7 Laws That Can Land You in "eCommerce Jail"
In recent years, governments around the world have worked to help citizens protect their privacy and regain control of their sensitive data. While this is generally considered a good thing for individuals, it makes life much more complicated for the eCommerce professional. Being unaware of relevant global laws can cause you to quickly rack up significant fines and penalties - sometimes measured in the millions.
Here are 7 laws that can land you in "eCommerce Jail": The GDPR, The ADA, State Sales Taxes, The CCPA, The CPRA, Prop 65, and the CAN-SPAM Act. Alphabet soup, huh?
First, a disclaimer: This article is written from the point of view of a practitioner. The information does not, and is not intended to, constitute legal or tax advice; it is for informational purposes only. If any of this raises concerns or questions, please do seek further advice from your attorney or a tax professional (I am neither).
With that out of the way, let’s get on with our list!
#1 - The GDPR: The European Union brags that the General Data Protection Regulation is "the toughest privacy and security law in the world" and they might be right. In 2019, France's data protection authority fined Google 50 million Euros (about $60 million as of this writing) for failing to provide adequate transparency and to obtain valid consent for ad personalization. Note that this was a compliance violation, not a data breach: you do not need to lose data to be fined. If you offer goods or services to, or monitor the behavior of, people in the EU, you likely fall under the GDPR's jurisdiction regardless of where your company sits (residency in the EU, not citizenship, is what matters). You could then be subject to fines up to 20 million Euros or 4% of the preceding year's worldwide annual revenue, whichever is greater.
Most of all, the GDPR is concerned with the collection, processing, and deletion of "personal data" (any information that can directly or indirectly identify a person). This includes not only information like names and addresses but also things like social posts, photos, IP addresses, and device identifiers. Article 5 of the GDPR summarizes the key principles for the use of personal data by businesses, including lawfulness and transparency, purpose limitation (only using data for the purpose you collected it for), data minimization (asking for the least amount of data necessary), accuracy, storage limitation (not keeping data longer than needed), and integrity and confidentiality (security) of this information.
"Special category data" (often called "sensitive data") is a class of personal data that gets even stronger protections under Article 9. It covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data about sex life or sexual orientation. In general, this data should not be collected except in specifically authorized circumstances, such as with the person's explicit consent or when used to enable a medical diagnosis. When collected, it should be protected very carefully using encryption, access controls, physical security, and other safeguards, and it should be kept out of analytics and marketing pipelines that do not strictly need it.
The implications of the GDPR on your digital marketing efforts can be extensive, impacting everything from website copy, forms, and cookie banners to how and where your data is stored. You should conduct an in-depth compliance review including your IT department and any other entity (internal or external) that processes user data for you: email providers, analytics vendors, ad platforms, and fulfillment partners all count as "processors" and need a written data processing agreement with you. Doing this protects your consumers' privacy and protects you from costly fines.
#2 - The ADA: When you think of the Americans with Disabilities Act, you likely think about accessibility requirements for retailers, restaurants, and other physical businesses. These are important parts of the act, but the ADA also impacts how your website or web store should be designed. The often-quoted threshold of 15 or more employees working 20 or more weeks per year governs the ADA's employment provisions (Title I). Web accessibility claims against businesses are generally brought under Title III, which covers "places of public accommodation" and has no headcount threshold, so do not assume that a small staff exempts your store.
The ADA does not explicitly say what an accessible website looks like, but courts and the Department of Justice have consistently pointed to the World Wide Web Consortium's detailed "Web Content Accessibility Guidelines" (WCAG), at version 2.1 as of this writing, as the practical standard. A WCAG quick reference is available online. Examples of included requirements are text alternatives for images and other non-text content, full keyboard operability (no mouse required), sufficient color contrast between text and background, and captions for video.
There are a number of tools available that will check your website for WCAG compliance; AudioEye and accessiBe are two examples. Be aware that automated scanners only catch a fraction of WCAG issues, and overlay widgets that promise one-line fixes do not make a site compliant on their own. Use these tools to find the obvious problems, then test the checkout flow with a keyboard alone and with a screen reader to make sure nothing gets missed.
#3 - State Sales Tax: This is a real can of worms for brands or, more precisely, several dozen different cans of worms. The first challenge when it comes to state taxes is determining where you have "nexus." This is just a fancy word for saying that you have a connection to the state. Physical nexus comes from having facilities, inventory, or employees there; economic nexus comes from selling enough product to that state's consumers, a concept the Supreme Court endorsed in South Dakota v. Wayfair (2018). When you have nexus in a state, generally you have to collect and remit sales tax to that state.
The problem is that each state defines nexus (and the thresholds that trigger it) in its own way, making it extremely difficult to stay compliant. In some cases, though, "marketplace facilitators" (Amazon and Walmart, for example) will collect and remit state taxes on your behalf for products sold on their platforms. When you sell through these channels, you're covered in most states for those sales, but sales through your own site still count toward your own nexus thresholds.
The cost of sales tax compliance can be very high. If you're a small or mid-sized business and you don't have an army of CPAs on staff, you may find it overwhelming. Fortunately, there are some great solutions out there that can keep you in check without a whole lot of fuss. Check out TaxJar, for example, if you're looking for a fully-automated solution suitable for SMBs.
#4 - The CCPA: The California Consumer Privacy Act was passed in 2018 and went into effect in 2020. It applies to your company if you meet any of the following criteria: you have annual gross revenue above $25 million, you derive 50% or more of your revenue from selling consumers' personal information, or you buy, sell, or receive the personal information of 50,000 or more California consumers, households, or devices per year.
The California Office of the Attorney General has posted a great "fact sheet" on their site about what the CCPA requires, but at a high level it grants California consumers the right to know what personal information a business collects about them and how it is used and shared, the right to delete that information, the right to opt out of the sale of their personal information, and the right not to be discriminated against (for example, with worse prices or service) for exercising those rights.
In many ways, the requirements of the CCPA are similar to those of the GDPR. If you’re a mid-sized or larger company selling across the US and in the EU, you’ll need to comply with both laws.
#5 - The CPRA: Passed by ballot measure at the end of 2020, the CPRA (California Privacy Rights Act) is the younger and tougher cousin of the CCPA. It does not go into effect until January 2023. CPRA puts "teeth" into the CCPA by establishing a new enforcement entity called the "California Privacy Protection Agency" (the CPPA, in case you didn't already have enough acronyms). Like the GDPR, CPRA introduces a new class of "sensitive personal information" (things like precise geolocation, government ID numbers, account credentials, and health or biometric data) and creates new rights: the right to correct inaccurate personal information and the right to limit a business's use and disclosure of sensitive personal information to what is necessary to provide the service.
The CPRA mandates that your website include links making it easy for users to opt out of the use, sharing, or sale of their personal information (typically "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links). With the CPRA, though, some companies formerly covered by the CCPA will become exempt: the threshold rises from 50,000 to 100,000 consumers or households per year, and devices no longer count toward it.
#6 - Prop 65: Here's another State of California law that you'll need to keep in mind. Prop 65, also known as the Safe Drinking Water and Toxic Enforcement Act of 1986, requires businesses with 10 or more employees to "provide warnings to Californians about significant exposures to chemicals that cause cancer, birth defects, or other reproductive harm." California's Office of Environmental Health Hazard Assessment (OEHHA) maintains a list of these chemicals.
Although this law goes back to 1986, its regulations have been updated to keep up with the times, including explicit rules for internet sales. If you're an eCommerce marketer who sells consumer products that include listed chemicals, this means that you must not only include a "Prop 65 warning" on the product itself but also in your item content, so that the shopper sees it before completing the purchase. That's true for content on your own website or on a marketplace like Amazon.com or eBay.
#7 - CAN-SPAM Act: This one is an oldie but a goodie and relates specifically to email. CAN-SPAM stands for... wait for it... "Controlling the Assault of Non-Solicited Pornography And Marketing." It's somewhat controversial because it preempted some state laws that were actually tougher than CAN-SPAM.
The act had some impact on slowing the deluge of unwanted emails, but anti-spam technologies have also played a big role. Unlike some of the other laws referenced here, compliance with this one is relatively straightforward. Here are some highlights: marketers must make opting out of email marketing straightforward (and honor those requests within 10 business days), marketers can't use false or misleading header information or deceptive subject lines, every message must identify itself as an advertisement and include a valid physical postal address, and sexually explicit content must be labeled as such. You are also responsible for what vendors send on your behalf, so monitor your email service providers and affiliates. More information is available in a compliance guide hosted on the FTC's website.
Note that the TCPA, the Telephone Consumer Protection Act, also deserves a close look if you plan to use SMS to reach your shoppers instead of (or in addition to) email. Its consent requirements for marketing texts are stricter than CAN-SPAM's, and statutory damages are assessed per message.
More than ever, brands need to be aggressive in pursuing eCommerce growth. Aggressive doesn't mean reckless, though. Make sure that you and your team are prepared to spot the landmines. Remember also that when it comes to compliance, if something doesn't feel right, it probably isn't.
Want to talk more about this article or about eCommerce in general? Message me!