A Simple Guide to GDPR Requirements for Amazon FBA
In a bid to expand its global eCommerce dominance, Amazon recently set its sights on the European market. In 2020, the retail giant launched Amazon.se, throwing open its virtual doors to the countries of France, Germany, Italy, the Netherlands, Spain, Sweden, and Turkey.
For retailers that take advantage of Fulfillment by Amazon (FBA) services, this exciting development unlocks promising opportunities to reach an entirely new consumer base. But before you start marketing and selling to citizens of the European Union (EU), you’ll need to brush up on your consumer data and privacy laws—namely, the European Union’s General Data Protection Regulation (GDPR).
Need help with that?
This guide covers what the GDPR requirements entail and how to ensure you’re GDPR compliant as an Amazon FBA seller, something worth settling before you consider selling your Amazon FBA business.
What Is the GDPR?
The European Commission summarizes it this way:
“The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on: reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.”
The GDPR framework introduced rules governing how an individual’s data may be gathered, stored, and disseminated. It affords each EU citizen the following rights:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Who Does the GDPR Apply to?
Do you sell to or interact with individuals inside the EU?
Then you’ll probably need to abide by GDPR, even if you don’t live in or physically operate out of Europe. Per the EU Commission: “The GDPR concerns all companies which process personal data of citizens (‘data subjects’) who reside in the EU, regardless of where these companies (the ‘data processors’ and ‘data controllers’) are located.”
What’s considered data?
Each GDPR requirement is limited to the personal data of a data subject. That means any personal information that relates, directly or indirectly, to an EEA or EU citizen. Examples of personal data include:
- Location data
- IP address
- Consumer demographics
While this applies to all FBA users, you should pay particular attention if you use either of the following services:
- Amazon advertising – Sellers who leverage Amazon Marketing Services like Sponsored Products need to be extra cautious. If you fall in this category, you’re required to use a double opt-in consent form if you plan to use the consumer’s sensitive data for any reason.
- Amazon Web Services (AWS) – AWS acts as both a data processor and a data collection service under the GDPR. Fortunately, if you use AWS, Amazon provides tools to help maintain GDPR compliance. Specifically, the Data Processing Agreement (DPA) meets GDPR rules and is regularly updated.
What Does GDPR Compliance Entail?
So, what do you have to do to ensure that your FBA business or organization is aligned with GDPR rules for data collection?
There are 7 key principles you should familiarize yourself with:
- Lawfulness, fairness, and transparency – Customer data must be processed in a manner that upholds these values. In practice, you must detail how and why you will be processing personal data and only collect, use, or process the personal information relevant to that stated purpose.
- Purpose limitation – Data can only be collected for a specific, explicit, and legitimate purpose. A business must state its intentions and comply with transparency provisions.
- Data minimization – Businesses should only collect the absolute minimum amount of relevant personal data required to satisfy their intended purpose.
- Accuracy – The data that is processed should be relevant and up to date, or else immediately erased.
- Storage limitation – Customer data shouldn’t be stored longer than necessary and should be deleted or anonymized the moment it becomes irrelevant or outdated.
- Integrity and confidentiality – Consumers’ personal data should be kept secure at all times. FBA businesses must protect data from accidental loss, damage, or destruction, as well as unlawful usage.
- Accountability – Your FBA business or organization is solely responsible for abiding by each GDPR requirement, along with guidelines for Amazon seller messages. In that regard, there are a few important steps you should take to ensure you’re GDPR compliant, including:
  - Hiring a data protection officer
  - Fulfilling written contracts with contractors and data processors
  - Documenting your data processing activities and safeguard measures
  - Notifying consumers in the case of a breach
  - Training staff about consumer data protection
Preparing Your FBA for GDPR
Data privacy is important given the seriousness of a personal data breach in the eCommerce space. Proper protection of sensitive data isn’t only a concern for the data subject; it’s also important for businesses. Should you fail to comply with each GDPR regulation, it could affect not only your business’s reputation and future but also your bottom line. Noncompliance could result in fines of up to 4% of your global turnover from the previous year.
If you’re finding it difficult to continue operating your Amazon FBA business, consider selling it to a trusted buyer, like Forum Brands. We provide exit options to entrepreneurs, buy Amazon FBA businesses, and strategically grow them into world-class consumer brands.
If your FBA brand makes at least $2 million in annual revenue and you’re ready to sell, contact us today, so you can enjoy the fruits of your labor while we worry about the details.
Sources
- Ecommerce News. “Amazon in Europe.” https://ecommercenews.eu/amazon-in-europe/
- European Commission. “Data protection reform.” https://ec.europa.eu/commission/presscorner/detail/en/MEMO_15_6385
- EUR-Lex. Regulation (EU) 2016/679 (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679