In March 2018, when the Cambridge Analytica-Facebook data fiasco became common knowledge, it created ripples across the globe. Governments of several countries took notice of the public outcry and started laying the groundwork for the data & privacy protection of their citizens.
European Union (EU) lawmakers led the charge. Numerous laws and directives were created while some of the outdated laws were re-visited, imposing new obligations and responsibilities on the data controllers and processors.
In this guide, we present our research on the European e-commerce regulations and laws that a business owner should be aware of before starting an e-commerce marketplace like Flubit, ASOS or Allegro. Let’s begin with the most widely accepted and implemented one: GDPR.
The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, is a regulation on data protection and privacy in the European Union (EU) and its economic area. Its purpose is to protect EU residents’ data.
Personal data refers to any information that can be traced to an identifiable person. It may include name, email address, IP address, etc.
GDPR applies to any business or enterprise, irrespective of its location and/or the data subjects’ (individuals) citizenship or residence. If you are processing the personal information of individuals inside the European Economic Area (EEA) or if you have EU customers, you need to be aware of it. There are six lawful bases specified by the GDPR (consent, contract, public task, vital interest, legitimate interest or legal requirement).
Apart from the lawful basis, there are certain rights bestowed upon the data subjects of the EU under the new regulation, which are as follows:
Furthermore, there are certain duties and rights that the businesses must adhere to as per the new GDPR guidelines:
Because the European Union relies on GDPR, it has become a model for other countries and states to follow. Countries like Chile, Japan, Brazil, Kenya and the United States of America have regulations with many similarities to it, making it a global rule for businesses and enterprises to follow and comply with.
GDPR has reshaped the ecommerce industry in Europe and on other continents. Since businesses operating in the ecommerce domain deal with customers’ personal data, collecting, storing or otherwise using it, they themselves need to follow a plethora of regulations when handling the data of EU customers.
Note: From 1 – 10,000 employees, GDPR applies to everyone but record-keeping is required only for companies that have 250+ employees.
There are certain aspects that you need to take into consideration to be GDPR compliant:
Cross-border payment charges across Europe are interchangeable, regardless of a country’s participation in the Euro area. Moreover, domestic payments in euro are very costly, which permits payment service providers (PSPs) to charge variably.
To address this issue, the European Parliament updated its payment regulations. CBPR2, or the Cross-border Payments Regulation, plans to introduce more transparency in currency conversion charges and set standards at POS (Point of Sale) terminals and ATMs.
PSPs must provide the following to the users who initiate a direct online credit card transfer:
CBPR2 further requires that before the initiation of any card-based transaction that involves a currency conversion at either an ATM or POS, the PSPs must disclose the following information to the payment service user/payee:
Currency conversion gives rise to several risks, given the constant exchange of money. As per the new regulations, the currency rate used shall always be the rate at the time of the transaction. The three kinds of currencies associated with an online store are:
Great Britain consists of England, Wales and Scotland, and has had new VAT rules for goods imported from the U.K. since New Year’s Day 2021. Northern Ireland now has dual status post-Brexit: it is part of the UK’s customs territory but also part of the EU single market for VAT purposes.
Henceforth, e-commerce businesses need to take care of certain technical aspects to ensure they don’t end up in troubled waters:
Although it is yet to become official, it is believed that 19 out of the 27 countries in Europe will require a local VAT representative under the new VAT & EU e-commerce regulation. Norway, Australia, Japan and South Korea are already following this arrangement, where the local Fiscal Representative is generally a lawyer or an accountant.
Failing to appoint a Fiscal Representative may result in fines. Bearing in mind that these representatives will be held liable if your platform is not tax compliant, you may have to pay them a handsome fee or provide a bank guarantee.
Strong Customer Authentication (SCA) has been made mandatory to help reduce customer fraud across Britain & Europe. As per Silicon Canals, a fintech company, e-commerce businesses in Europe are expected to grow to $1 trillion by 2022, and as per the ECB, more than $1 billion of fraud on European cards is expected each year.
SCA is required for most card payments. Failing to comply with SCA could lead to failed payment transactions and other costly consequences. As per the new regulation, two-factor authentication is mandatory, requiring customers to provide 2 out of 3 key pieces of information to prove their identity, which are as follows:
The advent of 3rd party providers has further increased the competition and complexity. Since 2018, there have been two types of open banking providers, each serving a different purpose.
PISPs are authorized to initiate payments in & out of a user’s account while AISPs have the power to retrieve account information provided by the banks and institutions.
These two handle the customer consents required to access Open Banking data. In simple terms, they explain to the customers what will be accessed, for how long, and with whom it will be shared.
Things can be overwhelming for businesses that haven’t had exposure to such a level of data before. However, organizations should understand the nuances and implement the relevant laws to safeguard their own and their shareholders’ interests.
Benefits for the online merchants:
What can internet businesses do:
Show the appropriate payment methods depending on the context, and make sure that your platform supports the 3D Secure 2-factor standard.
Apart from the must-dos, there are a few exemptions to the Strong Customer Authentication regulations, as explained by Stripe, which performs a real-time analysis to determine whether or not to apply SCA to a transaction.
Low-risk transactions may be exempted from SCA if the payment provider deems it appropriate after analyzing them in real time. However, such exemptions are only possible if the overall fraud rates for card payments of the payment provider or bank do not exceed the following thresholds:
Transactions below 30 euros are considered low value and may therefore be exempted from SCA; however, if this scenario is repeated more than 5 times or the cumulative amount goes over 100 euros, banks will have to request authentication. Banks are also required to keep a check on the number of such transactions.
In this case, the customer’s first payment requires SCA, and the subsequent payment may however be exempt from it.
While completing authentication for a payment, customers have the option to add a business to their allow list, which then gets added to the bank’s “trusted beneficiary” list. This ensures that fewer authentication failures occur.
Card details collected from customers over the phone are exempt from SCA and do not require authentication.
Payments made using virtual card numbers, which are commonly used by the travel sector, are also outside SCA.
When a card is saved in the merchant’s system and a payment is made using the saved card, it is exempt from authentication, since technically these payments are out of SCA’s scope.
Distance selling is, in simple terms, selling through any form of medium, including digital, online and mail, among others. If your VAT-registered internet business sells to customers in, say, Britain, but you are registered in another European country rather than there, then you are distance selling. It’s not easy to understand, but it is very important for businesses that have customers and potential customers in Europe.
Before selling to a customer at distance, please ensure that the following information is included:
All this information has to be provided in an easy-to-understand format.
Under this directive, e-commerce businesses must tell their customers that they can cancel their order within 14 days after it has been delivered, and no reason for cancellation is required.
These EU e-commerce rules apply to businesses that sell digital services online and should be followed diligently.
If your e-commerce business accepts credit card payments, you need to be aware of how PCI DSS works, and more importantly, how it will impact your business.
While the scope of PCI and GDPR overlap in many aspects, the difference lies in their purpose. GDPR acts as a medium for users to understand their rights and duties when an internet business collects their data, but it does not provide security.
PCI, on the other hand, deals directly with the security & protection of cardholder data. Loss of data, breaches and identity theft, among others, fall under PCI. Even though customers don’t have much control over their data under this standard, PCI focuses on keeping servers secure, limiting access, and emphasizing mitigation and risk management.
This directive is especially important for businesses that sell or buy electronic goods. The Waste Electrical and Electronic Equipment directive (WEEE) sets collection, recycling and recovery targets for all types of electronic goods.
As per the WEEE, all electrical equipment placed on the market should be registered in the respective country, which is in turn instructed to maintain a directory of the same.
All member states are obliged to maintain annual reports of all electrical equipment placed on the market, and all registered equipment should be labelled accordingly.
This becomes challenging for sellers who want to sell their products in several EU countries, since they will be required to register individually in each country to ensure that they comply with the local manufacturers’ obligations. If organizations fail to comply with this directive, heavy fines may be imposed.
Even though this directive places more obligations on manufacturers, internet businesses still have to ensure that their products comply with the given regulations.
Here is some common jargon used in Europe that you need to be aware of.
Let’s define some of the key terms you will see when researching GDPR.
Other directives and regulations to consider:
European Copyright Directive (not a law but a framework to help the member states write & draft their own laws)
Give your users no pre-checked boxes
Given the scrutiny a business may face if it doesn’t follow the legal regulations for eCommerce in the European Economic Area (EEA), it is advisable to understand the laws concerning it. Besides, it is important for new business owners to make sure that they are not neglecting their basic rights and duties as service providers and global citizens. Moreover, the impact could be more severe on SMBs or startups than on bigger enterprises.
Disclaimer: This blog has been created with consideration and care. We strive to ensure that all information is as complete, correct, comprehensible, accurate and up-to-date as possible. Despite our continuing efforts, we cannot guarantee that the information made available is complete, correct, accurate or up-to-date. We advise readers not to take decisions based solely on the information and views shared by FATbit on its blog; readers should do their own research to further assure themselves before taking any commercial decision. The 3rd party trademarks, logos and screenshots of websites and mobile applications are the property of their respective owners; we are not directly associated with most of them.