Privacy compliance in ecommerce – a comprehensive guide


Written by Karolina Lubowicka, Paweł Socha

Published August 22, 2023


The rapid evolution of ecommerce has made privacy compliance a critical concern for many online businesses. With the increasing number of data breaches, consumer awareness, and fines for non-compliance, safeguarding customers’ data and respecting their privacy has become a new standard.

According to Gartner, 75% of global consumers will have their personal data protected by privacy laws by the end of 2023. This means a rise from 10% in 2020.

Understanding and meeting the legal obligations surrounding privacy in ecommerce is a necessity that allows you to grow and build trust among your clients.

In this article, we will guide you through the most important laws and regulations concerning privacy compliance in ecommerce. We will also show you the dos and don’ts of compliance and introduce you to privacy-driven analytics.

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy.

What is ecommerce compliance?

In simple terms, ecommerce compliance means adhering to the rules governing ecommerce activities in the markets you sell in. These include but are not limited to ecommerce regulations per se, data privacy regulations, online payment standards, accessibility norms, and the avoidance of dark patterns.

Investing in your ecommerce business’ compliance is undoubtedly worth the sweat. A 2021 study by Cisco showed that 79% of consumers consider privacy compliance a buying factor.

Ecommerce regulations

This chapter will take you through regulations and standards that set rules for your ecommerce business across various markets.

Each regulation applies to a specific region (like the EU) or country. We’ve indicated the covered area at the beginning of each section.

The Digital Services Act

Covered area: EU

On December 15, 2020, the European Commission proposed the Digital Services Act (DSA), which entered into force on November 16, 2022. The act builds on and partly replaces the e-Commerce Directive, the directive that, back in 2000, set the foundational legal framework for online services in the EU.

The DSA aims to create a safer digital space that protects the users’ rights. It applies to all digital services that connect consumers to goods, services, or content. This includes online marketplaces.

The DSA is meant to improve social media content moderation and protect users from illegal content, goods, and services. Thanks to the act, citizens will have better control over how online platforms and big-tech companies use their data.

It also gives the European Commission the right to demand access to the algorithms of platforms to ensure transparency in how they recommend content to their users. It obliges the platforms to label all ads and inform users about the entities promoting them.

Finally, the new regulations require platforms to provide a plain-language summary of their terms and conditions for easy understanding.

Steps to a DSA-compliant ecommerce:

  1. Provide users with clear information on why they are recommended certain information.
  2. Enable users to exercise the right to opt out from recommendation systems based on profiling.
  3. Enable users to exercise the right to complain to the platform, seek out-of-court settlements, complain to their national authority in their language, or seek compensation for breaches of the rules.
  4. Don’t display advertisements based on sensitive user data such as ethnic origin, political opinions, or sexual orientation.
  5. Don’t profile children or display advertisements to them on that basis.
  6. Don’t use so-called ‘dark patterns’ in the interface of online platforms. This refers to design choices that manipulate users into decisions they don’t intend to make.

The DSA will become fully applicable on February 17, 2024. However, small and micro-enterprises will be exempted from some of the rules that might be burdensome for them.

Moreover, the European Commission has decided that the most prominent players whose active users exceed 45 million a month will fall under the Digital Services Act from August 25, 2023.

These are referred to as Very Large Online Platforms (VLOP) and Very Large Online Search Engines (VLOSE) and include, among others, Amazon, Apple, Facebook, Instagram, Google, and Bing. They fall under the strictest rules of the DSA due to their significant societal and economic impact.

Make sure to check the Digital Services Act FAQ.

The EU states that the Digital Services Act will help small and medium-sized businesses and startups expand beyond their home market. This is because it reduces the costs of complying with 27 different laws across Europe.

So far, the member states have regulated these services differently. This created barriers for smaller companies looking to expand and scale up across the EU and resulted in different levels of protection for Europeans.

Read more about the DSA package in our article DMA and DSA – how these new laws influence online business.

Data protection regulations

The focal point of these regulations is processing personal data and protecting consumers’ privacy online. And since your ecommerce deals with personal or even sensitive data daily – understanding and complying with them is a must.

This chapter will guide you through the most important data protection regulations worldwide.

ePrivacy Directive

Covered area: European Economic Area (EEA)

The ePrivacy Directive, also known as the “cookie law”, was passed by the European Union in 2002 and amended in 2009. It governs the storing of and access to information on a user’s device (cookies and similar trackers) as well as the confidentiality of electronic communications.

Since the 2009 amendment, websites frequented by EU visitors have to obtain user consent before activating any cookies or trackers that aren’t strictly necessary for the core functioning of the website and the services the user asked for.

But there’s more to that. Your website also has to:

  • Ask for cookie consent in a user-friendly way.
  • Inform the end-users about all cookies and trackers your website uses in understandable, plain language.
  • Inform them about the purposes of data processing as well as data storage, retention, and access.
  • Make the withdrawal of cookie consent as easy as its submission.

Because of the ePrivacy Directive, your website must present a cookie banner in the EU, giving European visitors more control over their personal data.

Learn more about cookie consent from our article Everything you need to know about cookie consent in the EU.

Despite being nicknamed the “cookie law”, the ePrivacy Directive is not directly applicable law in the way a regulation is. As a directive, it sets out goals that all EU countries must achieve by transposing them into national law, and it’s up to each country how it accomplishes them. Therefore, you should seek more guidance on the local implementation of the directive in the countries where you run your business.

The ePrivacy Regulation is a draft regulation proposed by the European Commission that will replace the ePrivacy Directive in the future. It will update the current rules for modern technology and align them with the GDPR.

The new regulation will impose stricter rules for electronic communications and cover services such as Skype, WhatsApp, Facebook Messenger, Gmail, iMessage, or Viber. The goal is to prevent communication apps and internet services from intercepting, recording, or tapping into user messages.

Other key provisions of the proposed ePrivacy Regulation include:

  • The same level of protection of electronic communication for all people and businesses and a single set of rules for companies across the EU
  • Protection of metadata – the information that describes other pieces of data, such as author, date, location, etc. Metadata should be anonymized or deleted if visitors don’t allow its use. The exception includes data necessary for billing.
  • Simpler rules for cookies. User-friendly browser settings would provide an easy way to accept or refuse tracking cookies and other identifiers. No consent would be required for cookies that improve the internet experience without tracking the user, such as saving the shopping cart or counting website visitors.
  • Protection against spam. The regulation will ban unsolicited electronic communications by email, SMS, and automated calling machines.
  • More effective enforcement. Like with GDPR, data protection authorities will be responsible for enforcing the new regulation rules.

The ePrivacy Regulation is still in the legislative process, and its effective date remains unknown. But one thing is for sure: cookies and consent will stay.

General Data Protection Regulation (GDPR)

Covered area: European Economic Area (EEA)

In May 2018, the GDPR replaced the 1995 European Data Protection Directive (95/46/EC). The GDPR gives individuals far more control over their personal data. It also strengthens and unifies the rules governing the collection of data from individuals within the European Union.

The regulation sets out procedures for data handling, transparency, documentation, and user consent, forcing organizations to keep records of and monitor all activities related to processing personal data.

The notion of personal data is broad under the GDPR. It refers to any information that relates to an identified or identifiable natural person. This stretches way further than a person’s name, surname, and location: it also includes online identifiers like IP addresses and cookie IDs, as well as factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Non-compliance exposes your business to fines of up to €20 million or 4% of your global annual turnover, whichever is higher. In practice, fines have already amounted to millions of euros.

Steps to GDPR-compliant ecommerce:

  1. Map all types of personal data you collect – including cookies and unique identifiers used in your data platforms, such as analytics, CRM, etc.
  2. Limit your data collection to the minimum data necessary to fulfill a certain purpose.
  3. Establish a process for gathering specific, informed, freely given, and unambiguous visitors’ consent for collecting personal data. For this, consider using a dedicated consent manager. Collect separate consent for each type of data processing – one for A/B testing, one for optimizing user experience, etc.
  4. Remember that some types of cookies don’t require consent. Examples include cookies necessary for a website to function correctly, such as the ones used to save items in your shopping cart.
  5. Allow visitors to exercise their rights, including the right to access, rectify, transfer, erase or restrict the processing of their data. You can use a consent manager that will also help you manage users’ data requests.
  6. Craft your privacy policy. In the policy, tell users who is processing their personal data, what legal basis you use for such processing, the purposes for data collection, the types of personal data you gather, how long you store it, where you transfer it, and which third-parties you share it with.
  7. Sign a data processing agreement with platforms and products that process personal data on your behalf. They include your analytics software, CRM, email marketing vendors, etc. Ensure these platforms follow best practices for complying with GDPR, and preferably don’t send user data outside the EU. The rulings by different EU data protection authorities against Facebook and Google Analytics suggest processing this kind of data inside the EEA is best.
  8. Assign a data protection officer responsible for compliance with GDPR inside your organization. This applies to cases described in Article 37 of the GDPR.
  9. Avoid sending personal data to countries with weaker privacy standards, such as the US. This argues against the use of Google Analytics, as Google transfers and stores information about EU residents on US-based cloud servers, where it is subject to US surveillance laws and accessible to US intelligence.

GDPR, user consent and cookie walls

Since the enforcement of GDPR, many website owners have resorted to so-called cookie walls. These pop-up banners block the whole website content unless the visitor allows the use of all cookies and identifiers requested by the website owner.

Implementations surrounding cookie consent vary across the member states, but according to the EDPB’s Guidelines 05/2020 on consent under Regulation 2016/679, consent obtained this way is not freely given and therefore not valid under the GDPR. Access to a website cannot be made conditional on the user’s consent.

Want to learn more about the GDPR? We covered the frequently asked questions in a series of articles.

Why is GDPR compliance beneficial for your business? Read our interview with Lisette Meij: GDPR compliance is a competitive advantage.

Telecommunications Telemedia Data Protection Act (TTDSG)/ Telecommunications Digital Services Data Protection Act (TDDDG)

Covered area: Germany

If you offer your online shop to users in Germany, your company falls under the TTDSG. This act, which came into effect in December 2021, merges data protection rules previously scattered across various German laws. It is also the local implementation of the ePrivacy Directive and a supplement to the GDPR.

The law was renamed the Telecommunications Digital Services Data Protection Act (TDDDG) on May 13, 2024 in order to bring German law into line with the European Digital Services Act (DSA).

TTDSG/TDDDG requires every website that uses cookies to ask visitors for explicit and informed consent to their collection. This also applies to any technology that gathers user information, such as your analytics platform.

In short, to comply with the TTDSG/TDDDG, you must obtain consent before you store cookies on, or access any information already on, an end-user’s device. This applies whether or not that information is personal data.

The only exceptions to this general obligation are cookies that are “strictly necessary” for providing a service expressly requested by the user.

This means that as an ecommerce business, you don’t need user consent for cookies that are used to store items in a shopping cart. They are needed to complete the transaction that the user explicitly requested.

Steps to TTDSG/TDDDG-compliant ecommerce:

  1. Design a user-friendly cookie banner in German that allows visitors to reject or accept cookies equally easily, or to ignore the banner and still use the site (no cookie walls).
  2. In the banner, offer visitors access to your privacy policy, where you outline your cookie policy.
  3. Inform the user about the type of data you collect (personal or not), how it will be used, and for how long. Make it clear whether any third parties will gain access to the users’ information.
  4. Don’t pre-check consent boxes for particular cookie categories. If users want to agree, they need to tick them on their own.
  5. Allow users to consent only to specific cookie categories and decline others.
  6. Avoid dark patterns. Don’t punish your users for not wanting to accept cookies. Don’t put pressure on them to do it.
  7. Collect data only after the user has given their consent.
  8. Use a Consent Manager that allows users to have their consent under control and to revise it anytime.

Read more about TTDSG-compliant cookie banners and analytics in our article TTDSG (TDDDG) – how to make sure your analytics complies with the German law.

CNIL guidelines

Covered area: France

The French Commission Nationale de l’Informatique et des Libertés (CNIL) is the independent data protection authority responsible for safeguarding consumer privacy in the collection, storage, and use of personal data. The agency enforces data privacy laws such as the French Data Protection Act, the GDPR, and the French implementation of the ePrivacy Directive.

CNIL’s guidelines, published on October 1, 2020, have greatly impacted France’s ecommerce sector and significantly sharpened its data protection regime. They also made French consumers aware of their rights.

Therefore, if your ecommerce business is based in France or the French overseas territories, or you collect and process French residents’ personal data, you must comply with the CNIL guidelines.

Steps to CNIL-compliant ecommerce:

  1. Map all the personal data you collect, process, and store.
  2. Determine the legal basis for processing consumer data. For each type of information processed, you must have a lawful basis such as consent, legal obligation, contractual necessity, vital interest, public interest, or legitimate interest.
  3. Create a comprehensive and transparent privacy policy explaining how you collect, use, store, and protect data.
  4. Establish effective and robust security measures for protecting personal data from breaches, loss, or unauthorized access.
  5. Enable consumers to exercise their rights to access, rectify, delete, restrict the processing and transfer of data.
  6. Ensure that third parties handling personal data comply with CNIL regulations by implementing appropriate contracts.
  7. Train your staff to increase awareness of the guidelines.
  8. Put in place a data breach response plan that outlines actions and steps to be taken in case of a security incident.
  9. Conduct regular audits and assessments to evaluate existing data protection practices.
  10. Obtain and manage valid consent from consumers to use and process their data.
  11. Assess the impact of processing data and implement necessary measures to mitigate risks.

Besides the general privacy guidelines, the CNIL also sets the rules for compliant cookie consent collection. These rules are:

  1. Obtain explicit user consent. This must be a clear affirmative statement from the user, like clicking on the “Accept” button. Ignoring the banner and continuing to browse the website is not valid consent. No pre-checked cookies are allowed.
  2. Give an option to easily refuse cookies. This should be as easy as accepting them.
  3. Give an option to easily withdraw cookies. A user should be able to do so at any time.
  4. Inform users about the purpose of cookie collection.
  5. Be able to provide proof of consent at any time. And to prove that consent was freely given, informed, specific and unambiguous.

Some cookies, however, are allowed without user consent. These include cookies:

  • Intended for service authentication
  • Used to remember the cart items
  • Intended to generate traffic statistics, but only under the CNIL’s audience-measurement exemption: first-party, used solely to produce anonymous statistics for the site operator, with no cross-site tracking
  • Used to manage users’ consent
  • Used for user interface customization
  • Language preference cookies

Furthermore, the CNIL also banned cookie walls, meaning that you can’t make entry to your ecommerce store conditional upon a user’s consent.
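The cookie rules above (affirmative action only, refusal and withdrawal as easy as acceptance, no pre-checked boxes, proof of consent on request, strictly necessary cookies exempt, no cookie walls) map directly onto how a storefront should gate its tags. The following consent gate is an added example written for this article; it is not Piwik PRO’s Consent Manager or any vendor’s code. The storage key, category names, policy-version string and tracker list are illustrative assumptions. Storage is a Map so the example runs offline; in a browser you would back it with a first-party cookie or localStorage. The same logic satisfies the TTDSG/TDDDG banner steps listed earlier.

```javascript
// Added example: a minimal consent gate for a storefront, written for this
// article. It is not Piwik PRO's Consent Manager or any vendor's code.
// Assumptions (not from the article): the storage key, the category names,
// the policy-version string and the tracker list are all illustrative.

const CONSENT_KEY = 'shop_consent';      // assumed first-party storage key
const POLICY_VERSION = '2023-08-22';     // bump when purposes change; older consent then no longer counts
const NON_ESSENTIAL = ['analytics', 'marketing'];

class ConsentManager {
  // storage: anything with get(key)/set(key, value). A Map here so the example
  // runs offline; in a browser, a first-party cookie or localStorage wrapper.
  // now: injectable clock so the stored timestamp is testable.
  constructor(storage, now = () => new Date()) {
    this.storage = storage;
    this.now = now;
  }

  // The stored decision, or null. A corrupt record counts as no consent.
  record() {
    const raw = this.storage.get(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Show the banner when there is no decision yet or it predates the current policy.
  // The page itself stays usable either way: no cookie wall.
  needsBanner() {
    const rec = this.record();
    return rec === null || rec.version !== POLICY_VERSION;
  }

  // The only way to record a decision. Requires an affirmative action; a
  // category that was not explicitly ticked is stored as refused (no pre-checking).
  save(choices, action) {
    if (action !== 'click') {
      throw new Error('consent needs an affirmative action, not scrolling or inactivity');
    }
    const normalized = {};
    for (const cat of NON_ESSENTIAL) normalized[cat] = choices[cat] === true;
    const rec = { version: POLICY_VERSION, timestamp: this.now().toISOString(), action, choices: normalized };
    this.storage.set(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }

  acceptAll() { return this.save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), 'click'); }
  rejectAll() { return this.save({}, 'click'); } // one click, same effort as acceptAll
  withdraw() { return this.rejectAll(); }        // withdrawing is as easy as giving

  // Strictly necessary cookies (cart, login session, the consent record itself)
  // never need consent; everything else needs a current, explicit 'true'.
  isAllowed(category) {
    if (category === 'necessary') return true;
    const rec = this.record();
    return rec !== null && rec.version === POLICY_VERSION && rec.choices[category] === true;
  }

  // Proof of consent: when it was given, for which policy version, how, and for what.
  proof() { return this.record(); }
}

// Decide which tags may run. Nothing non-essential fires before a decision exists.
function gateTrackers(manager, trackers) {
  const loaded = [];
  const blocked = [];
  for (const t of trackers) (manager.isAllowed(t.category) ? loaded : blocked).push(t.name);
  return { loaded, blocked };
}

// Constructed tag list for the demo; names are illustrative.
const TRACKERS = [
  { name: 'cart-session', category: 'necessary' },
  { name: 'web-analytics', category: 'analytics' },
  { name: 'ad-retargeting', category: 'marketing' },
];

// Walk through a visit: no choice yet, analytics-only consent, then withdrawal.
function demo() {
  const cm = new ConsentManager(new Map(), () => new Date('2023-08-22T10:00:00Z'));
  const before = gateTrackers(cm, TRACKERS);  // only cart-session may run
  cm.save({ analytics: true }, 'click');       // visitor ticks analytics, leaves marketing unticked
  const after = gateTrackers(cm, TRACKERS);
  const proof = cm.proof();
  cm.withdraw();
  const withdrawn = gateTrackers(cm, TRACKERS);
  return { before, after, withdrawn, proof };
}
```

Two design choices carry the compliance weight. First, absence of a record is treated as refusal, so analytics and marketing tags cannot fire on first paint or after a scroll; only an explicit action writes a decision. Second, the record stores the policy version, so changing your purposes invalidates old consent and re-shows the banner instead of silently reusing it, and the same record is what you hand over when asked to prove consent.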

CCPA & CPRA

Covered area: California, United States

The California Consumer Privacy Act (CCPA), in force since January 1, 2020, was the first comprehensive state privacy law in the US and changed the approach to data privacy across the country. This legislation was amended and expanded by the California Privacy Rights Act (CPRA), which came into force on January 1, 2023.

Your ecommerce business falls under CPRA regulations if:

  • It has gross annual revenue greater than $25 million (adjusted for inflation), or
  • It buys, sells, or shares the personal information of 100,000 or more California residents or households annually, or
  • It derives at least 50% of its annual revenue from selling or sharing the personal information of California residents.

Furthermore, it also depends on the type of information that you process. If the data falls within the categories of personal information or sensitive personal information, as defined by the CPRA, you are bound by the law. To learn more about these types of data, consult our CCPA & CPRA article.

If your ecommerce business operates in California and meets the above criteria, you should take steps to comply with the CPRA.

Steps to CPRA-compliant ecommerce:

  1. Map your data and its sources. This refers to every information about your customers gathered by marketing and sales tools.
  2. Ensure that the data is well-prepared for your clients’ access, deletion, and portability requests. If your marketing software vendor cannot fulfill these requirements, consider switching to a more privacy-oriented one.
  3. Check your third-party data sources. If your company buys data, ensure it comes from legitimate, legal sources. Non-compliance may result in hefty fines.
  4. Create a process for handling customer requests. Provide at least two methods for consumers to make their requests, e.g., a toll-free number and an online form. A business that operates exclusively online and has a direct relationship with its consumers only needs to provide an email address.
  5. Provide a clear and understandable opt-out request form. Place it on your homepage with the text Do Not Sell or Share My Personal Information.
  6. Give consumers the option to submit requests to: delete their personal information, learn how it was collected, transfer it to another entity, and limit its use and disclosure.
  7. Update your privacy policy. It should describe the rights of California residents. You can follow these guidelines on Making Your CCPA Privacy Policy Compliant With the CPRA.
  8. Watch out for updates to the law. Just like the CCPA, the CPRA may be updated after some time. There’s already a bill proposal called the American Data Privacy and Protection Act (ADPPA).

For more privacy regulations that may apply to your ecommerce business in the US, check our article Data Privacy Laws in the United States.

PIPEDA & CPPA

Covered area: Canada

The privacy landscape of Canada is shaped by two main legal acts: the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Consumer Privacy Protection Act (CPPA).

The first one entered into force in 2000 and has been modified several times since then, with the most significant changes being introduced in 2015 by the Digital Privacy Act. The Bill C-27 introduced the CPPA in 2022 to amend the outdated parts of PIPEDA.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal law protecting user privacy and governing how companies handle personal information. It applies to private organizations that collect, use or disclose personal information when offering services or products to Canadian residents.

An exemption applies when your ecommerce business operates entirely within Alberta, British Columbia, or Quebec, whose provincial privacy laws have been deemed substantially similar to PIPEDA and apply instead. PIPEDA covers all other cases.

Piwik PRO provides its clients with tools to achieve PIPEDA compliance.

With Piwik PRO, organizations covered by PIPEDA are able to collect valid user consent, facilitate compliant data collection processes and implement appropriate security safeguards.

Learn more about following PIPEDA’s requirements with Piwik PRO: Piwik PRO is a PIPEDA-compliant analytics vendor.

Steps to a PIPEDA-compliant ecommerce business:

  1. Appoint a chief privacy officer (CPO) responsible for your company’s compliance.
  2. Limit the collection of personal information only to the purposes your company needs.
  3. Ensure that your visitors’ personal information is accurate, complete, and up-to-date.
  4. Do not obtain, use or disclose personal information without prior consent.
  5. Clearly communicate the purpose of collecting the data and how you will process it.
  6. Keep personal information only for as long as is necessary for your purposes.
  7. Inform visitors about the types of information you collect, the third parties you share it with, and possible risks to the individuals involved (do so in your privacy policy or while requesting user consent).
  8. Maintain transparent policies and practices regarding the management of personal information and keep them publicly available.
  9. Give users the possibility to access their personal information that you process and to review it.
  10. Give users the possibility to challenge your PIPEDA compliance and to contact your CPO in this regard.
  11. Implement security measures to protect personal information that are proportionate to their sensitivity.

Note that PIPEDA allows two types of consent:

  • Express consent – given by explicit action, like clicking the “I agree” button.
  • Implied consent – occurs through users’ action or inaction, like ignoring the opt-out option on the consent banner.

However, express consent is the safer option, since it is far easier to prove valid if a user files a complaint regarding your compliance.

Consumer Privacy Protection Act (CPPA)

CPPA is Canada’s solution to bringing its privacy laws up to speed with today’s standards. It aims at addressing the needs of Canadians that rely on digital technology and responding to feedback received on existing legislation.

The bill is currently in the draft stage and, in the future, will replace the privacy provisions of PIPEDA. It will apply to any organization that collects, uses, or discloses the personal information of Canadian residents for commercial purposes, as well as to personal information about job candidates, which can also affect your ecommerce business if you decide to expand your team with a Canadian employee.

Steps to a CPPA-compliant ecommerce business:

  1. Employ safety measures to protect the personal information your company (or somebody else on your behalf) collects, uses or discloses.
  2. Appoint a person responsible for your company’s compliance. Disclose their contact details, e.g., in your privacy policy or upon a user’s request.
  3. Make sure you have a reasonable purpose for collecting, using or disclosing personal information. Ask the following questions:
    • Is the information sensitive?
    • Does the data collection represent an actual business need of your company?
    • Can you achieve the same purpose by collecting less data?
    • Is the potential loss of privacy by an individual proportional to the benefits?
  4. Obtain meaningful consent for collecting, processing, and disclosing personal information – express or implied. More on that in the consent chapter of our article.
  5. Enable users to transfer their personal information to another organization like a bank or insurance company.
  6. Enable users to request the deletion of all their data.
  7. Establish transparent processes for handling personal information. Describe thoroughly:
    • How you protect personal information.
    • How you deal with requests for information and complaints.
    • How you explain the policies and procedures of your organization.
    • How you train your staff about compliance.
  8. Write your privacy policy in plain language.
  9. Inform users about automated decision systems that you use to predict, recommend or make decisions about an individual.
  10. Keep a record of user consents in a readily accessible form.
  11. Process personal data of minors in the way you handle sensitive information.

The date of the CPPA’s final enforcement is still unknown, just like its final form. Hence, if you run your business in Canada, follow any updates and adapt to the proposed changes in advance.

Read more about PIPEDA and CPPA in our article PIPEDA & CPPA: How the Canadian privacy laws impact your analytics.

Privacy laws around the globe

As we mentioned at the beginning of the article, privacy laws are spreading rapidly across the globe. Apart from the countries covered in this guide, many others are also adjusting their legislation to evolving privacy standards.

These include but are not limited to, New Zealand, Brazil, and Switzerland. If you run your ecommerce business in countries other than those we described, be sure to check out our article about 11 new privacy laws around the world.

Dark patterns will get you nowhere

Although not directly related to privacy at first sight, avoiding dark patterns is another important step toward compliant and user-friendly ecommerce. In short, dark patterns are design patterns that intentionally mislead users into actions they don’t mean to perform and that serve only the business’s interests. Hence, they are prevalent in ecommerce stores aiming to maximize their sales by any means.

These practices include, among other things:

  • Forcing users to click the accept and agree buttons to eliminate annoying banners.
  • Making them sign up for the newsletter as a condition to browse the website further.
  • Using confusing language like double negatives.
  • Hiding the total price of a product or service until the final step of checkout.
  • Omitting or downplaying important information.

Regarding privacy, dark patterns are often used while asking for user consent. That’s why the CCPA/CPRA, the CNIL guidelines, and the GDPR all address them. Examples of such practices are giving no real choice regarding consent, or merely informing the user about data collection and treating continued browsing as agreement.

Further steps toward compliance

Changes in the privacy landscape seriously affect how you do business and shape your marketing strategy. With the growing number of regulations establishing new rules for handling users’ data, this trend will continue in the following years. And companies that apply the privacy-first approach are about to gain a significant edge over their competitors as the privacy awareness of internet users grows.

But these changes affect more than just the legal aspect. The battle continues on the technical ground. One example is the end of retargeting ad campaigns as we know them. This is due to the deprecation of third-party cookies, which allow vendors to follow visitors across websites and to share their browsing history with other companies, mostly for advertising purposes. Browsers like Safari and Firefox have already blocked or limited their use, and Google has announced that Chrome will follow suit in 2024.

That’s why ecommerce companies have to rethink their strategy and adjust to the new legal and technical privacy standards. Doing so will build trust with your customers and allow you to remain effective in marketing and analytics activities.

Although this might seem daunting, taking small steps will push you in the right direction. To make them even easier for you, we’ve compiled a short list of activities that will help you evaluate your current tech stack and make sure the platforms you use allow you to stay compliant and effective:

  1. Choose privacy-conscious tech providers over those that meet fewer privacy standards. Privacy-oriented vendors build their tools according to the privacy by design and privacy by default principles. This approach allows them to adapt to data privacy regulations more easily.
  2. Ensure the tools you use allow you to respect visitors’ choices by providing opt-ins, opt-outs, and requests to access or exercise their rights. Alternatively, they let you completely anonymize data and collect user information without gathering consent or opt-outs. Find out more about this concept in our article Anonymous tracking: How to do useful analytics without personal data.
  3. If you’re doing business in the EU, choose tech platforms that are EU-owned and based over the ones that transfer user data to the US. This means that if you want to do web analytics, Google Analytics may not be the best fit for you. Learn why in our article Privacy Shield 2.0: What it is and how it will affect your business.
  4. Prioritize first-party data sources over third-party ones. Since third-party tracking raises privacy concerns and is becoming increasingly difficult due to new privacy settings in browsers and the popularity of ad blockers, the most efficient way to collect valuable user data is to rely on your own sources. Platforms such as customer data platforms (CDP) allow you to integrate data from your CRM, analytics, offline records, etc. You can then use them to create single customer views and activate your audiences in ad networks, A/B tools, and other tools in your stack. They also give you full control over this data. Find out more about how to use a CDP effectively in our article: How to perform successful audience targeting with a CDP.

Make your ecommerce analytics privacy-compliant

If you want to make your web or app analytics compliant with data privacy regulations and keep crucial ecommerce functionalities, you can achieve that with Piwik PRO Analytics Suite. The platform offers an integrated Consent Manager, a wide range of data anonymization methods, and easily configurable privacy settings. Piwik PRO has also been listed by the CNIL as a privacy-compliant platform. Piwik PRO Analytics Suite is used by organizations such as the European Commission, Crédit Agricole, the Government of the Netherlands, and DKMS.