Facebook, GDPR and data privacy: Will new measures affect e-commerce sellers?


Data privacy is top of mind. Here’s how e-commerce sellers can prepare for the European Union’s GDPR – the most comprehensive data privacy law since the birth of the internet.


Last week, the issue of data privacy in the Western world reached a new level of urgency. London-based political consultancy Cambridge Analytica came under fire for harvesting the data of 50 million Facebook users, which was then used by the Trump campaign to influence voters online. Experts suspect the consultancy also had a hand in influencing the Brexit vote, which sent a shockwave throughout Europe and the world.

Needless to say, Facebook has faced significant backlash since the revelation. Its stock price dropped by 15% and the #deletefacebook movement took off on social media. Millions of users were shocked by the detailed data Facebook had collected from them and sought to deactivate their accounts.

The timing of the scandal coincides with the implementation of Europe’s General Data Protection Regulation law, which goes into effect May 25th, 2018. The GDPR is the most comprehensive data privacy law drafted by the EU and will set the precedent for data privacy of sovereign nations. It will require any company in the world that handles EU customer data to disclose how it collects, stores and processes users’ data. Users may also request a copy of their data from any business and request that it be deleted. Non-compliance with GDPR could mean a US$20 million fine or the equivalent of 4% of a company’s annual sales.

In the 21st-century globalized world, innovation often occurs faster than governments’ ability to enact corresponding regulations. In the case of social media and e-commerce, free enterprise and governments are coming head-to-head in a battle over the protection of users’ data. To prevent punitive action and ensure compliance, e-commerce sellers need to stay in the know.


GDPR will affect every company with EU customers – regardless of where that company is based


An important distinction to make is that the GDPR affects companies that process EU citizens’ data, which means that Asian and American companies will also be forced to comply. For example, if a seller on Amazon or Taobao stores an EU customer’s information, order history, payment preferences, or site activity, that behavior will constitute ‘monitoring’. Both the seller and the platform will be subject to the GDPR even if they’re located outside of Europe.

Furthermore, the law applies to data processing, meaning that any server used to handle customer data is also subject to the law.

Put simply, the GDPR seeks to return the control of data back to consumers, allowing them to delete their digital footprint should they choose to do so. That means that any EU consumer can review, revise and delete their data, and can also restrict how it’s processed. Any request made by a consumer to an e-commerce company must be fulfilled within 30 days. For Chinese companies that don’t have the in-house capacity to field multilingual concerns, this could entail establishing a foreign partner in the EU to handle customers’ privacy.


Compliance with the APEC Cross Border Privacy Rules gives companies a head start


The Cross Border Privacy Rules (CBPR) system issued by Asia-Pacific Economic Cooperation (APEC) provides a good starting point for Asian businesses, although the certification mechanisms differ. The CBPR relies on certification conducted by non-state auditors, whereas the GDPR relies on a centrally governed entity approved by the EU Commission. And unlike the GDPR, which can be governed and enforced by the EU, the CBPR has no central body to ensure compliance. According to lawyer and data protection specialist Udo Steger, “While the CBPR is in many aspects ‘softer’ than the GDPR, it remains a useful starting point for organizations to put in place the much more formal data protection policies and procedures required by the GDPR. This is particularly true for companies where such procedures have not previously existed.”


E-commerce sellers need to research the measures their platforms have taken to comply and make all data collection ‘opt in’


For SMEs without the resources to hire legal assistance, the GDPR poses a challenge. Many C2C platforms such as Shopify, Amazon, and Alibaba are rolling out training programs for sellers to help them comply with the law, as well as ensuring that their methods for processing data are secure. That said, smart e-commerce sellers can stay ahead of the curve by doing a self-audit before May 25th.

(1) Sellers should determine if and how they collect user data and ensure that the mechanisms used to do so are adequately protected against external security breaches.

(2) Sellers should work out how to handle data requests made by EU citizens. Create a portal on your site that allows customers to make data requests, and check with your e-commerce platform to see if it offers support in this area.

(3) Similar to a privacy policy, sellers will need to post a statement that explains how customers’ data is used and processed.

(4) It’s common practice in e-commerce to sign up customers for a newsletter upon completing a purchase. From now on, every box that’s automatically checked needs to be unchecked by default, so that customers actively opt in to future correspondence.
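As an added illustration of steps (2) and (4), not code from the original article or from any platform it mentions, the following Python sketch logs incoming data requests (review, revise, delete, restrict), computes the 30-day fulfilment deadline the article cites, flags overdue requests, and records newsletter consent only when the customer explicitly ticked the box. The request types, field names and sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class RequestType(Enum):
    """The four rights the article lists for EU consumers."""
    ACCESS = "access"      # review / obtain a copy of the data
    RECTIFY = "rectify"    # revise the data
    ERASE = "erase"        # delete the data
    RESTRICT = "restrict"  # restrict how it is processed


RESPONSE_DEADLINE_DAYS = 30  # fulfilment window stated in the article


@dataclass
class DataRequest:
    customer_id: str
    kind: RequestType
    received: date
    fulfilled: Optional[date] = None

    @property
    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)

    def mark_fulfilled(self, when_iso: str) -> None:
        self.fulfilled = date.fromisoformat(when_iso)

    def is_overdue(self, today: date) -> bool:
        return self.fulfilled is None and today > self.due


def new_request(customer_id: str, kind: str, received_iso: str) -> DataRequest:
    """Validate the request type (unknown kinds raise ValueError) and log it."""
    return DataRequest(customer_id, RequestType(kind), date.fromisoformat(received_iso))


def overdue_customers(requests: List[DataRequest], today_iso: str) -> List[str]:
    """Customers whose open request has passed the 30-day deadline."""
    today = date.fromisoformat(today_iso)
    return [r.customer_id for r in requests if r.is_overdue(today)]


def build_consent(form: dict) -> dict:
    """Opt-in only: a missing checkbox field means no marketing consent.
    A browser sends 'on' for a ticked checkbox without a value attribute."""
    return {
        "order_emails": True,  # transactional mail needed to fulfil the purchase
        "newsletter": form.get("newsletter_opt_in") == "on",
    }
```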

