Customer data protection: How online marketplaces can secure private customer information

To operate a marketplace, you need to collect and store a lot of personal information about your users. Learn how to keep it safe and secure.

Jeff Sakasegawa
Trust & Safety Architect

In this guest post, Jeff Sakasegawa, Trust & Safety Architect at Persona, outlines the key principles of data protection and privacy regulations around the world. He shares tips on how to keep your users’ data secure and maintain their trust. Prior to Persona, Jeff worked in fraud and compliance operations at Square, Facebook, and Google.


Online marketplaces must, by the very nature of how they work, collect and store a lot of information about both the buyers and sellers who use their platforms.

Some of this data collection is required by law. The recently-passed INFORM Consumers Act, for example, requires online marketplaces in the United States to collect and verify certain information from sellers who earn at least $5,000 in gross revenue (and who complete more than 200 transactions) in a 12-month period, in an effort to combat fraud. Similarly, DAC7 in the EU places seller data reporting responsibilities on marketplace operators.

But the vast majority of this data collection is a necessary part of completing a digital transaction. To create an account, users must select a username and password and provide information such as their name and email address. To make a purchase, they must provide their payment details. To receive a physical item, they must provide their address. These exchanges of information are what allow online marketplaces to function as intended.

And yet, while necessary, the collection and storage of customer data can also be a liability — specifically if the data is breached, leaked, or otherwise compromised. When this happens, it can lead to regulatory action, legal action from your users, and significant damage to your brand reputation and customer trust. 

That’s where customer data protection comes into play.

Below, we define what customer data protection is, discuss why it’s important, and take a look at the different types of customer information marketplaces need to protect. We also outline some of the most relevant consumer privacy laws you should be aware of and offer three tips you can use to better protect your users’ information.

What is customer data protection?

Customer data protection refers to the processes, technologies, and systems a business uses to properly collect, handle, store, and retrieve customer information. This includes personally identifiable information (PII) and other sensitive and non-sensitive data. 

Why is customer data protection important?

Online marketplaces (and every other online business) have a number of incentives to keep customer data as safe and secure as possible, including:

  • It helps you reduce regulatory risk: Multiple consumer privacy laws around the world have established requirements for how online businesses must collect, handle, secure, and store any data they collect from their users. Failure to meet these requirements may result in regulatory action, including significant fines and the possibility of prison time.
  • It helps you avoid lawsuits: Customers affected by a data breach have the option to sue your business for damages, either independently or as a part of a broader class-action lawsuit. This can result in high legal fees, compensation paid to the plaintiff, and other expenses.
  • It helps safeguard your customer trust: Trust in your marketplace is arguably your most valuable asset. It’s this trust that brings users to your platform and convinces them to make a purchase. Anything that damages this trust can have serious repercussions for your business. At best, it may cause customers to simply reconsider making their next purchase. At worst, it may send them into the arms of your competitors and slow down your growth. A breach of financial or personal data can be detrimental to your users’ financial situation or sense of safety and security.

What types of customer information should be protected?

Customer information can be grouped into a handful of different buckets, as defined by various laws and regulations. These include personally identifiable information (PII), personal information (PI), sensitive personal information (SPI), and nonpublic personal information (NPI).

These definitions overlap in some areas. Which information businesses should prioritize safeguarding will depend on the specific rules and regulations that they are subject to.

A chart outlining which different types of user data fall under what type of personal information. For example, personal identifiable information includes names, addresses and contact information.

Ideally, any information you collect from your users should be secured and protected to avoid damaging your brand reputation and customer trust, regardless of whether it falls into one of the categories discussed above.

What regulations are in place to protect customer data?

Countries and jurisdictions around the world have enacted a number of consumer privacy laws that businesses need to be aware of. 

Below is an overview of some of the most important ones for online marketplaces.

General Data Protection Regulation (GDPR)

GDPR is a consumer privacy and security law adopted by the European Union in 2018. It applies to any business that collects data from consumers or users in the EU, even if that business is not itself based in an EU country. This means any non-EU marketplace that attracts European users and collects data from these users is subject to the tenets of GDPR.

GDPR outlines six reasons a business can collect a user’s personally identifiable information:

  • Vital interest of the individual
  • The public interest
  • Contractual necessity
  • Compliance with legal obligations
  • Unambiguous consent of the individual
  • Legitimate interest of the data controller

If your business collects data from users in the European Union, GDPR requires you to take reasonable precautions to protect the PII of those individuals against damage, theft, or loss, amongst other requirements. 

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

Marketplaces operating in the US, and more precisely in California, should pay attention to the California Consumer Privacy Act (CCPA), which was signed into law on January 1, 2020. It can be thought of as the Californian version of GDPR. It was designed to give California residents more transparency and control over how their data is collected and used. It applies to any business that operates within California or collects information on users who are California residents.

Like GDPR, the CCPA requires you to take reasonable steps to secure the following categories of personal data that you collect from users:

  • Identifiers 
  • Customer records
  • Characteristics of protected classifications under California or federal law
  • Commercial information
  • Biometric information
  • Internet or other electronic network activity information
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

The California Privacy Rights Act (CPRA) builds upon the CCPA by establishing the California Privacy Protection Agency (CPPA) and closing a number of loopholes around how businesses can use customer data. It also establishes the concept of “sensitive personal information,” which expands the list above to include:

  • Government-issued identifiers
  • Racial or ethnic origin
  • Religious beliefs
  • Financial account information
  • Account log-in credentials
  • Exact geolocation
  • Contents of email and text messages
  • Genetic data
  • Biometric information
  • Health data
  • Data concerning a person’s sex life or sexual orientation

It’s also important to note that both the CCPA and CPRA empower consumers to take legal action in the event that their personal information is breached due to a business’s negligence or inadequate security procedures. 

Other state-specific privacy laws in the United States

In the absence of federal privacy law, individual states have the ability to enact their own laws for protecting consumer data. In addition to California, four other states have enacted comprehensive consumer privacy laws, including:

  • Colorado: Colorado Privacy Act, effective July 1, 2023
  • Connecticut: Connecticut Personal Data Privacy and Online Monitoring, effective July 1, 2023
  • Virginia: Virginia Consumer Data Protection Act, effective January 1, 2023
  • Utah: Utah Consumer Privacy Act, effective December 31, 2023

According to the National Conference of State Legislatures (NCSL), at least 25 additional states are considering their own comprehensive consumer privacy laws. So far in 2023, an estimated 140 consumer privacy bills have been introduced in statehouses around the United States. 

Data privacy laws around the world

Laws protecting customers’ data privacy are quite common around the world. According to the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries have enacted some form of data privacy legislation.

Some examples of these international laws include:

  • Australia: The Privacy Act
  • China: Personal Information Protection Law (PIPL)
  • Brazil: General Data Protection Law (LGPD)
  • India: Digital Personal Data Protection Act, proposed
  • South Africa: Protection of Personal Information Act (PoPIA)
  • Nigeria: Nigerian Data Protection Regulation (NDPR)

With this in mind, it’s critical that businesses operating in multiple jurisdictions understand the relevant regulations and ensure they are compliant with all such laws. 

Tips for better consumer data protection

If you use marketplace software to run your business, choose a marketplace SaaS provider that takes care of securely storing your data. Even then, you still need to handle the data on your platform with care and adhere to regulations. As your marketplace grows or if your industry is highly regulated, you can also take additional steps to ensure data protection on your platform. Below are some tips you can use to better protect the sensitive consumer data your online marketplace collects.

Conduct identity verification during onboarding

Many marketplaces verify a user’s identity when they list something on the platform to make money or when a monetary transaction happens. These verifications are usually handled by the marketplace’s payment provider. However, as your business grows, there are a number of reasons you might want to verify the identities of your buyers and sellers at onboarding. 

On one hand, as noted above, regulations like the INFORM Consumers Act and DAC7 require online marketplaces to collect and verify key information about sellers who pass certain revenue thresholds each year. On the other, to sell certain types of products, such as tobacco or alcohol, marketplaces must verify the buyer’s age.

But identity verification can also play a role in protecting user data, as it acts as a first layer of defense against bad actors who may be trying to gain access to your platform. With this first layer in place, it’s harder for fraudsters to carry out their attacks, whether the goal of those attacks is to gain access to sensitive customer data or something else.

When choosing an identity verification partner, seek a solution that safely stores your customers’ data for you. Doing so will save you a lot of time, money, and effort compared to building your own data storage processes and protocols internally. Look for a solution that holds a globally accepted security and privacy certification, such as SOC 2 or ISO 27001. Likewise, ensure that the company’s data storage practices are compliant with GDPR, CCPA, CPRA, or other regulations in your area of operation.

Enforce two-factor authentication 

Two-factor authentication (2FA) adds a layer of defense to the log-in process. It requires users to complete an additional authentication step on top of providing their username and password. 

It might involve answering a security question or inputting a one-time code sent to the user via email or text, among other options. This helps protect your users against account takeover attacks, such as phishing attempts, password spraying, and credential stuffing that could leave their personal data compromised. 

And while it’s a relatively simple solution, it works. According to a Google study, enabling two-factor authentication can block up to 100% of automated bot hacks.

It’s important, however, not to just think of two-factor authentication as something you should put in place only for your users. Instead, consider enforcing 2FA measures for your employees as well. After all, they may have access to large amounts of consumer data, making them an ideal target for bad actors. 

Perform reverification at high-risk moments

Reverification is the process of re-confirming a user’s identity at high-risk moments to ensure that an account has not become compromised. It’s often leveraged when a user attempts to complete a transaction or when suspicious activity is detected. For transactions, your payment provider may also have additional security steps in place.

But you can also require reverification when a user attempts to access or change sensitive account information. In addition to protecting your users from other types of fraud, this has the added effect of protecting the consumer’s information. Even if a bad actor is able to gain access to a user’s account via a password-spraying attack, for example, reverification is an additional layer of protection.
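
One way to express the reverification rule described above as a server-side check (an added example, not code from the original post or from Persona). The action names, session fields and five-minute window are assumptions chosen for illustration.

```python
import time

# Hypothetical action names and thresholds, chosen for illustration only.
SENSITIVE_ACTIONS = {"checkout", "view_payment_methods", "change_email",
                     "change_password", "change_payout_account"}
MAX_VERIFICATION_AGE = 5 * 60  # seconds a completed check stays valid


def needs_reverification(session, action, now=None):
    """Return (required, reason) for one request.

    session: server-side dict with optional keys
      verified_at   - epoch seconds of the last completed identity/2FA check
      suspicious_at - epoch seconds when suspicious activity was last flagged
    """
    now = time.time() if now is None else now
    verified_at = session.get("verified_at")
    suspicious_at = session.get("suspicious_at")

    # Suspicious activity applies to every action, and a check completed
    # before the flag was raised does not clear it.
    if suspicious_at is not None:
        if verified_at is None or verified_at < suspicious_at:
            return True, "suspicious activity since last verification"

    if action not in SENSITIVE_ACTIONS:
        return False, "low-risk action"

    # A password-only login (no verified_at) never unlocks sensitive actions.
    if verified_at is None:
        return True, "no verification on this session"
    if now - verified_at > MAX_VERIFICATION_AGE:
        return True, "verification too old"
    return False, "recently verified"


def handle(session, action, now=None):
    """Gate a request: run the action or send the user to reverify first."""
    required, reason = needs_reverification(session, action, now)
    return {"status": "reverify" if required else "ok",
            "action": action, "reason": reason}
```

Keeping `verified_at` and `suspicious_at` in server-side session state, rather than in anything the client can edit, is what makes the gate meaningful against a stolen password.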

Bottom line

When you operate an online marketplace, you have a responsibility to protect and secure the data that your customers and sellers share with you. The advice above is a great starting point, but it’s also important to tailor your security activities to the unique realities of your business. When you’re choosing an identity verification partner, shy away from any provider who embraces a one-size-fits-all approach. Look for a solution that you can adjust to meet the needs of your business. 

