With e-commerce accounting for 13.7% of global retail sales in 2019 (that is 3.453 trillion dollars) and rising, companies that step back and embrace the challenges head on will find golden opportunities: those that keep data safe will be the ones that not only avoid penalties and expensive data breaches but also increase consumer trust.
Fortunately, the landscape is rife with opportunity. Regulation so far has centered on the European Union and California, but more is arriving quickly, and general concern over data privacy is growing. Some e-commerce companies may not be subject to privacy regulation yet, but that is likely to change soon.
In all the chatter, however, breaches are only expected to rise in 2020. E-commerce has yet to find a solid solution that works for both the business and the consumer. Here are three areas in which anyone can shine:
Challenge #1: The Cost of Compliance
Invest in Data Security
Compliance costs are unavoidable for e-commerce companies doing business in jurisdictions with new privacy regulations. For now, the major efforts have centered on the European Union and California markets, but proposed regulations are coming thick and fast, including Brazil’s LGPD, India’s proposed Personal Data Protection Bill, and the proposed New York Privacy Act. Some e-commerce companies may not be subject to privacy regulation yet, but that is likely to change soon.
The GDPR, which went into effect in May of 2018, was the first major new privacy regulation. GDPR compliance provides some insight into what companies should expect when they work toward compliance with new regulations. Based on GDPR compliance efforts, most companies will need at least seven months to comply with a new privacy regulation. The cost of compliance will vary with the size of the company. A commonly cited report estimated that the 500 largest corporations in the world spent a combined $7.8 billion on GDPR compliance.
Ongoing annual compliance costs exist, too. For example, the GDPR allows individuals to request that companies provide them with copies of the information a company has collected about them, or to delete or amend that information. Last year, the average cost to complete a single request was $1400, and most companies surveyed processed more than 100 requests. A survey of companies that have yet to complete their GDPR compliance reveals that the most common failure is an inability to respond to access requests within the required time limit, possibly because half of them are using manual processes to handle requests.
Ideally, companies that are already compliant with GDPR would have little difficulty complying with new and proposed regulations, which are similar but not identical to GDPR. Unfortunately, many companies report that systems put into place for GDPR will not support newer regulations like CCPA.
In other words, every new regulation will impose additional costs.
Control Your Consumer Data
What better way to handle compliance costs than to comply early? Start now and focus on the requirements that are common to most new regulations. Pay particular attention to common trouble spots and trends in enforcement activity, such as the difficulty of complying with data subject access requests and the fines levied for data governance violations in the EU. The most effective way to comply, or to prepare to comply, is to inventory and map any personal data you collect and to develop efficient, automated processes for handling data requests and opt-in/opt-out requirements.
Challenge #2: Fines and Data Breaches
Avoid a Penalty
Of course, an organization that skimps on compliance costs has a potential penalty on its hands. Eighteen months after GDPR took effect, data protection authorities had levied 190 penalties and fines totaling about $124 million. Most of the enforcement actions concerned data governance principles, such as data accuracy and quality, data minimization, and the purpose of collection, but about 50 actions were taken due to inadequate security measures or data breaches.
The GDPR also resulted in an increase in the number of data breach reports. In the United Kingdom, for example, 14,000 breaches were reported in the first year after GDPR went into effect, a 300% increase from the previous year. This may sound alarming, but it is probably due to an increase in reporting rather than a massive increase in breaches.
Practice Security 101
In addition to compliance, there are practical ways to reduce the risk of data breaches. According to the 2019 Verizon Data Breach Investigations Report, the majority of data breaches are caused by phishing attacks, stolen credentials, and malware. Make sure your organization follows common-sense security practice: train your employees to protect login credentials and to recognize phishing attacks; keep your software up to date; use malware blockers, anti-virus software and firewalls; encrypt, de-identify or anonymize personal data whenever possible; and govern that data carefully, preferably by keeping sensitive data under your jurisdiction in a private cloud.
Challenge #3: Cookie Restrictions
Plan for Life Without Third-Party Cookies
Another major oncoming problem? Restrictions on the use of third-party cookies, which will affect ad measurement and targeting.
Most of the new regulations consider cookies and information describing an individual’s online behavior to be personal information. This information must, then, be protected from unauthorized access and subject to new restrictions. Most new regulations require that companies disclose their use of cookies, the information they collect using cookies, the purpose of that collection, and any third parties that may have access to the information.
Thanks to consumer privacy concerns around cookies, major internet browsers, including Chrome, Safari, and Firefox, are also restricting the use of both first-party and third-party cookies.
Firefox's default settings use Enhanced Tracking Protection to prevent cross-site tracking, giving users the option to deliberately choose cookies. Apple's Safari browser uses Intelligent Tracking Prevention (ITP) and fingerprinting defense by default. ITP blocks third-party cookies and social widgets, such as like and share buttons, and Safari uses Private Click Measurement to support advertising measurement by reporting ad clicks and conversions only to the site the user visits and not to any third-party data companies or to the browser vendor.
Google is also restricting cookie usage in its Chrome browser, now requiring third-party cookies to be shared only over secure HTTPS connections, and it plans to phase out support for third-party cookies entirely within two years.
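Chrome enforces the HTTPS-only rule through cookie attributes: a cookie meant for cross-site use must carry both SameSite=None and Secure, and a cookie without a SameSite attribute is treated as SameSite=Lax. The following added example (not code from the original post) audits a handful of constructed Set-Cookie headers against that rule so an e-commerce operator can spot which cookies will silently stop working.

```python
# Added example: audit Set-Cookie headers for Chrome's cross-site cookie rule
# (SameSite=None must be paired with Secure). Sample headers are constructed.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attributes get ""
    return name, attrs


def audit_cookie(header: str, cross_site: bool) -> List[str]:
    """Return findings for one cookie. cross_site=True means the cookie is
    meant to be sent in third-party (embedded) contexts, e.g. ad or analytics
    cookies; False means a first-party-only cookie such as a session id."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    findings: List[str] = []
    if samesite == "none" and not secure:
        findings.append(f"{name}: SameSite=None without Secure is rejected by Chrome")
    if cross_site:
        if samesite != "none":
            findings.append(f"{name}: cross-site use needs SameSite=None (default is Lax)")
        if not secure:
            findings.append(f"{name}: third-party cookie must be HTTPS-only (Secure)")
    else:
        if samesite not in ("lax", "strict"):
            findings.append(f"{name}: set SameSite=Lax or Strict explicitly")
        if not secure:
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings


SAMPLE_HEADERS = [  # constructed (header, intended for cross-site use?)
    ("sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", False),
    ("cart=xyz; Path=/", False),
    ("ad_id=42; Path=/; SameSite=None", True),
    ("partner_id=7; Path=/; Secure; SameSite=None", True),
]


def audit_all(headers=SAMPLE_HEADERS) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings (empty list means OK)."""
    return {parse_set_cookie(h)[0]: audit_cookie(h, cs) for h, cs in headers}


if __name__ == "__main__":
    for cookie, findings in audit_all().items():
        print(cookie, "->", findings or ["ok"])
```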
Advertise Differently
Make full but careful use of the first-party data you can collect from customers and visitors to your site. Disclose the type of data you collect and the purpose of the collection. Bear in mind that consumers are generally willing to share relevant data with e-commerce sites they trust. Protect and control the data you collect carefully to maintain that trust. If you must share or sell data to a third party, make sure that the third party commits to complying with applicable regulations. Monitor browser vendors' efforts to develop third-party cookie alternatives, as well as advertiser efforts, like Project Rearc, to develop privacy-centric alternatives, so that you can adapt quickly as solutions become available.
What’s next for e-comm?
Sure, e-commerce is faced with a trifecta of trouble that changes form every day. But consumers want this convenient option more than ever, which means the opportunity for an organization to set itself apart is more pronounced than ever before. In a world where data privacy concerns are growing as fast as data is being collected, handling it responsibly will result in better business for organizations and better options for consumers. Win-win.
Do you have a creative way to solve one of the main challenges facing e-comm today? Let us know at hello@metrouter.io. We love to learn from security-conscious organizations.