E-commerce sites: How should the RGPD be applied?
The duties of e-tailers, the rights of e-consumers
Originating in the United States and imported into France since 2014, Black Friday and Cyber Monday have grown considerably in the space of 3 years, to such an extent that the famous Friday of sensational sales was considered by the French version of the e-commerce site Amazon as “the most intense day in [its] history” last year. This famous 24 November 2017 was indeed marked by a record number of bank transactions: 42.8 million, 13% more than the previous year. Of the 79% of consumers who wanted to take advantage of these two days of offers, 89% planned to use the internet (e-commerce sites) and spend an average of 187 euros there.
This is a consistent development in a country where e-commerce generated €81.7 billion in 2018. But even though there are now 37.5 million of them buying online, the French are still sceptical and distrustful about the use that online sellers make of their personal data. According to a study by Obsconso, while 67% of them do not trust brands to comply with the RGPD, 81% find the collection of their personal data by e-tailers worrying. This apprehension leads 59% to provide false data and 76% to give up content or services that are too demanding in terms of information requested. However, companies must respect numerous obligations concerning users’ personal data.
Fears and reticence are justified, however, in the face of retailers who are fond of personal data: 50% of French companies practised predictive marketing in 2017. This strategy aims to gather information on the profile of customers, their needs and desires, so as to anticipate their future behaviour and provide them with personalised offers, optimise their user experience, and prepare restocking according to demand. To achieve this, companies use Big Data technologies, applied to data from loyalty programmes, web browsing and smartphones. Data deemed relevant is then extracted and analysed using algorithms.
A recent example illustrating this attraction of retailers to data collection is the drive-to-store platforms Teemo and Fidzup. While Teemo offers in-app tools to collect various information about users for commercial targeting, Fidzup specialises in the installation of boxes designed to pick up wifi signals from smartphones. Installed in retail outlets, they measure traffic while collecting some behavioural data. However, due to the entry into force of the RGPD, these two companies have been served with formal notice by the CNIL for failing to comply with the obligations to collect consent and to define a data retention period. This year is therefore special: it is the first in which, like these two companies, e-commerce sites are obliged to comply with the requirements of the RGPD. This will obviously have consequences for the user experience of e-consumers.
Concrete changes for e-commerce sites
Updated information about personal data
Certain information about the use of your personal data needs to be updated, the main items being:
- the uses that will be made of it;
- the duration of their conservation;
- the commitment to sufficient security;
- a reminder to Internet users of their rights (access, modification, deletion, etc.) as well as an explanation of the procedure for requesting the exercise of their rights;
- where applicable, the use of Google Analytics for the purpose of tracking traffic.
In addition, each user must check a box that is not pre-ticked indicating that he/she accepts the GTC before each purchase.
Cookie usage parameters
There are two parameters that govern their use:
- informed consent;
- data retention.
Obligations related to the General Regulation on the Protection of Personal Data (RGPD)
As soon as you arrive on the e-commerce site, a window must appear explaining the purpose of cookies. If they are intended for analysis and marketing, an insert must be provided to record the consent and the choices of Internet users, who can accept or refuse their use in this context, without prejudice.
The length of time that data obtained through cookies is kept varies according to their nature but cannot exceed 13 months when they concern statistics or are used to measure the audience.
80% of consumers prefer the companies that they trust the most in terms of managing their personal data, a fact that highlights the link between compliance with the RGPD and professional reputation.
In order to reconcile these two elements, Fair&Smart offers companies solutions for managing the collection of consent and for responding to requests to exercise their rights.