As part of the global move to protect personal information, Amazon updated their Personally Identifiable Information (PII) policy earlier this year. With changes having had time to take effect, they’re now requiring third parties to comply. That includes Amazon Sellers like many of our customers, and it includes us as a software integrator and all our competitors.
What does this mean, what are we doing, and what do you need to do?
Let’s break this down.
What Does This Mean?
Amazon now requires third parties not retain any information you could use to identify a person, except while fulfilling an order. That means Cloud Commerce Pro and our competitors will need to remove the following information from our system no later than 30 days after the order is shipped.
Personally Identifiable information includes:
- Personal names
- Personal addresses
- Email addresses
- Phone numbers
- Payment details
- IP address
- Geo-location records
- Survey responses
- Anything included in their gift messages
The policy allows this information to be kept for only up to 30 days past order shipment in order to process orders and deal with any returns, refunds, or other customer service. We recognise that returns and orders adjustments happen after this time but unfortunately Amazon won’t allow active display of this data after this time and the data must be moved into ‘cold’ or offline storage.
Amazon does recognise that tax and other regulations may require Sellers to keep this information. PII is allowed to be archived – which means “stored as a ‘cold’ or offline (e.g., not available for immediate or interactive use) backup. Any backup must be encrypted and kept in a physically secured location. This data can be recovered in the event of a tax audit.
What Are We Doing?
After thirty days, all PII collected from Amazon in Cloud Commerce Pro’s system will automatically be archived into cold storage. That means we will redact things like names and addresses from orders using one-way encryption. Instead you may see encrypted data or blank fields where the customer data previously was. You will still be able to see full order information by clicking through to Amazon from CCP.
As we have to remove the name and address data it will make it impossible to search for orders on that criteria. You can still search for orders using Order ID’s etc. This will impact searching in the Customer Area and the Dispatch Queue. We will also redact names and addresses from Sales Reports.
What About Orders from Other Channels?
Currently this policy applies to only Amazon orders although this may be expanded as channels require. It will not affect Trade Orders and orders requiring credit payments over time.
What Do You Need to Do?
If you store customer information only in Cloud Commerce Pro, you’re fine – we’ll be taking care of it for you.
If you store or duplicate this information outside your CCP system, you’ll need to take a few steps of your own. Any additional copies of PII should be earmarked for destruction at the earliest possible interval.
You will also need an Incident Response Plan similar to our own but in line with your own corporate hierarchy. As part of this plan, Amazon must be informed of each incident via email (firstname.lastname@example.org) within 24 hours of detection.
Reference: Amazon Data Protection Policy
Quote: Data Retention and Recovery. Developers will retain PII only for the purpose of, and as long as is necessary to fulfil orders (no longer than 30 days after order shipment), or to calculate/remit taxes. If a Developer is required by law to retain archival copies of PII for tax or similar regulatory purposes, this archived Amazon Information must be stored as a “cold” or offline (e.g., not available for immediate or interactive use) backup stored in a physically secure facility, and all archived data on backup media must be encrypted.