Manufacturing leaders aren’t exactly diving into the world of ecommerce headfirst. Instead, they’re cautiously dipping one toe at a time into the waters. Several things keep them from going “all in,” so to speak, but one of the most serious is compliance with privacy regulations.
In June 2018, California’s governor signed the California Consumer Privacy Act into law. This year, the law officially went into effect. Under the CCPA, companies must notify users if they intend to monetize their data and give them the option to opt out.
Its reach will be significant. The law is expected to affect more than 500,000 businesses in the United States alone — and many more around the world.
Those that fail to comply will face hefty fines. So if manufacturers are going to survive in the age of ecommerce, they won’t be able to wade in little by little and take on privacy compliance halfway. Privacy regulations are complicated, and compliance can literally make or break a business.
Ignorance of the Law Is Not a Defense
Most companies that do business online have researched state and national laws to some extent, but data privacy laws aren’t easy to understand. To truly comply with all of their nuances and demands, businesses have to hire additional people, integrate complex processes into internal operations, and put forth massive amounts of effort.
Most got into ecommerce with the hopes that having an online presence would help them avoid headaches and reach customers more easily. But when the market matures, regulations do, too. And while most companies know not to send email newsletters to people who didn’t subscribe or sell customer information without permission, they don’t know the finer details of regulations, much less how they differ by state.
For instance, a prospective client reached out to us after it had ended up in court for violating a state privacy law it didn’t know existed. The company’s website was using an assumptive privacy policy, which assumes that users agree to their data being collected and used by merely using the site. Because the company was using the site to do business in a state that banned these privacy policies, it faced a potential fine of $1,000 per site visit. The company ended up settling the case out of court, but it was still a shocking and scary discovery.
Even for well-meaning manufacturers, ignorance doesn’t hold up in court as a legal defense. Intentional violations can cost up to $7,500 per violation. And unintentional violations can be $2,500 per violation, making even accidents a significant cost. Manufacturers are timid about ecommerce because data privacy and compliance are intimidating. Some never pursue ecommerce for this very reason.
Imagine a small manufacturer that’s decided to sell online. It goes through the entire process of building a site, implementing new operations, and calculating shipping as transactions occur. Then suddenly, it has to be responsible and ready for multiple data checks and data wiping. It’s a lot to take on, both from the operations and the financial perspective. In total, meeting compliance standards could initially cost companies up to $55 billion.
Make Ecommerce Security a Priority
As you implement ecommerce in your manufacturing business or work to strengthen compliance with your current ecommerce system, here are three things to focus on:
1. Ensure that your systems are secured and encrypted. Wherever your ecommerce data lives, you need to be 100% sure it’s secured and encrypted. This is especially important if you’re handling, storing, or passing along credit card information.
Doing this is a combination of several elements. First, have an audit done that considers your specific industry so you can be entirely sure you know what regulations to comply with and to what degree. After that, you’ll have to put additional processes into place, and those processes will likely need additional software and hardware systems to serve their purpose.
We’ve worked with manufacturers where credit card information was being stored on-site and transferred between systems in a way that wasn’t secure. Often, older ERP systems don’t have the necessary security fields. It’s key, then, to move to a modern ERP and integrated ecommerce system to avoid and rectify situations like these.
2. Monitor employee access. Be aware of which employees have access to your development, staging, and production systems. While digital hacking is a security concern, physical access to information is, too. The best way to control who has access to private information is to grant permission to only specific roles and for only certain pieces of the system. A developer shouldn’t be making coding changes and publishing unchecked. A combination of role-based technical security and tight control on physical access is the best way to address this concern.
A manufacturing company often has a small technical team. We’ve seen teams of one that have access to all levels of data in these smaller organizations. Hiring multiple people just for data privacy management and security purposes is a serious financial burden, but you need to make it a priority to have multiple people designated to multiple parts of the privacy process.
3. Keep up with CCPA and GDPR. Being aware of and keeping up with CCPA and the European Union’s General Data Protection Regulation will be essential to staying compliant. If you meet the criteria for CCPA, be sure that you can wipe customers’ information from existence completely upon request.
If your annual gross revenue is more than $25 million or you derive more than half of your annual revenue from selling California residents’ information, you have to comply with the law. This means being transparent about your data-usage policies, giving consumers access to the information you’ve collected about them, offering them the choice of whether their information is sold, and being capable of deleting all of their personal information upon request.
Knowing the processes and resources you need to handle compliance obligations is the hard part. You need people who can handle customer requests for data review and deletion and who can remove and keep the right data. Being supported by business and accounting teams will make this process smoother and stronger.
A few years ago, the internet was like the Wild West. Like most wild things, it gets bigger and needs to be tamed and managed. That management is a process. Some laws sound good on paper but will do more harm than good if fully enforced. They can even force honest manufacturers away from ecommerce. Ultimately, we will find a balance with responsible security and data if everyone works together. In the meantime, be aware of laws and make an honest effort to comply with them. There’s plenty of opportunity in ecommerce; you just have to pursue that opportunity with the right systems, team, and security in place.
_____________________________________________________________
Michael Bird is the CEO of Spindustry, a digital agency focused on eCommerce, SharePoint portals, and enterprise websites. He has almost 30 years of experience in interactive development, user behavior, and business solutions.