Ecommerce Business Laws: Payments & Privacy

While many of the laws regulating ecommerce are the same as those governing brick-and-mortar businesses, it's important to understand the rules and regulations before diving into the digital marketplace.

The proper handling of credit and debit card payments is governed by the Payment Card Industry Data Security Standard (PCI DSS), a set of operational and technical requirements for processing transactions, maintained by the PCI Security Standards Council. PCI DSS applies to the businesses accepting payments; the developers and manufacturers building the software and hardware used to collect payments are covered by the Council's separate standards for payment applications and PIN-entry devices.

The twelve PCI DSS requirements, grouped under six goals, are as follows:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for employees and contractors

The PCI Security Standards Council's site offers a number of practical tips for meeting the requirements:

  • Buy and use only approved PIN entry devices at your points-of-sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper. Sensitive authentication data (full magnetic-stripe data, the CVV2/CVC2 security code, and PINs) must never be stored after authorization, even encrypted; the card number itself may be kept only if it is rendered unreadable (truncated, tokenized, hashed or strongly encrypted).
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses strong encryption (WPA2 or later, never WEP).
  • Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.

The PCI Security Standards Council publishes a list of validated payment software, which is worth consulting if you're building your site from scratch. Most hosted ecommerce platforms, such as Shopify, will already have practices in place to safeguard customer payment information, and letting the platform or payment processor handle the card number (a hosted payment page or tokenization) keeps it out of your own systems. This greatly reduces your PCI scope but does not eliminate it: you remain responsible for the parts of the checkout you control, such as the page that embeds or redirects to the hosted payment form, and for completing the appropriate self-assessment questionnaire.

Privacy & Spam

If you're doing business with Canadian businesses or individuals, be careful when it comes to email marketing. Canada's Anti-Spam Legislation (CASL) is very restrictive when it comes to commercial electronic messages (CEMs), defined as electronic messages that encourage people to engage in commercial activity. This doesn't just apply to email, but also to CEMs sent via text messaging or private messaging systems on social media sites, such as Facebook Messenger or Twitter direct messages.

While CASL doesn't ban these types of messages, it does require that businesses obtain consent (express or, in limited cases, implied) from the recipients before sending them, and that each message contain certain information, including the name of the sender, their contact information, and a working unsubscribe mechanism.

So how can you obtain express consent? There are a few ways: collect email addresses via opt-in forms on your website, at trade shows or conferences, or in-store. You can be creative, as long as you disclose what you plan to do with the addresses and the recipients actively agree; a pre-checked box does not count as express consent under CASL. Remember, the burden of proving consent is on the sender, so record when, how and from whom each consent was obtained.

Note: Consent may be implied where you have an existing business relationship with the recipient, for example a purchase in the past two years or an inquiry in the past six months. Implied consent expires, so track the date of the last transaction or inquiry.

Protection of Information

When you're involved in ecommerce, your customers have to be able to trust you with their sensitive information, including addresses and credit card information. It's a big responsibility, so there are (rightfully) a number of regulations surrounding it. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides the framework for how private-sector organizations collect, use and disclose personal information in the course of commercial activity.

PIPEDA covers personal information, meaning information about an identifiable individual, collected during the course of a commercial activity or employment. Examples include:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs).

The basics of PIPEDA, in terms of ecommerce, can be broken down as follows:

(i) You need consent to collect, use or disclose personal information.
(ii) You may only use the information for the purposes to which the individual consented; a new purpose requires new consent.
(iii) Regardless of consent, you have to limit the collection, use and disclosure of information to what “a reasonable person would consider appropriate in the circumstances.”
(iv) Individuals must have the ability to access the information they have provided and make changes or correct mistakes.

In order to build trust with your customers, it's important to have (and display) a clear, comprehensive privacy policy that covers the collection and use of customer information and the site's cookie policy.

Your privacy policy should include the following information:

  • What information will you collect?
  • How will it be stored and for how long?
  • How will it be used?
  • How will it be shared and with whom?
  • How will it be protected?

Make sure that the link to the policy is easily accessible on the website, not hidden in the small print deep inside the site. And once you have your privacy policy sorted out, make sure your actual practices always match it; a policy that promises less sharing or shorter retention than you really do is worse than none. Revisit it regularly and update it as needed, keeping dated versions, so that it stays accurate and consistent with your business objectives. When choosing your ecommerce platform (if you're not building it yourself), make sure that the platform's own data handling is compatible with your privacy commitments, since its practices become yours in the eyes of your customers.