Data privacy is top of mind for retailer information security, compliance and risk management officers. And for good reason. Data breaches and compliance violations can tarnish a retailer’s reputation and lead to steep regulatory fines and costly lawsuits. Target, for example, spent over $200 million on legal fees related to its headline-grabbing 2013 data breach.
Across the world, regulators are expanding data privacy rules to protect consumers and give individuals more control over their personal information. Mandates like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) significantly impact how businesses gather and manage consumer data. Going forward, retailers must evolve their data security systems and practices to keep pace with expanding government regulations and maintain customer trust.
GDPR and CCPA Establish Strict Data Privacy Requirements
GDPR was enacted in 2016 to strengthen and unify data protection within the European Union. The regulation is intended to give consumers greater visibility and control over their personal information and to improve the flow of confidential data within the EU. The law applies not only to EU-based retailers, but to any organization that offers goods or services in the EU. GDPR lays out detailed requirements for collecting, storing, protecting and using personal data, for reporting data breaches, and for training workforces.
Bottom line: any retailer that does business in the EU must comply with GDPR or risk stiff penalties. While the largest GDPR fines have been doled out in other industries (a major airline and global hospitality company were hit with $230 million and $123 million fines, respectively), retailers haven't walked away unscathed. Polish online retailer Morele.net, for example, was fined €645,000 last November for a data breach affecting 2.2 million people.
National governments across the globe are instituting data protection rules similar to GDPR. Examples include the Personal Information Security Specification in China, the Act on the Protection of Personal Information in Japan, the Personal Data Protection Bill in India, and the General Data Protection Law in Brazil. And, in the U.S., many individual states are enacting consumer data protection laws, the most prominent of which is CCPA in California.
While data privacy laws are often similar, retailers really need to consider each regulation individually to ensure compliance. For example, GDPR and CCPA handle consumer consent requirements differently. With GDPR, consumers must explicitly agree to data collection during sign-up, while with CCPA retailers can simply allow consumers to opt out of data collection.
3 Keys to Achieving Compliance and Earning Customer Trust
By adhering to data protection regulations, retailers can avoid ugly headlines and costly fines, as well as preserve customer confidence and loyalty. Here are three tips for ensuring compliance and building customer trust:
- Take a fresh look at your website and make sure consumers have full visibility and control over their personal information and preferences throughout the entire buyer journey. Common user interface design techniques like pre-checking consent boxes or making it difficult for customers to revoke consent or unsubscribe from services are not permissible under many data protection statutes.
- Implement strong security measures to defend against data breaches. Whether your e-commerce systems are hosted on-premises or in the cloud, strong security solutions and practices are essential for protecting IT infrastructure and safeguarding confidential customer data. Enforcement agencies have handed out the largest GDPR fines to businesses that have leaked personal data like credit card information.
- Introduce comprehensive identity governance solutions to closely monitor and control access to customer accounts and data. Identity and access management solutions are the cornerstone of a strong security framework and are critical for protecting personal data, managing compliance, and streamlining the user experience. For example, one of the world’s largest ticket marketplaces has mastered the art of compliance on a global scale. The company’s chief security architect identified four key best practices that have contributed to its success: agility; data minimization; privacy and security by default and by design; and last but by no means least, regarding your privacy team as enablers to your business, not gatekeepers.
CIAM Solutions Are Built With Consumers in Mind
When formulating an identity governance plan, be sure to choose a customer identity and access management (CIAM) solution. Unlike traditional enterprise IAM solutions used to control employee access to corporate IT systems, CIAM solutions are purpose-built for consumer-facing applications. CIAM platforms are designed to be more scalable and user friendly, and they support social logins (e.g., Facebook, Google, etc.) and other consumer-centric features. They also integrate with CRM systems, marketing automation platforms, business intelligence tools and other back-office applications, helping retailers provide seamless customer experiences and gain insights into consumer behavior.
Tara Bartley is senior manager, industry marketing at Akamai, the intelligent edge platform for securing and delivering digital experiences.
Related story: Online Shopping Isn't Going Away Any Time Soon. Are You Prepared?
Tara Bartley is Senior Manager, Global Industry Marketing at Akamai Technologies, a globally distributed intelligent edge platform.