Bitten by lockdown, substantially building out e-commerce offering, but you know the risks are different. Let’s start with data protection.


Companies turning to B2C (‘business to consumer’) e-commerce need to be mindful of certain increased legal risks when compared to ‘brick and mortar’ commerce, and a significant one is of course data protection.

For a UK company or non-UK company selling to or monitoring behaviour of UK based consumers, the main laws are the Data Protection Act 2018 (UK law) and the General Data Protection Regulation (EU law).

If you are a UK company or non-UK company selling to or monitoring the behaviour of consumers based in EU countries, each country may well equally have its own version(s) of the Data Protection Act 2018 and so knowledge of GDPR alone is not sufficient.

A failure to comply with these laws carries significant risk, both in terms of potential penalties (fines up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year), and damage to reputation.

Subject to ongoing discussions, Brexit may have an impact on data transfers between the EU and the UK, and companies therefore need to be mindful that further legal work may become necessary in connection with Brexit.

Where you are a UK or non-UK company proposing to sell to or monitor the behaviour of consumers outside of the UK or EU, there are very likely to be other laws in those countries which you need to know about, with potentially equally significant risks attached to non-compliance. Establishing that you comply with the Data Protection Act 2018 (or another EU country's local implementing law) and the General Data Protection Regulation may not be enough. The law in this area is actively developing.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as amended) governs electronic marketing activity including direct e-mail marketing and the use of ‘cookies’ on websites, as it pertains to UK consumers.

There are also severe penalties for failures to comply with PECR, and due to the fact that the legislation operates alongside the main data protection laws, it should be treated with equal seriousness.

As with the Data Protection Act 1998, every country into which you sell is likely to have its own laws equivalent to PECR, and you should establish whether compliance with PECR in the UK would suffice as compliance for every country into which you wish to direct e-commerce activities. It won’t always.

PECR is likely to change at some point in the next couple of years, regardless of Brexit, following the introduction of an EU-wide e-Privacy Regulation, and you should be mindful that the changes could be significant.

In addition to the above, in the UK, you have a basic ‘duty of care’ to those whose data you might obtain, store, analyse, or otherwise ‘do stuff’ with.

With the new extended reach, the bite from another lockdown may not hurt as much, and there will no doubt be new riches to gain. But there are also new laws to have on the radar for everything that comes next as you start building out that e-commerce offering, and this is just one small sub-set of them.

For further information on what you’ll need to think about when building out an e-commerce offering, please get in touch with Neil Malone.


Phone: 020 7504 7071 – Extension 201
