A Guide to Understanding GDPR Implications for Subscription Businesses

By Catherine Moore, President and Managing Director for J.P. Morgan Merchant Services Europe and William Long, Partner and head of the European Data Protection Practice at Sidley Austin LLP.

In the Subscription Economy, millions of people work, shop and play online every day, leaving behind volumes of data that can include sensitive information. A study by IDC estimates that by 2020 there will be 5,200GB of data for every consumer on earth. In total, that works out at 40 zettabytes, or 57 times more than every grain of sand on every beach.

Regulators have increasingly become concerned with how companies capture, manage and protect the swathes of data they hold on their customers. Within the European Union (EU), these concerns have resulted in the General Data Protection Regulation (GDPR), a new regulation which aims to give consumers greater rights and security over how their data is used.

GDPR is the most comprehensive framework of its kind in the world and will have profound implications not just for businesses operating in the EU, but any that hold data on EU citizens. Companies in breach of GDPR could face severe fines, and with an implementation date of 25 May 2018, time is running out to ensure compliance.

Subscription businesses, which frequently come into contact with sensitive customer information like payment details, will have to be especially ready.

WHAT IS GDPR?

GDPR will effectively replace the EU Data Directive, which was established in 1995, during the early days of the internet, but is now considered inadequate to deal with current challenges. This is understandable considering the average smartphone today has 10x more processing power than a PC in 1995, while eCommerce sales are over €500 billion a year in Europe alone.3

The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. It also attempts to offer a unified standard of operating across Europe so that companies do not have to deal with several regulatory environments.

For the first time, obligations will be placed on data controllers and data processors. In other words, GDPR will affect not just an organisation (the controller) but also its outsourcing provider (e.g., a cloud computing company, or a third-party payment provider). Previous legislation placed responsibility solely on the controller.

GDPR also addresses the export of personal data outside the EU. The legislation makes it clear that it does not just apply to European companies, but to any business processing the data of EU citizens, even if not based in the EU.

DATA MANAGEMENT, PORTABILITY AND CUSTOMER RIGHTS

At the heart of GDPR are a number of changes to the way that customer data is handled. Under the legislation, customers will have to give explicit permission for companies to hold data about them. But that’s not all: companies must also provide evidence that this consent has been given. One potential implication is that companies may have to alter their auto-renewal and subscription payment processes.

Companies can no longer store a customer’s personal data simply because it may prove useful in the future, or so they can pass it on to another provider. From now on, the responsibility will be on businesses to justify why they’re retaining customer information, otherwise it may have to be erased.

Subscription businesses will particularly be impacted by this since they store a variety of data that helps them gain insights into customer behaviour such as usage, profile, etc.

GDPR: KEY IMPLICATIONS FOR SUBSCRIPTION BUSINESSES

  • Consent: Companies will have to actively get consent to store a customer’s personal data.
  • Customer profiling: New restrictions on using data for customer profiling.
  • Security and data breaches: Data breaches have to be reported within 72 hours of discovery.
  • Data portability: Consumers have the right to request transfer of personal data in certain circumstances.
  • Data transfer: Prohibitions on transferring data to non-EEA* countries without adequate safeguards.
  • Right to be forgotten: A business must erase an individual’s personal data in certain circumstances.
  • Security: Businesses must have security systems that are appropriate to the level of risk.

* The EEA includes EU countries and also Iceland, Liechtenstein and Norway. It allows them to be part of the EU’s single market.

Businesses will need to implement new policies on data retention and deletion, particularly when customers do not give them permission to store data about them. The “right to be forgotten” is a particular challenge for organisations because of the rich web of information that’s held in databases. Whereas companies may have previously been concerned about how to store and archive information, now the focus is turning to what information is held and how they can access it. For example, a merchant may have to remove someone’s personal information from all of their payment transaction record histories, if they so request.

It’s also important to realise that data does not just mean information held on a database. GDPR makes no distinction between physical and digital data: it could be customer details held on paper, or in old files at a warehouse, for example. This would now have to be made available in the event of a consumer request.

TIMESCALE

Given that GDPR becomes law in May 2018, businesses should already be looking at how GDPR will have an impact on their procedures. Under the regulation, firms can face fines of €20 million or 4 percent of global revenues, whichever is greater. And that’s just for ‘serious breaches’. Such things as failing to keep proper breach logs, or failing to report a breach within a set timescale, will carry fines of up to €10 million or 2 percent of global revenue.

GDPR also allows individuals to make a claim for damages for non-financial loss. Companies, and third party payment providers, who may unknowingly store credit card details, are frequent targets for attacks by cyber-criminals so they will have to ensure especially tight protocols in this regard. Payment providers may also start offering value-added data protection services as a means of reducing the investment required by businesses, and helping them win more business.

One area that will also be changing is the credit card authentication standard PCI DSS. Although this is unconnected to GDPR, a new standard, PCI DSS 3.2, is set to become operational in February 2018. Companies who implement this standard will be some way towards becoming GDPR compliant, at least as far as payments are concerned. For example, multi-factor authentication (MFA) becomes mandatory in PCI DSS 3.2, offering retailers a way of protecting customer personal details.

CONCLUSION

Companies are going to have to radically rethink the way they do business. There are obvious ways in which organisations will have to change, e.g., in obtaining customer consent and shifting data retention policies. But there are more subtle changes too: there will need to be a shift in company thinking, to ensure that customer concerns are at the heart of company policy.

GDPR could entail huge volumes of work: from amending contracts to make them compliant, changing privacy policies and notices, and altering company procedures to deal with data subject rights.

The organisational changes will mean greater transparency and will also offer more security for customers. Companies that act quickly and robustly in implementing these changes may also find they will benefit from a greater degree of trust from their customers.

In short, implementing GDPR may mean major changes but it should benefit businesses and customers alike. Don’t delay, however: the time for action is now. Companies who haven’t started thinking about it may find it’s already too late.

Zuora stock soars in debut: ‘The inflection point of the subscription economy’

Excerpts from the article by Emily Bary on MarketWatch

Zuora Inc.’s management didn’t hesitate about their plans to take the company public even during a period of heavy market volatility, a move that paid off Thursday.

Shares of Zuora (ZUO), which makes software that helps companies transition to subscription business models, popped 43% in their first day of trading, closing at $20 after listing at $14. That opening price was above the company’s already-raised range. Zuora raised $154 million through the offering.

“Investors realize a bet on us is a bet on the entire subscription economy,” Chief Executive Tien Tzuo told MarketWatch. Zuora claims to have coined the term “subscription economy” to describe how more companies are moving to recurring-revenue models and trying to sell their products as “services.”

Tzuo, a Salesforce.com Inc. (CRM) veteran, said his company aspires to have the same long-term success as Salesforce, with aims to deliver 25% to 30% growth over an extended period of time.

He said that Zuora possesses “twin engines of growth” in its billing and revenue-recognition business lines. On the billing side, Zuora provides tools to companies that give them the option to bill customers through a variety of models, including a flat-fee structure or one based on volume. Tzuo believes Zuora is encouraging and enabling companies to think about their business model through the lens of providing services, giving the example of a guitar seller that now offers an app for lessons and bills monthly for it.

“Today marks the inflection point of the subscription economy,” Tzuo said. “Companies should not view business models as selling products but instead as selling services that we should subscribe to.” He cited Spotify Technology SA’s (SPOT) recent listing as evidence that the movement has steam.

As for revenue recognition, “all accounting rules are changing for the subscription economy,” Tzuo said, and “it’s not going to get easier” to handle bookkeeping. Zuora offers services that enable businesses to recognize revenue under new accounting standards, which public companies were required to adopt by January.

Read the full article on MarketWatch

BMW and Lexus Launching Car Subscription Services

Excerpts from the article by Dana E. Neuts on Subscription Insider

More automakers want their share of the subscription economy.

Two more automakers – BMW and Lexus – have announced they want to get in on the subscription economy, each with their own version of a car subscription service. BMW first revealed their plans during the Detroit Auto Show, but details were not disclosed at that time. BMW has now launched its pilot program, called Access by BMW, an exclusive service that gives members unlimited access to their choice of BMWs for one monthly fee which includes insurance, maintenance, taxes, car washes, detailing, personal delivery by a concierge and roadside assistance.

For $2,000 a month, at the Legend tier, subscribers can select a vehicle from BMW’s M2, 4 Series, 5 Series or the X5. For $3,700 a month, at the BMW M tier, subscribers can select an M car, including the M4 convertible, M5, M6 convertible, X5M or X6M. There is a $575 joining fee, but it is being waived for the program’s first 50 members. The program is currently being launched in Nashville, Tennessee, but could expand across the U.S. if it is successful.

According to BMW Blog, Access by BMW members will select their vehicle from an iOS or Android mobile app, facilitated by local BMW dealers. A concierge will personally deliver the vehicle, fueled or charged, detailed and ready to go. The program requires a 32-day commitment. Daily vehicle upgrades are available. Access by BMW offers a few features that other car subscriptions are not yet offering: movement between subscription plans, pausing a subscription for a $200 convenience fee, and corporate memberships.

‘As customers continue to explore the growing mobility market, service-related offerings are becoming more in demand. With Access by BMW, our members will enjoy the freedom of personal mobility with access across a broad range of our highly emotional vehicles,’ said Ian Smith, CEO of BMW Group Financial Services USA and Region Americas, in a news release. ‘Subscription-based services are of emerging interest for our customers, and we’re excited to be offering a mobility service to meet their individual and evolving needs.’

Read the full article on Subscription Insider

BMW's car subscription pilot program starts at $2,000 per month

Excerpts from the article by Jon Fingas on Engadget

The rumors of BMW's American branch joining the car subscription craze were true. The automaker has launched a pilot Access by BMW program in Nashville, giving you a more flexible alternative to ownership that lets you switch cars as often as you like (through a mobile app, of course) without paying extra for maintenance. It's expensive like the Porsche equivalent, but that also means you're choosing from higher-end vehicles in the lineup.

A 'basic' Legend tier starting at $2,000 per month lets you choose from the M2, 4 Series, 5 Series (including the 530e plug-in hybrid), and the X5 (including its PHEV model). Pay as much as $3,700 per month for the performance-minded M tier and you can drive the M4 convertible, M5, M6 convertible, X5M and X6M.

BMW stressed that this is a pilot, and thus an "opportunity to learn." There's a chance that Access could change if and when it spreads to other cities. However, we'd expect a wider launch to be more a matter of "when" than "if." Like other brands, BMW is adapting to an era where ridesharing and (eventually) self-driving cars will reduce the incentive to own a car. Instead of paying for maintenance or worrying about owning the 'wrong' car, you can just get the vehicle you want when you want it.

The Check Box: The Growing Need for Auto-Renewal Second Consent

Excerpts from the article by Lisa B. Dubrow, Esq., Dubrow & Bhonslay on Subscription Insider

Companies that sell products or services through subscription models need to keep in mind that there are numerous federal and state laws that could impact how these models are structured and advertised. With recent legal settlements by major subscription brands as a bellwether, it might be time to revisit your auto-renewal policies and advertising to ensure you are not in danger of being held to these new legal standards. Lisa B. Dubrow, Esq. explains.

Read the full article on Subscription Insider

Why Subscriptions are the Future of B2B

Excerpts from the article by Bob Moore on Multichannel Merchant

The subscription economy has taken commerce by storm. From music and television to beauty and groceries, consumers have grown comfortable with storing their credit cards on file to receive products and services from brands they love on a recurring basis.

But what about B2B companies? The B2B e-commerce market may be estimated to reach $6.7 trillion by 2020, but complexities inherent in B2B operations have hindered branded manufacturers and distributors from fully reaching that potential – and from innovating on the customer experience at the same strength as B2C brands.

Enter subscriptions, which have fueled success for Netflix, Spotify, BirchBox and Blue Apron. With the right investments in subscription models, it’s time for B2B companies to learn from leading B2C brands and secure customer loyalty for the long term.

Put Customer Loyalty First

B2C companies were the first to remodel around customer behavior, garnering repeat customers through subscriptions. Dollar Shave Club revitalized the grooming industry when they boldly set out to sell bargain razor subscriptions online at a monthly cadence. With their model, Dollar Shave beat Gillette in the game of brand love and ultimately sold for $1 billion to Unilever, the largest ever M&A deal for a privately-held e-commerce company. More recently, GM launched a subscription-based concierge service in which users pay a flat fee for on-demand access to Cadillacs, bringing a fresh luxury spin to the world of driving.

Can the subscription model bring the same kind of magic to B2B brands? B2B companies notoriously struggle to compete for brand love – in many ways, an industrial dishwasher just doesn’t have the same allure as the hottest new iPhone.

But sometimes, loyalty has nothing to do with brand love. Instead, it can simply come down to the pain of switching who we buy from. From accounts to authorizations, B2B buying is generally more complex than that of B2C. Once a customer has identified a merchant that knows their needs and makes a product that works, the prospect of vetting and switching is all the more overwhelming.

Subscriptions alleviate that anxiety by simplifying the customer experience. In a way, B2B purchases already resemble subscription models – customers usually buy products from branded manufacturers and distributors on a regular schedule and in bulk. B2B vendors have the opportunity to automate those repeat transactions, solidifying customer relationships to make them “sticky” over the long term.

Read the full article on Multichannel Merchant

Online fortunes—and challenges—are increasing for B2B companies

Excerpts from the article on Digital Commerce 360

Business-to-business companies are reaping the benefits of e-commerce, with more than half reporting increases in both the size and profitability of their average online orders last year over 2016, Forrester Research Inc. says in a new report based on a study of B2BecNews readers.

The study found that the average online ticket, or average order value, was $1,816—compared with $148 noted in a similar study of online retailers. The report, “Measuring Up: Benchmarking Your B2B eCommerce Performance,” was authored by Forrester B2B analyst John Bruno and other analysts and is based on the Forrester/Internet Retailer Q3 2017 Global B2B Sell-Side Online Survey. Forrester surveyed last July and August 120 B2B professionals who subscribe to B2BecNews, a sister publication of Internet Retailer, published by Vertical Web Media LLC.

Forrester asserts in the report, however, that the increasing benefits of B2B e-commerce require companies to work hard to remain competitive. As B2B companies mature online, it says, they must often spend more to continue standing out among other sellers and retain their customers. Many are following that advice.

Read the entire article on Digital Commerce 360