Commerce Gears Up for Its “GDPR Moment”

Like data privacy back in 2016, e-commerce is on the brink of its own “GDPR moment” – one that will hold brands to mile-high product quality and compliance standards.

It’s 2016, and the EU just passed the General Data Protection Regulation (GDPR). With fines of up to €10M per violation, this data privacy change has companies scrambling to comply before the law goes into effect in May 2018.

Fast forward to 2024, and the data privacy landscape is comparatively unrecognizable. And unfortunately, not every business has adapted to the new requirements despite costly consequences.

But what does this have to do with commerce?

Like data privacy back in 2016, e-commerce is on the brink of its own “GDPR moment” — one that will hold brands to mile-high product quality and compliance standards.

Here are the signs this change is coming — and, more importantly, how you can prepare: 

Lax Supply Chains Make Commerce's “GDPR Moment” Inevitable

A “GDPR moment” for commerce might sound like a hot take. But historically, systemic failures (specifically those that put people's health and safety at risk) pave the way for stricter government oversight.

Today, companies operating in the US seemingly get a soft slap on the wrist when they neglect product quality and compliance. This is true, even when they put their end-consumers at risk of injury, illness, and/or death.

Just look at Johnson & Johnson, which continues to hold a stellar reputation for “quality” despite recalling:

The healthcare brand also settled a $700M lawsuit after failing to warn customers that its talc-based baby powder posed cancer risks. 

The e-commerce supply chain is even more lax, if you can believe it.

That’s why when US e-commerce sales hit a record $870B in 2021 (up 14.2% from 2020) and surpassed $1T in 2022, it was unsurprising that the Consumer Product Safety Commission also reported:

  • 6.8% YoY increase in consumer product-related injuries in 2021
  • 7.8% YoY increase in 2022

As we enter the third wave of commerce, we can safely assume these kinds of consumer product-related injuries and recalls will become increasingly common — making a “GDPR moment” inevitable.

More Innovative Products Typically Demand More Oversight

Where before e-commerce focused on access to goods and branding, it's now eyeing innovation: 

  • First Wave: Access to Goods (1982 - 2008). During its first wave, e-commerce emerged on the back of online marketplaces like Amazon and eBay. This phase focused on importing products from overseas and selling them as is. 
  • Second Wave: Brand Name and Aesthetic (2008 - 2020). The second wave saw the rise of direct-to-consumer brands, which cut out middleman retailers and put unique marketing spins on existing offerings. (Think: Glossier's steep up-charge for drugstore makeup because it's soaked in their signature millennial pink and endorsed by influencers.)
  • Third Wave: Innovation Above All Else (2020 - Today). However, the third wave of commerce shows a shift in consumer preference from innovative marketing plays to truly innovative products. 

Take Jolie, for example. Its shower filtration system removes chlorine, heavy metals, and other contaminants from water, which is clinically proven to improve hair health. 

Since launching four years ago, the third-wave brand has garnered over 150,000 customers and earned nearly 1,000 five-star reviews (with an average rating of 4.8). Thanks to a robust QC process, it's also kept its return rates below 5%. (For context, the average e-commerce return rate hovers between 20-30%.)

Moving forward, the brands that will find monumental success are those (like Jolie) that develop truly novel, high-quality products. But, with this innovation will come increased scrutiny. 

Consider Lou Montulli's invention of cookies in 1994. Their original purpose was to enable e-commerce shoppers to store products in a virtual cart. 

But nearly two decades later, marketers used cookies to personalize campaigns in an almost predatory manner, and companies were selling the personal data they collected — legal practices that underscored concerns over data privacy. That is, until stricter policies like Apple's iOS 14 and GDPR's cookie consent requirements made these behaviors difficult in the late 2010s.

It'd be shortsighted to imagine that commerce's innovations won't seal a similar legislative fate. The difference is we can still get ahead of impending regulations, so when our own “GDPR moment” happens, we're not left scrambling and struggling to adapt.

Beauty Brands Face the Early Warnings of a Looming “GDPR Moment” 

The FDA is already taking steps to treat beauty brands more like pharmaceutical companies. 

Take K18 Hair, for example. The premium haircare brand, acquired by Unilever, uses biomimetic science to penetrate hair's inner cortex and repair the polypeptide chains broken by chemical treatments. One of the product's breakthrough ingredients? Retinol, a fat-soluble vitamin that is not FDA-approved. 

Legislatively speaking, this ingredient blurs whether K18 is a consumer or pharmaceutical product. And it's where questions like "What is required of consumer brands?" and "Who enforces it?" get complicated. 

While the Food and Drug Administration needs to provide pre-market approval for pharmaceutical products, it does not require the same for cosmetics (with the exception of color additives). 

Instead, the FDA only regulates beauty products once they hit the market. This allows consumer brands to use ingredients that fall short of the US government's standards. 

The Modernization of Cosmetics Regulation Act (MoCRA), passed by Congress in 2022, marked a massive expansion of FDA authority over beauty brands and aimed to combat this. For instance, MoCRA includes the power to suspend a facility's production, access safety records, and issue mandatory recalls.

However, the law favors large conglomerates while disproportionately targeting small- to mid-sized beauty brands (many of which are digitally native). In addition, the FDA still needs to publish the finalized regulation (which will happen by the end of 2025) despite the law going into effect in late 2023. 

To add to the confusion, consumer brands are still subject to state-specific legislation that evolves constantly and can pose contradictory requirements from state to state.

For instance, the Safe Drinking Water and Enforcement Act of 1986 (dubbed CA Prop 65) requires brands to provide warning labels when using toxic chemicals known to cause cancer and birth defects. The state updates its list of known toxins yearly, with 900+ identified on the 2023 list (including Retinol in certain dosages).

Once again, one can't help but notice the parallels with the GDPR, whose predecessor legislation was also a confusing piecemeal set of do’s and don'ts.

But Beauty Brands Will Not Shoulder This Scrutiny Alone

You often hear murmurs about the coming “GDPR moment” affecting beauty, baby, or children's products. But, these consumer categories will by no means be the only ones impacted by future regulations.

In fact, regulators are already extrapolating and reapplying existing legislation in more stringent ways and to more product categories. 

Shein, the Chinese fast-fashion company, quietly filed for an IPO in November 2023. Over two months later, the Securities and Exchange Commission reportedly still hasn't replied in writing to the request (the SEC's typical response time is 30 days). 

Instead, over two dozen US representatives from across the aisle urged SEC Chairperson Gary Gensler to audit Shein's supply chain. Why? Because the committee needs to validate that the company complies with US labor laws (which prohibit imports made with forced labor) before the company can IPO.

This is significant because Shein has historically seen skyrocketing growth in the US despite growing concerns over data privacy, sustainability, and ethical working conditions.

In the first 9 months of 2023 alone, the company reported $24B in global revenue (outpacing Zara and H&M). Shein even opened a stateside warehouse in late 2022 to meet US demand faster. 

But if the fast-fashion behemoth supposedly uses forced labor, how has it been allowed to expand its US footprint to such monstrous proportions? 

Per Reuters, "a little-known trade exemption known as the de minimis rule" is to blame. 

This exception allows foreign e-commerce companies importing less than $800 worth of goods at a time to evade excess taxes and red tape (like those banning forced labor in the supply chain). However, this exemption does not apply to foreign companies that trade publicly in the US.

Even with this spotlight on Shein's potential compliance malpractice, whatever precedent the SEC sets will undoubtedly leave questions like "What is required of consumer brands?" and "Who enforces it?" outside this unique case. In other words…

Compliance Won’t Be Easy to Solve Without a “GDPR Moment”

Part of what makes product quality and compliance such complex problems to solve are the two conflicting forces in play: free trade and the need for a fair marketplace.

For one, the US has a comprehensive Free Trade Agreement. This legislation aims to boost American prosperity by reducing barriers to manufacturing, importing, and selling goods on US soil. And it's the policy that entitles foreign entities (like Shein) to publicly list on the US stock market. 

However, many believe it's against the country's best interest to allow foreign entities that compete in our public market to fall short of US standards. This includes creating sub-par products using unfair working conditions, which would make it harder for ethically-made, quality products (which tend to be more expensive) to compete.

The solution will likely sit between these two arguments. While US government officials want to participate in globalized trade, they also want to ensure that trade happens fairly and ethically.

But until this compromise is reached, what's expected of brands remains fragmented and confusing. After all, most e-commerce leaders want to do the right thing regarding compliance and product quality. However, it's not always clear what that “right thing” is. 

Companies faced similar uncertainty around data privacy circa the 2010s. Eventually, solutions like Vanta and Secureframe emerged to help companies manage their end-to-end privacy compliance.

A similar approach can be taken by consumer brands looking to get ahead of commerce's impending “GDPR moment” with solutions like Factored Quality. 

Stay Ahead of Regulatory Changes with Factored Quality

Factored Quality is the quality management system trusted by 100+ leading e-commerce brands (including Brooklinen, Canopy, and Halfdays) to ensure compliance, maintain product quality, and exceed customer expectations.

With it, you get access to an extensive network of 2,000+ certified inspectors and auditors operating in 30+ countries.

To ensure these inspectors follow the latest regulatory requirements, our in-house compliance experts work tirelessly behind the scenes to decipher the latest compliance laws. Even better, we do this for every market your brand sells in (not just the US). 

For instance, Emulait used Factored Quality to streamline compliance testing before its European launch and prevent months of bureaucratic back-and-forth. Today, the baby brand continues to stay compliant and uphold the EU’s stringent quality standards, thanks to our quality control solution. 

But that’s not even the best part. With Factored Quality, you can rest easy knowing that all product testing and compliance paperwork is fully documented and safely housed in your QMS. That way, you can access it anytime you need it. 

Any questions about the changing regulatory landscape? Book a demo — we’d love to help you navigate compliance uncertainty and share our quality control best practices.
