E-Commerce and Data Protection: New Best Practices Since GDPR

The General Data Protection Regulation (GDPR) — a European Union (EU) privacy regulation that went into effect May 25, 2018 — dramatically changed the way companies worldwide can collect, use, transmit and store the personal data of EU citizens.

No longer can merchants use prepopulated consent forms or single-click agreements to collect customer and e-commerce data. Instead, consumers must manually opt-in to give consent and must have a clear way to access their personal data, change subscription preferences and delete their personal information at any time.

But how well has GDPR been implemented?

Although organizations had years to prepare, many waited until the last minute to update policies and gather consent from their users and customers — and even more are still unprepared. So as the flurry of email notifications about privacy settings begins to slow, it’s time to take a look at what, if anything, has really changed since May 25 and which best practices e-commerce merchants should be following to become — and stay — compliant.

What We’ve Learned From GDPR

Six months into GDPR, e-commerce merchants have learned — and changed — a lot, even as they continue to work toward compliance. Google found it needed to increase the length of its privacy policy by more than 48% (other merchants likely also faced increases to their policy size). Other major organizations, like the Los Angeles Times and the New York Daily News, have restricted website access for, ignored or even temporarily abandoned their EU customers as they sort through and comply with GDPR requirements.

Merchants who have complied with the standards may have found that they’ve lost upward of 25% of their addressable market. The reasons for the loss are simple: These customers haven’t given their consent to receive emails, which may be due to either the customers withdrawing their consent or their opt-in emails landing in junk folders.

And it’s not just EU citizens withdrawing consent. An estimated 33% of U.S. customers have decided not to complete an online transaction after reading something in the privacy policy they didn’t agree with or feel comfortable with.

As a result of the decline in addressable markets, some e-commerce merchants have seen their business volume decline; after all, merchants can’t gain existing customers by having them opt in — they can only lose them. Even online giant Facebook reported a decline of nearly a million monthly active users and declining ad revenue growth in Europe during the most recent quarter, which the company attributes to GDPR.

Best Practices for E-Commerce Data Compliance

To avoid losing customers and revenue, e-commerce merchants must continue to emphasize to customers that they’re valued as people, not just as data. Taking the time to explain to customers just how you will use their personal data can go a long way in improving the customer experience, retaining and building the customer base, and increasing loyalty. Here are five best practices you should be implementing in your e-commerce store to achieve these goals.

Process Customer Requests to Delete Records

Ensure you have a process in place that lets customers easily request that their records be deleted. Then make sure you follow through on each request, deleting those records across your entire e-commerce business: the account database, order history, mailing lists and any other system that holds the customer’s data.
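The following is an added example, not code from the original post or from ClearSale, showing what “following through across the entire business” can look like in practice: a single registry of every store that holds a customer, one erasure rule per store, and a verification pass after deletion. The store names, record fields and sample records are constructed for the example. It also goes one step beyond the text by showing that a store which must keep records for accounting (orders, in the example) can satisfy the request by removing the link to the person rather than deleting the row; this is an assumption about the merchant’s retention needs, not something the post states.

```javascript
// Added example (not from the original post): fulfilling a customer erasure
// request across every store that holds the customer, with a verification pass.
// Store names, field names and records below are constructed for the example.

// Constructed sample data: the same customer is referenced in three stores.
function sampleStores() {
  return {
    accounts: [{ id: 'c-42', email: 'shopper@example.com', name: 'A. Shopper' }],
    orders: [
      { orderId: 'o-1', customerId: 'c-42', total: 19.99 },
      { orderId: 'o-2', customerId: 'c-7', total: 5.0 },
    ],
    newsletter: [{ email: 'shopper@example.com', optedIn: true }],
  };
}

// One rule per store. This registry is the single answer to "where do we hold
// this person?"; a store with no rule is the failure mode to avoid, so the
// fulfilment function refuses to run rather than silently leaving data behind.
const ERASURE_RULES = {
  accounts: { match: (rec, c) => rec.id === c.id, action: 'delete' },
  // Assumption: order rows must be retained for accounting, so the row stays
  // but the reference to the person is removed (pseudonymised).
  orders: {
    match: (rec, c) => rec.customerId === c.id,
    action: 'pseudonymise',
    scrub: (rec) => ({ ...rec, customerId: null }),
  },
  newsletter: {
    match: (rec, c) => String(rec.email).toLowerCase() === c.email.toLowerCase(),
    action: 'delete',
  },
};

// Applies the rules to every store in `stores` (mutating it) and returns a
// fulfilment report that can be kept as the record of the request.
function fulfilErasureRequest(stores, customer) {
  const report = {
    customerId: customer.id,
    deleted: {},
    pseudonymised: {},
    remaining: {},
    complete: false,
  };

  for (const name of Object.keys(stores)) {
    const rule = ERASURE_RULES[name];
    if (!rule) throw new Error(`no erasure rule for store "${name}"`);
    let deleted = 0;
    let pseudonymised = 0;
    const kept = [];
    for (const rec of stores[name]) {
      if (!rule.match(rec, customer)) { kept.push(rec); continue; }
      if (rule.action === 'delete') { deleted += 1; continue; }
      kept.push(rule.scrub(rec));
      pseudonymised += 1;
    }
    stores[name] = kept;
    report.deleted[name] = deleted;
    report.pseudonymised[name] = pseudonymised;
  }

  // Verification pass: after fulfilment, no store may still match the customer.
  for (const name of Object.keys(stores)) {
    report.remaining[name] = stores[name]
      .filter((rec) => ERASURE_RULES[name].match(rec, customer)).length;
  }
  report.complete = Object.values(report.remaining).every((n) => n === 0);
  return report;
}

// Walk-through on the constructed data.
function demoErasure() {
  const stores = sampleStores();
  const report = fulfilErasureRequest(stores, { id: 'c-42', email: 'shopper@example.com' });
  return { stores, report };
}
```

The report’s `remaining` counts are the check worth keeping: a request is only closed when every store reports zero matches, and a newly added store with no rule fails loudly instead of being skipped.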

Update Terms of Service

Consider including a statement on how you process EU customers’ personal data, especially if this differs from how you handle the data on non-EU customers.

Update Privacy Policies

Let customers know what rights they have under the GDPR, what data they may be asked for and how your policies have changed for processing customer data.

Modify Cookie Policies

When cookies are used to identify a shopper via their device, those cookies are considered personal data and are subject to the GDPR. Update cookie policies to detail what cookies you use and how you use the collected data. You’ll also need to allow customers to specifically give and revoke consent for this usage, and no identifying cookie should be set until that consent has been given.
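As an added example (not code from the original post or from ClearSale), the snippet below gates every identifying cookie behind an explicit opt-in, makes withdrawal remove the cookies already set, and treats consent as stale when the cookie policy it was given for has changed. The cookie names, the consent record format and the policy version string are assumptions for the example. The cookie store is abstracted as a small in-memory jar so the code runs under Node; in a page the same functions would wrap `document.cookie`.

```javascript
// Added example (not from the original post): consent-gated identifying cookies.
// Cookie names, the consent record format and POLICY_VERSION are assumptions.

const CONSENT_COOKIE = 'cookie_consent';   // assumed name of the consent record
const POLICY_VERSION = '2018-11';          // assumed: change whenever the cookie policy changes
// Assumed names of cookies that identify the shopper (and so are personal data).
const IDENTIFYING_COOKIES = ['_visitor_id', '_affiliate_click'];

// Minimal in-memory stand-in for document.cookie so the example runs offline.
function createCookieJar() {
  const cookies = new Map();
  return {
    get: (name) => (cookies.has(name) ? cookies.get(name) : undefined),
    set: (name, value) => { cookies.set(name, value); },
    remove: (name) => { cookies.delete(name); },
    names: () => Array.from(cookies.keys()),
  };
}

// Consent counts only if it was granted for the current policy version;
// a changed policy means the shopper has to be asked again.
function hasConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return false;
  const [state, version] = raw.split(':');
  return state === 'granted' && version === POLICY_VERSION;
}

// Records an explicit opt-in. Nothing is pre-selected: absence of the
// record means "no consent", never "consent by default".
function grantConsent(jar) {
  jar.set(CONSENT_COOKIE, `granted:${POLICY_VERSION}`);
}

// Withdrawal must also remove identifying cookies set while consent was in force.
function revokeConsent(jar) {
  jar.set(CONSENT_COOKIE, `denied:${POLICY_VERSION}`);
  for (const name of IDENTIFYING_COOKIES) jar.remove(name);
}

// Every identifying cookie goes through this gate. Returns true only when
// the cookie was actually set; unknown names are rejected so a new tracker
// cannot be added without being listed (and described in the cookie policy).
function setIdentifyingCookie(jar, name, value) {
  if (!IDENTIFYING_COOKIES.includes(name)) {
    throw new Error(`unknown identifying cookie: ${name}`);
  }
  if (!hasConsent(jar)) return false;
  jar.set(name, value);
  return true;
}

// Audit helper: identifying cookies present while no valid consent exists.
function identifyingCookiesWithoutConsent(jar) {
  if (hasConsent(jar)) return [];
  return jar.names().filter((n) => IDENTIFYING_COOKIES.includes(n));
}

// Walk-through of one shopper session: before opt-in, after opt-in, after withdrawal.
function demoSession() {
  const jar = createCookieJar();
  const beforeOptIn = setIdentifyingCookie(jar, '_visitor_id', 'v-123'); // false
  grantConsent(jar);
  const afterOptIn = setIdentifyingCookie(jar, '_visitor_id', 'v-123');  // true
  revokeConsent(jar);
  return {
    beforeOptIn,
    afterOptIn,
    afterRevoke: jar.names(),                      // only the consent record remains
    leaks: identifyingCookiesWithoutConsent(jar),  // []
  };
}
```

The version check is the part most often missed: consent given for one described set of cookies does not carry over to a policy that later adds an affiliate or analytics cookie, so bumping `POLICY_VERSION` invalidates old consent records and the banner is shown again.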

Use Compliant Traffic Sources

Because not all advertising platforms are currently GDPR-compliant, e-commerce merchants must be mindful of the companies they choose to help generate traffic. Many ad and affiliate networks rely on marketing metrics like cost per click and click-through rates — all of which depend on collecting data through cookies stored in the customer’s browser. This can conflict with GDPR’s requirement for transparency about the use of these cookies.

Protecting Your Customers

What merchants must remember is that even if they have just one EU customer, they must fully comply with GDPR regulations or face fines of up to 4% of their global revenue. And GDPR compliance isn’t a one-and-done proposition. Merchants must ensure they continue to be compliant with regulations to avoid future penalties. Although no fines have yet been imposed, that doesn’t mean merchants should be complacent. Instead, they should continue to actively work to bring their systems into compliance.

While the initial reports emerging from GDPR compliance might worry some merchants, the long-term outlook is that GDPR will add value: a level playing field for merchants collecting personal data, transparent privacy policies, and an improved customer focus.

Another way to add value to your business is by partnering with a fraud solutions provider like ClearSale that’s trusted by companies around the world. If you’re looking to safely and securely grow your business, contact us today to learn how we can help you, too.
