Cookies can be helpful business tools, but they often toe the data protection line dangerously. As a result of this tendency towards uncertainty, the EU has introduced a new cookie law to protect its users. This new policy will affect any US company that does online business with EU customers. What do website operators need to pay attention to when it comes to this new cookie law?EU cookie laws and how they affect your business
Data protection in e-commerce
Every day in the world of e-commerce, there is such an incredible variety of transactions taking place; many of which require providers to have access to consumer data. However, many users have concerns about giving over their personal data—and for good reason. Far too often highly sensitive data is misused, unlawfully used for advertising purposes, or even handed onto other third parties. In order to avoid unhappy customers, as well as any possible legal consequences, it is highly recommendable that companies stay on top of the subject of data protection. Anyone who loses sight of the complex data security issues very quickly runs the danger of breaking laws and incurring very costly fines.
The term ‘data protection’ originally stems from Europe and came about in reference to privacy-protective legislation. In the United States, on the other hand, this was more often referred to as data privacy. Data privacy in the US can vary depending on which state you are in. This article outlines both the national legislation as well as country/state-specific laws and guidelines that you need to follow as an online business operator.
- The aim of data security
- Personal data vs. sensitive personal data
- Security breaches
- Email marketing
- A note on Google Analytics and similar
- Cookie policies in the US
The aim of data security
Data protection laws are there to help keep your online personal information safe and secure. At the moment, the United States is without any nationwide laws or legislation covering this exact topic. It should be mentioned, however, that some degree of data protection is provided under the likes of the United States Privacy Act, the Safe Harbor Act, as well as the Health Insurance Portability and Accountability Act (HIPAA). That being said, none of these are particularly relevant to the area of consumer data protection.
The United States values the first amendment of its constitution, i.e. the right to free speech, very highly. This means in practice that data protection rules can be impeded or blocked entirely. This is why the so-called ‘right to be forgotten’ isobserved in Europe, where an individual can ask search engines, such as Google, to remove news articles about them. This cannot be easily applied across the Atlantic, where the constitution protects freedom of expression, meaning that people cannot request to have negative information about them to be removed from the web so easily. In other words, there is no constitutional basis for all-encompassing data privacy act. Simply put: if an individual or business has gone to the effort of entering data, it is seen as having the right to store and use it, even if it is the case that the data was collected without permission, technically speaking.
However, since May 2018, there has been a new EU regulation in place, which also affects the US market, to an extent. The General Data Protection Regulation applies to all countries in the EU, but more specifically, to the web users within the EU. This means that your US website, if visited by an internet user based in the EU, has to comply with these data protection regulations too. Because of this, it is important that while you make sure you’re up to speed with the local regulations (different states may have different regulations), you should also keep the EU regulations in mind, and put the right measures in place in case you get a visitor from an EU country.
Personal data vs. sensitive personal data
The Federal Trade Commission (FTC) defines personal data as information that can be used to identify a person and even get in contact with them. Among this type of information are IP addresses and device identifiers; a distinctive telephone number associated with a smartphone or other handheld devices. Sensitive personal data is seen as being things such personal health data, financial data, credit rating data, student data, and any other data that could be used for identity fraud or theft. Any information collected online from children under the age of 13 is also deemed as being sensitive personal data.
Generally, data security breach notices and data security laws of the individual states are sure to cover names of persons, as well as a government ID no., payment card no., and health insurance data. Particularly relevant to online business owners is the fact that some state laws cover username and passwords for individuals’ online accounts.
The FTC has jurisdiction over many businesses within the commercial sector and when it comes to some issues, has the authority to issue and implement privacy regulation in certain areas of industry, including commercial email, children’s privacy, and telemarketing. With regards to these areas, the FTC aims to prevent business practices that are unfair or deceptive. High profile data security breaches are dealt with by attorney generals within each state. As has been made clear, given the related courtroom dramas, these are all decentralized regulatory bodies or departments; there is no official national data protection authority in the United States.
Data protection in California
Following the cookie trail
Minors in California are treated specially under the law – in this case, the term minor refers to anyone under the age of 18. Minors, who are registered users of a site, have the right to remove any content that they might have posted and uploaded from the site or web service. This piece of legislation applies to websites and online services that are principally aimed at the aforementioned minors, or that knowingly collect and file personally identifiable information from minors.
Data privacy in Massachusetts
The state of Massachusetts has a law requiring any organization to make one or more of its employees responsible for their information security program. As with the aforementioned laws specific to California, this law covers all organizations that possess or license personal data (sensitive or otherwise) on Massachusetts, meaning that it extends beyond the borders of the state. There is a similar nationwide law that applies to all companies and organizations subject to the HIPAA (see above), which are all required to appoint a data protection officer and IT security officer. One of the main reasons for this is that the data security requirements expected of these HIPAA regulated organizations are more extensive and there are some states that have even more detailed security requirements for things like payment card data and social security numbers.
The security program required by law in Massachusetts requires any organization or firm, etc. to have a written information security program. This program needs to be comprehensive and there are certain minimum requirements that it must possess. It needs to make sure that all service providers who have access to this sensitive personal data are bound to these regulations. There are also encryption requirements on the transmission of sensitive personal informationvia wireless networks andbeyond the physical/logistical area of the organization. The same applies to any laptops and portable devices that an organization might have. It is worth noting that this law isn’t just specific to Massachusetts but applies to the state of Nevada as well.
Data security in Canada
North of the border there is a similar set of rules that have been implemented under the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA). This law outlines that organizations in Canada need to:
- Acquire consent when they collect, use, or disclose personal information of its customers.
- Acquire and file information by using methods that are legal and fair.
- Clearly state what their policies relating to personal information are
- Never refuse to supply customers with product/service if they choose to opt out of having their data being collected, used and disclosed.
The e-commerce industry handles a lot of very personal, sensitive, and important data. This means that no matter how much security is implemented, there will still always be the threat of a significant breach and the loss of such data. Currently, 47 states require state residents to be notified when there has been a breach of security pertaining to the use of one or more of the following pieces of information: name, credit card no., bank account no., government ID no., social security no., etc.
It is worth noting that more and more states are beginning to recognize tax IDs and login details (username and password) as being sensitive data. As a result, they are also becoming subject to the laws regarding breaches. Breaches of information from financial institutions need to be reported to consumers according to federal law. There are also some states where some breaches need to be reported to state officials, in some cases it might even go as far as a particular state’s Attorney General.
What happens if these rules are broken?
Inevitably these rules and guidelines will also occasionally be breached and broken. Civil penalties are handed out by the FTC, State Attorney Generals, or even the regulatory body of the industry sector in question. Furthermore, such violations can also lead to lawsuits and trips to court. It goes without saying that such things should be avoided, as the cost of compensation for lawyer fees, etc., can add up and make it endeavor expensive. Failure to provide sufficient data security for personal data, for example with credit card details, can easily lead to the e-commerce businesses being sued.
In the United States, marketing communication is regulated extensively. There is a federal law, the so-called CAN-SPAM Act, which not only applies to emails but to all commercial messages – defined by the law as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service”. The law does not distinguish between business-to-customer and business-to-business emailing. Just like with a lawsuit, failing to carefully follow the rules in this area can be very costly; each individual mail found to be in violation of the CAN-SPAM Act can be subject to a fine of up to $40,654. This information is very important for any business using this sort of communication, including the likes of newsletters, updates, blog, etc.
The CAN-SPAM Act is quite comprehensive in the range of issues that it covers. Here is an overview of its primary requirements:
- No misleading/false information in the header – it must be easy for the recipients to identify the individual or organization who wrote and sent the message.
- No misleading subject lines – this guideline should be fairly self-explanatory.
- Disclose that the message is an advertisement – although the law provides quite a bit of leeway when it comes to this particular rule
- Include an address – every email needs to also feature a physical postal address.
- Include opt-out information – this ought to be easily identifiable and easy to carry out. It is recommended that you use a different type of font size and color for this. A return email address or online link is sufficient in this regard. If you wish, it is possible to present the recipient with a menu, wherein they can choose to opt out of certain categories of emails, however, you will also need to include an option to cease all communication. Finally, you should make sure that such replies from customers do not end up in your spam folder – adjust your settings if necessary.
- A timely opt-out – the 30 day period after you send a business email is crucial as you are required to process any request to be unsubscribed made during this period. This process is not allowed to be in any way complicated; you cannot require them to do any more than send a simple reply or visit more than one web page. It is illegal to demand identification or even a fee from the individual. Once an opt-out request has been sent, you have 10 working days to process and execute it. It must be noted that such a request prohibits not just you or your organization sending emails, it also prohibits the selling or transferring of email addresses to other companies – the exception being if the company you are transferring them to is, in fact, one that has been employed for the purpose of assisting you with CAN-SPAM Act compliance.
- Don’t shirk away from responsibility – employing a third party to look after your email marketing does not leave you immune to being legally responsible for what is being sent out to recipients. Both you and the third party can be held legally responsible for any actions taken or not taken, as the case may be.
Purposely altering the origin or routing of an email with the aim of misleading users is prosecutable under federal law.
A note on Google Analytics and similar
Website operators who use Google Analytics must now also obtain the explicit consent of website visitors regarding tracking in order to act in compliance with EU law - a position that is accompanied by legal uncertainties and warning risks for those affected. However, there are also data protection alternatives to Google Analytics such as Piwik or Chartbeat, which you can use for your web analyses instead.
Take a look at the official EU GDPR portal to see what the key changes are to data protection and cookie policies in the EU. Of course, it doesn’t apply as heavily to the US market, but it could have an effect on your relationship to EU customers all the same.
Cookie policies in the US
It is vital that a customer or visitor to your site is well aware that there are cookies or other similar tracking devices in use. Failure to inform visitors of this can bring about the risk of legal action, fines, etc. There is also something known as the Digital Advertising Alliance code of conduct. Among other things, it recommends the inclusion of a display icon that makes it easy for users to decide against being tracked for behavioral advertising purposes.
Furthermore, due to the new regulations in place in Europe after the GDPR came into action, you should also be aware that your cookie policies should extend beyond following the US regulations – unless you only want to target a US market, which would put you at a disadvantage, as you would lose a large number of potential website visitors. Because of the new regulation, you should be aware that principles in Europe, such as the right to be forgotten, which normally do not apply for US sites, may now be something you should consider.
These days plenty of e-commerce activity takes place via smartphone apps, as one might expect. This increase in shopping on the go has led to a wider debate regarding data privacy relating to location data. This is where telecommunications companies become involved. The Federal Communications Commission (FCC) which regulates the collecting and disclosing of location information by telecommunications companies.
As this article has shown, data privacy and security are not always straightforward when it comes to the world of e-commerce. There are several complex issues and obstacles that need to be overcome in order to make sure that you are abiding by all the relevant legal guidelines. It is also worth keeping an eye on your state’s legislation. As we have seen with the change to the European legislation, this is an industry that is constantly changing and developing, and can affect internet activity across the globe – and with that, affect data protection and data security too.