
Protecting customer data in the age of eCommerce personalisation

July 14 2020

Everyone loves receiving a bespoke shopping experience. From accurate product recommendations that help us find exactly what we’re looking for to targeted emails that let us know when the next sale will be, personalisation is one of the main driving forces behind the continued growth of eCommerce.

In the past, e-tailers required direct access to large volumes of private customer data to provide a truly personalised shopping experience. If this data was poorly protected, potentially sensitive personal information would be exposed to any number of cybersecurity threats.

From the e-tailer's perspective, the financial cost of rectifying these issues was bad enough. But factor in the reputational damage and a serious data breach could completely erode trust in your brand – whether your site was compliant with data protection regulations or not.

Things have changed in recent years. With the advent of a new generation of personalisation tools and machine learning algorithms, there's been a noticeable reduction in the amount of data needed to personalise the shopping experience.

Nevertheless, many consumers worry about the potential cost of eCommerce personalisation. The goal of this article is to allay those fears and explain how e-tailers can strike the right balance between personalisation, compliance, and security while giving their customers peace of mind.


Data privacy requirements in eCommerce

The most well-known legislation governing data privacy and security in the European Union is the General Data Protection Regulation (GDPR).

Passed in May 2018 and supplemented by the UK’s Data Protection Act of 2018, GDPR redefines the way brands gather, process, and store customer information. Its main purpose is to give internet users in the EU greater visibility and control over the way their personal data is used by vendors.

In addition to GDPR, European e-tailers must comply with a host of supplementary legislation.

The Electronic Commerce Regulations of 2002, for instance, specify the type of data consumers must have access to when making an online purchase. This includes pricing information, tax and shipping costs, and the name of the service provider – along with the company’s registration number and place of registration.

E-tailers must also adhere to Payment Card Industry Data Security Standards, anti-spam laws, and numerous other rules and regulations. Those that operate in California or process the personal information of California residents are also subject to the California Consumer Privacy Act (CCPA).

The impact of data protection regulation on international e-tailers

Naturally, to remain compliant with such a diverse array of regulations, there are numerous steps you must take.

First and foremost, customers must have access to any personal data you hold on them. You must also communicate, as clearly as possible:

  • What information is being collected and why
  • How this information is being used
  • What measures have been put in place to protect it
  • When and where it will be shared outside of your site, if at all (pending consent)

This information should be contained within your brand’s cookie policy. And, as per GDPR regulations, this should be plainly visible across your site.

Aside from confirming that any information collected won’t be used inappropriately, your cookie policy should also inform users that they are entitled to ‘opt out’ of data collection activities. The only exception is cookies that are fundamental to the running of your site.

Possible sanctions

Sanctions for non-compliance with existing legislation vary. EU-based e-tailers face fines of up to €20 million or 4% of global annual turnover (whichever is higher) for GDPR violations. This stands in stark contrast to CCPA, where breaches carry a maximum fine of $7,500 for intentional infringements.

The financial penalties will be of secondary concern to some, however, when measured against the reputational damage.

A survey conducted by UK-based cybersecurity firm Semafone found that the majority of people (86% of the 2000 respondents) would refuse to do business with a company that had suffered a data breach – particularly if consumer credit card information had been compromised. Semafone CEO Tim Critchley believes this underlines the financial impact reputational damage, and the resulting erosion of trust, can have on organisations in terms of lost business.

E-tailers shouldn't regard GDPR compliance as a bothersome and expensive burden, particularly in today's market, where there are several tools that enable you to adhere to data protection regulations and offer a bespoke shopping experience to your customers.

These include powerful on-site search tools and personalised category navigation.

Personalisation without compromising on data security

Site search

Cutting-edge site-search personalisation tools analyse the areas of your product catalogue shoppers are currently exploring to understand session intent – without collecting personally identifiable information. They can also remember personal preferences to tailor search results in real-time.

Intuitive machine learning algorithms can even learn from user interactions to dynamically replace irrelevant filters with more applicable alternatives.

Category navigation

Personalised category navigation operates in much the same way. It examines the wider context of your shopper's browsing habits to infer user intent and sort category listings. The algorithm also uses real-time data to adjust searches to each customer's unique preferences.

It bears repeating that this can be done without collecting typical demographic data, such as age, gender, or location, and it allows you to provide more personalised browsing experiences.

More accurate results

There's another benefit to this approach, beyond data security.

You might think that the greater the volume of data at your disposal, the easier it is to personalise the shopping experience. However, it's often the case that the opposite is true.

Preferences can vary substantially within demographic groups. This makes demographic information an unreliable and misleading basis for personalisation.

Past behaviour, user intent, and personal preferences offer far more valuable insights. They treat each user as an individual, looking beyond generic demographic data to understand the specific wants and needs of each user. 

This helps you improve the overall customer experience, increases satisfaction, and, ultimately, boosts revenue.

Additional security measures

All the same, it remains true that cybercrime is on the rise globally. In the past year, the average organisational cost of cybercrime rose from $1.4 to $13 million, while security breaches increased by 11%.

Thankfully, there are plenty of simple security measures you can install to better protect your customers (and yourself) from hackers. These include:

  • Implementing a reliable firewall to protect against malware infections
  • Recommending two-factor authentication on customer accounts
  • Encrypting user passwords
  • Restricting third-party data access
  • Blocking traffic from untrustworthy data centres
  • Storing only essential customer info

Of those listed, it's particularly important that you're aware of how third-party apps process and save shared data, and that you're only sharing information that's absolutely necessary to the shopping experience. Some apps don't require a lot of sharing to function effectively, so it might be worth investigating one of these to further reduce the likelihood of misuse.

None of these measures should have a negative impact on the level of personalisation you’re able to offer. On the contrary, they will help you further establish your brand as conscientious and trustworthy.

Reduce eCommerce security threats on your site

Personalisation and data protection needn’t be mutually exclusive. If you invest in the right tools, you can give your customers bespoke shopping experiences without the need for personally identifiable information.

That’s not to say you should rest on your laurels. The best eCommerce sites review their security protocols continuously to ensure the customer data they do collect is properly protected. This enables you to offer safe and unique customer experiences, while protecting your business from potentially costly fines and other sanctions.
