Retail Industry Regulations to Watch

And to conduct yourself appropriately means complying with local, state, national and federal regulations and industry guidelines. It’s not just in one area either. There’s so much to consider across employment practices, wage protection, data protection, ethical sourcing and more.

That’s why we’ve come up with a guide to inform you of essential regulations and the best ways to comply with them.

Currently, there aren't any country-wide set of data protection guidelines that retailers need to be aware of for their customers. This might sound simple at first, but it actually makes things a lot more complicated. Instead, there are hundreds of separate laws across different states that aren’t tied together. So, this means you have to be aware of the specific data protection laws within every state where your business operates.

As a starting point, it’s useful to know that the Federal Trade Commission Act (FTCA) and the US Federal Trade Commission (FTC) are responsible for assigning these laws and that you should do research into specific regulations.

If you’re familiar with Europe’s General Data Protection Regulation (GDPR), then you’ll know that Europe takes a stricter stance on the protection of consumers’ data. In Europe, individuals own their personal information and have the legal right to control it, who can use it and request to have it permanently erased. But the United States has been far more lenient with data protection laws rooted in harms prevention compared to Europe’s rights-based laws.

But this year marks a major shift in data protection laws in the US. California is the first state to pass its own data protection law, The California Consumer Privacy Act (CCPA), which allows any Californian consumer to demand to see all the information a company has saved on them as well as the full list of all third parties that data has been shared with. And other states, including Colorado, Connecticut, Utah and Virginia, are following suit and planning to enforce new GDPR-inspired laws this year.

There are other laws that relate to data protection. For example, the Telephone Consumer Protection Act (TCPA), stops unsolicited text messages and phone calls. Violating the act can result in between $500 - $1500 fines and there is no cap. So, racking up thousands of violations could lead to millions of dollars in penalties. Meanwhile, the CAN-SPAM Act deals with email regulations, covering things like not using false header information, clearly labelling an email as an ad and giving consumers the ability to opt out of future emails. Failure to comply can lead to penalties of $50,120 and the person who sent the email would also be held responsible as well as the company. Further charges may also be brought up against you for deceptive advertising under Section 5 of the FTC Act, leading to imprisonment. 

Considering retail and e-commerce companies lose an estimated $48 billion to fraud each year and the damage it can have on customers, fraud regulations are ever-present. In June 2023, the INFORM Consumers Act was passed to protect consumers from online fraud. Online marketplaces are required to gather, verify and disclose bank account details, government-issued IDs, Tax IDs and contact information about their customers and suppliers.

Here’s what that looks like:

• ID identification: Marketplaces have to verify the information within three days of receiving it. This is meant to stop sellers of stolen and counterfeit products from using platforms that need a seller’s identity. The verification also needs to happen yearly.
• Contact information: Data like name, address and email is needed from high-volume third-party sellers to help with transparency.
• Reporting: Marketplaces are encouraged to promote their reporting mechanisms to consumers so they can take direct action against fraudsters. (Failure to stick with any of these rules will lead to $50,120 fine per violation).

The Fraud and Scams Reduction Act seeks to raise awareness of, identify and combat schemes to defraud consumers, especially schemes that target seniors. Section 112 establishes the Senior Scams Prevention Advisory Group, which consists of government and industry representatives and is tasked with studying and upgrading existing educational materials aimed at preventing scams that affect seniors. Section 122 establishes the Office for the Prevention of Fraud Targeting Seniors within the Bureau of Consumer Protection. The Office is charged with assisting the Commission in oversight of fraud targeting seniors and coordination with other relevant agencies, dissemination of educational materials concerning fraud targeting seniors, and logging complaints of such fraud.

Another proposed fraud act to be aware of is the SHOP SAFE Act. This is meant to stop unauthorized trademarked products from being sold through online platforms and protect consumers. Pre-screening methods and similar data from the INFORM Act would be collected. 

Then, there’s the federal Mail or Telephone Order Merchandise Trade Regulation Rule. This law requires stores to ship telephone, mail, fax, and Internet orders within 30 days. If the merchant promises an earlier shipment date, it must meet that deadline. If the retailer has a reasonable basis for not getting your order out on time, it must obtain your consent to the delay. And if you don't respond or consent, the merchant must issue a refund. Merchants have more time—50 days instead of 30—to make the shipment if you're also applying for credit.

There’s been a lot going on with the supply chain in the last few years. Inflation, a recession and labor shortages have created a need for retailers to adapt to global events and legislation that aren’t just focused on North America and Canada. 

Some of the most prominent regulations to adhere to include:

• The Supply Chain Due Diligence Act was introduced in Germany in January 2023. It requires in-depth risk analysis, compliance and preventive practices on an international scale. Failure to comply includes heavy fines, reputational damage, lowered sustainability ratings and higher interest rates. 

• An act passed in 2010 requires SEC-listed brands to disclose conflict materials and whether the materials come from the Democratic Republic of the Congo. Retailers must submit a conflict minerals report that describes products and due diligence practices. 

• OFAC sanction lists are based on the laws of various countries around the world. Each has its own specific guidelines and penalties. 

In terms of sourcing sustainable products and engaging in ethical practices, retailers are under more scrutiny than ever. In a climate of cancel culture, polarizing opinions and bankruptcies, it’s vital that you behave ethically. Complying with regulations is one aspect of that. This includes paying attention to guidelines that deal with forced labor and child labor.

In May 2023 the Fighting Against Forced Labor and Child Labor in Supply Chain Act was passed in Canada. Going into effect in January 2024, the Act focuses on businesses who have at least $20 million in assets and generate at least $40 million in revenue. Companies must regularly create public reports that show everything they’re doing to reduce the risk of forced labor and child labor in their supply chains. Directors and the company are liable for $250,000 per violation of the act. 

Over in the US, the Uygher Forced Labor Prevention Act (UFLPA) came into effect in June 2022. This law prevents the importation of goods produced under forced labor in the People’s Republic of China, especially in Xinjiang. Meanwhile, the United-States-Mexico-Canada Agreement (USMCA) is focused on protecting the rights of farmers and creating better-paying jobs. For a full guide on the  USMCA ethical practices and penalties, go here. 

How to comply with these regulations 

• Run detailed compliance checks: Run compliance checks to verify your suppliers are legitimate, have their finances in order and aren’t in violation of local, state, national and federal regulations. For example, running Know Your Customer (KYC) / ID verification checks can protect you from being duped by a scammer pretending to be a director of a legitimate supplier. And running sanctions checks means you won’t work with suppliers who are in violation of sanctions and won’t be subject to hefty fines as a result.

• Maintain a digital audit trail: You can never be careful enough. Record all your activities and internal processes that will be needed for reporting requirements. Having a reliable audit trail means you’re fully protected in case governing bodies ask for specific documents. 

• Vet your suppliers specifically:  Hone in on your supply chain with a robust supply chain management policy. Scour sanctions lists, run international Know Your Customer (KYC) and ID verification checks and check adverse media databases. Think twice about working with (or continuing to work with) suppliers who fall foul of compliance violations. Their non-compliance reflects directly on your brand and could cause your own customers to walk away and spend their money with competitors. That will not only affect your bottom line, but it will also hurt your brand reputation considerably.

• Appoint a Chief Compliance Officer (CCO): Processes are only as good as the people in charge of them. So, you’ll want to hire a reliable Chief Compliance Officer to oversee everything. A strong CCO communicates clearly, transparently and regularly with all departments, stays up-to-date on any changes in regulations and sets out specific processes, protocols, systems and teams to make sure the company is adhering to all relevant regulations, guidelines and industry standards. Plus, they have no issues with holding others accountable and are proactive about making the necessary changes to outdated regulatory processes.

• Create synergy between departments: Adding to my previous point, every team needs to know the importance of compliance and the hefty fines that non-compliance brings. The CCO or designated regulatory champion should set up monthly compliance training to educate staff on different legislations, including their specific requirements, what processes and systems are in place, what non-compliance means and any other relevant information. Also, don’t be afraid to communicate and collaborate with the legal team to monitor incidents, public disclosures and risks. 

• Tap into industry-changing technology: AI and automation are speeding up compliance checks, bringing data together into a single location and removing the need for laborious manual tasks. 

At the end of the day, remember that the first step is always education. Understand which regulations impact you, then build a plan, processes and systems to minimize your compliance risks.