Understanding the Right to Be Forgotten in Online Retail

Picture buying something online that you regret. You leave a harsh review, but later, you wish you could wipe away your online trace. Every click, comment, and transaction is saved in the digital age. The “Right to Be Forgotten” helps people regain their privacy. But how does this principle apply to the bustling world of online retail?

The Right to Be Forgotten (RTBF) has led to many discussions among consumers, businesses, and legal experts. Personal data is key to operations in online retail, so understanding this right is not just relevant; it’s crucial. In this post, we’ll explore the concept and its effects on retailers and consumers. We’ll also share tips for navigating this changing legal landscape.

What Is the Right to Be Forgotten?

Origins and Definition

The Right to Be Forgotten is part of the General Data Protection Regulation (GDPR) that the European Union implemented in 2018. It allows people to ask to delete personal data when it’s no longer needed or if they change their mind.

Article 17 of the GDPR gives people the right to erase their data quickly, but only in certain situations.

This includes:

• When the data is no longer needed
• If consent is withdrawn
• If the individual objects to processing
• When data is unlawfully processed
• To comply with legal obligations

Practical Example

Consider a customer who shops frequently from an e-commerce store. Years later, they erase their purchase history and personal info from the retailer’s database. Under the GDPR, customers can ask retailers to delete their data. The retailer must comply unless they have valid reasons to keep it, like meeting legal obligations.

Why the Right to Be Forgotten Matters in Online Retail

Data-Driven Nature of E-commerce

Online retail thrives on data, which drives personalised experiences and targeted marketing. Data includes personal preferences, browsing habits, payment details, and shipping addresses.

However, this dependency on personal data also creates vulnerabilities. Breaches, misuse, and privacy issues are constant risks. So, GDPR compliance and honouring RTBF requests are key to keeping customer trust.

Building Trust and Brand Loyalty

Brands that handle data openly and respect RTBF requests show they can be trusted. Mishandling data or ignoring deletion requests can hurt reputations. It may lead to fines and push away loyal customers.

Legal Obligations and Penalties

Not following RTBF requests can lead to big fines under GDPR. These can be as high as €20 million or 4% of global annual turnover, whichever is greater. For online retailers, the stakes couldn’t be higher.

How Online Retailers Should Handle RTBF Requests

Step 1: Implement Clear Policies

Retailers must create and maintain clear, accessible data privacy policies that explain:

• How customers can submit RTBF requests
• What information is needed to verify identity
• Expected timeframes for data deletion

Step 2: Verification of Identity

Verify the identity of the person making the RTBF request before processing it. This helps prevent fraudulent deletion attempts and protects other users’ data.

Step 3: Assess the Request

Retailers must assess whether the data qualifies for deletion:

• Is the data no longer necessary?
• Has consent been withdrawn?
• Is there a legal obligation to retain it?

If the law says to keep data (like for taxes), the retailer has to tell the requester.

Step 4: Execute and Confirm

After approval, the retailer should delete the data from all systems, including backups, if possible. They must then confirm the action with the individual.

Tip: Keep a safe record of the RTBF request and your actions. This is important for compliance audits.

Challenges Retailers Face

Balancing Rights and Legal Obligations

Retailers often struggle to balance RTBF requests and legal record-keeping rules. For example:

• Financial records must typically be retained for six to ten years.
• Transaction data may be needed for fraud prevention.

So, retailers need to know which data to keep and which to delete.

Technological Limitations

Deleting data that is spread across different systems, cloud servers, and third-party providers can be challenging. Retailers must invest in integrated data management solutions that enable comprehensive data removal.

Cross-Border Compliance

Retailers operating internationally must navigate varying data protection laws. GDPR controls data for EU citizens. Brazil has LGPD, and California has CCPA. Each has its own rules.

Pro Tip: Use GDPR standards everywhere. They meet most global requirements and set a high bar.

Consumer Perspective: How to Exercise Your Right to Be Forgotten

Step-by-Step Guide

1. Verify Your Identity: Be prepared to provide proof of identity.
2. Identify the Retailer: Gather details about the retailer and your interactions (e.g., accounts, orders).
3. Submit a Formal Request: Most retailers provide an online form or a specific email.
4. Await Confirmation: Retailers must reply within one month. They can extend this by two more months for complex cases.

What Can and Cannot Be Deleted

Can be deleted:

• Account information
• Purchase history
• Email communications

Cannot always be deleted:

• Financial records required for tax purposes
• Records related to legal disputes

Real-Life Scenario

Jessica ordered luxury skincare products from a European online store. Later, she decided to delete her account for privacy reasons. She made an RTBF request and confirmed her identity. Within three weeks, she got a note saying her account and personal data had been deleted. It also explained which financial records were kept for legal reasons.

Best Practices for Online Retailers

Be Transparent

Transparency builds trust. Clearly explain data collection, usage, and retention policies at every customer touchpoint.

Invest in Data Management

Adopt systems that enable efficient data identification, tracking, and deletion across platforms.

Consider:

• Customer Relationship Management (CRM) systems
• Data mapping tools
• Secure backup solutions

Train Your Team

All customer data management employees must be trained in GDPR rules and RTBF procedures. This training ensures everyone is consistent and accurate.

Maintain Communication

Keep the customer updated on their RTBF request. Communicate about progress, timelines, and any data exemptions.

Future Trends: Evolving Privacy Expectations

The digital landscape is dynamic, and consumer expectations around privacy are rising.

Here are key trends to watch:

• Enhanced User Control: Future platforms might let customers manage their data better. They won’t need to make formal RTBF requests.
• AI and Data Deletion: AI can help find and delete customer data quickly, making it easier to follow the rules.
• Global Convergence: Data privacy laws will increasingly align around the world. GDPR principles primarily drive this change.

Retailers who embrace these changes will gain an edge in customer trust and loyalty.

Conclusion: Understanding the Right to Be Forgotten in Online Retail

The Right to Be Forgotten changes how we view, value, and protect personal data. Online retailers need more than legal compliance. They must also commit to transparency, respect, and customer empowerment.

Respecting the RTBF in online retail goes beyond just following rules. It’s about creating lasting trust in a data-driven world. Retailers who show empathy and work efficiently will avoid penalties and gain loyal customers for life.

Ready to make privacy a cornerstone of your brand?

If you’re a retailer, start by auditing your data practices today. If you’re a consumer, don’t hesitate to exercise your rights and advocate for privacy. Let’s create a digital world where trust and transparency are the norm, not the exception.