Running an e-commerce business can be a highly profitable endeavor. With some reports estimating the digital economy to be worth around $25 trillion by 2025, it’s clear that financial opportunities abound for people looking to make a living online.
However, there are a growing number of legal pitfalls for entrepreneurs involved in ecommerce – and slipping up can get expensive.
One big step toward circumventing these risks is uncovering what they are and how they can impact your business. To help, we’ve outlined three of the most expensive legal pitfalls you’ll encounter in the world of ecommerce, plus actionable measures you can take to avoid them.
Pitfall #1: Ignoring the GDPR & Other Data Privacy Legislation
With little pomp and circumstance (but many compulsory emails), the EU’s General Data Protection Regulation (GDPR) came into effect on May 25th, 2018 – concluding a full two-year window in which businesses across Europe had the chance to improve their data collection practices or face monetary penalties of up to €10 million+.
While taking the GDPR seriously may seem obvious to many business owners operating in Europe, American companies should also take note. That’s because the GDPR is enforceable in any legal scenario involving the data collection of an EU citizen. Even if you’re set up in San Diego, California, the long arm of the EU can still reach you across the Atlantic if you mishandle the personal information of a European customer.
Plus, American politicians have not been ignoring the GDPR. At this juncture, there’s a data privacy law for every U.S. state, and new bills (or strong amendments to existing ones) have been appearing on a regular basis.
California already passed the California Consumer Privacy Act (CCPA) earlier this year, and its stringent regulations, paired with severe fines for non-compliance, make it a big upcoming hurdle for American businesses. Going into effect January 1st, 2020, any company that offers goods or services to Californians must adhere to the CCPA or risk legal repercussions. Not giving users proper access to the data you collect about them, for instance, is enough grounds for litigation.
The bottom line is this: laws like the GDPR and CCPA were constructed to be enforceable outside of their respective geographic confines. This makes things tricky for online businesses, who potentially have customers from all over the world. It’s a new day and age for privacy legislation, and staying legally compliant requires action on your part as a business owner.
Solution: Understand the Foundation of Privacy Laws
There are a few big steps you can take to make your site more compliant, and some are easier than others. Here are the basic tenets that all e-commerce businesses should follow:
- User Consent: Get proper, informed consent from users BEFORE collecting their data.
- Data Mapping: Know what data you collect, why you collect it, and keep records of what processing activities your users consent to.
- Data Security: Minimize the data you use, and make sure each third-party service provider you use is trustworthy.
- User Rights: Allow users to exercise their rights – accessing data, removing or altering it, etc.
Also, remember that the more data you collect from your users, the riskier things can get for your business – especially in the event of a data breach. When you’re evaluating the data collection processes and data privacy measures you employ on your website, be sure to keep this in mind.
Finally, while these principles are useful for you to understand the foundation of what it takes to comply with these new privacy laws, note that to ensure you are fully compliant, you should read the bills yourself and may need to consult with a lawyer.
Pitfall #2: Mishandling User Data + Botching Data Breaches
As an online business owner, it’s nearly impossible to avoid handling user data in some capacity. Whether you’re simply using a third-party tool like Google Analytics to track your marketing statistics or collecting user emails for a monthly newsletter, success often hinges on the information your customers give you at different points on your website.
Such data is valuable – a fact that isn’t lost on hackers, cybercriminals, and other dishonest characters patrolling the internet. And when such people find chances to exploit a website or database, they do so indiscriminately. Unfortunately, this happens more often than it should.
Formally referred to as a “data breach”, this type of security failure happens often in the U.S. and across the globe, and affects millions of people every year. Yet until recently, breaches were of little financial consequence to businesses. Take Equifax, for example – they leaked the data of 145 million Americans in 2017 and weren’t fined a single dollar.
Ignoring or skirting around new privacy legislation may be a huge pitfall, but mishandling or neglecting the data of your users – especially in a way that results in a data breach – will get you into even more trouble. Not only because you’ll get fined and/or sued for it, but because it will cripple your reputation as a dependable company. Uber’s public fall from grace (and loss of $20 billion in market value) is a clear example of how much damage a breach can do to your business’s image and pocketbook.
Solution: Implement “Privacy by Design”
Privacy by Design (PbD) might sound buzzy, but it represents a fundamentally sound concept. At its core, PbD is about incorporating privacy into all levels of your website and product, rather than addressing it as an afterthought. Embracing what it stands for and what it advises that businesses adopt is a big step toward avoiding legal pitfalls involving user data.
To reiterate, Privacy by Design must be a proactive, non-reactive process. Integrating protective measures for user privacy at all stages of your website and product, conducting cybersecurity risk assessments of your third-party service providers, and keeping your various frameworks and plugins up-to-date each play a key role in establishing yourself as a pro-PbD company.
However, beyond the helpful elements outlined in PbD, the most effective way to protect your business from a cyber attack is to teach employees at all levels of your company the most common mistakes that lead to security failures and how to avoid them.
A recent study undertaken by a London-based consulting firm found that 66% of data breaches occur because of “employee negligence or malfeasance”. Having the technology and systems in place to keep data secure is crucial, but creating a work environment that promotes best online practices and teaches employees how to minimize errors could ultimately end up saving you from data breaches.
Pitfall #3: Having a Jargon-filled Terms & Conditions Hidden on Your Website
Getting legitimate user consent to your terms and conditions will keep the court in your favor (should any issues arise), and help mitigate most legal issues before they even become a problem for your business. But how can you be sure you’re collecting proper, informed consent?
Solution: Simplify Your Terms & Employ Clickwrap
If you don’t clearly understand what’s being said in your terms of service, your customers surely don’t. And if they don’t understand the terms, then they certainly can’t consent to them. Simply put, an excessive amount of legalese weakens your terms and conditions and their ability to protect your business.
To be sure you avoid presenting your customers with heavy doses of jargon on your website’s policies, go over them with a lawyer, and make sure everything is both legal and also clear to the layman. Lawsuits frequently stem from vague, misinterpretable language, so you want to minimize (and hopefully eliminate) all such instances everywhere on your website.
One great way to ensure consent is with a clickwrap agreement. Clickwrap requires users to take an affirmative action before they can proceed to certain parts of your website – actions such as clicking an unchecked box or button (thus the name). By clearly informing your users that they are agreeing to your website’s terms at the point they create an account or begin using your service, you can make sure they give their full consent.
(Image: WeddingDress.com’s login & sign-up form – clickwrap consent example)
Note, however, that having pre-checked boxes doesn’t count toward consent anymore, and making your policies simply visible (like with a banner, for instance) doesn’t either. To protect yourself to the fullest extent, be sure you fully understand what does and doesn’t constitute consent in the post-GDPR world so you can obtain it from your users.
Your terms and conditions have the potential to shield your business from a swath of frivolous lawsuits, so it’s important to make yours as strong as possible. But strong doesn’t necessarily mean complex and lengthy. Writing your terms in jargon-free language and getting users to consent to them will help you avoid many avoidable legal problems down the road.
Legal pitfalls for online businesses have grown in depth and quantity over recent years. As courts around the western world begin to take aim at companies for mishandling the heaps of data they gather from customers, it’s in the best interest of your business to take these new laws seriously.
It’s not all fire and brimstone, however. If you work toward complying with legislation like the GDPR and CCPA, invest in data privacy, and incorporate transparent policies with clickwrap on your website, you’ll be in a much better position to avoid costly legal fines and take home a bigger slice of your company’s revenue as a result.