The regulatory environment for brands and retailers that do business online is getting stricter thanks to regulatory changes in Europe with the General Data Protection Regulation (GDPR), as well as existing regulations in the U.S. Companies that adapt quickly can turn these changes into a competitive advantage.

As we grapple worldwide with the implications of the incredible amount of personal data generated every day, consumers are pressuring brands and legislators alike for more control over their information. This becomes increasingly complicated as a larger number of businesses pivot towards subscription models, where customer-brand relationships are fluid, longer-term, and involve more uses of personal data and consumer behavior information. Neglecting the privacy desires of these consumers puts brands at risk of everything from fines and penalties to a loss of trust with their customers. There are a number of key compliance obligations that organizations should consider as they adopt new business models and expand to new geographies.

Get ready for GDPR

The GDPR, passed by the European Parliament and Council in 2016, bolsters data protection measures for Europeans. The regulation, which becomes enforceable May 25, 2018, gives these individuals greater control over their personal data and is expected to simplify the regulatory environment for brands operating online by providing uniformity across Europe.

The ripples caused by this legislation will reach every corner of the global retail market, including the U.S. According to Ovum, 70 percent of global IT decision-makers expect to increase spending to meet data protection requirements. The GDPR will force companies that process or receive European data (even if your business is located outside Europe) to transform their information handling practices to meet a new, higher standard. For instance, part of the regulation calls for data portability, allowing an individual to request transfer of their personal data from one processing system to another in a commonly used format.

Though this regulation is not enforceable for a few months, brands that process European data should already be preparing. Once the regulations go into effect, the penalties are steep. Organizations that do not comply with certain GDPR articles can incur fines of 20 million euros, or 4 percent of total global revenue, whichever is greater.

In the U.S., no state is the same

In the U.S., there is no single, comprehensive federal law like the GDPR that regulates the collection and use of personal data. Instead, the U.S. has a patchwork system of federal and state laws and regulations that sometimes overlap. Many guidelines have been developed by governmental agencies and industry groups, but they are not enforceable by law. They are however, part of self-regulatory guidelines considered “best practices.” These frameworks include accountability components increasingly used as a tool for regulatory alignment.

Although there isn’t a comprehensive federal U.S. data privacy law, there are a number of federal privacy-related laws that regulate the collection and use of personal data. Some apply to particular categories of information, such as financial or health data, or electronic communications. Others apply to activities that use personal information, such as telemarketing and commercial email.

Particular states like California require websites that collect user data to communicate the type of information being collected, the types of third-parties they might share that information with, and their online tracking practices. Connecticut and Massachusetts also have stringent laws protecting consumers’ data and requiring companies to safeguard that information.

The risk of noncompliance

The penalties for noncompliance vary depending on the type and severity of the violation, ranging, for example, from very high fines and delays in payment processing to civil lawsuits. Often, companies that have not maintained compliance struggle to catch up, giving significant competitive advantage to those that have implemented efficient data privacy systems and processes.

Ensuring ecommerce success

Maintaining a reputation as a company that respects consumer privacy is becoming more critical to brands every day. If done correctly, using consumer data to tailor online shopping experiences can strengthen the relationship between a brand and its customers. Yet, as the connection between a brand and its customers becomes more personal, it also becomes more complicated. Organizations that have relied on ad hoc best practices or even their own sense of right and wrong to manage customer information can no longer play data privacy by ear. Brands and retailers that conduct business online must take their role as custodians of personal data seriously. It’s no longer just the right thing to do—it’s the price of doing business in some of the world’s most desirable global markets.