In recent years, as a result of the strong technological development, e-commerce services have quickly become popular and attracted a huge amount of consumers due to their convenience. To conduct e-commerce transactions, consumers must provide their personal information to service providers or their partners. The collected personal information will be stored and managed by businesses, on the one hand, to meet the demands of customers in transactions. On the other hand, it will be used to take care of and provide after-sales service to customers through discounts, promotions, or advertising. Businesses can easily reach their old customers through available customer data mining, improve and adjust their services properly, thereby expand their market share. This personal information when accessed (like above mention) can become valuable data, therefore, all businesses desire to access, collect, use and exploit the customers’ personal information. However, not most businesses are aware of the regulations to collect and use customers’ personal information legally.
In the scope of the article, we will highlight some legal regulations that businesses should note and comply with when collecting and using customer information, especially personal information collected through cyberspace.
So, what types of information are included in personal information?
Personal information is information contributing to identifying a particular individual, including his/her name, age, home address, phone number, medical information, account number, information on personal payment transactions, and other information that the individual wishes to keep confidential.
Requirements when collecting customer information
Collecting personal information is to create a database that collects the personal information of many consumers who are customers or potential customers of the businesses. Currently, Vietnamese law, in general, and Law on Protection of consumer’s rights, in particular, really appreciate protecting customer information. Accordingly, when customers conduct transactions, use goods and services, they will be guaranteed the safety and confidentiality of their information. Businesses are not allowed to provide customers’ personal information to third parties, except in case there is a request from a competent authority or the consent of that customer.
In order to collect customer information for business purposes, businesses need to take the following responsibilities:
- Notify clearly and openly the customer of the purpose of the collection and use of customer information before such activities being done;
- Use the information in conformity with the purpose informed to customers, and with the consent by the customers;
- Ensure safety, accuracy, completeness during collection, use, and transfer of customer information;
- Update or adjust by themselves or help customers to update and adjust as the information is found to be incorrect;
- Not provide, share, spread the customer information collected, assessed, controlled by businesses to third parties, except in case getting the consent of the customer or complying with the law.
Thus, in order to collect and use customer information legally and avoid possible risks in the future, businesses need to develop and publish an Information Security Policy for customers’ personal information. Accordingly, this policy should clearly stipulate the following contents:
- Purpose(s) of collection of personal information;
- Scope of information use;
- Duration of information storage;
- Persons or organizations that may access such information;
- Address of the information collection and management unit, indicating how consumers can ask about the collection and processing of information relevant to them;
- Method and tools for consumers to access and modify their personal data on the e-commerce system of the information collection unit. ;
The Information Security Policy needs to be specifically communicated to customers by the businesses before or at the time the businesses collect information. Businesses may post/publicize the Information Security Policy at an easy-to-spot position on these websites, email, message, or other methods as agreed between the two parties.
In addition, businesses need to ensure that there is a mechanism to ask for permission from customers when collecting their information through online functions on their websites. Businesses also need to have their own mechanism so that customers can choose to allow or not allow the use of their information in the following cases:
- Sharing, disclosure or transfer of information to a third party;
- Use of personal information for sending advertisements, product introductions and other commercial information.
On the other hand, in some special cases, businesses are entitled to collect information from customers without their prior consent as follows:
- Collection of personal information already published on e-commerce websites;
- Collection of personal information for concluding or performing goods and service purchase and sale contracts;
- Collection of personal information for calculating prices or charges for use of information, products and services online.
After collecting and storing customers’ information, businesses shall assure safety and security of the information, and prevent the following acts: (i) hacking or illegally accessing information; (ii) Illegally using information; (iii) Illegally altering or destroying information. Business shall formulate mechanisms for receiving and settling customer complaints about the use of personal information for improper purposes or beyond the notified scope. In case an information system is hacked, posing a risk of loss of customers’ information, businesses shall notify the incident to a functional authority within 24 hours after detecting it.
Businesses also need to have a plan to change customer information when there is a request to change, update, adjust or cancel by doing it themselves or providing tools for customers to self-check, update and adjust their personal information. In addition, businesses must destroy stored personal information when the purpose of use has been fulfilled or the storage period expires and must notify the customer unless otherwise provided for by law.
In case the businesses fail to comply with the above regulations, businesses may be administratively sanctioned, and depending on the particular violation, the administrative sanction may be up to VND 60,000,000. If the relevant information is customers’ confidential information, the fine can be up to VND 80,000,000. In addition, customers have the right to claim damages due to violations in the provision of personal information.
The above are a number of legal issues related to the collection and use of customers’ personal information that businesses need to understand and comply with, in order to properly perform, limit errors that lead to unfortunate consequences.
