Safe Harbor is dead. Long live… something else?

January 21, 2016 - Product UpdatesSecurity

When most companies set out to sell online, compliance isn’t top of mind. We might think about PCI compliance. We usually think about sales tax compliance. If you work with Russian developers, you might have seen the news of economic sanctions and thought, “I hope this doesn’t impact my business.”

But if you’re not running your business in the EU, you probably have never thought, “I wonder which EU laws I’m supposed to be following?” If you’re not in the EU, your biggest concern with customers in the EU is probably shipping, not which data security laws you’re expected to abide by.

But today, your concern is data privacy.

Safe Harbor: What it was

Safe Harbor was a data sharing pact between the US and EU that allowed US companies to receive and process data from folks in the EU. It was one single approach for every EU member state. Thousands of US businesses, including us, relied on it to ensure we complied with the EU’s requirements for personal data.

Unfortunately for the thousands of us who relied on it, the EU Supreme Court invalidated it in October. A group working on a replacement, informally called Safe Harbor 2.0, had until the end of January (2016) to come up with an acceptable replacement. (If you’re interested, the concerns from the EU stem from the US Government’s… ahem… “questionable” treatment of internet security, encryption, and data privacy, as revealed largely by Snowden.)

Though we’ve been collectively hopeful for a replacement in time for the January deadline, we don’t want to run the risk of leaving our users without an option for compliance. And though the EU has said they would pursue companies in violation of their data protection policies, nobody is sure how aggressively they may be in doing so. While nobody expects every agency from every member state to immediately start going after ecommerce merchants, let alone smaller merchants, it’s important for you to be aware of the changing landscape.

The current workaround for ecommerce

In the absence of Safe Harbor, there are three options to collect the information you need (through FoxyCart) to sell from the US into the EU. Two of the three options are non-starters for an ecommerce context, but the 3rd option is to obtain the customer’s explicit consent to transfer their data.

To that end, we’ve added a feature (available in FoxyCart v2.0) to obtain this consent from EU customers. It looks like this:

This is a required checkbox that displays if a customer has a billing or shipping address in an EU member state. (You can customize the text in the “language” section of your admin.)

Please note: We are not international compliance experts, and this blog post does not constitute legal advice, nor can we guarantee this consent checkbox will meet your business’s unique needs. Please check with your own counsel to discuss how your organization should handle the invalidation of Safe Harbor.

What FoxyCart users need to do

Our goal with FoxyCart has always been to not mess with what you’ve set. For this reason, we strive to avoid making changes to your templates or functionality. Further, because we support old versions (we don’t force upgrades, again because we don’t want to force you onto our timeline or risk breaking your checkouts), so the action required will depend on your FoxyCart version and your business.

Note that even if your business isn’t in the US, the FoxyCart servers are, and that’s what matters.

For all users:

If you already don’t allow international shipping or have other functionality (country restrictions, for example) that prevents orders from the EU, you are likely safe, though you should check with your own compliance team or counsel to double check.

For users on v2.0:

This new feature is defaulted to off for existing stores. Though we don’t anticipate problems with enabling it, we will not make that call for you (just in case any of your own customizations interfere). You can enable this in the “template configuration” page of your FoxyCart admin. If you have the default “responsive” checkout, this is all you have to do. If you have customized your checkout, we recommend attempting the option, but if it doesn’t appear, please contact us and we can help you through it.

You also can use the new 2.0 functionality to restrict shipping and billing to exclude EU member states entirely, which will prevent any checkouts and the subsequent data transfer.

We recommend you take this action by January 31.

For users on v1.1 and prior:

Unfortunately, our older versions don’t allow us to add an easy option you can simply enable. Instead, you can take some of the following options:

  • Upgrade to 2.0. We’re happy to help, and if you’ve got a simple integration, this might be very doable.

  • Add a custom checkbox to allow customers to provide their consent. Please contact us for code to copy/paste.

  • Restrict international shipping, if you don’t intend to sell to the EU.

  • Restrict countries on the checkout using one of the custom scripts here: https://wiki.foxycart.com/snippets/start

We wish there was a better option, and we will update again as soon as a new agreement is in place. Our hope is still that this new functionality goes unused because a new data sharing agreement is reached. But at this point, optimism is fading and we want you to be prepared.