Erin Conway, Counsel, McDonald Hopkins LLC
Nick Kurk, Member, McDonald Hopkins LLC
The global food and beverage e-commerce market is expected to grow from $14.9 billion in 2019 to $22.4 billion in 2020, possibly reaching $36.4 billion in 2023. Food and beverage e-commerce revenue in the United States alone is projected to exceed $15.2 billion this year and $19 billion by 2022.
It’s no surprise that much of this recent uptick is due, in large part, to the global COVID-19 pandemic. With most people now working from home and limiting in-person interactions, consumers have flocked online to purchase food, beverages and other essential goods. And it’s not only online grocery and delivery services like Instacart and Amazon Fresh that are reaping the benefits of this increased consumer demand. Many food and beverage brands themselves have also added or shifted to direct-to-consumer e-commerce offerings. Where supply chain, shipping and payment processing hurdles, among other things, previously made direct sales logistically unattainable and unprofitable, e-commerce has become one of the most powerful tools for some in the food and beverage industry to stay relevant and accessible to their customers during the pandemic.
One of the biggest benefits, and potential pitfalls, of moving to a direct-to-consumer platform is the ability to collect and use consumer data. Data such as social profiles, purchase history, purchasing patterns and demographics allow brands to target, tailor and communicate with customers who are increasingly willing to buy food, beverages and other packaged goods online. But, as they say: “With great power comes great responsibility.” E-commerce sites are an obvious target of cyberattacks, and many of them are not sufficiently safeguarded. A breach can compromise sensitive customer data, which may lead not only to the loss of trust, sales and your brand’s reputation, but can also carry serious liability consequences. Beyond that, improper use of customer data can lead to enforcement actions by both state and federal authorities.
Whether new to e-commerce, or a seasoned veteran, here are five steps to consider taking to avoid a data privacy misstep:
1. Be Smart with Technology
The best way to deal with a data privacy breach is to take steps to prevent one altogether. A few ways to ward off cyberattacks: secure your payment flow (for example, by using a third-party payment processor so that card numbers never touch your own systems, which also narrows your PCI DSS scope); serve the entire site over HTTPS with a current TLS certificate and redirect plain-HTTP requests; use a firewall; keep plugins and platform software patched; layer your defenses (such as multi-factor authentication for administrator and employee accounts); encrypt data in transit and at rest; classify data by sensitivity and segment systems so that a compromise of the storefront does not expose the customer database; pseudonymize or anonymize customer data wherever the raw identifier is not needed (analytics and marketing reports rarely need a real email address); and require strong, unique passwords company wide.
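Pseudonymization is the one item on that list that is most often done wrong, so here is a short added illustration (example code written for this page, not something from the original article or any vendor). A common shortcut is to replace a customer’s email address with its plain SHA-256 hash and call the result “anonymized.” That is not anonymization: anyone who steals the hashed table and holds a list of likely email addresses (a marketing list, an earlier breach dump) can confirm each guess by hashing it. Keying the hash with a secret (HMAC-SHA256) that lives outside the analytics store closes that path; the data is still pseudonymous, and still personal data under the GDPR, because whoever holds the key can re-link it, but a thief without the key cannot. The customer records, the “leaked” guess list and the hypothetical function names below are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a few customer records that an analytics job
# would otherwise copy verbatim out of the order database.
CUSTOMERS = [
    {"email": "Ann.Lee@example.com", "last_order": "granola-12pk"},
    {"email": "bo@example.org", "last_order": "cold-brew-6pk"},
    {"email": "cy.dent@example.net", "last_order": "hot-sauce-trio"},
]


def normalize_email(email: str) -> str:
    """Canonicalize so the same mailbox always yields the same token."""
    return email.strip().lower()


def weak_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the address. Often mistaken for anonymization:
    anyone holding the output can confirm a guessed address by hashing it."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept out of the analytics store.
    Without the key, a guessed address cannot be checked against the token."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Return analytics copies of the records with the email replaced by a
    keyed token; the raw address never leaves the system of record."""
    return [
        {"customer_token": keyed_pseudonym(r["email"], key), "last_order": r["last_order"]}
        for r in records
    ]


def dictionary_attack(token: str, candidates, pseudonym_fn):
    """Simulate an attacker who stole a token and has a list of likely
    addresses. Returns the recovered address, or None if no guess matched."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), token):
            return normalize_email(candidate)
    return None


def demo():
    """Run the attack against both schemes for the first customer.
    Returns (address recovered from weak token, address recovered from keyed token)."""
    key = secrets.token_bytes(32)  # in practice: from a secrets manager, rotated
    # Constructed "leaked" guess list; the attacker does not hold the key,
    # so the only thing they can compute is the unkeyed hash.
    guess_list = ["ann.lee@example.com", "someone@example.com", "bo@example.org"]
    weak_token = weak_pseudonym(CUSTOMERS[0]["email"])
    keyed_token = keyed_pseudonym(CUSTOMERS[0]["email"], key)
    return (
        dictionary_attack(weak_token, guess_list, weak_pseudonym),
        dictionary_attack(keyed_token, guess_list, weak_pseudonym),
    )


if __name__ == "__main__":
    recovered_weak, recovered_keyed = demo()
    print("unkeyed hash recovered:", recovered_weak)   # the real address
    print("keyed hash recovered:  ", recovered_keyed)  # None
    for row in pseudonymize_records(CUSTOMERS, secrets.token_bytes(32)):
        print(row)
```

Two practical notes. The key is the whole protection, so store it where the analytics team (and an attacker who gets their database) cannot read it, and plan for rotation, which means re-tokenizing. And normalizing the address before hashing matters: without it the same customer appears under several tokens and your deletion workflow (see the CCPA discussion below) will miss some of them.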
2. Be Aware of Data Privacy and Security Laws and Regulations
While there is currently no single principal data protection legislation in the United States, there are a number of state and federal laws that serve to protect the personal data of U.S. residents. Notably, if you sell to customers in California and meet certain revenue, sales or data handling thresholds, then the California Consumer Privacy Act (CCPA) kicks in to provide certain data privacy and security rights and protections to California residents. For example, companies subject to the CCPA must be able to honor a verified consumer request to delete that consumer’s personal information, which means knowing every system in which it is stored. Also, if you do business with customers in Europe, get familiar with the General Data Protection Regulation (GDPR), which, among other things, requires that a company have a lawful basis for each purpose for which it collects customer data and tell customers how that data will be used. Obligations under this patchwork of data privacy laws will inevitably vary (and sometimes contradict one another), but the laws typically address how data can be collected, what type of notices need to be given, how data can be stored, how data can be transferred, and when, and under what circumstances, data must be deleted.
If a breach occurs, the GDPR (which requires notice to the supervisory authority within 72 hours of becoming aware of the breach, and to affected individuals without undue delay where the risk to them is high), state breach-notification statutes (every state has one; California’s sits alongside the CCPA, which also gives consumers a private right of action for breaches caused by a failure to maintain reasonable security), and federal laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) require that regulators and affected customers be notified within set time frames. Certain state laws also levy civil penalties if notification deadlines are not met. And for newsworthy breaches, a class action lawsuit is sure to follow.
3. Don’t do Fishy Things with Customer Data
While not a breach, illegitimately using or manipulating customer data, such as by selling or trading consumer information without consent or by enabling targeted advertising in ways your privacy notice does not disclose, may still land a company in hot water with the Federal Trade Commission (FTC) or a state Attorney General. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace; a privacy notice that says one thing while your site does another is the classic deceptive practice. The FTC also has authority to enforce a variety of sector-specific consumer protection laws, including the Truth in Lending Act, the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act and GLBA. These actions may also lead to class action litigation.
4. Assess Risks and Make a Plan
Start by conducting a data privacy review and risk assessment, including vulnerability scanning and penetration testing, and identify the assets and data that need to be secured. Review your cyber insurance policy, or look into obtaining one if you do not have it yet. Prepare a Written Information Security Program (WISP) and an Incident Response Plan. As part of your Incident Response Plan, create an Incident Response Team composed of an interdisciplinary group including IT, a C-suite executive and an attorney (consider having your external law firm and potentially an external forensics firm preapproved by your cyber insurance carrier, so that no time is lost getting approval in the first hours of an incident).
5. Implement Appropriate Policies and Provide Training
All company employees need to be aware of how important it is to protect customer information. Provide ongoing data privacy and security training and awareness to your employees and vendors, including conducting a breach response workshop. Set strong password policies, and instruct employees never to share login credentials. Limit user and administrator privileges and control access to confidential customer information on a need-to-know basis. Have all employees and vendors, and in some cases visitors, sign confidentiality agreements that specifically address customer data. Review your employee exit process to ensure that once employees leave your company, their accounts are disabled and they no longer have access to your systems. And be sure that your vendors are maintaining appropriate security measures as well, to the extent they have access to customer information.
Moving to an e-commerce platform can present a whole host of challenges that aren’t as obvious in a brick-and-mortar retail setting, including data privacy. With the sea change in consumer shopping patterns accelerated by COVID-19, food and beverage brands should be prepared to address data privacy and protection laws as part of their regular business.