Staying on the Right Side of the Law in a Digital World
With greater numbers of companies than ever before conducting business online, it’s never been more important to be aware of the rules and regulations governing global e-commerce.
Below, Ed Wright, Partner in the commercial team at Shakespeare Martineau, explains that understanding consumer protection and GDPR, as well as how contracts and agreements should be structured, is vital to e-commerce success.
Before anything else, companies must establish how their business model fits inside the various regulatory frameworks. Business-to-business organisations have a regulatory regime that they must comply with, but they often have the ability to contract around these regulations, as long as data is processed securely. Business-to-consumer organisations, on the other hand, are not only required to follow e-commerce regulations, but must also comply with a whole layer of compulsory consumer protection legislation. Therefore, the measures that should be taken and the visibility that is needed depend heavily on the type of business and its target customer.
E-commerce has given rise to a host of complexities that were not present “offline”. In order to ensure their protection, consumers must not be placed in a position where they are disadvantaged or unfairly treated. This has led to an increase in the level of consent that is required – specific, informed, unambiguous and given by affirmative action – because personal data is now so widely collected and used, and because businesses rely on it for the purposes of contract performance, regulatory compliance or their legitimate interests.
Transparency is key, and consumers must be provided with all the information they need about the business with whom they are dealing, the products or services they are buying, contract processes, how any personal data collected will be stored or shared, and their statutory rights as a consumer or data subject. If a business fails to provide this critical information, consumers may be able to treat the contract with the vendor as void. As well as this, because personal data is so easy to obtain from online sales, businesses must only take essential information and inform consumers of how it will be used, including if it is going to be seen by third parties. If third parties are going to be handling the data, they should be instructed on the correct way to do so, ensuring their actions are in line with the company policy.
Cancellation rights must also be supplied to the consumer for online sales, as trapping them into a sale would break consumer protection regulations. Businesses cannot avoid the cancellation process, so keeping consumers ill-informed only extends the procedure, causing unnecessary issues for both the company and those that have purchased goods from them.
An all-pervading issue in e-commerce, GDPR is another form of consumer protection, which aims to stop the sharing or other use of a person’s data without their consent, as well as stopping businesses from being able to rely on other lawful grounds. All businesses should have their own data protection standards, which cover how employees are expected to deal with any personal data they obtain.
Every business, and every employee acting on its behalf, must follow GDPR regulations throughout the process of a sale, meaning security measures need to be in place if data is to be shared outside the country, where data protection laws may differ.
Common GDPR pitfalls often arise from a lack of awareness and compliance by processors carrying out some form of data processing for data controllers. However, if processes are regularly assessed, and altered if they are not secure enough, GDPR does not have to be a headache. Businesses are now held specifically accountable for being able to evidence their GDPR compliance, and keeping good records of all personal data held, the processing of such data and the lawful grounds for doing so, and any process alterations, is an ideal way to do this.
Accountability is also no longer purely attached to data controllers. Those who process the data can now be held accountable too and have their own requirements which they must follow. Businesses need to ensure all of their employees carefully consider their role in the protection of personal data to avoid being fined.
The consequences of data breaches are not to be taken lightly. Originally, the maximum fine for a breach was 500,000 euros; however, many businesses were still abusing personal data by sending out mass marketing emails. To tackle this issue, the fines were increased. For relatively minor, procedural non-compliance breaches, businesses may be fined up to 10,000,000 euros or two percent of annual worldwide turnover, depending on the scale and severity of the consequences. For more severe breaches, including abusive or unscrupulous use of personal data or non-observance of data subject rights, businesses may face fines of up to 20,000,000 euros or four percent of annual worldwide turnover, again depending on the scale and severity of the consequences.
With those figures in mind, it is clear that companies must be extremely careful that they comply with e-commerce regulations. As long as they make sure that the information they supply is easy to understand and covers every step of the sales process, there should be no issues. E-commerce requires complete certainty on both sides, with transparency being at its heart.