The expansion of the internet and the rapid rise of digitisation mean retailers have access to customers in more markets than ever. But operating in multiple countries and collecting large volumes of data means understanding data protection laws worldwide is essential.
Online retailers must ensure they can comply with new and evolving regulations as they collaborate, grow, and innovate in the global digital marketplace. Having talent on the team that understands data protection is essential, particularly during the busiest periods in the retail calendar. 

Understanding the global nature of data protection law 

Data protection laws generally apply “extraterritorially”, meaning that governments can regulate the collection, storage, processing, and distribution of data of businesses operating in their territories regardless of where those businesses are based.
Ecommerce brands must ensure they can comply with all relevant laws and obey complex rules about transferring personal data across borders, while building trust with their customers and avoiding costly cyberattacks.
This also means training teams on data protection laws is essential when trading in multiple jurisdictions. Regulations are continually amended and updated, and staying ahead of the curve is crucial. A well-trained team can reduce the risk of data breaches, avoid costly regulatory investigations, build customer trust, and improve efficiency.

Here are some key data protection laws that online businesses should understand: 

General Data Protection Regulation (GDPR): European Union (EU), European Economic Area (EEA), and United Kingdom (UK)

The GDPR is a comprehensive European data protection law that provides rights for individuals and compliance responsibilities for organisations. Regulators across Europe have powers to impose significant fines on organisations that violate the law.
Here are some of the rights people have under the GDPR to take note of: 

  • The right to access personal data 
  • The right to correct errors in personal data 
  • The right to erase personal data 
  • The right to object to the processing of your personal data 
  • The right to “data portability” (obtaining a copy of personal data that can be transferred to another organisation) 

Companies covered by the GDPR must facilitate people’s requests to exercise these rights. 
The GDPR also requires companies to put contracts and other safeguards in place before transferring personal data out of the EEA or the UK.  

China: Personal Information Protection Law (PIPL)

The PIPL is China’s main data protection law and provides people in China with rights similar to those under the GDPR, but its rules on “international data transfers” are somewhat stricter than the GDPR’s. In certain cases, organisations must undergo an assessment by the Chinese regulator before transferring personal data out of China.

California: California Consumer Privacy Act (CCPA)

The CCPA gives California residents more control over their personal data and requires businesses to be transparent about their data collection practices.
Rights under the CCPA include: 

  • The right to know how a business collects, uses and shares personal information
  • The right to delete personal information
  • The right to opt out of the sale or sharing of personal information
  • The right to limit the use and disclosure of sensitive personal information 

While California does not impose rules on international data transfers, online businesses covered by the CCPA must ensure they allow consumers to opt out of certain cookies and other tracking technologies.

Meeting data protection requirements in busy retail periods

Millions of shoppers will purchase gifts online in the coming festive period, which means businesses will collect vast amounts of personal data. Whichever markets your business operates in, understanding data protection law is a crucial part of running a retail business. 

As a global B Corp Data Protection Officer (DPO), we assist organisations in maintaining compliance with global data protection and privacy regulations. We have Subject Matter Experts who can support you with any queries you may have in relation to safeguarding your cybersecurity and data privacy, especially during the busy retail period.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.