The last couple years have been a boom time for new regulatory frameworks in the ecommerce and digital payment spheres. In addition to the 400-kilogram gorilla that is the European Union’s General Data Protection Regulation, 2018 saw the amendment of California’s Automatic Renewal Law, as well as the passing of the deadline for the revised Payment Services Directive to be codified into national legislation.
These regulations may apply only to specific geographical regions, but the internet doesn’t play well with borders—especially when the specific geographical regions in question are enormous markets like the EU and the state of California. For businesses, it’s almost always safer and more cost effective to apply regulatory changes across the board whenever possible, and that’s why even internet surfers outside the EU see all of the pop-up warnings about browser cookies mandated by the GDPR.
Unless you plan to strictly limit your business dealings to regions outside the coverage of these regulations, it is imperative that you learn what these regulations require of you and take the necessary steps to become compliant.
The GDPR applies to all organizations that process data belonging to citizens of the European Union and the European Economic Area, no matter where those organizations themselves are based. The goal of the regulation is to protect individuals from the theft or misuse of their personal data.
Although it has been in effect for less than two years, the GDPR has already demonstrated that it isn’t kidding around when it comes to enforcement—British Airways was fined £183 million for failing to protect its customers from a data breach, and Marriott International was fined £99 million for a similar incident.
Companies in the United States are taking the GDPR seriously, with most projecting that they will reach full compliance by the end of 2019. This is no small feat; the requirements of the GDPR are fairly extensive and can be difficult for some companies to implement. Among other things, the GDPR may require businesses dealing with citizens of the EU to:
For the average merchant, operating a small business and not a multi-million dollar international concern, the GDPR offers both some benefits and some challenges.
From a merchant perspective, the customer’s right to delete their own data is concerning. Customers could potentially delete data that can be utilized for fraud detection and analysis, or information that merchants could use to bolster their case in chargeback representments. On the other hand, the GDPR has spurred improved fraud prevention and incident response strategies throughout the ecommerce industry. If the US ever enacts a law similar to the GDPR, merchants will have a big head start on compliance.
It’s also important to be aware of some of the exceptions allowed under the GDPR. Data used for fraud prevention, for instance, is not subject to the consent requirements of the regulation.
The Payment Services Directive, originally intended to make online transactions safer for consumers and to facilitate open banking and cross-border payments within the EU, was revised in 2015. EU governments were given ten years to enact laws based on PSD2, and the deadline for businesses to achieve compliance was September of this year.
The main requirement of PSD2 is that companies use Strong Customer Authentication (SCA) processes to approve transactions. SCA relies on authenticators that would be difficult for fraudsters to steal or replicate, such as:
SCA exemptions are offered for merchants who fall below certain fraud activity thresholds.
Effective July 2018, California revised its existing Automatic Renewal Law to better address automatically renewing payments in the context of ecommerce. Primarily, the law requires that companies who do business in California provide customers with a way to cancel their subscriptions or recurring payments over the internet. The revisions also touch on the handling of free trial periods and promotional pricing.
For the most part, this regulation should be the easiest of the three to comply with. In most cases, full disclosure of the terms and conditions of your subscriptions and renewable offers, along with a simple online form for cancellations, will suffice, but subscription-based merchants should read the details of the law carefully. Civil penalties are applicable to merchants who fail to comply.
Unlike the EU’s regulations, the ARL is unlikely to cause any friction or inconvenience for customers, and in most cases should contribute to greater transparency and improved customer experience.
When you’re engaged in ecommerce, the whole world has the potential to be your customer market—which means that you need to concern yourself with laws and regulations worldwide, ensuring that you comply with the ones that apply to you. This can be a lot of work and responsibility for a small business, but the rewards are considerable when you take into account the incredible reach of the internet and the revenue potential of selling your products and services to anyone who wants them, no matter where on the planet they’re located.
So don’t stick your head in the sand and hope that the EU won’t bother to pick on a small American company just for violating a few little GDPR requirements. Learn what changes you need to make, work out a plan and a timetable for implementing them, and let your business take on the world!
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com