The European Union (EU) represents greener pastures for many businesses.
It’s full of potential customers that will love your products and services.
While this may be true, it’s also a place with many strict laws and regulations that affect businesses of all shapes and sizes.
While some people are happy about the numerous regulations, others look at them as an extra burden.
Whatever your personal stance, there’s no denying that things have changed and your organization needs to change to stay relevant.
In this article, you’ll get a clearer understanding of the factors that affect your ability to sell to EU customers.
Strong Customer Authentication (SCA) and how it affects you
Strong customer authentication was introduced in the European Economic Area (EEA) on September 14, 2019. It’s a set of requirements for authenticating online transactions initiated by a customer. Though introduced in September 2019, it isn’t expected to come into full force until December 2020.
SCA is meant to reduce the amount of fraud in the EEA and make card payments more secure. It works by creating a step after a customer confirms their transaction that requires 2 out of 3 things to be present for authentication.
- Something the customer knows, like a password or a PIN
- Something the customer has, like a phone or hardware token
- Something the customer is, like their fingerprint or facial recognition
For example, a one-time password or PIN is sent to the customer’s phone and is used to complete the transaction. SCA comes into play when a citizen of the EEA initiates an online payment or transaction within Europe. SCA may not be required when a merchant initiates a transaction. For example, a monthly subscription payment shouldn’t be subject to SCA, but most online payments and all bank transfers within the EEA are affected.
It’s important to note that both the customer and the business need to be within the EEA. If you’re outside the EEA and are doing business with EU customers, you don’t have to implement SCA – yet. Many regions are looking at how SCA plays out in Europe. If it doesn’t have a marked negative effect on eCommerce conversions, then we may see widespread adoption of similar protocols in other countries.
Exemptions to SCA
There are instances when both the customer and the merchant are within Europe but SCA is waived. These are exemptions and can be applied based on the perceived risk level and fraud thresholds of the payment provider or card issuing bank.
Another exemption is possible when the payment is below €30 and the cardholder hasn’t used a similar exemption 5 times in a row. There are other exemptions; for a comprehensive list, you can visit Stripe’s Guide on SCA.
The main thing to note is that if you’re in Europe and your customers are in Europe, SCA is mandatory. If you’re outside of Europe and have customers in Europe, it may become mandatory in the near future.
The far-reaching effects of Brexit
Brexit has been on the lips of politicians, entrepreneurs, and marketers alike. It has a direct impact on the largest eCommerce market in Europe. 86% of Brits with internet access shop online.
According to Maurits Bruggink, the secretary general of the European eCommerce and Omni-channel Trade Association, if there’s a hard Brexit, things will become much more difficult for merchants shipping to the UK.
All products will have to pass through customs, meet specific standards set by the UK (if they choose to adopt new regulations), and other possible challenges. This may result in much longer wait times and frustration for customers. The return rate may be as high as 50% for certain product categories.
The end result is a sharp decline in international eCommerce due to increased prices and unreliable delivery times. Many customers will forgo foreign merchants and instead choose to shop domestically.
Larger international brands may set up fulfilment centers within the UK to avoid poor customer experience. Merchants domestic to the UK may also choose to set up fulfilment centers on the continent. The real losers are smaller businesses that aren’t able to set up and manage multiple fulfilment centers while turning a profit.
There’s still time before a deal (or no deal) outcome is decided. Whatever the case, if you’re doing business with countries in the EEA, the UK needs to be considered separately.
GDPR is here to stay
The General Data Protection Regulation (GDPR) is great in theory because it gives the ordinary consumer more control over the data that’s collected when they use services online.
In addition to giving users control, it introduced heavy penalties for companies that don’t comply with the regulations. Google itself was fined $57 million for dark patterns baked into phones using Android OS.
When doing business with customers in the EEA, it’s imperative that you adhere to GDPR regulations. It doesn’t matter if you’re physically located in the EEA or not. The regulation still applies. There are many nuances of what you can and cannot do, but I’ll just summarize the most important points.
- Right to be informed. Consumers/subscribers need to be told in clear, unambiguous language who’s collecting their data and how it’s being used.
- Right to be forgotten. If someone asks you to remove them from your database, you remove them from your database.
- Data processor obligations. If you’re processing data on behalf of customers (e.g., an email marketing tool), you’ll have to adhere to certain security measures.
- Data Protection Impact Assessment. If the data you process is sensitive and can affect the rights and freedoms of individuals if compromised, an assessment must be carried out.
These are the main points but it’s by no means a comprehensive breakdown of GDPR. The regulation touches on everything from the information you collect at checkout to the language you use when people sign up for your mailing list. It also bleeds over into your cookie policies.
Evolving cookie policies
Websites are meant to ask for permission before they store cookies on your device. Only the necessary cookies like those for logging in or recording visits are applied automatically.
What’s the implication for an eCommerce site?
GDPR has taken many of the aspects of the ePrivacy Directive and turned them into regulation with stiff penalties. Now, it’s important for all eCommerce stores with EU customers to explicitly state the kind of cookies they’re using and wait for the user to give them consent.
This applies to you whether your business is within the EEA or not.
The challenge here is determining which cookies should be applied automatically and which ones should be applied after a user gives consent. For example, if someone comes to your website, they want to add items to the cart and have them available when they check out. That’s necessary.
The cookie that saves their username in expectation of the next visit may or may not be necessary. It depends on the expectations of the customer and the function of your website. When in doubt, ask for consent.
The European Union is at the forefront of the battle for online privacy and protection. It’s a good thing for consumers but has proven to be a major hurdle for businesses.
Tough laws are making a lot of organizations think twice before they sell to EU citizens. At the same time, the tough regulatory environment is making innovation more difficult for the EEA. If you’re planning to sell or already sell to EU citizens, it’s necessary to prepare properly.
That includes but isn’t limited to:
- SCA and whether you need to implement it
- The effects of Brexit on trade to the UK
- GDPR and whether or not you’re compliant
- The constantly evolving nature of consent around cookies
This article has given you a solid idea about all these areas, but I still encourage you to do more research and consult with a qualified professional before making any business decisions.