Below is a list of privacy regulations that may apply to e-commerce businesses. Other regulations may also apply, as every business is different.
Federal Regulations
Federal Trade Commission (FTC): The FTC has authority through the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The act is broad and can cover any aspect of privacy. The act is generally broken down into two parts, (1) deceptive acts, and (2) unfair practices. In terms of privacy, deceptive acts generally occur when businesses do not comply with their privacy policies, including misrepresentations or omitted material information. Unfair acts are acts that are highly inconsistent with reasonable consumer expectations, including failures to take reasonable steps to secure software.
Children’s Online Privacy Protection Act (COPPA): COPPA regulates data about children under the age of 13. The regulation applies when web services are (1) directed at children or (2) the business has “actual knowledge” of children under the age of 13 using the service. If the regulations are applicable, a business should create a COPPA compliance program to monitor data collected about users to ensure there are no violations and obtain necessary parental consent.
Fair and Accurate Credit Transactions Act (FACTA): FACTA requires businesses to truncate credit card information on receipts for purchases. The business must display no more than the last five digits of the credit card number on the receipt. In addition, businesses must not display the credit card’s expiration date on the receipt.
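The following is an added example, not code from the page or from any particular vendor, showing how an e-commerce backend can apply the FACTA receipt rule in code: a masking routine that never reveals more than the last five digits, a receipt renderer that has no way to print an expiration date, and a pre-print check that scans generated receipt text for an unmasked card number or an expiration date. The 12–19 digit length bound, the Luhn filter used to separate card numbers from order numbers, and the "Exp" label pattern are assumptions made for the example.

```python
import re

# Added example (not from the page): helpers for printing and checking
# customer receipts against the FACTA truncation rule. The PAN length
# bound, the Luhn filter and the expiration label pattern are assumptions.

FACTA_MAX_VISIBLE_DIGITS = 5  # FACTA: no more than the last five digits


def mask_pan_for_receipt(pan: str, visible: int = 4) -> str:
    """Return the card number in the form allowed on a printed receipt.

    All but the trailing `visible` digits (capped at five) are replaced
    with '*'. Separators are stripped first so the output never reveals
    the original digit grouping. Raises if the input is not a plausible
    PAN (12-19 digits, an assumed bound)."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    keep = min(visible, FACTA_MAX_VISIBLE_DIGITS)
    return "*" * (len(digits) - keep) + digits[-keep:]


def render_receipt(merchant: str, pan: str, amount: float, date_iso: str) -> str:
    """Build the receipt text. The expiration date is deliberately not a
    parameter, so it cannot be printed by accident."""
    return "\n".join([
        merchant,
        f"Date: {date_iso}",
        f"Card: {mask_pan_for_receipt(pan)}",
        f"Amount: ${amount:.2f}",
    ])


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 12-19 digits, optionally separated by spaces or dashes, not part of a longer run.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")
# An expiration date printed next to an "Exp"/"Expiry"/"Expires" label (assumed format).
_EXPIRY = re.compile(r"\bexp(?:iry|ires|\.)?\s*:?\s*\d{2}/\d{2,4}", re.I)


def receipt_violations(text: str) -> list:
    """Scan receipt text before it is printed and report FACTA problems.

    Returns an empty list when the receipt is clean. Long non-card numbers
    (order ids) are ignored unless they happen to pass the Luhn check."""
    problems = []
    for m in _PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if len(digits) > FACTA_MAX_VISIBLE_DIGITS and luhn_ok(digits):
            problems.append(f"unmasked card number ending {digits[-4:]}")
    if _EXPIRY.search(text):
        problems.append("card expiration date printed")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a well-known test card number, not a real account.
    receipt = render_receipt("Example Shop", "4111 1111 1111 1111", 12.50, "2024-05-01")
    print(receipt)
    print("violations:", receipt_violations(receipt))
    print("violations:", receipt_violations("Card: 4111111111111111 Exp: 12/26"))
```

Running the pre-print check on every rendered receipt (and on receipt templates supplied by third parties) catches the two FACTA failures directly, rather than relying on each template author to remember the rule.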
Telemarketing Consumer Protection Act (TCPA): If a business plans to send automated text messages, or autodialed or prerecorded phone calls to an individual, the TCPA requires (1) prior express consent, or (2) prior express written consent.
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act): The CAN-SPAM Act applies to any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. The Act requires (1) use of accurate email header information, (2) use of an accurate email subject line, (3) identifying the message as an ad, (4) providing the sender’s mailing address, (5) instructions on how to opt out of receiving future emails, (6) that the business honor opt-out requests promptly, and (7) monitoring of third-party service providers.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA protects the privacy and security of certain health information, and provides requirements for regulated entities, including covered entities and business associates. HIPAA generally applies to health care providers, health plans, or health care clearinghouses. The regulation may also apply to a business that is partnered with such an entity.
State Regulations
California Online Privacy Protection Act (CalOPPA): CalOPPA requires any business with a website that collects personal information to disclose the collection and other information in a privacy policy.
California Consumer Privacy Act (CCPA): The CCPA requires businesses to provide a privacy notice or policy that contains the CCPA requirements. In addition, the business must implement a set of procedures to manage personal information and handle data subject requests. Furthermore, the CCPA provides a private right of action against the company for data breaches.
California Privacy Rights Act (CPRA): The CPRA will be in effect January 2023. The Act is similar to the CCPA; however, it has expanded portions of the CCPA to include more requirements.
Other States’ Privacy Regulations: Some other states that have privacy regulations include Massachusetts and New York.
Biometric Data Privacy Laws: Some states have enacted laws that are directed at the collection, use, storage, and disclosure of biometric data. Generally, before collecting biometric data, a business should (1) provide notice that biometric data is being collected and stored, (2) inform the individual in writing of the specific purpose and length of time for which the biometric data will be collected, stored, and used, and (3) receive a written release from the individual. Security safeguards and retention policies should also be in place.
Automatic Renewal Laws: States have their own automatic renewal laws that restrict automatic renewal of services. Regulated businesses must (1) clearly and conspicuously disclose the auto-renewal terms before the purchase is fulfilled, (2) obtain consent to the agreement before charging the credit card, (3) provide an acknowledgement to the terms, cancelation policy, and information regarding how to cancel the subscription in a manner that is capable of being retained by the consumer, (4) provide a toll-free phone number, email address, and postal address, or other cost-effective, timely and easy to use mechanism to cancel the subscription, (5) allow consumers who accept the auto-renewal terms online to terminate the subscription online, and (6) provide clear and conspicuous notice of any material changes to the auto-renewal terms, along with information on how to cancel the subscription.
Call Recording Laws: States have their own laws that restrict a company’s ability to record phone calls. There are “one-party consent” and “two-party consent” states. In one-party consent states, only one party needs to consent to the recording, while two-party consent states require all parties to consent to the recording.
Compliance Standards
PCI DSS: Although not a legal requirement, there are standards that apply to businesses that store, process, or transmit cardholder data. Generally, services like PayPal and Stripe provide a level of PCI DSS compliance.
Cyber Security Assessments: Most laws that regulate cyber security require the business to employ “reasonable” security practices.