How Ecommerce Retailers Can Build a Successful Privacy Program

Digital commerce has been a steadily growing market in recent years and you may have heard the whispers of a new federal privacy bill in the United States, or your company is exploring expanding into Europe and now GDPR is on your radar. It is nearly impossible for a consumer to complete an online transaction without sharing their personal data, and now more than ever, online retailers must find ways to protect that personal data.&nbsp;Privacy has become more and more top of mind for companies and their internal teams ranging from legal to security to customer success and yes even sales. So where do you begin? Well, let’s start with the basics.<h2>What is Privacy?</h2>For a long time, it depended who you asked and where they lived. In the US, most folks would have considered private information as, generally, their social security number, credit card number, and with the implementation of HIPAA (1996), their health information. In many countries (specifically in Europe), privacy is and has been considered a fundamental human right, and was codified as such in 2018 with the <a href="https://gdpr.eu/tag/gdpr/">General Data Protection Regulation</a> (GDPR).&nbsp;The<a href="https://iapp.org/about/what-is-privacy/"> International Association of Privacy Professionals (IAPP)</a> defines information privacy as “the right to have some control over how your personal information is collected and used.” But to many individuals, privacy is a fundamental right that must be protected in a constantly changing and complex world where data is now the most <a href="https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data">valuable resource</a>.&nbsp;When shopping online, consumers place a certain level of trust with the retailer by placing an order and sharing their information, or subscribing to promotional emails or texts. Privacy becomes more than a checkbox, but rather the evangelism of respecting and fulfilling the responsibility we have to our users and their data, and embedding data protection concepts (ex: data minimization, privacy by design, access controls) into a company's product design and culture. Privacy is a right that we as companies and as individuals must consider the risk and reward of each action.<h2>Why is Privacy Important?</h2>Privacy is important to companies for two simplified reasons:<ul><li>Responsibility and Risk&nbsp;</li><li>Product and Brand</li></ul>Responsibility and Risk. As mentioned, data is now the world’s most <a href="https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data">valuable resource</a>. Unlike oil and gold, its predecessors, data comes from a real life person who might be using an app to shop on their phone or computer. Completing an ecommerce transaction requires a shopper to share their first and last name, email, phone number, shipping and billing address, and payment information. Consumers are reluctant to share their personal information or create store accounts if they believe their privacy can be invaded, put at risk, or shared with third parties without their consent.&nbsp;If a bar of gold was stolen, it was a shame; if a person’s data gets stolen, their entire lives can be upended between identity, cyber, and physical crime. The responsibility companies take on when collecting user data cannot be underestimated, and risk must be evaluated for each type of data collected.Product and Brand. Sales, recruiting, marketing and customer retention depends heavily on the PR and image of the company. Companies like <a href="https://www.latimes.com/business/la-xpm-2012-jan-17-la-fi-google-privacy-20120117-story.html">Google</a> and <a href="https://9to5mac.com/2022/05/18/apple-privacy-on-iphone-new-ad/">Apple</a> are capitalizing on increased privacy awareness with advertising campaigns focused on promoting their user privacy practices. Product trust doesn’t happen overnight; it has to be built. Trust is what keeps and retains users. And when your company semi-anonymously is mentioned on the <a href="https://oag.ca.gov/privacy/ccpa/enforcement">CCPA’s Enforcement Case</a> list, it can set that trust-building back.Let’s go over what a privacy program is, so we can get into the nitty gritty of how to put together a privacy program for your company.&nbsp;<h2>What is a Privacy Program?&nbsp;</h2>A privacy program is the umbrella term for all the processes in an organization that work together to protect user, employee, and customer information, as well as fulfill legal privacy requirements (like DSARs under the <a href="https://gdpr.eu/article-15-right-of-access/">GDPR</a>).&nbsp;<h3>Why do Ecommerce Retailers Need a Privacy Program?&nbsp;</h3>Two oversimplified reasons: regulatory compliance and company values. A privacy program operationalizes your privacy strategy and position for the company to ensure compliance and buy-in, not just from stakeholders- but the company as a whole.Without a privacy program, a company is subject to numerous compliance violations (for example, the EU’s privacy regulation GDPR can fine up to 4% of a company’s annual revenue for noncompliance). Here are some recent fines:<ul><li>Amazon was fined<a href="https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/"> €746 million</a> in 2021 for ad targeting that was considered have infringed on user privacy</li><li>Whatsapp was fined<a href="https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/"> €225 million</a> in 2021 regarding a deemed lack of user privacy transparency &nbsp;</li></ul>Fines are only a fraction of the damage caused by noncompliance. In 2018, <a href="https://techcrunch.com/2019/11/19/macys-said-hackers-stole-customer-credit-cards-again/?guccounter=1&amp;guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&amp;guce_referrer_sig=AQAAAMMqZDVJkjUlsrQQ1vbJpF32hJ9LtBB_49GIIqsifvV3Sb3EVJSQP34-0by42dwMcSoxE5_1kShi5SEg63YcTr7tZtBvFj2jGt-8N3XrFqbrKMuxaTz-WFj0m2Dr34oFbtvcOK_FHWdhr1S1OSQBdEnW6JMeocVCYel2RGFLqN-O">Macy’s</a> suffered a data breach involving consumer credit card information due to negligent security practices- resulting in a class action <a href="https://www.infosecurity-magazine.com/news/macys-pays-192k-to-settle-data/">lawsuit</a>. A year later, Macy’s suffered another data breach, resulting in a <a href="https://www.cbsnews.com/news/macys-hack-customer-data-stolen-after-retailers-online-store-was-hacked/">11% drop</a> in stock price.&nbsp;So can a privacy program prevent a data breach? No—just like an emergency evacuation plan can’t prevent a fire. The purpose of a privacy program is to:<ul><li>Educate, embed, and evangelize privacy best practices</li><li>Prepare for and comply with privacy regulations</li></ul>So let’s get to it!<h2>How Do You Design a Privacy Program?&nbsp;</h2>Designing a privacy program from scratch, or from existing security compliance measures, can seem intimidating. If you’re looking at regulatory compliance, the EU’s GDPR is usually considered the golden standard for privacy regulation. That sets the bar for compliance high- especially if your company does not currently do business with EU residents.&nbsp;If your company is US-based only, compliance with <a href="https://oag.ca.gov/privacy/ccpa">California’s CCPA</a> (soon-to-be <a href="https://cppa.ca.gov/meetings/materials/20220608_item3.pdf">CPRA</a> come 2023) is the gold standard for US privacy regulation, as it closely mimics many of GDPR’s requirements- and other many states are following suit.However, there is no longer any mystery behind the basics of a strong privacy program. There are so many great articles (<a href="https://iapp.org/resources/topics/crafting-a-privacy-notice/">Crafting a Privacy Notice</a>), how-tos (<a href="https://iapp.org/resources/topics/how-to-build-a-privacy-program/">How to Build a Privacy Program</a>), and guides (<a href="https://iapp.org/resources/topics/privacy-101/">Privacy 101</a>) that have already been written to help you through this process.&nbsp;You’ve got the budget and the buy-in to build out the company’s privacy program - but where to begin? What processes, policies, and procedures should you have before you can think about expanding your privacy program beyond regulatory requirements and into new markets?&nbsp;Here’s a checklist of the things you should consider as you build your program:<ul><li>Operational Requirements: the policies, procedures, documentation and training you need to have in place.<ul><li>Establish Privacy Program Team &amp; Stakeholders</li><li>Develop Regulatory Incident Reporting Process</li><li>Create Privacy Policies: User Privacy Policy, Employee Privacy Policy, Candidate Privacy Policy</li><li>Provide company-wide training covering privacy framework and impact on work, culture and employees</li><li>Implement Data Processing Agreements (DPAs)</li><li>Create centrally located privacy documentation covering relevant topics and information for all employees</li></ul></li><li>Technical Requirements: the privacy implementation on tooling and products<ul><li>Data mapping documentation*</li><li>Introduce &amp; evangelize privacy by design</li><li>Document access control policies</li><li>Cookie use policy</li><li>Understand risk &amp; implement Data Protection Impact Assessments (DPIAs)*</li></ul></li><li>Consumer Request Requirements<ul><li>Data Subject Access Request (DSARs) Process*</li></ul></li></ul>*requirements may take your team longer and additional resources to implement; consider kicking those off first.This is a lot, and it’s also not at all exhaustive. But, this list gets your bases covered for the US’s state laws, and a strong foundation to build upon for the global regulatory privacy landscape.<h3>Building the Cross-Functional Team</h3>One person cannot launch a privacy program without the direct involvement of the stakeholder group, which spans across the company. There are many ways to organize it, but you can think of it as two groups of stakeholders: &nbsp;<ul><li>The Product Stakeholders: these stakeholders manage the product, integration, tooling, and implementation of privacy requirements. This group is usually made up of product management, engineering, and security representatives, and their role is to provide insight, engage impacted teams, analyze feasibility, and execute the technical implementations.</li><li>The Operational Stakeholders: these stakeholders manage the creation and implementation of internal and external company privacy policies, processes, procedures, and enablement for employees. This group is usually made up of legal, compliance, human resources, customer experience and communications stakeholders.</li></ul>*There are many areas of overlap- for example, the engineering team will work with the customer team to design and test the DSAR lifecycle process.&nbsp;<h2>Operationalizing Your Privacy Program</h2>The biggest factor of whether or not a privacy program will be successful is executive support. The implementation of a program may require teams to perform a new task or a different process, and buy-in can be especially difficult at companies where larger privacy initiatives are new. Executive leadership must visibly champion the privacy program for success - continually, at All Hands meetings, at privacy events, at team meetings, in their team communications, etc.Privacy, and compliance with regulations should be a part of the company culture and identity. This requires advocacy stemming from executive leadership to instill the concept of “Privacy by Design” into each team’s roadmap and the company’s operational values.<h3>Know Your Audience</h3>The most effective way to embed data privacy in company culture is by making it relevant to your employees. For example, privacy training, when purchased “out of the box” by a vendor that does a multitude of compliance training courses, is generic and broad. Therefore, it may be unrelatable.&nbsp;When a course isn’t engaging, material is not easily digested/retained. Creating company specific training that brings in actual company stories, incidents, solutions, events, and impact is memorable. Relatable and humorous memes and gifs help as well depending on your audience!Celebrating the work of all the stakeholders who supported building the privacy program should not be overlooked. Plan an official launch day, with an All Hands and a speech to get employees engaged. Cake is never a bad idea!<h2>Let’s Get Started</h2>Developing a privacy program can feel daunting. But it really doesn’t have to. There are so many resources available to help you through the process.&nbsp;Changing company culture to embrace privacy takes time.&nbsp;Whether you are a multimillion-dollar ecommerce company or a small and medium-sized business (SMB), merchants must meet basic compliance requirements. It’s a lot to handle, so instead of putting the burden on the development team, merchants must find a platform that works to combat these risks by facilitating compliance and security. A robust solution will not only meet current compliance requirements but also have the support of a dedicated team to maintain and update the solution as regulations change. Bolt solves the complicated technological challenges involved in checkout, fraud detection, and digital wallets so that retailers can devote their energy to what matters most — growing their product, brand, and customer base.&nbsp;So, let’s get started - focus on the basics, subscribe to Bolt’s legal blog for more privacy resources and how-tos, and contact Bolt to see how we can help your company implement a secure and compliant checkout.Learn how we can help you at <a href="http://bolt.com/platform">Bolt.com/platform</a>.