store adhere to these regulations?
Here’s where the real confusion kicks in. Does a U.S.-based eCommerce store need to comply with these regulations? The straightforward answer is – it depends.
If you offer goods or services to, or monitor the behavior of, EU data subjects, regardless of whether a transaction occurs, GDPR applies to you.
For CCPA, if you have consumers in California and meet any of the conditions outlined above – you’re obliged to comply.
So, even if you are based in the United States, if you have EU customers or California-based consumers and meet the respective conditions, GDPR and CCPA are applicable.
What do I need to do to comply with these regulations?
Compliance involves several steps, including, but not limited to:
- Privacy Policy: Update your privacy policy to detail what data you collect, how it’s used, and how users can request data deletion, correction, or portability.
- Consent: Before collecting personal data, make sure you get explicit consent from the user. Make sure the consent can be withdrawn as easily as it was given. With eCommerce stores, this consent is usually accomplished with a notice and making visitors accept “cookies” immediately upon arrival.
- Data Protection Officer (DPO): Depending on the scale of data processing, appointing a DPO may be mandatory under GDPR.
- Security Measures: Implement appropriate security measures to safeguard personal data. In case of a data breach, inform the relevant authority within 72 hours.
Understanding and adhering to GDPR and CCPA isn’t just about legal compliance – it’s about instilling trust, safeguarding customer data, and setting your eCommerce store up for future success.
The links below have the latest information regarding GDPR and CCPA. It is recommended to check these regularly as some information may have changed:
- European Commission – Data protection in the EU: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
- State of California – California Consumer Privacy Act (CCPA): https://oag.ca.gov/privacy/ccpa
Disclaimer: This post is not intended to provide any legal advice but is for general informational purposes only. Your Store Wizards recommends seeking professional legal advice if you meet the conditions which require you to be in compliance with one or both of these regulations.
Scott Sanfilippo began his eCommerce journey in 1994 by co-founding one of the Internet’s first online retailers, TheFerretStore.com, which was acquired by PetCo in 2006. In 2001, he co-founded the eCommerce design and marketing firm Solid Cactus, which was acquired by web.com in 2009. Today, Scott is the General Manager of Your Store Wizards and lives in Delray Beach, FL. Scott can be contacted at scott@yourstorewizards.com.