This article will discuss the following topics:
- How eCommerce websites collect Personally Identifiable Information
- Fines for non-compliance with privacy laws, and
How eCommerce websites collect Personally Identifiable Information
When websites collect Personally Identifiable Information (PII), privacy laws may govern how that information is collected, used and disclosed to others. PII is defined as any information that directly or indirectly identifies or relates to a specific person.
Examples of PII include the following:
- Physical address
- Email address
- Phone number, and
- Payment information, such as credit card numbers.
eCommerce websites usually collect PII via the following means:
- Contact forms for customers to contact you and inquire about your business and any of the products that you sell
- Newsletter sign-up forms, where users can sign up to receive emails about new products or sales
- Order forms, where users can input their PII to purchase an item from you, and
- Payment processing pages, where users submit their payment information to complete a purchase.
Privacy laws are generally enacted to protect consumers, specifically their right to control their PII and to know who has access to potentially sensitive information. Privacy laws are unique, however, for their broad reach. They may apply not only to businesses located in the jurisdiction where the law was passed, but to any business whose website can be accessed from that jurisdiction. Because your website may be accessed by consumers across the United States and the world, your business needs to be aware of the major privacy laws governing the use of consumer PII. These laws include the following:
- California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Nevada Revised Statutes Chapter 603A
- Delaware Online Privacy and Protection Act (DOPPA)
- Europe’s General Data Protection Regulation (GDPR)
Privacy laws, such as the CCPA cited above, now provide consumers with private rights of action against businesses under certain circumstances, allowing consumers to sue businesses directly for non-compliance. If your business mishandles PII and inadvertently discloses it to unauthorized parties, it could be subject to lawsuits and heavy fines.
Fines for non-compliance
Donata Kalnenaite is a licensed attorney focusing on privacy and technology law. She is a Certified Information Privacy Professional and the President of Termageddon, LLC, a company that generates Privacy Policies, Terms of Service, and more for small business websites. Donata is the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.