How to Ensure Your E-Commerce Site is Compliant With Emerging Privacy Laws
Navigating the data privacy landscape these days can be daunting, particularly with the continual emergence of new state and federal regulations. We now have 13 state laws signed, and many others to come online in the next year, not to mention sector-specific laws. These have led to hundreds of lawsuits and enforcement actions.
Given that these laws address consent but require much more than an “opt out” or “opt in” mechanism, what should retailers do to protect against an inadvertent privacy violation?
First, let’s look at laws that are commonly cited in privacy cases and key considerations for retailers.
Comprehensive State Laws
Numerous states have followed suit since the passage of the California Consumer Privacy Act (CCPA) in 2018. Currently, 13 states have enacted comprehensive state privacy laws, with four additional laws set to take effect this year: Tennessee, Florida, Oregon, and Montana.
Key Considerations
The Definition of Sensitive Data is Expanding
The definition of “sensitive data” is quickly evolving in certain jurisdictions to include broader medical terms, data collected from minors under 16 years old, and location data. While such rules traditionally applied to healthcare-related businesses, like pharmacies and clinics, the WA My Health My Data Act (MHMDA), going into effect in March 2024, also applies to retail companies in the fitness and wellness sectors, prohibiting the sharing of any information that identifies a consumer’s health status.
Data Sharing Beyond Consent
Consent isn’t sufficient for compliance with the new privacy laws that classify some data as sensitive and require explicit “opt in” rather than “opt out” mechanisms. Aside from the main state privacy laws, the numerous sector-specific state laws and federal regulations such as HIPAA, COPPA, the CA Invasion of Privacy Act (CIPA), and MHMDA require broadly limiting data sharing with any unauthorized party, including tags and trackers that piggyback on numerous other trackers.
Violating UDAAP provisions
Another increasingly problematic issue is companies being cited for Unfair, Deceptive or Abusive Acts and Practices (UDAAP), or under California’s Unfair Competition Law (UCL), for using trackers to collect and share data from websites. The Federal Trade Commission has been particularly aggressive about location tracking data purchased from data brokers like Kochava and DRN.
Private Right of Action
Several laws allow for private lawsuits, enabling individuals to take legal action against noncompliant entities, including the WA MHMDA, the Video Privacy Protection Act (VPPA), which applies to video players, and the Biometric Information Privacy Act (BIPA).
Tips for Retailers to Ensure Compliance
- Multi-state compliance: Go with the “high-water mark.” This used to mean complying with CA law. It now requires a broader analysis that includes Washington state and age-gating laws, not to mention nuances between the CCPA and other state laws.
- Lower the attack surface: Use automated website scans to eliminate all extraneous tags and trackers. This part of the web is extremely dynamic so …
- Check weekly: Regularly audit and scan websites for potential privacy risks, including unauthorized data sharing and vulnerabilities.
- Risk areas: Pay particular attention to video analytics, appointment scheduling tools, sensitive product categories, payment pages, and virtual try-on services with heightened privacy risks.
- Customer trust: Recognize that regulatory fines and legal settlements are not the only risks; customer trust and loyalty can suffer if privacy concerns aren't addressed effectively.
- Catalog and confirm: Inventory and verify all the tags on your site at least monthly, and make sure you apply your policies to the extended list. Remove sharing from fourth, fifth, and Nth-party trackers that aren’t necessary.
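As an added example (not from the article or from LOKKER), this Python script implements the “catalog and confirm” step above for the HTML a page serves: it lists every external host the page loads a script, pixel, iframe or preload from, and flags hosts that are neither first-party nor on your approved-vendor list. The domains and the checkout page are constructed; the suffix check treats only real subdomains as first-party, so a look-alike such as evil-shop.example is not.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which a page loads an external resource (scripts, pixels, widgets, preloads).
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class _TagCollector(HTMLParser):
    """Collects every absolute or protocol-relative resource URL on the page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = _SRC_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.startswith(("http://", "https://", "//")):
                self.urls.append(value)

def _host(url):
    # Protocol-relative URLs (//host/path) need a scheme before urlparse can find the host.
    return urlparse("https:" + url if url.startswith("//") else url).hostname or ""

def _under(host, domains):
    # True only for the domain itself or a genuine subdomain, never for look-alike names.
    return any(host == d or host.endswith("." + d) for d in domains)

def inventory_tags(html, first_party, allowlist):
    """Map each external host on the page to 'first-party', 'approved' or 'unapproved'."""
    parser = _TagCollector()
    parser.feed(html)
    report = {}
    for host in map(_host, parser.urls):
        if _under(host, first_party):
            report[host] = "first-party"
        elif _under(host, allowlist):
            report[host] = "approved"
        else:
            report[host] = "unapproved"
    return report

def unapproved_hosts(report):
    """Hosts to remove, or formally approve, before the page ships."""
    return sorted(h for h, status in report.items() if status == "unapproved")

# Constructed sample: a checkout page (a high-risk page per the list above) with one
# signed-off vendor, one first-party script and two tags nobody approved.
FIRST_PARTY = ["shop.example"]
ALLOWLIST = ["approved-vendor.example"]
SAMPLE_CHECKOUT_HTML = """<html><head><script src="https://static.shop.example/app.js"></script>
<script src="https://tags.approved-vendor.example/tag.js"></script>
<link rel="preload" as="script" href="//pixel.unknown-adtech.example/p.js"></head>
<body><img src="https://beacon.other-tracker.example/1x1.gif" width="1" height="1">
<iframe src="https://video.approved-vendor.example/player"></iframe>
<script src="/local.js"></script></body></html>"""
```

Tags injected at runtime by other tags (the fourth- and Nth-party chain the list mentions) never appear in the served HTML, so pair this static inventory with a browser-driven scan that records what actually loads.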
For context, Bloomberg Law reported over 265 pixel privacy lawsuits in 2023, and these lawsuits and privacy risks continue to grow. While numerous privacy laws exist beyond those discussed in this article, understanding and addressing these key regulations is essential for retailers to mitigate compliance risks and costly fines and to safeguard consumer privacy.
As CEO and founder of LOKKER, Ian Cohen is dedicated to providing solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen formerly served as CEO for Credit.com, and CPO for Experian, where he focused on consumer-permissioned data.