Dodging Pitfalls on the Path to Success: Data Management Risks and How to Mitigate Them

John Martin
Associate Editor
Loyola University Chicago School of Law J.D. 2018

Every day, thousands of gigabytes of data flow around the world.  Transfers between consumers and producers make up a large portion of that data.  There has been talk recently of the commercialization of said data, such as Facebook and Google selling their users’ data to third parties.  These third parties are more than willing to pay large sums for this information, as it provides actionable data on consumer trends, such as their likes and dislikes.  Companies can use this data to shift their marketing strategies and capture a greater market share.  For the e-commerce retailer, whether large or small, this data can be valuable as a resource and a commodity.  As such, knowing what you can and cannot do with the data is important.  Here, we will discuss data management risks in the collection of consumer data.

In the United States, no single law exists at the federal level regarding the collection and use of personal data. Rather, there is a patchwork of federal and state laws that sometimes overlap and contradict one another. There are guidelines developed by various agencies and industry groups that lack the force of law but are considered “best practices” for a business to follow.

Some of these laws include the Federal Trade Commission Act (FTC) (15 U.S.C. §§41-58), which prohibits unfair or deceptive practices; the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§6501-6506), which concerns the collection of information from children; the CAN-SPAM Act (15 U.S.C. §§7701-7713 and 18 U.S.C. §1037) and the Telephone Consumer Protection Act (47 U.S.C. §227 et seq.), which regulate the collection and use of e-mail addresses and telephones; and the Electronic Communications Privacy Act (18 U.S.C. §2510), which regulates the interception of electronic communications.  If your sector of business involves medicine and the health industry, HIPAA, the Health Insurance Portability and Accountability Act (42 U.S.C. 1301 et seq.), and other HIPAA-related laws may come into play as well.

In addition to these federal statutes, there are state laws and statutes on the books that restrict what information can be collected and what it can be used for.  For example, California has a number of privacy laws on the books, more so than any other state.  California led the way in security breach notification laws, and many other states have taken their cues from California’s work.  Security breach notification laws compel the owners of any data that includes personal data to give notice if the system is breached.  Massachusetts has an extensive listing of security protocols, codified in Massachusetts Regulation 201 CMR 17.00.

All of these laws impact the e-commerce retailer and must be taken into consideration when a retailer is deciding how best to set up their business.  These laws stress the crucial importance of having a privacy policy.  Different consumers have different tolerances for what data can be collected and used.  It is better to err on the side of caution in these situations.  Crafting a policy that limits the amount of data retained and available to the retailer might seem to handicap the retailer’s ability to improve revenue through the sale of such information, but it may be better to avoid the potential pitfall.

A privacy policy should be clear-cut, indicating what personal information you will collect from site visitors, who that information will be shared with, and how that information will be properly stored.  This may apply only to retailers that have standalone websites, and not to those who sell through a third party, such as Amazon, Etsy, or Shopify.  However, including a privacy policy on your storefront within that third-party seller's site adds another layer of disclosure, even if it mirrors that site’s policy.

It is highly advised that your privacy policy be written or reviewed by a lawyer.  The Small Business Administration has a useful resource on best practices when it comes to writing a privacy policy.

Ultimately, this aspect of setting up your e-commerce endeavor, or improving it if you’ve already been in business for some time, may seem costly in terms of time and money.  While your business may not deal with the same volume or sensitivity of data, it is sobering to remember what happened with the Equifax breach in 2017, as well as the Target data breach in 2013.  More recently, the Facebook Cambridge Analytica data breach and the Under Armour breach remind us of the importance of strong protections.  Breaches are happening more often, so everyone who deals with such data must keep these requirements in mind.