The State of Privacy & Data Protection Today


SEASON 2 episode 6:
The State of Privacy & Data Protection today

GDPR. CCPA. APA/APP.

There are a lot of acronyms for data protection and privacy terms being thrown around in the ecommerce world, but with those acronyms come plenty of questions:

•What direction is data protection and privacy headed – globally – and what are the steps online businesses need to take to follow best practices to build trust with your customers?
•How do regulations and requirements differ between the European Union, the USA, and Australia, and in cross-border commerce, which regulations take precedence?
•Most importantly for our clients, how do GDPR and laws like it affect small, medium, and enterprise ecommerce businesses differently?


Privacy and data protection laws used to be limited to the countries they governed – since most commerce was done within borders. But the emergence of cross-border commerce has created a challenge for ecommerce merchants. Regardless of where it’s headquartered, your business is subject to the privacy and data protection laws in your customers’ countries.

After listening to this episode, you’ll have a better idea of what to expect when it comes to data protection and privacy, along with the actions you can take to make sure your business is following best practices.

In this episode of Gateway to Ecommerce, Denise Purtzer, (former) VP Partnerships & Alliances at ClearSale, talks with Ralph Kooi, Country Manager for Australia at ClearSale, about what the EU, Australia, and the US are doing with GDPR and data privacy, including how countries like Australia and the US are adapting to these requirements proactively.

Please note that neither Denise nor Ralph is a legal expert; companies should seek legal counsel for any advice or situations they may be facing in their business.


Who are your hosts?

  • Denise Purtzer

    is ClearSale’s (former) VP of Partnerships and Alliances, and she lives for connecting the right people to make things happen. Denise has 20 years of experience in ecommerce and knows the ecommerce landscape from every angle, for every size business, in every market.

  • Ralph Kooi

    is the Country Manager, Australia at ClearSale. He has previously worked for several international SaaS businesses while based in Australia.

Podcast Episode Recap

HOW DO THE VARIOUS DATA AND PRIVACY PROTECTION LAWS DIFFER?

The toughest privacy and security law in existence today is the General Data Protection Regulation (GDPR) – published in 2018. It was the first law designed to address data privacy and protection, and it affords eight privacy rights to customers who provide their information to businesses or organizations.
The requirements are specific and the stakes are high:

• Any entity pulling personal data pertaining to an EU citizen is subject to GDPR.
• There has to be a legitimate reason to collect data and the amount must be minimized to only what’s necessary.
• The collected data must remain accurate and it can only be kept for a set period of time.
• There are rules pertaining to data integrity and confidentiality, so encryption is essential.
• Penalties for violating GDPR start at €20 million or 4% of the ecommerce business’ global revenue, whichever is higher.

In the U.S., there is no single, comprehensive data and privacy law. Instead, individual sectors – telecommunications, health, credit information, financial institutions and marketing – have governing laws. The California Privacy Rights Act (CPRA) is evolving in line with GDPR and adds more rights, including the protection of children’s information.

WHAT SHOULD ECOMMERCE MERCHANTS KEEP IN MIND WHEN COLLECTING DATA?

It should be no surprise to ecommerce merchants that consumers don’t like handing over their personal information when ordering online. The problem is, merchants need that information to screen for fraud, to make sure they are charging the correct customer, and to confirm shipping to the correct address.
But some personal information may not be necessary to gather, and collecting it can get merchants in trouble. Ecommerce merchants need to be mindful of the data they are gathering and 100% confident they can align with these data privacy regulations. Some best practices to consider include:

• Make sure your partners are fully compliant with regulations. Any slip-up by a payment, platform, or other partner can implicate your business by association.
• Post your privacy policy on your website. Explain which data is collected, why it’s collected, and how you keep it safe.
• Give consumers the opportunity to consent to data collection. Not doing that is an almost surefire way to attract penalties.
• Have a documented process for deleting and disposing of personal data from your customers.
• Always give customers the option to block or disable cookies on your website to make sure data isn’t stored without them realizing.


episode Transcript

Podcast Intro

You're listening to Gateway to Ecommerce, a podcast by ClearSale. In this series, global ecommerce leaders discuss challenges, best practices, new tech, and secrets to success. And now your host, Denise.

Denise Purtzer

Hello. And welcome back to the Gateway to Ecommerce podcast. My name is Denise Purtzer and I'm VP of Partnerships and Alliances here at ClearSale. GDPR, CCPA, APAP, APA, all of these things are going to be mentioned today, so a little bit of a warning if you are not into acronyms you might want to brace yourself because this is chock full of them today. We've got alphabet soup going on because you can't talk about data protection and privacy anywhere in the world without including some acronyms, so what do all these terms really mean?

In today's episode we're going to talk about data protection and privacy. Where it is, where it's going, and how you can take steps to follow the best practices and build trust with your customers. We will have a special focus on the European Union, USA, and Australia but many of the tips provided can be applied no matter where you are tuning in because these things are changing constantly, and broadening as we speak.

And this episode is purely based on our knowledge and experience; we're not legal experts in this. And we recommend seeking legal counsel for any advice or situations you might be facing in your business where there's doubt. Today, I have the pleasure of being joined by a special guest, our country manager from Australia, Ralph Kooi. He's going to dive into all the details with me about what the EU, Australia, and US are doing with GDPR and data privacy. And how this is translating to other countries focused on this initiative, like his home country, Australia and states in the US that are adapting to these requirements proactively. Ralph, welcome.

Ralph Kooi

Good evening, Denise. It's great to be here. It's currently 11:30 PM. It's morning your time, but I'm glad we could get this up and running. And really good to talk about my own home country, Netherlands, in that space in the European Union. And yeah, let's dive into it.

Denise Purtzer

Yeah, so speaking of which you're from the Netherlands and now you live in Australia, so we've got your take on a couple of different angles.

Ralph Kooi

Yes, it is. It's been a while; I've been in Australia about 15 years now, so hopefully I can still read a few more Dutch things along the way, but it should be okay.

Denise Purtzer

Well, and that should help explain some of the accent we've got going on, right? Given that you are country manager for Australia, what all does that encompass? What do you think about and take care of for our merchants on a day-to-day basis?

Ralph Kooi

It's really quite a broad overview. I'm the first one here, so when I joined, the first release came out from episode seven of Uncovering Australia, which is funny to see that you had mentioned there, you're looking for somebody on the ground. And then a few months later here I am, so I'm glad to be on the podcasts that are diving into this, my role here really is focused on merchants, predominantly of course, partners and building up our reputation here locally on the ground with everybody else.

Denise Purtzer

All things Australia, right?

Ralph Kooi

Exactly, exactly.

Denise Purtzer

That's awesome, so I think when we want to jump into this today, I think it's best to start with talking about GDPR or The General Data Protection Regulation that came out of the EU. And the EU was the first to create laws around data privacy and protection. And they did this back in 2018, so this is the toughest privacy and security law that exists on a global basis. It takes a really firm stance on customers' privacy and security. And it's interesting that this is happening at a time when people are trusting their personal data more and more, so it's an interesting juxtaposition. One thing I'd like to mention about this is it's really fully encompassing, but it's not specific on details, so that makes it really tough for all companies, whether you're an enterprise merchant or a smaller SMB merchant, to try to get your heels dug in and figure out exactly how it relates to you.

Really, what this is based on is the data subject's privacy rights. And when we talk about data subjects, that's the person that's giving up their data or their information to someone. They have eight different rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling, so that's really the basis where all of this came from and it really is focused on the consumer or that data subject themselves. Given that, we want to look at a little bit of history because if we look at where this came from, it makes a little bit more sense. This goes back, clear back to 1950, to the Convention on Human Rights, where it was stated that everyone has a right to respect and respect for private and family life, home and correspondence, so if you think about that back in 1950 and the evolution of the internet, so the internet was invented then, post that time obviously.

And started to become really mainstream. The EU recognized that there was a need to protect users within this environment as well, so in 1995, the European Data Protection Directive was established, which established just the minimum data privacy and security standards. And then what we want to do is look at what was happening on the internet during that timeframe. In 1995, flashback to actually 1994, when the first legitimate purchase was made, it was actually a Sting CD. That was the first legitimate purchase that was on the internet for those of you wondering about that. The same year the first banner ad appeared and advertising online was born.

And then jump ahead a few more years to 2000 and banks had really started to do online banking, and that was really starting to become popular. And then a few years forward again, in 2006, we had the launch of Facebook and social media. And I think we can all know that there are many challenges that social media has created and the headaches that ensued because of that, not only legally, but ethically and everything else. European parliament passed GDPR into law in 2016. And as of 2018 requirements for all EU members were to be compliant in that, so in the scheme of things, this is all pretty recent when we think about it.

Ralph Kooi

It's pretty crazy if you think of it. In 1995, I was about 10 years old at that time. It's crazy how the internet has been developed so quickly already. And the first Sting CD, it wasn't my audience at that time, for sure. But obviously, it's amazing how we, like you said, have been developing since the two thousands. It's the first time when the iPhone came out. Which is pretty crazy how far we've come so far. But for data protection, who does it apply to really? I think that's one of the questions that I hear as well. Like what businesses? Are you a normal individual with a small company, or small business, small website. Who would it really apply to?

Denise Purtzer

That's a good question. I think it's a question that surfaces or should surface for our merchants, and our bank partners, and anybody that's pulling data from customers around the world, so essentially if you're utilizing the personal data of EU citizens, it applies to you. Any personal data, even if you aren't in the EU. And that's something that really needs to be taken into account because the internet is global and it does apply to you even if you think it doesn't.

Ralph Kooi

Right, or they say, what is on the internet stays on the internet, so it's definitely something to be worried about.

Denise Purtzer

So true.

Ralph Kooi

I did some digging on Australia, so we'll touch base a little bit on that, but in case you have a problem and you get caught in terms of breaching the data regulations, what happens then?

Denise Purtzer

Yeah. Penalties are pretty strict when it comes to GDPR and it's not something that most companies could afford to get caught in. Essentially there's a penalty assessed of 20 million Euro or 4% of their global revenue, so whichever is higher is actually what's assessed.

Ralph Kooi

Wow. That's pretty crazy.

Denise Purtzer

We're not talking small change here by any means.

Ralph Kooi

No.

Denise Purtzer

And then in addition to that data subjects have the right to seek compensation for damages too, so it could be a twofold or a two bag punch for sure.

Ralph Kooi

Right. Funnily enough, because I did do some digging around some of those fines and actually the biggest one so far has been Google. They were fined over 50 million euros for really having done the wrong thing. There is a whole case study on the internet around that, on how not to do it. I Googled it and I'll share a bit more later on in actual episodes on which other companies were fined and how that's sort of been increasing.

Denise Purtzer

That's interesting. And that's not something that anybody wants to get trapped in by any means.

Ralph Kooi

No.

Denise Purtzer

And it's not just Google that's being scrutinized or held accountable, it's anybody, so yeah, we want to make sure we avoid that for sure. As we get into this GDPR thing, I think that it's important to state that there are seven protection and accountability principles that come about from this. And this is really setting the stage for the other laws that are coming about. We're going to talk about as well, not only in Australia, but the US and these seem to come through, so I'm going to share these seven principles, which are according to article five of GDPR. And that's lawfulness, fairness, and transparency, so processing must be all these things for the person giving up the data, ultimately, that's the main thing.

There has to be purpose limitations. There must be legitimate reasons when collecting this data. There must be data minimization, so that data collection person must collect only the minimum amount of data that's necessary to make their job happen. Obviously there must be accuracy, so data must be kept accurate and up-to-date. There is a storage limitation, so you're only supposed to store for as long as is needed. There's integrity and confidentiality. For example, you want to make sure you're using the highest levels allowed of encryption to protect that data and keep it confidential. And then overall, there's this overarching ray of accountability where the data controller is responsible for compliance with all principles, so it's kind of a catchall for everything. These things in mind, I think some of these things carry over to when Australia then started to put their data protection laws into effect. And if you want to comment a little bit further on that, Ralph, I'd love to hear about it.

Ralph Kooi

Yeah. I think you've spoken enough and with the many different acronyms so far, so GDPR in Australia is really not as prevalent if you're staying in Australia, however, should you go to other countries and deal with other identities from people who live in the EU, it definitely becomes an issue, so although if you're not, you will be held accountable for the privacy act, which is an act in this legislation that is protecting the handling of personal information about individuals. This is really the same thing that you mentioned before and includes the collection, use and storage, and disclosure of personal information in the federal public sector and in the private sector, so you still need to maintain those different rules across the board, whether it's GDPR or privacy acts or not.

If you're an Australian business, should you really care? It's one of the things that I get asked or we do wonder if that's really not really only apply for it to European Union businesses. However, as mentioned, if you're going abroad, it definitely becomes something. Interestingly though, personal data becomes more expanding every time, so initially the personal data didn't maybe not include email addresses or online tax file numbers, IP addresses that wasn't really there. And the more the law continues to grow around this part, more data is being added. Some of the latest updates on that personal data item is for instance, medical records, genetics, biometric data, all those things.

Where in the 2000s and even before were never really a part of the actual initial overview. Does GDPR apply to sharing businesses? It does apply if you collect email addresses of EU residents, you sell goods or services to EU residents, you ship products to EU residents, you offer goods or services, you market to EU, you refer to customers from the EU on your websites, if a branch or you process personal data, or even if you monitor behavior of EU residents, so you can see it really quickly becomes an issue that you need to be aware of when you're selling overseas.

Denise Purtzer

Absolutely, so Ralph, on the Australian side then I know that a lot of times New Zealand gets lumped in with Australia. Are there any other areas that are also inclusive of the Australian law?

Ralph Kooi

Australia's main unit is predominantly the main focus of that encompasses. The closest relation would be more of the Asia countries, so Malaysia, and Singapore, and Papua New Guinea would be more closely connected. However, the privacy laws in this case are really for Australia and then New Zealand will have very similar ones. I can't comment on that in detail, but those are usually very well connected as businesses do ship out to New Zealand quite frequently and much more easily than going to the European Union.

Denise Purtzer

Well, let's move on to data privacy laws in the US, so when we contrast US to the EU, we have something very different when it comes to data privacy, there's not any one comprehensive federal law. Rather we have sector specific laws for instance, in telecommunications, in health, credit information, financial institutions, and marketing. Those are all sectors that are earmarked with like health being monitored by HIPAA, credit information by the FCRA. I did promise a lot of acronyms. And financial institutions by the GLBA, which is collecting information from banks and financial institutions and the laws around that. Given that the FTC or the Federal Trade Commission ultimately has jurisdiction over all these things to prevent deceptive trade practices overall.

And they can take actions against organizations that fail to maintain the data security or secure personal data, which has been a pitfall for some companies. Obviously, leaking out credit card information and things like that, or failed to abide by self-regulatory principles, or any violation of consumer rights. It's pretty open-ended as far as what the FTC has jurisdiction over, but then layered on top of that, we have state data privacy laws. California was the first to come to the table and they jumped into the arena with the California Consumer Privacy Act, which is CCPA in 2018. This merely introduced definitions and broad individual consumer rights for California residents. The California Privacy Rights Act, the CPRA came in November of 2020, so more recently. And that pulled in different things that we saw in GDPR, like the right to rectification, right to restriction, sensitive identifiable information rights, these sorts of things.

And it also created increased fines on breaches for children's data, so it held that even more accountable in light for data owners. And then also that had requirements for companies using third parties, to keep them accountable as well. This goes into effect July 1st, 2023, so that's coming up in the future, but that law has already been put into effect in regard to the merchants and those that need to be held accountable, giving them the timeline to ramp up and get things in place.


Ralph Kooi

That's quite a lot of new things for one state. And I can imagine with the US has so many states combined, there'll be a lot of overlapping and very, maybe contradictory laws coming out around this. Would that be the case?

Denise Purtzer

I think that's definitely happening already. And when you start talking about the enforcement piece, which is now coming into effect, I think we're really going to start to see that happening, so we've got the FTC, which is governing board for all things deceptive trade practice wise, right? And then we've got enforcement from the California Privacy Protection Agency, which is overseeing California specifically, and that's done through a five member board and they're able to hold hearings, assess fines, and clarify guidelines, so this could be quite interesting.

Ralph Kooi

That's pretty crazy.

Yeah. Well, with the enforcement part, it's on Europe, it's already heavily increasing between 2020 and 2021. The GDPR fines rose by nearly 40%, which is pretty crazy considering what's happening. And that 40% is about 100,000 and 120,000 extra data breach notifications, so it really massively increased in terms of fines, but also actually the data breaches that have been reported. And that's already happening in the European Union, so imagine in the United States when it comes into effect in 2023, how that will start progressing across the many states that the United States has.

Denise Purtzer

Yeah. I'm not an attorney, but I do know that law is all based on precedent, right? You talk about the Google case that you brought up earlier in this podcast and that precedent that was set, fines are being assessed. And I think that it's just opening up the doors and setting the stage for additional issues moving forward, potentially for merchants, if they're not complying. And then the intricacies behind it, where you've got state by state things being assessed, whether it's California, or we've also got Virginia, and Colorado, and New York who have jumped on in varying degrees with laws as well, so four out of the 50 states have laws in effect that are specific to the privacy act, but then the internet is a global thing, so if you're selling globally, you have to be mindful of these global practices.


Ralph Kooi

It'd be a good time to jump on the GDPR lawyer bandwagon, I think, with this coming out.

Denise Purtzer

Yeah, I think I'll avoid that. But I think that really what it boils down to for merchants, I mean, this is a scary thing. When you start to think about it as a business owner or somebody that's absorbing data information, whether it be a merchant, or a processor, or any of these types of companies that are doing that. Let's delve into that a little bit and really boil it down to what they should be mindful of. Any suggestions from your part?

Ralph Kooi

Well, it's actually one of the things that we've covered in one of our own research that we've done, that we shared, that consumers don't like actually handing over their ID documents when they actually do online orders. And from a merchant point of view, they want to make sure they send out details or send out products to the right person. But from a compliance point of view, when I hear that from merchants saying, well, we're asking for details like their driver's license, for instance. You need to make sure you can actually properly handle that data. And GDPR might not be a direct issue for this, but definitely it will be the privacy act and how you handle personal information. You need to probably destroy that once you have received the email, deleted the email from your server.

And be really mindful of what you are doing with that passport or any other form of identification before you ship out your goods. I think that's something that we need to really be mindful about. And that's something that a company like ClearSale can really help merchants in reducing that risk as well. We don't want to ask for those details, but we can definitely find and make sure there's no fraud happening in that space. A bit of a sidetrack, but that's something that I've heard many times from merchants that they do ask for those documents before they ship out.

Denise Purtzer

That's true. And speaking of using third parties like ClearSale or anyone, whether it's Amazon Web Services to store your information, anything like that, you should ask questions and make sure that these partners are fully compliant and that they're doing the right things for the right reasons. And I think that sets the tone. And then once you've got that done, I think that you should actually post your privacy policy on your website. That's definitely a standard best practice. You want to explain what details are collected and how it's secured. And behind this have the data policies and procedures in place as you state, so you build that base to do it right and then you post that you're doing it and let people know.

Ralph Kooi

Yeah, exactly. And as an example, not the had already, but a company like even with hotel rooms, for instance. All the hotels are asking you to verify by giving your driver's license or passports. Actually the Marriott got fined about this when they breached 383 million records, which is massive, globally, and that cost them a fine of $23 million, it was previously at 123 million, but they were able to lower it down. And that could all have been avoided by having the proper safeguards in place with stronger data loss prevention strategies and making sure they de-identify their own customer data.

Denise Purtzer

Absolutely, and you have to give your data subjects the opportunity to consent to the collection in the first place, right?

Ralph Kooi

Yeah. That's how Google got into trouble.

Denise Purtzer

If you do that and just make that a standard operating procedure. You're really meeting most of the laws that are out there.

Ralph Kooi

Yeah. You really need to sit down if you see this happening, sit down, there's checklists that we can provide as well, just to go through it all. Obviously, as you mentioned earlier, we're not experts in this, or do you sign off on this by an expert in this field, but at least know that if you have the information that you have to get consent for them, how you store it, you make sure it's securely stored and you delete it after you really don't even need it anymore, just so you're covered.


Denise Purtzer

Exactly. And I think that the conservative approach is the best way to take, really. If you think you might need it, but you don't definitely need it, get rid of it.

Ralph Kooi

Yeah, exactly, exactly. And tell them, right? And tell your clients and your customer that you have deleted this record, for instance.

Denise Purtzer

Exactly. And even when you're thinking about cookies and use of cookies on your site, you need to disclose that as well. And you want to give your users the ability to block or disable them too.

Ralph Kooi

Yes. Yeah. And that's a whole other topic that's been happening now with the latest updates, the cookie updates, cookie war as they say. But yeah, it's definitely a current minefield that you need to be on top of, especially if you're a small business, you can't get caught out because it didn't cost you a lot of business from visitors coming in and you're remarking that you want to do and yeah, be on top of it.

Denise Purtzer

And I think overall, you just want to stay informed. The legal obligations are changing constantly and ecommerce is a global thing, so you need to stay on top of these things and make sure you're compliant overall. And as we've mentioned a couple of times throughout, when in doubt seek legal counsel.

Ralph Kooi

Yeah, exactly. And especially the smaller merchants they continue to grow. And looking at that over the horizon, looking to go to America or going to the EU for their business then definitely, yeah, seek advice on that. And we actually will have a podcast around cross border marketing, so that's something you should check it out as well, when that comes out later in the season to sort of help you with other facets of going global.

Denise Purtzer

And speaking of which, each of these topics could be something to dig into in more detail. We have a ton of resources in our resources section on ClearSale, so if you want to look into all of these types of topics and more we've got that information there, so thanks Ralph for taking part and helping us dissect a little bit more about what's going on around the world, especially in your corner of the world. If you want to take a deeper dive into the topic, again, visit our website at ClearSale to learn how the online payments process works. It's also linked in the description of the podcast, along with another resource to get you started. Thanks again for listening to Gateway to Ecommerce.

If you like what you heard today, be sure to stay connected and subscribe or follow on all major platforms like Apple, Spotify, or iHeart. If you have a question or would like us to cover a topic, email us at podcast@ClearSale. We'd love to hear from you and to learn how to prevent ecommerce fraud, visit our website. We have a ton of resources, so please don't be shy about visiting and absorbing some of those. Thanks again for joining us today.

Podcast Outro

For more ecommerce insights, visit us on our website at ClearSale dot com.
