This is the second part in a series I'm writing on legal considerations for direct-to-consumer ecommerce brands operating in the UK, whether headquartered in the UK or abroad. The first post covered the Consumer Contracts Regulations (2013) and the Consumer Rights Act (2015).
In this post I'm writing about possibly my most hated topic: GDPR (the General Data Protection Regulation). It's not that I disagree with consumers having more control over their data. It's that some of its supposed requirements simply get in the way of a consumer's experience of the internet, while providing little or no actual protection or enforcement of privacy. I also just remember the implementation of this legislation causing such a massive amount of fuss in every organisation I was a part of at the time of its launch back in 2018.
With that said, the UK GDPR together with the Data Protection Act 2018 (the UK's version of GDPR, a law which came first from the European Union) is an important piece of legislation and has been seen as a gold standard for privacy regulation around the world, so we need to talk about it.
Standard caveat: I'm not a lawyer and have no legal training. What I do have is over 12 years' experience in ecommerce in the UK and elsewhere, as a brand owner and operator, and more recently as the owner of a 3PL specialising in foreign ecommerce sellers in the UK. On the downside, that means you can't take anything here as legal advice, and you should do your own research to complement reading this article. On the plus side, what I write is readable and born from real life experience.
I also want to emphasise that this post is a broad overview from the perspective of online sellers. It's not intended as a comprehensive overview of the data protection requirements, and some aspects of its interpretation are still being discussed and debated. If you do want to conduct further research, I can recommend the guides on the UK Information Commissioner's Office website.
Let's talk about the legislation itself and what it means for online sellers in the UK.
The Data Protection Act 2018 was passed to supplement GDPR while the UK was still in the EU; after Brexit the EU text was retained in UK law as the 'UK GDPR', which mirrors the EU's GDPR but is specific to the UK, and for a store selling to UK customers it's the combination of the two that applies. It has a big impact on ecommerce companies because the entire industry relies on collecting and processing data like names, addresses, emails and order histories. GDPR places various obligations on ecommerce companies.
In general terms, this is all about putting your customer in control and being respectful and cautious with their data.
As an ecommerce operator, it's likely that most data you collect will be held on third party apps like Shopify, Mailchimp, Google Drive or Dropbox. Under GDPR those companies are 'processors' handling the data on your behalf, and you remain the 'controller' who is responsible for it, which is why each of them offers a data processing agreement (usually baked into their terms of service) that you should have in place. They should have various security and protection measures for customer data, of which you can be aware but on which you probably don't need to become an expert. What is squarely your responsibility is how your own accounts on those platforms are set up: use strong, unique passwords and two-factor authentication on the admin accounts, give staff their own logins with only the permissions they need, and remove access when people leave.
Do make sure that you're using the latest version of any third party tools you're using. Hosted platforms like Shopify update themselves, but if you run your own store software (WooCommerce, Magento and similar) or install plugins and apps, keep the platform, its plugins and its themes patched, as these updates carry the security fixes necessary for safeguarding data.
A first piece of practical advice for ecommerce companies is to make sure you have an up-to-date privacy policy which clearly explains to visitors to your website how you intend to use their data. I'd recommend referring in this policy to some of those third party apps with which you're working, so it's clear why you're sharing customer data with third parties - i.e. for the essential functioning of your business.
When it comes to writing a privacy policy, there are hundreds of free templates online. Just make sure you go through yours to add in references to your company, and amend any sections as it relates to your specific activities.
A key requirement of GDPR is not to hold on to any information for longer than you need it (the 'storage limitation' principle). I'd argue that holding on to past order details is essential for the operation of an ecommerce business: in order to, for example, respond to customer enquiries, distinguish previous customers from new customers, identify buying patterns and plan inventory. You also have to keep order and invoice records for tax purposes, which in the UK means six years. Whatever period you settle on, write it down in your privacy policy and actually apply it.
But there's plenty of duplicated data which can be removed. Be especially cautious with spreadsheets of customer data which you may have saved on a device or in cloud storage. You'd be wise to delete these as soon as possible after use, especially data on your device, as you're completely responsible for this and can't rely on security protections that might exist in cloud storage. If you do keep exports on a laptop, at least make sure its disk is encrypted (FileVault on macOS, BitLocker on Windows) so that a lost or stolen device isn't automatically a data breach.
A specific example of this might be times when you download a database of order details from your ecommerce shopping platform (e.g. Shopify) for the purposes of doing some analysis on what your customers have bought or in which countries your customers are located. Once you've run the analysis, have the answers you need and have recorded them, you should remove the raw data from your device or cloud storage.
Bear in mind you can always re-download updated versions of data from the source location in future, so there's no reason to keep hold of older copies. Don’t keep data hanging around unless you have a specific purpose for doing so.
Cookies that identify a device or a user count as personal data, and the rules on setting them come from PECR (the Privacy and Electronic Communications Regulations 2003), which sit alongside GDPR. That's why you tend to see those annoying pop-ups on websites drawing your attention to the use of cookies and notifying visitors of privacy policies.
While cookie notifications aren't explicitly required by GDPR, PECR requires you to gain 'informed consent' from visitors to your website before 'non-essential cookies' can be placed on their devices, and that consent has to meet the GDPR standard: a clear, affirmative action, so pre-ticked boxes and 'by continuing to browse you accept cookies' wording don't count. This is why in practice cookie notifications are used so widely. Non-essential cookies include ones used for analytics, advertising or tracking purposes, and examples are Meta's Pixel and the Google Analytics tag. The practical consequence is that these scripts must not load or set cookies until the visitor has actually accepted, not merely once the banner has been shown.
I personally consider cookies like Meta's Pixel and Google Analytics to be completely essential to running an online store in the 2020s, but that may not be the legal definition of 'essential'.
'Essential' cookies (the ICO calls them 'strictly necessary') are those necessary for the basic functioning and security of the website, such as shopping cart and login session cookies, and these do not require consent. These essential cookies tend to be built in to the infrastructure of shopping cart platforms like Shopify and BigCommerce, and you wouldn't normally install them separately.
Cookie notifications, in my opinion, have significantly worsened everyone's experience of the internet. It's the norm now to land on a website and immediately face a darkened screen with the need to click again in order to accept cookies and get to the actual website. Hardly anyone actually reads them, and whether you accept or reject the cookies it's then pot luck whether bits of the website you're visiting will work properly. On top of that, errors on some cookie notifications, or browser updates, can make it impossible to use a website.
I've included the rant above because while you're diligently ensuring compliance with GDPR, try not to lose sight of the actual customer experience. Assuming you're going to include a cookie notification on your website, you need to make sure it's as unobtrusive as possible, and that your website still works while it's open. Unobtrusive doesn't mean one-sided, though: the ICO expects rejecting non-essential cookies to be as easy as accepting them, so a big 'accept all' button with 'reject' buried three clicks deep is exactly the design that attracts complaints.
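To make the 'nothing non-essential loads until consent' point concrete, here is an added example of a consent gate a store could run in its own front-end script. This is illustrative code added here, not code from the original post, Shopify, Meta or Google. The consent cookie name and JSON format, the six-month lifetime and the tag registry are assumptions; the measurement ID in the Google URL is a placeholder. Essential cookies such as the cart session are set by the platform and never pass through this gate.

```javascript
// Added example, not code from the original post or from any vendor.
// Gate non-essential tags on recorded consent. The cookie name, its JSON
// format, the tag registry and the lifetime are assumptions made for this
// illustration; the measurement ID in the Google URL is a placeholder.

const CONSENT_COOKIE = 'cookie_consent';          // assumed first-party cookie name
const CONSENT_MAX_AGE = 180 * 24 * 3600;          // assumed: ask again after six months
const NON_ESSENTIAL = ['analytics', 'marketing']; // categories that need consent

// Non-essential tags and the category each belongs to. Cart and session
// cookies are set by the shop platform itself and never go through here.
const TAGS = [
  { id: 'ga4',        category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
    out[name] = value;
  }
  return out;
}

// Read the visitor's recorded choice. No cookie, or a malformed one, is
// treated exactly like a refusal: nothing non-essential loads.
function readConsent(cookieString) {
  const consent = { decided: false };
  for (const c of NON_ESSENTIAL) consent[c] = false;
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return consent;
  try {
    const parsed = JSON.parse(raw);
    for (const c of NON_ESSENTIAL) consent[c] = parsed[c] === true;
    consent.decided = true;
  } catch (e) {
    // fail closed: leave every category false and decided false
  }
  return consent;
}

// Which tags may load under a given consent state.
function permittedTags(consent) {
  return TAGS.filter(t => consent[t.category] === true);
}

// Cookie string to write once the visitor has chosen. Each category is
// recorded explicitly so "reject all" is a real decision, not an absence.
function consentCookieValue(choices) {
  const record = {};
  for (const c of NON_ESSENTIAL) record[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Browser only: inject the permitted scripts, once each.
function loadPermittedTags(consent, doc) {
  const loaded = [];
  for (const tag of permittedTags(consent)) {
    if (doc.querySelector(`script[data-tag="${tag.id}"]`)) continue;
    const s = doc.createElement('script');
    s.async = true;
    s.src = tag.src;
    s.dataset.tag = tag.id;
    doc.head.appendChild(s);
    loaded.push(tag.id);
  }
  return loaded;
}

// Wire-up on a real page: load only what has already been consented to;
// otherwise show the banner, and when the visitor clicks accept or reject
// write consentCookieValue(choices) to document.cookie and then call
// loadPermittedTags again.
if (typeof document !== 'undefined') {
  const consent = readConsent(document.cookie);
  if (consent.decided) loadPermittedTags(consent, document);
}
```

The design choice worth copying is that absence of a decision and a malformed cookie both behave as a refusal, and that a rejection is written to the cookie so the banner isn't shown on every page load. The `Secure` attribute means the cookie is only sent over HTTPS, which a store should be on anyway.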
It's fine to collect email addresses during the checkout process and use these to notify and liaise with customers on the progress of their order; the lawful basis here is simply performing your contract with the customer, and no consent is needed. In fact, collecting emails is absolutely essential for the operation of your business: one of the laws we discussed in part one of this series of posts specifically requires that you send customers an order confirmation email, for example.
For marketing to those same customers you rely on something different: the 'soft opt-in' in PECR, with 'legitimate interests' as the GDPR lawful basis. This lets you give the customer information about your business and inform them about other products and services you offer which are similar to what they bought and may be of interest, as long as they were given a simple way to refuse when you collected their details and have an opportunity to unsubscribe at any time, which in practice means an unsubscribe link at the bottom of any email or text message.
An example here could be including "customers who bought X are also interested in Y" information at the bottom of your order confirmation email, or sending follow-up emails mentioning other products and services your business offers.
One test of whether something counts as a 'legitimate interest' reason for sending information is whether the customer would reasonably expect their data to be used in that way, or would be surprised by it. It's a bit of a balancing act: you need to weigh the pursuit of your legitimate interest as a business against an individual's interests, rights and freedoms.
What you cannot do is just upload every customer to your general marketing list and start sending follow-up emails without first giving customers a specific opportunity to opt in or out of such messaging. In the case of paying customers, the soft opt-in allows an opt-out at checkout (for example an unticked 'tick here if you don't want to hear about our other products' box, or a clear line of text with a way to refuse), provided you also have an unsubscribe link at the bottom of subsequent emails. Note that a pre-ticked 'yes, send me marketing' box is not valid consent under GDPR, so if you ever need to rely on consent rather than the soft opt-in (for example to promote another company's products), the box has to start unticked.
Prospective customers - people who have signed up to a newsletter or entered a competition, say, but have not bought from you or been in the process of buying - can only be sent marketing information if they have specifically opted in to hearing from you. So in their case, pre-ticked boxes are not OK.
You can transfer people's data within your own company, even if your company is based outside of the UK and you collected data from customers within the UK; the ICO treats movement within a single legal entity, such as to your own staff abroad, as not being a 'restricted transfer'. Sending data to a separate company outside the UK, even a parent or sister company in your group, is a different matter and is covered below. Obviously this is assuming you have a legitimate need to hold on to this data and you continue to protect it as per the GDPR safeguards. You can also transfer customer data to companies within the UK as needed during the course of your business, as they are also subject to the requirements of GDPR.
Some countries have been designated by the UK as having an adequate level of data protection - the countries of the European Economic Area, Japan and Switzerland among others - so it's OK to transfer data to these countries too; the ICO publishes the current adequacy list.
If you plan to transfer data from your company to a third party company outside of the UK not on the adequacy list, this counts as a 'restricted transfer' and you must take steps to ensure they will continue to protect customer data in line with all the protections customers gain under GDPR. For example, putting the ICO's International Data Transfer Agreement (IDTA), or the UK Addendum to the EU standard contractual clauses, in place with the receiving company, and checking that the laws of the destination country won't undermine those terms. If you intend to transfer data like this, you're advised to conduct further research to make sure you're complying with the transfer rules.
Larger apps like Shopify and Mailchimp should know what they're doing here, but be especially cautious with smaller third party companies and ensure you're not risking data security. One step you could take is to anonymise customer data by removing any information which could identify individuals, and properly anonymised data is outside the scope of GDPR. Be careful about what counts as anonymised, though: replacing names and emails with hashes or customer IDs is 'pseudonymisation', and because you (or anyone with the key or the original table) can still link the records back to people, that data is still personal data. Aggregated figures, like orders per country per month with no per-person rows, are the safe kind of output to keep or share.
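This added example (my illustration, not code from the original post or from any platform) covers two points above at once: the earlier advice to download an order export, run your analysis, record the answers and delete the raw file, and the distinction just made between anonymised output and pseudonymised rows. The column names and the sample rows are constructed to look like a shopping-platform export; the two-order minimum per group is an assumed threshold, chosen so that a lone order from a small country can't single out one customer.

```javascript
// Added example, not code from the original post. Turns a raw order export
// into an aggregate with no per-person rows (what you keep after analysis),
// and contrasts it with a "replace the email with an ID" version that is
// still personal data. Column names and sample rows are constructed.

// Constructed sample rows shaped like a shopping-platform order export.
const ORDER_EXPORT = [
  { order_id: '1001', email: 'alice@example.com', name: 'Alice A', country: 'GB', created_at: '2024-03-02', total: 42.5 },
  { order_id: '1002', email: 'bob@example.com',   name: 'Bob B',   country: 'GB', created_at: '2024-03-09', total: 18.0 },
  { order_id: '1003', email: 'alice@example.com', name: 'Alice A', country: 'GB', created_at: '2024-03-21', total: 60.0 },
  { order_id: '1004', email: 'carol@example.com', name: 'Carol C', country: 'DE', created_at: '2024-03-14', total: 25.0 },
  { order_id: '1005', email: 'dave@example.com',  name: 'Dave D',  country: 'IE', created_at: '2024-03-30', total: 99.0 },
];

// Columns that identify a person directly or through linkage to another table.
const IDENTIFIER_COLUMNS = new Set(['email', 'name', 'order_id', 'customer_id', 'phone', 'address', 'ip']);

// Orders and revenue per country and month. Groups with fewer than minGroup
// orders are folded into 'other' for that month; if 'other' is still too
// small it is dropped rather than published as a single identifiable order.
function aggregateByCountryMonth(rows, minGroup = 2) {
  const groups = new Map();
  for (const r of rows) {
    const month = r.created_at.slice(0, 7);
    const key = `${r.country}|${month}`;
    const g = groups.get(key) || { country: r.country, month, orders: 0, revenue: 0 };
    g.orders += 1;
    g.revenue += r.total;
    groups.set(key, g);
  }
  const out = [];
  const other = new Map(); // month -> folded small groups
  for (const g of groups.values()) {
    if (g.orders >= minGroup) { out.push(g); continue; }
    const o = other.get(g.month) || { country: 'other', month: g.month, orders: 0, revenue: 0 };
    o.orders += g.orders;
    o.revenue += g.revenue;
    other.set(g.month, o);
  }
  for (const o of other.values()) if (o.orders >= minGroup) out.push(o);
  return out.sort((a, b) => (a.month + a.country).localeCompare(b.month + b.country));
}

// Check to run before keeping or sharing an output: no identifier columns,
// and no row that stands for fewer than minGroup orders.
function looksAnonymised(rows, minGroup = 2) {
  return rows.every(r =>
    Object.keys(r).every(k => !IDENTIFIER_COLUMNS.has(k)) && r.orders >= minGroup);
}

// Pseudonymisation, for contrast: identifiers swapped for tokens, but the
// key table that comes with it links every row straight back to a person.
function pseudonymise(rows) {
  const keyTable = new Map();
  const out = rows.map(r => {
    if (!keyTable.has(r.email)) keyTable.set(r.email, `cust-${keyTable.size + 1}`);
    const { email, name, ...rest } = r;
    return { customer_id: keyTable.get(email), ...rest };
  });
  return { rows: out, keyTable };
}
```

Once `aggregateByCountryMonth` has produced the numbers you wanted, the aggregate is what you record and the export itself is what you delete; `looksAnonymised` is the check that you didn't accidentally keep a column of emails in the 'summary'. The pseudonymised rows fail that check for the reason the text gives: a customer ID plus a key table is still a person.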
Individuals have the right to ask companies if they're storing their information and to request copies of any data held (a 'subject access request', usually shortened to SAR or DSAR). You normally have one month to respond if they do so. If a request is unclear you can ask the person to clarify it and the clock pauses until they do; for especially complex or numerous requests you can extend the deadline by up to two further months, as long as you tell them within the first month. Before you hand anything over, make sure the person asking is who they say they are: sending a customer's order history to someone who merely knows their email address is itself a data breach, so ask for proof of identity wherever you have any doubt.
In any response to a Subject Access Request, as well as providing copies of data, you should include information like what you're using the data for, how it was obtained, how it can be amended or deleted, and how long you intend to store it. I'd recommend simply linking to your privacy policy to explain most of this.
There are grounds for refusing a DSAR or withholding information, for example in the case of requests which are being made to harass or disrupt your business, or communication that is legally privileged such as that between you and your legal advisors.
The law gives people the right to have their data deleted (the 'right to erasure'), although it's not absolute, as the exemptions below show. They can ask you in writing or verbally, giving you details of what data they want erased and information like their name, email address or account details to help you find it, and as with access requests you should confirm the person is who they claim to be before deleting anything.
In these situations you must remove a customer's data from all locations where you hold it: email accounts, shopping cart platforms, offline databases, spreadsheets and email marketing platforms, for example, and you should tell any third parties you've shared the data with to delete it too. Data sitting in backups can be left to expire with your normal backup rotation, but you should tell the person that this is the case and make sure it doesn't get restored back into live use.
There are several exemptions to the requirement to delete data, but the only ones I think that really apply in the case of ecommerce are compliance with legal obligations or when data might be necessary for establishing, exercising or defending legal claims.
Of course, someone has to pay for the enforcement of all of the above. And that's where your annual fee to the Information Commissioner's Office comes in.
Every organisation that processes personal data, whether a registered company or sole trader, has to pay this fee unless they're exempt. There's a self-assessment on the ICO's website which will tell you whether you need to pay this fee or not and allow you to register. The fee depends on size and turnover and is £40-£60 for most small organisations; check the ICO's site for the current rates.
There's a lot more to GDPR than the general overview I've given here. These are some of the main points for ecommerce operators, so I've skipped the specific laws on things like CCTV or the treatment of medical records. Of course it's possible that you're an online store selling CCTV cameras, or a supplier of medicines which is also involved in medical research, in which case you may have access to particularly sensitive data or be subject to additional rules or exemptions. But the outline above covers the main points for 'vanilla' ecommerce.