On protecting privacy in the EU, US and China

Online retail presents unparalleled opportunities for reaching new consumer markets and collecting consumer data. With such opportunities, however, come heightened regulatory scrutiny, compounded by high-profile consumer data security breaches in the US, Germany and elsewhere. Not surprisingly, there have long existed specific requirements for the collection and use of consumer data in the context of online retailing, for example in the US. Other countries, notably China, are now also regulating consumer privacy, and there are more changes to come, particularly in the EU.


In the US, there is a patchwork of data privacy and security laws that apply to online retailers, including:

  • restrictions on the collection of personal information from children under 13
  • laws mandating the encryption of credit card numbers and other sensitive data when transmitted over a website or other public network
  • laws requiring compliance with PCI DSS (the Payment Card Industry Data Security Standard)
  • consumer notice laws and
  • breach notification laws.

Recently, two of the most populous US states, California and Florida, have broadened their data breach notification laws in a manner that directly impacts online retailers, by requiring notice of any material compromise of user name and password or other online login credentials. Notably, both of these states require notice to state regulators, in addition to notice to affected individuals.

California has also recently amended its online privacy protection act (CalOPPA) and now requires a company that collects personal information online about California residents to state whether its website honors any sort of do-not-track request, and whether it permits third parties to collect personal information across the website and other third-party sites. This amendment reaches nearly every website that engages in any sort of behavioral advertising and comes in addition to previous CalOPPA requirements for online privacy notices. The California Attorney General has the ability to enforce CalOPPA and has been relatively active in the privacy area over the last couple of years.

California has also passed a new law giving minors a “right to be forgotten.” This law takes effect on January 1, 2015 and will require websites that either target minors or knowingly collect personal information from minors to give minors a way to remove information they have posted to the site. Notably, websites are only required to afford this right to registered users, and only with respect to information those users themselves have posted. The law does not give minors a right to have a website remove information posted about them by another person. The same law also prohibits marketing certain products to minors, such as alcohol, tobacco, tattoos, firearms and lottery tickets.


In the world’s largest retail market, China, a revised Consumer Rights Law came into effect earlier this year. This is a major development because, like the US but unlike the EU, China does not have a comprehensive data protection law.

Although prior legislation already applied in part to consumer personal information, adding data privacy protection to the new Consumer Rights Law is intended to fill a legal void and make the Consumer Rights Law an integral part of the laws and regulations governing data privacy in China.

The new Consumer Rights Law notably gives consumers the right to have their personal information protected in accordance with the law when purchasing and using merchandise or services, and requires businesses that collect or use consumer personal information obtained either on-line or off-line to observe the following:

  • The purpose, method, scope and rules of collection and use of personal information must be explicitly stated and consented to by consumers.
  • Business operators must keep personal information confidential and not disclose, sell or illegally provide such information to others.
  • Business operators must take measures to ensure information security and to prevent information disclosure or loss.
  • Sending commercial information to consumers is prohibited where the consumer has not consented or requested it, or where the consumer has indicated that s/he does not want to be sent such information.

The law does not specify how business operators must notify consumers and obtain consent, whether the notification has to be given orally or in writing, or whether consent must be opt-in or opt-out.

The addition of data privacy protection to the Consumer Rights Law reflects a general trend toward greater data privacy regulation in China. PRC government authorities are becoming more interested in data privacy and more willing to take steps toward enforcing private-sector personal information protection. This change in attitude is evidenced by the consequences a violation of the law may carry for the business operator: confiscation of illegal earnings as well as a fine of between two and ten times the value of those earnings. Where there are no illegal earnings, a fine of up to RMB 500,000 may be imposed.


The EU, the largest jurisdiction/region with harmonized, comprehensive data protection laws, is in the final stages of negotiating the new Data Protection Regulation, anticipated to take effect in 2017. The Regulation will replace the 1995 Data Protection Directive and will for the most part render the EU member states’ national data protection laws obsolete.

One of the key outcomes of the Regulation is the dramatic effect it will have on online retailers established outside the EU but targeting EU residents. Indeed, the Regulation is expected to expand the application of EU data protection requirements by having its terms apply to the processing of personal data of data subjects residing in the EU by a controller not established in the EU, where the processing activities are related to:

  • the offering of goods or services to such data subjects in the EU or
  • the monitoring of their behavior.

This reflects a new approach to EU data protection law akin to the tenets of consumer law, which seeks to provide a minimum level of protection to EU member state residents regardless of, for example, the type of sales channel, the governing law of the contract or location of the retailer. As data protection and privacy become more critical to legislators, regulators and consumers, it is only natural that online retailers pay more attention and invest greater resources in ensuring the protection of their customers’ data.