Every day in the world of e-commerce, an incredible variety of transactions takes place, many of which require providers to have access to consumer data. However, many users have concerns about handing over their personal data—and for good reason. Far too often, highly sensitive data is misused, unlawfully used for advertising purposes, or even passed on to other third parties. In order to avoid unhappy customers, as well as any possible legal consequences, it is highly advisable that companies stay on top of the subject of data protection. Anyone who loses sight of the complex data security issues very quickly runs the risk of breaking laws and incurring very costly fines.

The term ‘data protection’ originally stems from Europe and came about in reference to privacy-protective legislation. In the United States, on the other hand, this was more often referred to as data privacy. Data privacy in the US can vary depending on which state you are in. This article outlines both the national legislation as well as the country/state-specific laws and guidelines that you need to follow as an online business operator.

The aim of data security

Data protection laws are there to help keep your online personal information safe and secure. At the moment, the United States is without any nationwide laws or legislation covering this exact topic. It should be mentioned, however, that some degree of data protection is provided under the likes of the United States Privacy Act, the Safe Harbor Act, as well as the Health Insurance Portability and Accountability Act (HIPAA). That being said, none of these are particularly relevant to the area of consumer data protection.

The United States values the first amendment of its constitution, i.e. the right to free speech, very highly. In practice, this means that data protection rules can be impeded or blocked entirely. The "right to be forgotten" observed in Europe, where an individual can ask search engines such as Google to remove news articles about them, cannot easily be applied across the Atlantic, where the constitution protects freedom of expression; people cannot request to have negative information about them removed from the web so easily. In other words, there is no constitutional basis for an all-encompassing data privacy act. Simply put: if an individual or business has gone to the effort of entering data, it is seen as having the right to store and use it, even if, technically speaking, the data was collected without permission.

However, since May 2018, there has been a new EU regulation in place, which also affects the US market to an extent. The General Data Protection Regulation applies to all countries in the EU, but more specifically, to the web users within the EU. This means that your US website, if visited by an internet user based in the EU, has to comply with these data protection regulations too. Because of this, while you make sure you’re up to speed with the local regulations (different states may have different regulations), you should also keep the EU regulations in mind and put the right measures in place in case you get a visitor from an EU country.

Personal data vs. sensitive personal data

The Federal Trade Commission (FTC) defines personal data as information that can be used to identify a person and even get in contact with them. Among this type of information are IP addresses and device identifiers, such as the distinctive telephone number associated with a smartphone or other handheld device. Sensitive personal data is seen as being things such as personal health data, financial data, credit rating data, student data, and any other data that could be used for identity fraud or theft. Any information collected online from children under the age of 13 is also deemed to be sensitive personal data.

Generally, the data security breach notices and data security laws of the individual states cover names of persons, as well as government ID numbers, payment card numbers, and health insurance data. Particularly relevant to online business owners is the fact that some state laws cover usernames and passwords for individuals’ online accounts.

The FTC has jurisdiction over many businesses within the commercial sector and, when it comes to some issues, has the authority to issue and implement privacy regulation in certain areas of industry, including commercial email, children’s privacy, and telemarketing. With regard to these areas, the FTC aims to prevent business practices that are unfair or deceptive. High profile data security breaches are dealt with by the attorneys general within each state. As the related court cases have made clear, these are all decentralized regulatory bodies or departments; there is no official national data protection authority in the United States.

Data protection in California

This has led to the US becoming reactive as opposed to preventative in this area, introducing some of the acts mentioned above. California is an exception to this rule, being a state that has advanced and specialized legislation when it comes to privacy, including data privacy. Section 1 of Article 1 of the California constitution outlines the inalienable right of its citizens to privacy. An example of this can be seen with the Online Privacy Protection Act (2004); this act requires that the operator of a website posts an easily identifiable link to the website’s privacy policy (often titled ‘Your California Privacy Rights’). The policy is required to outline the types of information collected by the website and how this information will or might be shared with other parties. It also must detail the way in which a user can go about reviewing and even making changes to the data that is stored about them.

Failure to follow these rules can be costly for a business. If, within 30 days of being contacted, a site still does not have a privacy policy posted or is found to be violating the law in some other way, then the website operator can be subject to legal action. In this case, they can be accused of negligence, whether conscious or unconscious, and can even be subject to fines. It’s also worth noting that this law does not only apply to companies based within the state borders; as soon as a website can be easily accessed by residents of California, the act comes into play for a company that saves/stores information online.

Following the cookie trail

When it comes to cookies and other similar tracking devices, Californian law requires firms to include in their privacy policy any information regarding personally identifiable data that is being collected and tracked across multiple websites over an extended period of time. If they are utilizing such methods, then they also need to include details on whether or not they honor any ‘Do-Not-Track’ program by giving visitors the ability to opt out of such tracking systems. However, Californian law does not require websites to provide a ‘Do-Not-Track’ option.

The law in California does state that website operators are required to explicitly state in their privacy policy if there are any third parties who have access to personal consumer data relating to the website in question. This information may have been sourced from the website or from a third-party webpage. Advertising of certain products and services is also not permitted in California. Included in this list are tattoos, firearms, alcohol, some dietary supplements, and ultraviolet tanning.

Minors in California are treated specially under the law – in this case, the term minor refers to anyone under the age of 18. Minors who are registered users of a site have the right to remove any content that they might have posted and uploaded from the site or web service. This piece of legislation applies to websites and online services that are principally aimed at the aforementioned minors, or that knowingly collect and file personally identifiable information from minors.

Data privacy in Massachusetts

The state of Massachusetts has a law requiring any organization to make one or more of its employees responsible for its information security program. As with the aforementioned laws specific to California, this law covers all organizations that possess or license personal data (sensitive or otherwise) of Massachusetts residents, meaning that it extends beyond the borders of the state. There is a similar nationwide law that applies to all companies and organizations subject to HIPAA (see above), which are all required to appoint a data protection officer and an IT security officer. One of the main reasons for this is that the data security requirements expected of these HIPAA-regulated organizations are more extensive, and there are some states that have even more detailed security requirements for things like payment card data and social security numbers.

The security program required by law in Massachusetts requires any organization or firm to have a written information security program. This program needs to be comprehensive and there are certain minimum requirements that it must meet. It needs to make sure that all service providers who have access to this sensitive personal data are bound to these regulations. There are also encryption requirements on the transmission of sensitive personal information via wireless networks and beyond the physical/logistical area of the organization. The same applies to any laptops and portable devices that an organization might have. It is worth noting that this requirement isn’t specific to Massachusetts but applies in the state of Nevada as well.

Data security in Canada

North of the border there is a similar set of rules that have been implemented under the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA). Under this law, organizations in Canada need to:

  • Acquire consent when they collect, use, or disclose personal information of their customers.
  • Acquire and file information by using methods that are legal and fair.
  • Clearly state what their policies relating to personal information are.
  • Never refuse to supply customers with a product or service if they choose to opt out of having their data collected, used, and disclosed.

Security breaches

The e-commerce industry handles a lot of very personal, sensitive, and important data. This means that no matter how much security is implemented, there will always be the threat of a significant breach and the loss of such data. Currently, 47 states require state residents to be notified when there has been a breach of security involving one or more of the following pieces of information: name, credit card number, bank account number, government ID number, social security number, etc.

It is worth noting that more and more states are beginning to recognize tax IDs and login details (username and password) as sensitive data. As a result, they are also becoming subject to the laws regarding breaches. Breaches of information from financial institutions need to be reported to consumers according to federal law. There are also some states where some breaches need to be reported to state officials; in some cases this might even go as far as a particular state’s Attorney General.

What happens if these rules are broken?

Inevitably, these rules and guidelines will also occasionally be breached and broken. Civil penalties are handed out by the FTC, state attorneys general, or even the regulatory body of the industry sector in question. Furthermore, such violations can also lead to lawsuits and trips to court. It goes without saying that such things should be avoided, as the cost of compensation, lawyer fees, etc., can add up and make the whole affair expensive. Failure to provide sufficient data security for personal data, for example credit card details, can easily lead to an e-commerce business being sued.

Email marketing

In the United States, marketing communication is regulated extensively. There is a federal law, the so-called CAN-SPAM Act, which not only applies to emails but to all commercial messages – defined by the law as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”. The law does not distinguish between business-to-customer and business-to-business emailing. Just like with a lawsuit, failing to carefully follow the rules in this area can be very costly; each individual mail found to be in violation of the CAN-SPAM Act can be subject to a fine of up to $40,654. This information is very important for any business using this sort of communication, including the likes of newsletters, updates, blogs, etc.

The CAN-SPAM Act is quite comprehensive in the range of issues that it covers. Here is an overview of its primary requirements:

  1. No misleading/false information in the header – it must be easy for the recipients to identify the individual or organization who wrote and sent the message.
  2. No misleading subject lines – this guideline should be fairly self-explanatory.
  3. Disclose that the message is an advertisement – although the law provides quite a bit of leeway when it comes to this particular rule.
  4. Include an address – every email also needs to feature a physical postal address.
  5. Include opt-out information – this ought to be easily identifiable and easy to carry out. It is recommended that you use a different font size and color for this. A return email address or online link is sufficient in this regard. If you wish, it is possible to present the recipient with a menu, wherein they can choose to opt out of certain categories of emails; however, you will also need to include an option to cease all communication. Finally, you should make sure that such replies from customers do not end up in your spam folder – adjust your settings if necessary.
  6. A timely opt-out – the 30-day period after you send a business email is crucial, as you are required to process any request to be unsubscribed made during this period. This process is not allowed to be in any way complicated: you cannot require recipients to do more than send a simple reply or visit a single web page. It is illegal to demand identification or even a fee from the individual. Once an opt-out request has been sent, you have 10 working days to process and execute it. It must be noted that such a request prohibits not just you or your organization from sending emails; it also prohibits the selling or transferring of email addresses to other companies – the exception being if the company you are transferring them to is, in fact, one that has been employed for the purpose of assisting you with CAN-SPAM Act compliance.
  7. Don’t shirk responsibility – employing a third party to look after your email marketing does not leave you immune to being legally responsible for what is being sent out to recipients. Both you and the third party can be held legally responsible for any actions taken or not taken, as the case may be.

Purposely altering the origin or routing of an email with the aim of misleading users is prosecutable under federal law.

A note on Google Analytics and similar

Website operators who use Google Analytics must now also obtain the explicit consent of website visitors regarding tracking in order to act in compliance with EU law - a position that is accompanied by legal uncertainties and the risk of warning letters for those affected. However, there are also data-protection-friendly alternatives to Google Analytics, such as Piwik or Chartbeat, which you can use for your web analyses instead.

Tip

Take a look at the official EU GDPR portal to see what the key changes are to data protection and cookie policies in the EU. Of course, it doesn’t apply as heavily to the US market, but it could have an effect on your relationship with EU customers all the same.

Cookie policies in the US

Apart from in California (see above), in the United States there is no specific law covering the use of cookies or other similar online activity tracking devices. One piece of legislation that is very important is the Children’s Online Privacy Protection Act (COPPA). This act refers to the information that is automatically collected from websites aimed at children, as well as other websites, networks, and even plug-ins that knowingly collect information from children under the age of 13 who are using the internet. Behavioral advertising for children under the age of 13 is also covered by COPPA.

It is vital that a customer or visitor to your site is well aware that there are cookies or other similar tracking devices in use. Failure to inform visitors of this can bring about the risk of legal action, fines, etc. There is also something known as the Digital Advertising Alliance code of conduct. Among other things, it recommends the inclusion of a display icon that makes it easy for users to decide against being tracked for behavioral advertising purposes.

Furthermore, due to the new regulations in place in Europe after the GDPR came into effect, you should be aware that your cookie policies should extend beyond following the US regulations – unless you only want to target a US market, which would put you at a disadvantage, as you would lose a large number of potential website visitors. Because of the new regulation, principles in Europe such as the right to be forgotten, which normally do not apply to US sites, may now be something you should consider.

These days, plenty of e-commerce activity takes place via smartphone apps, as one might expect. This increase in shopping on the go has led to a wider debate regarding data privacy relating to location data. This is where telecommunications companies become involved: the Federal Communications Commission (FCC) regulates the collecting and disclosing of location information by telecommunications companies.

As this article has shown, data privacy and security are not always straightforward when it comes to the world of e-commerce. There are several complex issues and obstacles that need to be overcome in order to make sure that you are abiding by all the relevant legal guidelines. It is also worth keeping an eye on your state’s legislation. As we have seen with the change to the European legislation, this is an area that is constantly changing and developing, and can affect internet activity across the globe – and with that, affect data protection and data security too.
