
Privacy & E-commerce: Here’s What You Need to Know


Data privacy has become a hot-button issue. As millions of businesses go online, data breaches have been trending upward over the past decade at an alarming rate. Over 155.8 million individuals were affected by data exposures in the US in 2020, according to Statista. 

Annual number of data breaches and exposed records in the United States from 2005 to 2020


Consequently, privacy regulations are emerging globally. Government regulators are cracking down on companies that fail to comply with privacy laws like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). If you’re doing business in France or Austria, you’ve already been affected by the recent EU rulings that Google Analytics violates the GDPR.

As an e-commerce operator, your business model requires collecting significant amounts of sensitive personal information. Data privacy compliance must become a top priority, or you may face serious legal consequences and damage your brand and reputation. 

This article will discuss two major risk factors that you need to prepare for: the viability of recommendation systems, and Data Subject Access Requests (DSARs).

AI-based recommendation systems present privacy risks

In e-commerce, you’re almost certainly using AI (Artificial Intelligence) recommendation systems that are trained with customer data to provide personalized goods and services at scale, just like Amazon or Wayfair. However, in Cisco’s 2022 Privacy Benchmark Study, researchers found that 56% of survey respondents were concerned about how businesses leveraging AI impact their right to privacy. As a result, new privacy and AI regulations are emerging. They will require organizations to protect privacy and other individual human rights when using AI recommendation systems. This is challenging because AI-based recommendations are beneficial for both customers and businesses. Customers are offered items that are personalized to their unique tastes. Meanwhile, your company deeply understands each customer’s preferences and can therefore accurately forecast customer demand and inventory requirements for business efficiency.

The good news is that another Cisco study showed that 76% of customers are concerned because they don’t understand what organizations are doing with their data. This means you can alleviate concerns by using transparency to build trust in your company. Transparency is also an essential principle in privacy regulations. Two birds, one stone. Protect your company’s brand by informing users how you will use their personal data before you collect it. For example, you should disclose that you will use their personal data to train AI-based recommendation systems for a personalized shopping experience.

Besides transparency, there are several other principles you need to follow to comply with privacy regulations. We dive deeper into best practices for protecting personal data in a separate article, but we’ll sum them up here. 

  1. Be transparent about your data policies and practices. 
  2. Get explicit consent from customers to use their information. 
  3. Collect only the minimum amount of data required to achieve a specified goal. 
  4. Limit the purpose of the data you’re collecting: If you’ve collected email addresses to fulfill purchase orders, you can’t use those emails for remarketing without prior consent. 
  5. Ensure the personal data you collect and store is accurate, complete, and up to date. 
  6. Enable customers to easily access, review, and update their information — it is their legal right. 
  7. Implement robust data security systems to protect consumer data. 
  8. Establish a system for the safe disposal of personal data. 

Get ready for DSARs 

As people learn more about their data privacy rights, organizations are seeing an uptick in Data Subject Access Requests, or DSARs. The response to a DSAR informs individuals about all the data you’ve collected about them. They can then use it to assess whether you’ve violated their privacy rights. Anybody can submit a DSAR to your company, and you must comply within a specified period. If you don’t have the proper procedures to handle DSARs, you may run into legal trouble.

When responding to a DSAR, you will need to provide a comprehensive list of all the information you hold on that person that is considered personal data. However, if someone only asks for specific details, then that’s all you need to provide.

People may request the following information: 

  • Confirmation that you collect and use their personal data 
  • Access to their personal information in your database 
  • Your legal basis for processing their information 
  • The amount of time you’ll keep their data 
  • Information about how you obtained their data 
  • Information about whether their data is used for profiling or automated decision making 
  • Third parties with whom you share their personal data 

The big challenge most organizations face is finding all the data associated with each individual. You’ve just been collecting information en masse, and data is spread and siloed across various repositories. For instance, a customer might have submitted one email address to receive email marketing campaigns and another when completing a purchase online. One sits in a marketing database while the other is stored in the platform’s customer account database. It’s likely those two email addresses haven’t been mapped back to the same individual. Now propagate that issue out to numerous other data points for hundreds of thousands of customers. Even a handful of DSARs will leave you struggling for air.

If that’s the case, it may be worth launching a data inventory to remove duplicate or unnecessary information. You also need to establish a system for mapping individuals’ data across repositories, or find ways to consolidate databases. A robust data inventory is vital to a lean, effective, and efficient DSAR handling process. 


Start privacy compliance now 

Using big data is the essence of e-commerce. But that poses an equally big risk as data privacy regulations become commonplace. It’s essential to start your journey to compliance now — be aware that Colorado, Virginia, Utah, and California have new privacy laws taking effect in 2023, and other states plan to follow suit. There’s not much time! If you’re unsure how to begin, check out our privacy compliance tips for SMEs, or have a look at our solutions if you want to get started right away. We can help you audit your current processes, train your team in privacy compliance, and implement the correct infrastructure for responding to DSARs.