RevRico
UltimaDork
11/2/20 11:00 a.m.
So if I want to sell stuff in the EU, I need to have a "data protection policy" on my site.
Can I get away with borrowing boilerplate, or do I need to make up an actual plan for this? Shouldn't my hosting company, shopify, already take care of this for me?
I guess it's GDPR for the EU, but between the children, swmbo, the axxies, and everything else trying to pull me away from my attention span, I haven't been able to dig deeply into it yet.
Shopify probably has some boilerplate for you. Ask them.
Do you have to collect EU tax?
I would think NO, but VAT there is 20% or so, and I am sure they want the $$$$
Asking because if I buy something from China, Ebay charges me the 9% California sales tax,
RevRico
UltimaDork
11/2/20 11:25 a.m.
In reply to californiamilleghia :
Far as I'm aware, I only need to collect tax for sales inside my own state, as that's the only place I have a presence. If I had a warehouse elsewhere, I'd need to collect there too.
Though the buyers would be on the hook for any customs fees or import tax.
Agree with Keith to check if they do have some boilerplate for you that you can use on your website. However that's only half the battle if Shopify processes the orders for you - you probably want to get confirmation from them that they're processing EU orders according to EU law (basically, that the order is pretty much processed in the EU).
Currently this is a bit of a minefield since the Safe Harbor provision ended up getting nixed and the follow-up temporary "data protection" agreements between the EU and US also just got nixed by the ECJ.
That said, if you make it clear that anybody from the EU will be dealing with a US-based company, it might help. But from what I understand, strictly speaking you'd still have to adhere to EU data protection laws for your EU-based customers. The GDPR notice is only part of that.
wae
UberDork
11/2/20 11:29 a.m.
It's been a minute or two since I've spent any brain cycles on GDPR but what I remember as the biggest item was the "right to be forgotten" when it comes to personal data. The general gist is that if you have PII for an EU citizen, you are required to get consent to use that data in some way, you have to protect that data from leakage, and if that citizen doesn't want you to have their PII anymore, you have to be able to scrub their data from your environment. The penalty for violations is a percentage of your total revenue, not just the revenue you generate in the EU. Now, enforcement for that is another question - are they going to go after A Guy in the US who might have one or two EU customers that are filing complaints? But if you're using a third party for that type of transaction, you should be using someone who understands GDPR and will be your data processor. Keep in mind that the concept of PII as it pertains to GDPR is a little more broad than what might first come to mind - for example, logging the IP address of a visitor to your website is considered "data processing".
On a small tangent, what I've always found to be the biggest anomaly is how the right to erasure exists along the concept of backup and disaster recovery. So far, it seems like the rulemakers have agreed that a citizen wanting to have their records erased doesn't obligate a company to troll through all their backups and remove data from them or delete those backups wholesale. You'd better have a good record of who wanted to be forgotten, though, so that in the event that you need to perform a recovery (either for operational purposes or building/refreshing a dev or qa environment) those forgotten people can be re-forgotten.
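The re-forgetting step described in the post above, as an added example that is not from the thread or from Shopify: an erasure ledger kept apart from the backups and replayed against a restored database. The table layout, function names, key and sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: this key is stored outside the customer database and its backups.
LEDGER_KEY = b"constructed-demo-key"

def subject_token(email):
    """Keyed hash of the normalised e-mail, so the ledger holds no readable PII."""
    normalised = email.strip().lower().encode()
    return hmac.new(LEDGER_KEY, normalised, hashlib.sha256).hexdigest()

def new_store(rows):
    """Hypothetical customer store: a single table holding PII."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, address TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", rows)
    return db

def reapply_erasures(db, ledger):
    """Run after every restore or dev/QA refresh; returns the number of rows erased."""
    doomed = [(e,) for (e,) in db.execute("SELECT email FROM customers")
              if subject_token(e) in ledger]
    db.executemany("DELETE FROM customers WHERE email = ?", doomed)
    db.commit()
    return len(doomed)

def erase(db, ledger, email):
    """Honour an erasure request now and record it so later restores repeat it."""
    ledger.add(subject_token(email))
    return reapply_erasures(db, ledger)

def remaining(db):
    return [e for (e,) in db.execute("SELECT email FROM customers ORDER BY email")]

# Constructed sample rows standing in for a backup taken before the request.
BACKUP_ROWS = [
    ("anna@example.eu", "Anna", "Berlin"),
    ("Bob@Example.eu", "Bob", "Lyon"),
    ("carl@example.com", "Carl", "Denver"),
]

def demo():
    ledger = set()                     # in practice: durable storage outside the backup set
    live = new_store(BACKUP_ROWS)
    erase(live, ledger, "bob@example.eu ")
    restored = new_store(BACKUP_ROWS)  # simulates restoring the pre-erasure backup
    return remaining(live), reapply_erasures(restored, ledger), remaining(restored)

if __name__ == "__main__":
    print(demo())
```

The ledger matches on a keyed hash of the normalised address, so a request typed with different case or stray whitespace still removes the restored row.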
wae
UberDork
11/2/20 11:35 a.m.
In reply to RevRico :
The tax thing is a whole different ball of wax. The Wayfair decision upended the concept that you only needed to worry about sales tax where you had a physical presence. It's a bit more patchwork now, and I think that in many, if not most, taxing jurisdictions you're responsible for collecting sales tax since you are basically considered to have a presence inside your customer's computer.
I think you're probably correct in terms of worrying about VAT going into the EU, though.
californiamilleghia said:
Do you have to collect EU tax?
I would think NO, but VAT there is 20% or so, and I am sure they want the $$$$
Asking because if I buy something from China, Ebay charges me the 9% California sales tax,
Tax collection (especially VAT) works slightly differently in the EU and is not the problem of the merchant that is outside of the EU (rules are different if, say, a merchant in France sells something to someone in Italy).
The way it works is that you as the non-EU merchant charge the customer net of tax and fill in the customs declaration with information about the item and its price/value. If the value exceeds the threshold for paying import duty - which is pretty low, less than 20 Euros - you then have to pay import duty and local VAT on the cost of the item(s) and shipping before customs will release the item to you. If you don't, it gets sent back or destroyed. Depending on the value of the item and the shipping company (USPS/FedEx/UPS etc), the shipping company may handle the customs part for the recipient and the recipient will have to pay the shipping company the VAT and import duty (plus a fee of course), but at least you don't have to wander down to the local customs office (which, depending on where the recipient is, may not be that local).
Oh, and as an aside, I would recommend a hearty GBY to customers who ask you to fudge the customs declaration. If customs opens the package and determines you fudged it, you can pretty much be sure that all of the packages you send to the EU afterwards are getting flagged. And that's the best case scenario that doesn't involve you as the merchant getting fined for mis-declaring the value of an item.
Note - the above is for sending stuff to non-business customers. B2B works slightly differently but similar in principle IIRC. Might also be somewhat out of date as I haven't had to deal with this much in the last 5-7 years.
RevRico
UltimaDork
11/2/20 11:39 a.m.
In reply to wae :
I'm not as concerned about the tax thing, I've got a decent CPA on speed dial who will deal with all that for me.
Watching what others go through with regards to shipping, I almost feel like it's not worth targeting Europe, but that's a surprisingly big market with surprisingly few makers outside of the UK, so blocking it off altogether isn't a great plan either.
Just would have been nice to be reminded about the data protection thing a month ago when I ordered supplies instead of this week when SWMBO is on night shift, both kids have virtual school, and all my materials are showing up at once. I barely have time to take a leak, let alone dig into digital privacy laws.
In reply to RevRico :
Don't worry too much about the 'right to be forgotten' part unless you're operating a search engine or social media site. What it would boil down to for a small merchant is that a) if a customer asks you to delete the PII you hold on them (and possibly also the data Shopify holds for the transaction between you and the customer), you delete it and email them back saying "yep, done" and b) if someone asks for a copy of the PII data you hold on them (which is likely to be name, address and maybe order information) you send it to them promptly.
Unless you're running a multinational empire, but then you probably already employ lawyers who can advise you on the above instead of random people on the Internet.
Note that this is my personal understanding, but while I am an EU citizen and tend to keep an eye on this stuff, I'm also most definitely not a lawyer.
BoxheadTim (Forum Supporter) said:
Oh, and as an aside, I would recommend a hearty GBY to customers who ask you to fudge the customs declaration. If customs opens the package and determines you fudged it, you can pretty much be sure that all of the packages you send to the EU afterwards are getting flagged. And that's the best case scenario that doesn't involve you as the merchant getting fined for mis-declaring the value of an item.
I have found that using the term "fraudulent paperwork" usually shuts this down.
"Can you mark my invoice for $50 so I don't have to pay duties and taxes?"
"Sorry, we cannot provide fraudulent paperwork with shipments. The penalties are too strict."
Wayfair has been a royal PITA. We're paying five digits a year to stay in compliance, as we have to collect and remit taxes right down to the rooftop.
Also might be worth checking this website: https://trade.ec.europa.eu/tradehelp/
Either for information or if you have insomnia.
Well, berkeley.
Sorry Miata owners in the UK, you're not getting any parts from us for a while. This is why some of our competitors don't ship outside the US at all.
Reading more carefully - there's a £135 threshold. Below that, you have to collect VAT. Above that, it's "normal". So there will be a minimum order value for shipment to the UK.
In reply to Keith Tanner :
Looks like it's similar with the EU, with a somewhat different threshold of 150 Euros.
RevRico
UltimaDork
1/4/21 2:51 p.m.
I like the idea of minimum order sizing...
Shopify did have some stuff, few check boxes, some boilerplate, but they suggest looking into it further on your own.
Between the holidays, the house, the virtual schooling, I haven't had time to even finish posting up ready made pages. Hopefully that all changes this week and this thread becomes relevant.