Data is something we all produce when we browse the internet, buy products online and ‘like’ posts on social media. This data is very valuable to businesses and marketers, because it tells them what consumers like and how they behave. To protect consumers, that data therefore needs to be protected, and this is what the European Union tries to do with the General Data Protection Regulation (GDPR). In this article I will explain what the EU’s GDPR is, how it affects the eCommerce sector and how you can still use social commerce within the EU’s data protection rules.
On May 25, 2018, the new European Union regulation on data protection, the General Data Protection Regulation (GDPR), came into effect. The regulation was introduced because of the ever-growing importance of data. Consumer data is what is valuable in the online sphere, particularly in marketing and advertising. The high demand for it creates an incentive for companies to obtain that data in ways that can harm consumers. To protect consumers, the EU adopted the GDPR, which lays down rules relating to the ‘protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data’ (Art. 1 GDPR).
Under the GDPR (a regulation, so it applies directly in every member state, unlike a directive), personal data is any information relating to an identified or identifiable person: a name, a photo, an email address, bank details, posts on social networking sites, location details, medical information, or an IP address. That covers practically everything a person does online, which is why every online service aimed at the EU has to take the GDPR into account. It also covers companies headquartered outside the EU: if you offer goods or services to people in the EU, or monitor their behaviour, the GDPR applies to you (Art. 3), which means most eCommerce businesses have to comply. The fines for not doing so can be hefty: in 2019 a Polish eCommerce company was fined roughly €650,000, for instance.
The GDPR is about 88 pages long and I would not recommend it as something you would want to read on a free Sunday afternoon. However, it sets out seven principles (Art. 5) that an online service must abide by, which can be summarized as follows:
Lawfulness, fairness and transparency. All data you collect from your users must be processed on a valid legal basis. Fairness and transparency mean that you use your consumers’ data for what you said you would use it for (so don’t sell it on to a third party when you said you only needed it to improve website performance). In short, your words must align with your actions: Fairness 101. Users must also be able to see what you are doing with their data.
Purpose limitation. The purposes for which you collect data must be “specified, explicit and legitimate,” and using the data beyond the stated purpose is an infringement. This follows from the first principle. For instance, if a user gives you their email address to receive a free e-book, that address cannot be used for anything else, such as marketing, unless that purpose was stated in the consent form. (The regulation does carve out further processing for archiving, research and statistical purposes with appropriate safeguards, Art. 5(1)(b) and Art. 89, but do not rely on that carve-out for anything commercial.)
Data minimization. Only data that is necessary may be asked for and kept: it must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Basically, don’t ask for more than you need, just like mom taught you.
Accuracy means that you must keep the personal data you hold up to date, so you should review and clean your data regularly. Inaccurate data must be “erased or rectified without delay.”
Storage limitation. Delete data you no longer need unless you have a genuine legal basis for keeping it. If you do keep data, you need to decide how long it will be stored and for what purpose, and document that retention period.
The security principle, “integrity and confidentiality,” is about protecting the data you collect. As an online service, you need “appropriate technical or organisational measures” in place to prevent theft, loss and unauthorised access. So no accidentally leaking 1.3 million user records, as Clubhouse was reported to have done this April (a report Clubhouse later denied, possibly with the GDPR’s data-protection authorities in mind).
The final principle, accountability, is the regulation’s way of making you demonstrate that you are GDPR-compliant, not just claim it. This means you need to keep records of the steps you have taken to comply: for instance, a record of the data and legal people you hired to get compliant, plus a record of how and how often you review the data you hold.
So, what does compliance with the GDPR actually mean in practice? Start by imagining yourself as a customer of your own eCommerce and browsing your own website. Ask yourself these four questions:
If you answered no to all four, you had better hire yourself a proper legal team, because you are in for a GDPR ride. If you answered yes to one or more, good: you are on the right track.
To sum the GDPR up: ask for consent for every type of data you collect from your users and for every purpose you use it for. No pre-ticked boxes that sign users up for your newsletter by default; consent has to be an affirmative action. Ask for consent at every step of the way, and do not trick your customers. Be as transparent as you can about how you will use the data and for what purposes. What are the limits on that use? Will the data be kept forever, or automatically deleted after a set period? This may seem like a lot, but just as with other aspects of life, you will feel better having actually asked for consent instead of assuming it was given.
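The three principles that most often go wrong in an eCommerce code base are purpose limitation, storage limitation and the "no pre-ticked boxes" consent rule. Below is an added illustration of how those three can be enforced in code rather than policy; it is not code from this article or from any product mentioned on the page. The purposes, retention periods, user and timestamps are constructed for the example, and the retention values are assumptions, not legal advice.

```python
"""Consent ledger sketch: explicit opt-in, purpose limitation, storage limitation.
Added example; purposes, retention periods and the sample user are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Purposes are declared up front, each with its own retention period (assumed values).
RETENTION = {
    "order_fulfilment": timedelta(days=7 * 365),
    "newsletter": timedelta(days=2 * 365),
    "analytics": timedelta(days=90),
}

T0 = datetime(2021, 5, 25, tzinfo=timezone.utc)   # constructed reference time
LATER = T0 + timedelta(days=800)                   # past newsletter retention, within order retention


class ConsentError(Exception):
    """Raised when data would be used or stored without a valid basis."""


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class UserRecord:
    user_id: str
    email: str
    consents: list = field(default_factory=list)

    def active(self, purpose: str, now: datetime) -> bool:
        """Consent is active if granted, not withdrawn, and still inside its retention period."""
        return any(
            c.purpose == purpose and c.withdrawn_at is None
            and now < c.granted_at + RETENTION[purpose]
            for c in self.consents
        )


def record_consent(user: UserRecord, purpose: str, ticked_by_user: bool, now: datetime) -> None:
    """Accept consent only for a declared purpose and only on an affirmative act.
    A box that was pre-ticked by the site (ticked_by_user=False) is not consent."""
    if purpose not in RETENTION:
        raise ConsentError(f"undeclared purpose: {purpose!r}")
    if not ticked_by_user:
        raise ConsentError("consent needs an affirmative action, not a pre-ticked default")
    user.consents.append(Consent(purpose, now))


def withdraw_consent(user: UserRecord, purpose: str, now: datetime) -> None:
    """Opt-out is always possible; the consent stays in the ledger as an audit trail until swept."""
    for c in user.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = now


def use_data(user: UserRecord, purpose: str, now: datetime) -> str:
    """Purpose limitation: every use names its purpose and is refused without active consent."""
    if not user.active(purpose, now):
        raise ConsentError(f"no active consent for {purpose!r}")
    return f"{user.email} -> {purpose}"


def retention_sweep(user: UserRecord, now: datetime) -> list:
    """Storage limitation: drop withdrawn or expired consents; return the purposes removed."""
    keep, dropped = [], []
    for c in user.consents:
        expired = now >= c.granted_at + RETENTION[c.purpose]
        (dropped if c.withdrawn_at is not None or expired else keep).append(
            c.purpose if c.withdrawn_at is not None or expired else c)
    user.consents = keep
    return dropped


def should_erase(user: UserRecord) -> bool:
    """With no remaining purpose there is no basis to keep the personal data at all."""
    return not user.consents


def demo() -> dict:
    """Walk a constructed user through the lifecycle and return the outcomes."""
    user = UserRecord("u-1", "alice@example.invalid")
    out = {}
    try:                                   # pre-ticked newsletter box: rejected
        record_consent(user, "newsletter", ticked_by_user=False, now=T0)
        out["preticked"] = "accepted"
    except ConsentError:
        out["preticked"] = "rejected"
    record_consent(user, "newsletter", ticked_by_user=True, now=T0)
    try:                                   # address given for the newsletter, used for analytics
        use_data(user, "analytics", T0)
        out["offpurpose"] = "allowed"
    except ConsentError:
        out["offpurpose"] = "refused"
    out["onpurpose"] = use_data(user, "newsletter", T0)
    out["swept"] = retention_sweep(user, LATER)   # 800 days > 2-year newsletter retention
    out["erase"] = should_erase(user)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is that the purpose is a first-class key: there is no way to call `use_data` without naming a purpose, and no way to store a consent for a purpose that was never declared with a retention period. That is what makes the accountability records (which purposes exist, how long each is kept, when each consent was given or withdrawn) fall out of the data model instead of being reconstructed after the fact.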
ECommerce businesses naturally fall under the online services the GDPR addresses, so what does this mean for your eCommerce? Marketing and advertising are the areas most affected. Before the GDPR, you could track visitors and run ads on that basis without their consent: someone who visited your website would then see targeted ads for your products on social media. Under the GDPR, consumers have to consent to the tracking that makes those ads possible. Apple’s App Tracking Transparency in iOS 14.5 reinforces this on all of its mobile devices by letting users block cross-app tracking for personalized ads. Targeted marketing therefore becomes harder under both the GDPR and the new iOS release, which calls for new marketing strategies; more traditional ones, one could argue.
In an earlier article, we addressed the word-of-mouth effect: information spread by peers in a network you trust (a friend recommending something at a party, or an influencer you have followed for years recommending something on Instagram) is valued more than traditional top-down information (television commercials, or news from the newspaper). With the GDPR, and the further restrictions on the use of consumer data that are likely to follow, word-of-mouth only becomes more important. As we addressed in the previous article, this is where Vurdere can play a role. With our GDPR-compliant review service, we bring the word-of-mouth effect to the digital level. Consumers opt in by logging in with the social media account of their choice (Instagram, Facebook, Pinterest, Twitter, or a Vurdere account) and share content about the products they like or dislike. Our algorithms prioritize the most relevant content for each user, so users first see content from friends, people they know, or people with similar interests. This enables the word-of-mouth effect in a GDPR-friendly way: users can opt in, and opt out, at any time without being tracked across every site they visit. The only data used is their own social media data, not their traffic on other websites. This data is encrypted, and cannot be accessed by Vurdere or by the eCommerce.