Customer Data Privacy in E-Commerce


Summary

Customer data privacy in e-commerce refers to how online retailers protect and manage the personal information of their customers, ensuring it is collected, used, and stored safely while respecting legal requirements and customer preferences. This practice is crucial for building trust, meeting regulatory expectations, and maintaining long-term customer relationships.

  • Audit your data: Regularly review and document every tool and process that touches customer data to ensure legal compliance and privacy transparency.
  • Offer real choices: Give customers clear options to create accounts or check out as guests, and always provide straightforward ways to opt out of data sharing.
  • Update policies quickly: Keep your privacy policy current for all relevant regulations and make it easy for customers to access, understand, and change their preferences.
Summarized by AI based on LinkedIn member posts
  • View profile for Mateusz Kupiec, FIP, CIPP/E, CIPM

    Institute of Law Studies, Polish Academy of Sciences || Privacy Lawyer at Traple Konarski Podrecki & Partners || DPO || I know GDPR. And what is your superpower?🤖

    26,602 followers

    🇪🇺💡Today, the European Data Protection Board published its Recommendations 2/2025 that aim to clarify when #ecommerce providers may lawfully require users to create an account as a condition for accessing offers or completing a purchase.

    🔹The #EDPB stresses that mandatory accounts generally expose individuals to unnecessary and disproportionate risks such as expanded identification across sessions, longer retention of personal data, increased attack surfaces through dormant accounts, and greater opportunities for tracking and profiling.

    🔹The EDPB reiterates that controllers must identify a valid Article 6 #GDPR legal basis and demonstrate strict necessity for each processing purpose. Account creation is rarely “necessary for contract performance” as one-time purchases can be fulfilled through guest checkout without persistent identifiers.

    🔹Even after-sales services, exercising consumer or GDPR rights, or verifying eligibility conditions can be delivered through alternative, less intrusive mechanisms such as temporary links or secure upload forms. By contrast, mandatory accounts may be justified for genuine subscription models that require recurring authenticated access, or for exclusive, closed-membership communities where account-based identification is integral to the service.

    🔹Controllers also cannot rely on Article 6(1)(c) GDPR unless a precise legal obligation explicitly requires account creation, which is seldom the case in typical retail or tax record scenarios. Article 6(1)(f) GDPR provides no broad justification either: purposes such as order tracking, operational convenience, customer loyalty, facilitation of future purchases, or fraud prevention fail the strict necessity and balancing tests when equally effective and less intrusive alternatives exist. The Board underlines that users do not reasonably expect compulsory account creation in ordinary purchasing flows, mainly when prompted only at checkout.

    🔹Accordingly, the EDPB recommends that e-merchants offer genuine choice: a voluntary account or a guest checkout option. Guest mode better reflects data minimisation, limits retention, reduces security risks, and supports transparency by allowing individuals to understand and control the scope of processing. Additional services such as loyalty programmes, personalised recommendations or facilitated re-orders must rely on an appropriate legal basis (typically consent) and remain clearly separated from the core purchase process.

    🔹Overall, requiring user accounts should be lawful only in narrow, well-defined circumstances where controllers can demonstrate strict necessity, such as for subscription-based services. In all other cases, forcing account creation breaches Article 6 GDPR and undermines data protection by design and by default. #privacy

  • View profile for Jimmy Kim

    Sharing 18+ years of Marketing knowledge. 4x Founder. Former DTC/Retailer & SaaS Founder. Newsletter. Podcast. Commerce Roundtable.

    31,599 followers

    Three states just activated new privacy laws on January 1st. Indiana. Kentucky. Rhode Island. These laws extend frameworks pioneered in California and Virginia, but carry nuances that sellers need to understand. Most DTC brands aren't paying attention.

    Here's why you should: If you collect email addresses for abandoned cart emails, you're affected. If you run retargeting ads, you're affected. If you send emails... you're affected.

    Rhode Island's law has a broad definition of "sale" that encompasses not only direct monetary transactions but also data sharing with analytics and advertising services. Translation: Sending customer data to Facebook for lookalike audiences might legally count as "selling" their information.

    A supplement brand got hit with this in Kentucky: They were syncing customer emails to Meta for custom audiences. Under the new law, that's a "sale" of personal data. Now they're required to:
    - Disclose it in their privacy policy
    - Offer an opt-out
    - Maintain records of who opted out
    - Respond to deletion requests within 45 days

    They had none of this. They got a notice. They have 30 days to comply or face fines.

    The fix: Update your privacy policy NOW to include these states. Add an opt-out link in your footer. Audit every tool that touches customer data (Google Analytics, Segment, Klaviyo, TikTok Pixel).

    For B2B eCommerce operators, even procurement officer profiles on portals or analytics from support chatbots could trigger compliance requirements. This isn't just a B2C problem. If you sell anything and collect any personal data, you're in scope. Most brands will ignore this until they get a letter. Don't be most brands.

  • View profile for Olga Maydanchik

    Data Strategy, Data Governance, Data Quality, MDM, Metadata Management, and Data Architecture

    12,035 followers

    All organizations must comply with evolving privacy regulations and meet customer expectations. Clarity on what needs to be managed is critical. These are three key areas to focus on: 1) Privacy Rights Requests. 2) Consent & Communication Preferences. 3) Cookie Consent Management. Here are details:

    1) Privacy Rights Requests (DSRs)
    These rights are governed by laws like GDPR (EU), CCPA (US), etc. They empower individuals to control their personal data, including:
    -- Access, Delete, Correct, Portability. Example: “Send me all data you have about me”
    -- Restrict Processing, Withdraw Consent. Example: “Pause processing my data for marketing”
    -- Object to Automated Decisions. Example: “Request human review of a loan application instead of relying solely on an algorithm.”
    -- Opt-Out of Sale/Sharing. Example: “Do not sell my data to third parties” (CCPA)
    -- Limit Sensitive Data Use. Example: “Restrict use of my health data for analytics”

    2) Consent & Communication Preferences
    Governed by: GDPR, TCPA (US), CAN-SPAM (US), CASL (Canada), etc. These preferences give customers control over the following engagement:
    -- Marketing opt-in/out (email, SMS, calls). Example: “Subscribe to product updates via email”
    -- Transactional notifications. Example: “Receive SMS for delivery status”
    -- Terms acceptance. Example: “Agree to app Terms of Service before use”
    -- Sensitive data consent. Example: “Allow use of biometric data for authentication”
    -- Frequency & channel preferences. Example: “Send me monthly newsletters, not weekly”

    3) Cookie Consent Management
    These are governed by: ePrivacy Directive (EU), GDPR, CPRA, etc. They ensure transparency and compliance with tracking technologies:
    -- Published cookie policy. Example: “View detailed cookie categories on website”
    -- Consent banners (accept/reject/preferences). Example: “Choose analytics cookies only”
    -- Block non-essential cookies until consent. Example: “No ad tracking until user opts in”
    -- Record and audit consent. Example: “Store timestamp of user’s cookie choice”
    -- Editable/revocable consent. Example: “Change cookie settings anytime via footer link”
    -- Essential cookies exempt. Example: “Session cookies for login remain active”

  • View profile for Chase Dimond

    Top Ecommerce Email Marketer | $200M+ Generated via Email

    454,892 followers

    A hairdresser and a marketer came into the bar. Hold on… Haircuts and marketing? 🤔

    Here's the reality: Consumers are more aware than ever of how their data is used. User privacy is no longer a checkbox – It is a trust-building cornerstone for any online business. 88% of consumers say they won’t share personal information unless they trust a brand.

    Think about it: Every time a user visits your website, they’re making an active choice to trust you or not. They want to feel heard and respected. If you're not prioritizing their privacy preferences, you're risking their data AND loyalty.

    We’ve all been there – Asked for a quick trim and got VERY short hair instead. Using consumers’ data without consent is just like cutting the hair you shouldn’t cut. That horrible bad haircut ruined our mood for weeks. And a poor data privacy experience can drive customers straight to your competitors, leaving your shopping carts empty.

    How do you avoid this pitfall?
    - Listen to your users. Use consent and preference management tools such as Usercentrics to allow customers full control of their data.
    - Be transparent. Clearly communicate how you use their information and respect their choices.
    - Build trust: When users feel secure about their data, they’re more likely to engage with your brand.

    Make sure your website isn’t alienating users with poor data practices. Start by evaluating your current approach to data privacy by scanning your website for trackers.

    Remember, respecting consumer choices isn’t just an ethical practice. It’s essential for long-term success in e-commerce. Focus on creating a digital environment where consumers feel valued and secure. Trust me, it will pay off! 💰

  • View profile for Girish Redekar

    Co-Founder at Sprinto | 2x Founder | GRC | Infosec | Breeze through security compliances

    15,716 followers

    To protect your customers' data effectively, you must start by gaining a comprehensive understanding of the data you're safeguarding. This involves going beyond a surface-level awareness of its sensitivity. Instead, you should delve into the specifics of the data you handle, categorizing it based on its nature. For instance, the data could fall into categories like Protected Health Information (PHI), Personally Identifiable Information (PII), or cardholder information. It's crucial to pinpoint the exact kind of data you're processing. To achieve this, we recommend a more precise approach. Begin by identifying the data types within your ecosystem and tracing their origins. Create a visual map that outlines the sources of this data, building a clear understanding of your customers and the data they provide. By comprehending the paths data takes within your system, you can establish a more robust data protection strategy. In summary, by categorizing and deeply understanding the data you handle, as well as mapping its flow within your organization, you can develop a more effective and tailored approach to protect your customers' data.

  • View profile for Odia Kagan

    CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP

    24,666 followers

    Is using your preexisting personal data, collected for a different purpose, to train your data an incompatible purpose under GDPR? Belgian DPA says: Yes but allows the use of legitimate interest as the new legal basis.

    💡 Important also for US based / operating companies because the new US state privacy laws have the same "incompatible purpose test" BUT require consent as the new legal basis.

    At issue: a company's use of customers' personal data (including payment transactions), collected to facilitate the payment, to build and train models to offer personalized discounts for third-party non-banking services and products.

    Key points:

    Further processing for building the model for third party discounts is an incompatible new purpose

    🔹 If you do not disclose a processing purpose at the outset, further processing may constitute a new purpose.

    🔹 Saying that you use customers' transaction data to better know and serve your customers for all marketing and commercial purposes for banking and insurance products is NOT the same as saying you will use it to build models to serve all types of third party commercial partners.

    🔹 Customer expectations are key: Here, the customer entrusted his personal and transactional data to the bank as a banking customer and had no reasonable expectation that the bank would use the same data, with no possibility for the customer to object, to train data models that transcend the bank's banking and insurance activities.

    The appropriate legal basis for the use of the model for third party discounts is consent, but for building the model itself can be legitimate interest.

    🔹 Building data models in order to offer customers personalised discounts on third-party products and services is a legitimate interest

    🔹 The processing of the data is necessary for the purpose: data models are a necessary intermediate step between the transaction data, and offering personalised discounts through digital means.

    🔹 The damage to rights does not outweigh the bank's interest: because here the company processes data where (1) as many identifiers as possible have been removed in order to train a model without applying it to identified individuals in an operational context; (2) no attempts are ever made to re-identify the individuals in the training set; (3) the resulting models are merely algorithms that no longer contain personal data; (4) no personal data is shared with third parties and (5) no special categories of personal data are processed.

    🔹 Thus: the impact on the individual and the processing of his personal data is kept to a minimum. The individual can still object to the use under Art 21.

    🔹 To actually use the model for the third party discount, you need opt in consent.

    H/t Simon Hania, Romain Robert
    pic by Vectorjuice on Freepik
    #dataprivacy #dataprotection #privacyFOMO #AIprivacy

  • View profile for Johan Strand

    Senior Digital Analyst & Partner @ Ctrl Digital - Organizer @ MeasureCamp Malmö

    5,190 followers

    BOOM! Just as we’re about to wrap up for the holidays, the Swedish Authority for Privacy Protection (IMY) delivers decisions on three new cases involving the Meta Pixel. The cases concern Apotea (online pharmacy), Kry (online healthcare provider), and Länsförsäkringar (insurance and banking). All three were reported after it was discovered that significant amounts of customer data, such as email addresses and phone numbers, had been transferred to Meta.

    In all cases, this occurred because the websites used the Meta Pixel directly in their source code. The companies then inadvertently activated Automatic Advanced Matching in Business Manager, causing the pixel to scrape personal data from forms and send it to Meta. This clearly illustrates how a single third-party JavaScript on a site can access all information available on the page, highlighting the risks of data leakage.

    You can read all three fresh cases (in Swedish) on imy.se https://lnkd.in/dAMvaD3e

    My recommendations for working with marketing tracking remain the same:
    ✅ Always implement tracking technologies as far as possible using server-side GTM.
    ✅ Minimize the amount of third-party scripts, logic, and requests executed directly in the user’s browser.
    ✅ Limit the volume of data processed and transmitted
    ✅ Regularly audit and monitor your site to identify potential leaks in time.
    ✅ Document and establish internal procedures for working with tracking technologies.
    ✅ Ensure you obtain proper user consent and respect it fully.

    I’ve previously created an article series about the Meta pixel where I cover:
    📝 Part 1 - What a tracking pixel is, the associated risks, and how to implement them more securely https://lnkd.in/d8-C4c3B
    📝 Part 2 - An audit of 35 Swedish banks and how they use the Meta Pixel https://lnkd.in/dR9TyyqN
    📝 Part 3 - A guide to auditing your site and identifying risks related to the Meta Pixel https://lnkd.in/dk-EdTSr

    🎤 🇸🇪 You can also listen to Tony Hammarlund's podcast on Digital Marketing, where I discuss these cases and how to work with data protection when using this type of tracking technology. https://lnkd.in/dUtDpKje

    ⛺ During the holiday break, I’ll be preparing a session for MeasureCamp Malmö on how to work with privacy and compliance in larger organizations. We’ve talked about the technical aspects, but how do we engage the organization? See you there?!

    Worried about privacy and compliance in your current implementation? Send me a DM, and I’ll get back to you right away!
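One way to carry out the "regularly audit and monitor your site" recommendation in the post above, as an added example that is not part of the original post: type seeded test values into the site's forms, capture the browser's requests, and search the third-party traffic for those values in plain or SHA-256-hashed form. The host names, parameter names, canary values and captured requests below are all constructed for illustration.

```python
import hashlib
from urllib.parse import unquote_plus, urlsplit

FIRST_PARTY = ("shop.example",)  # assumption: hosts operated by the audited site

# Constructed canary values, typed into the site's forms during the audit run.
CANARIES = {"email": "Audit.Canary@example.org", "phone": "+46 70 000 00 00"}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def variants(kind, value):
    """Map each form a canary may take on the wire to a label for the report."""
    raw = value.strip().lower()
    norm = "".join(c for c in raw if c.isdigit()) if kind == "phone" else raw
    found = {}
    for label, text in (("raw", raw), ("normalised", norm)):
        found.setdefault(text, label)
        found.setdefault(sha256_hex(text), label + "+sha256")
    return found


def is_first_party(host):
    return any(host == fp or host.endswith("." + fp) for fp in FIRST_PARTY)


def scan(requests):
    """Return (host, canary kind, encoding) for each canary sent to a third party."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if is_first_party(host):
            continue
        # Undo URL encoding and compare case-insensitively.
        haystack = unquote_plus(req["url"] + "\n" + req.get("body", "")).lower()
        for kind, value in CANARIES.items():
            for needle, label in variants(kind, value).items():
                if needle in haystack:
                    findings.append((host, kind, label))
    return findings


# Constructed capture, in the shape of entries pulled from a browser HAR export.
SAMPLE_REQUESTS = [
    {"url": "https://shop.example/checkout", "body": "email=Audit.Canary%40example.org"},
    {"url": "https://tracker.example/tr?ev=PageView&em="
            + sha256_hex("audit.canary@example.org")},
    {"url": "https://analytics.example/collect",
     "body": "field=Audit.Canary%40example.org&ph=46700000000"},
    {"url": "https://cdn.example/lib.js"},
]

if __name__ == "__main__":
    for host, kind, label in scan(SAMPLE_REQUESTS):
        print(f"{host}: {kind} sent as {label}")
```

A hashed hit matters as much as a plain one: the hash of an email address or phone number still identifies the person to any recipient who holds the same value.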

  • View profile for Dr. Carlo Piltz

    Lawyer - Partner at Piltz Legal

    8,365 followers

    🛒 “Forget Something?” – Data Protection Authority of Hesse on Abandoned Shopping Carts Emails

    In its latest annual report for 2024, the DPA of Hesse discusses the legality of promotional emails to online shoppers who abandon their carts. Studies show that the abandonment rate for online purchases ranges from 65 to over 80 % depending on the sector. The DPA reports a high number of complaints associated with emails that companies send to re-engage shoppers who have left items in their carts without completing checkout. According to the DPA, this type of promotional email is considered advertising and (usually) no contract relationship exists between the company and the customer.

    In principle: Consent

    In all complaints received, there was no prior existing customer relationship and none of the data subjects had given their consent to data processing. Therefore, sending promotional emails to these individuals was not legally permissible under the GDPR. Since the transaction is not finalized, there is no actual contract, despite the fact that customers had provided their email address during the initiated ordering process. Therefore, such reminders constitute advertising and are only permissible with explicit consent in accordance with Art. 6(1)(a) GDPR in conjunction with Section 7 UWG (Unfair Competition Act; transposition of Art. 13 ePrivacy Directive). The wording must clearly indicate that the person is agreeing to the collection and processing of their data. Simply entering an email address during an online ordering process does not suffice. The assertion that these emails are pre-contractual measures and that the processing can be based on Art. 6(1)(b) GDPR is also legally unfounded. After the order process has been cancelled, promotional emails can no longer be justified as pre-contractual measures.

    Exception: Advertising to existing customers

    A different situation arises if the data subject has logged in with their account - so existing customers are affected. However, even in this case, additional UWG requirements (based on Art. 13 (2) ePrivacy Directive) apply: only advertising for similar products and services is allowed, there must be no customer objection, and information on the right to object must be provided in every email.

    In all cases reported to the DPA, the controllers were reprimanded (Art. 58 (2) (b) GDPR). Full text of the annual report is available here (in German): https://lnkd.in/dvrF6R29 #privacy #marketing #dataprotection #DSGVO #GDPR

  • View profile for Tatiana Preobrazhenskaia

    Entrepreneur | SexTech | Sexual wellness | Ecommerce | Advisor

    31,447 followers

    Why Discretion Is a Core Product Feature, Not a Bonus

    Most brands treat discretion as packaging. In sexual wellness, it is part of the product. From the moment a user lands on a site to the moment the order arrives, privacy influences every decision.

    It affects:
    - Whether someone clicks
    - Whether they add to cart
    - Whether they complete checkout
    - Whether they return

    Discretion is not a single feature. It is a system.
    - Website experience: Does it feel safe, clean, and non exposing?
    - Payment: Are billing descriptors neutral and recognizable?
    - Packaging: Is delivery completely unidentifiable?
    - Communication: Are emails and notifications subtle and respectful?

    When these elements align, confidence increases. When one breaks, hesitation returns.

    There is also a psychological shift. When discretion is handled well, the purchase feels normalized. It moves from something hidden to something routine. That shift directly impacts repeat behavior.

    Another layer is expectation. Consumers now assume discretion. It is no longer a differentiator. It is a requirement. Which means execution must be consistent. Not just promised.

    At V For Vibes, discretion is embedded into the entire experience. Because in this category, privacy is not an add on. It is the foundation of trust.

    #SexTech #Ecommerce #CustomerExperience #ConsumerBehavior #DigitalStrategy
