Opportunities for online marketplaces have grown during the COVID-19 pandemic, from second-hand clothes to artworks. Since privacy risks grow with the number of users and transactions, this is a good time for the platforms to review their approach to data protection.
This article builds on my earlier article on COVID-19 business adaptation, published as part of the Aphaia Blog industry adaptation series. It is based on my own and the broader Aphaia team’s practical experience, plus insights from some awesome clients and industry experts.
Online marketplace culture taking over
According to Fabio Occhiuzzo, Operations Manager at Depop, a global second-hand marketplace for fashion items, “this unique moment in time will encourage more and more people to reconsider resale as an alternative to shopping new and therefore cause a long-term channel shift in how we consume fashion, especially as we see the pandemic reveal the realities of brick and mortar and the benefit of digital commerce.”
Depop’s insight reveals that this is about more than just availability and convenience: it reflects a broader cultural, environmental and ethical shift. “We also know that, with resale being a primary function of our marketplace, we’re champions of responsible fashion consumption and this pandemic is really shining a light on the realities of the current fashion ecosystem. Depop represents a move in the right direction for fashion because we extend the life of millions of items, which helps reduce waste. We want to use our reach to drive positive changes across the industry, making fashion circular. This means generating a culture that’s based around self-expression, creativity and creating more value in what you already own. And it’s something we’re hearing from our community more and more during this time – they’re the champions of this movement and they expect consumers to also be more mindful of the environment after this pandemic ends,” concludes Mr Occhiuzzo.
A continuation of the trend towards remote selling is also acknowledged by Arianna Perini, an arts management professional: “COVID-19 only fuelled this development. During art auctions, for example, most top-lots had already been sold through telephone bids, showing that physical presence was not a must in order to buy an artwork, regardless of its price.” She further points to the emergence of wider online art marketplaces that have, in a way not dissimilar to online marketplaces in other industries, lowered the online market entry threshold for smaller players. “Gagosian and Zwirner have opened their online platforms to host smaller galleries that could not afford to launch their own online platforms. The same online shift has been undertaken by the major art fairs, such as Art Basel and Frieze,” says Ms Perini.
Online marketplaces and GDPR
Data protection implications for online marketplaces might at first glance be similar to those for other online businesses. True, an online marketplace would typically process the data of its customers, both sellers and buyers. However, other persons’ data might be involved: selling an artwork would involve the use of the artist’s name and other information. Selling a fashion item might involve a personally identifiable photo of a model. Under each of these scenarios, an online marketplace needs to be prepared to process the data of third parties who are not its customers, which needs to be reflected in its privacy policy.
Furthermore, depending on their business model, some online marketplaces may act as data processors on behalf of their participants. In that case, they need to enter into a data processing agreement with their participants that includes all the mandatory components mentioned in Article 28 GDPR. Most importantly, a data processor is not allowed to process its customers’ data on its own behalf. Accordingly, this model would typically be suitable for those platforms that focus on underlying marketplace technology and do not intend to benefit from content analytics for their own purposes.
Online marketplaces, ePrivacy Regulation and NIS Directive
Online marketplaces regularly include data less common in other online services. Notably, online marketplaces typically include a peer-to-peer messaging feature that enables direct contact between buyers and sellers. Whereas such messaging platforms typically require a degree of supervision for fraud prevention and user safety purposes, one should also note that message content is subject to a higher expectation of privacy than other user data processed. Notably, the Proposal for the new EU ePrivacy Regulation extends communications privacy protection to messaging services that are ancillary to other services, such as online marketplaces or online gaming.
In addition, online marketplaces may be captured by the additional security requirements of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, known as the NIS Directive. These include the requirement for a separate notification of security incidents or data breaches, in addition to a similar requirement of the GDPR.
Key data privacy tips for online marketplaces
If you are an online marketplace and believe you have not yet looked closely enough at the data privacy aspects of your business, here are some key tips:
- review your Privacy Policy: ensure it captures all the data and all the individuals whose personal data you are processing;
- review the privacy regime for your messaging feature: is there the right balance between fraud prevention, security and privacy of the participants?
- check if your online marketplace might be captured by your country’s legislation on NIS security incident reporting requirements;
- check whether your Privacy Policy makes it clear whether you are using artificial intelligence (AI) to profile buyers and sellers when matching them;
- ensure buyers and sellers are informed with whom you might be sharing their data, including their preferences;
- if you are a processor for the sellers, make sure your Terms of Service include an Article 28 GDPR data processing agreement.