TECHNOLOGY LAW CORNER E-Commerce Firms: Get Ready for New Privacy Laws


The Federal Trade Commission is the primary privacy regulator in the United States, and under FTC rules a website is not required to have a privacy policy at all. If a website does publish one, however, it must comply with it: a company that violates its own stated policy can be pursued for a deceptive practice.

LifeLock learned that lesson the hard way when the FTC sued it for failing to abide by its privacy policy.

How do other countries' privacy laws apply to U.S. businesses? Time will tell, as the new European Union General Data Protection Regulation (GDPR) goes into effect in May of next year.

What Happens Next May?

Beginning in May 2018, a significant legal change to individual privacy rights will come into force. The EU GDPR replaces the EU Data Protection Directive 95/46/EC, also known as the “EU Data Directive.” It is designed to standardize European data privacy laws and ensure EU citizens’ data privacy rights.

The EU regulations are based on the idea that privacy is a fundamental right of the individual and not something to be bought and sold by corporations.

Many U.S.-based organizations either have not heard of the GDPR or believe it applies only to organizations based in the EU. The GDPR, however, applies to all organizations that offer goods or services to, or monitor the behavior of, EU data subjects, regardless of the company’s location.

If an organization offers goods or services to, or processes the personal data of, individuals located in the EU, it likely will be subject to the regulation, whether or not those individuals are EU citizens.

There are two main concerns for U.S. businesses: applicability and enforcement. It is clear that large multinational enterprises will have to comply, but what about the small to medium company that is unsure whether its customers are EU residents?

Presumably, if the small to medium company does not actively “offer goods or services to, or monitor the behaviour of, EU data subjects” it will have no need to comply with the GDPR.

The question, though, is which way the cost-benefit analysis comes out: comply with the potentially very costly GDPR just in case, or accept the risk of non-compliance.

What About the Cloud?

Cloud service providers, which may have data stored anywhere across the globe, are not exempt from GDPR enforcement. So it…
