The European Commission's New Deal for Consumers (New Deal) is a package of reforms that seeks to enhance existing consumer protection legislation and improve the ability of individuals and regulators to bring enforcement action where traders fail to comply. Traders that target consumers in the EU have two years to get in shape: EU Member States need to implement these new rules into local law by 28 May 2022. See here for the headline changes.
The New Deal empowers regulators across the EU to impose direct fines for breaches of consumer legislation - a right that has not previously been available to many regulators. The Omnibus Directive is a core part of the New Deal and provides for fines of up to 4% of the trader's annual turnover in the Member State(s) where the breach occurred, or €2 million in cases where information on turnover is not available. Individual Member States are free to set higher fines in their implementing legislation. With the introduction of fines at this level, consumer protection compliance, like privacy, will fast become a strategic priority and a Board-level issue.
Much like the General Data Protection Regulation (GDPR), the New Deal seeks to achieve greater accountability of businesses as well as more transparency and enhanced rights for consumers. There is a lot that organisations can leverage from their experience getting ready for the GDPR to smooth the path to compliance with the New Deal. Here are our top five tips.
1. Start preparing early
Two years is plenty of time to prepare for the New Deal: two months is not. Now is the time to:
a) Understand the new requirements
Some aspects of the New Deal are new. For example, traders must take steps to improve transparency in relation to ranking and search results and personalised pricing, and existing consumer rights will apply to digital content and services that are provided for free.
Other aspects of consumer law are unchanged by the New Deal, such as the requirement for transparency and fairness in consumer terms and conditions, but the introduction of meaningful fines means that there may be areas where your current approach carries a level of risk that will be harder to accept in the context of GDPR-style fines for infringements.
b) Assess which parts of your business will be affected
The New Deal is likely to affect pricing, advertising and marketing, product development and legal departments. Work out who within those teams can help develop the strategy, drive change, and embed and disseminate institutional knowledge.
2. Prioritise effectively
Identify the changes that will require the longest lead time and that carry the highest risk from a regulatory enforcement perspective. Focus on these first.
In the context of the GDPR, organisations prioritised developing compliant user consent flows and establishing mechanisms for users to exercise their data subject rights. This made sense for a variety of reasons: regulators across Europe opined extensively on these topics, while making the technical changes required to comply was complex and time-consuming.
Similarly, traders should focus on ensuring that consumer touchpoints meet the objectives of the New Deal. Prioritise the consumer purchase flow (focusing on transparency of ranking and search results and the presentation of pricing) and establishing practical processes to address and respond to consumer enquiries and complaints. These are open to audit by consumers seeking to enforce their enhanced rights and regulators seeking to use their improved enforcement powers.
3. Communicate with internal stakeholders
Explain the key changes to senior stakeholders and those with Board-level responsibilities - the sooner, the better.
Public awareness of privacy rights grew rapidly as the GDPR implementation date approached. This led to a degree of panic in boardrooms worldwide. Develop a proactive strategy for engaging and educating senior decision-makers so they know what is coming and are prepared to accept and promote a degree of organisational change.
4. Upskill your business
In the six months ahead of implementation, deliver training to all areas of the business, especially advertising and marketing teams and anyone in a direct consumer-facing role.
Are existing resources sufficient? The GDPR saw a huge growth in privacy roles - with intense competition to recruit experienced candidates. Although the New Deal is unlikely to merit an expansion on the same scale, the enhanced fines and improved rights for individuals may justify an increase in headcount dedicated to delivering the New Deal for consumers.
5. Monitor regulatory attitudes and activity
As we are seeing post-GDPR, market practice and enforcement priorities will evolve over time. Keep a close eye on what regulators are saying in the run-up to implementation of the New Deal and identify enforcement priorities.
It is likely that regulators with responsibility for enforcing the New Deal will expand significantly over the next two years. By comparison, during 2018-2019 the Information Commissioner's Office increased its workforce by 40%.
Regulators in some jurisdictions will be more active than others. Consider which regulators are most likely to take an interest in your business, taking account of the geographic spread of consumers that access your products and services, and focus on the priority areas they identify.