Removing PII from Orders after 30 days


#1

I just received some information that on August 24, 2019 all PII (personally identifiable information) must be removed from orders in our database. I have reviewed the Amazon info on this…
https://docs.developer.amazonservices.com/en_US/dev_guide/DG_DataProtectionPolicy.html

#1 Does anyone have other information on this?
#2 Is the go live date on this accurate?
#3 What issues has it caused with your system? Especially returns?

thanks
Jim Rogan


#2

Please be more specific on this. It would help if you gave the exact quote.

Is the notice talking about the data you can download in the future using the Marketplace Web Service, or is it talking about data you already downloaded before now?

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


#3

https://docs.developer.amazonservices.com/en_US/dev_guide/DG_DataProtectionPolicy.html

under

Data Retention and Recovery.
Developers will retain PII only for the purpose of, and as long as is necessary to fulfill orders (no longer than 30 days after order shipment)

thx
Jim Rogan
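
The 30-day retention rule quoted above, as an added example that is not part of the thread and not Amazon's code: a scheduled scrub over a hypothetical local `orders` table. The table name, its columns, the choice of which columns count as PII, and UTC text timestamps are all assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # policy text: "no longer than 30 days after order shipment"
TS = "%Y-%m-%dT%H:%M:%SZ"  # fixed-width UTC timestamps compare correctly as text
# Assumption: which columns of this hypothetical table count as PII.
PII_COLUMNS = ("buyer_name", "buyer_email", "address_line1")


def scrub_expired_pii(conn, now):
    """Null PII on orders shipped RETENTION_DAYS or more ago; return rows scrubbed."""
    # Order id, SKU and city/zip stay so a later return can still be matched
    # by order id. Orders that have not shipped yet are left untouched.
    cutoff = (now - timedelta(days=RETENTION_DAYS)).strftime(TS)
    sets = ", ".join(f"{c} = NULL" for c in PII_COLUMNS)
    with conn:  # one transaction: every expired row is scrubbed, or none
        cur = conn.execute(
            f"UPDATE orders SET {sets}, pii_scrubbed_at = ? "
            "WHERE shipped_at IS NOT NULL AND shipped_at <= ? "
            "AND pii_scrubbed_at IS NULL",
            (now.strftime(TS), cutoff),
        )
    return cur.rowcount


def overdue_orders(conn, now):
    """Audit check: ids of orders past the cutoff that still hold any PII."""
    cutoff = (now - timedelta(days=RETENTION_DAYS)).strftime(TS)
    has_pii = " OR ".join(f"{c} IS NOT NULL" for c in PII_COLUMNS)
    rows = conn.execute(
        f"SELECT order_id FROM orders WHERE shipped_at <= ? AND ({has_pii})", (cutoff,))
    return sorted(r[0] for r in rows)


def build_demo_db():
    """In-memory table with constructed sample orders (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, sku TEXT, buyer_name TEXT,"
        " buyer_email TEXT, address_line1 TEXT, city TEXT, zip TEXT,"
        " shipped_at TEXT, pii_scrubbed_at TEXT)")
    rows = [  # constructed: shipped 40 days ago, 5 days ago, not yet shipped
        ("A-1", "SKU1", "Ann Example", "ann@example.com", "1 Main St",
         "Seattle", "98101", "2019-07-15T12:00:00Z", None),
        ("A-2", "SKU2", "Bob Example", "bob@example.com", "2 Oak Ave",
         "Austin", "73301", "2019-08-19T12:00:00Z", None),
        ("A-3", "SKU3", "Cy Example", "cy@example.com", "3 Elm Rd",
         "Denver", "80201", None, None),
    ]
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn
```

Backups and exported reports hold their own copies of the same fields and need the same retention window applied to them.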


#4

Jim,

I am familiar with that DPP policy. But that policy does not mention the date Aug 24 2019 that you mentioned. Where are you getting that date from?

Are you using MWS for your own company’s integration or are you providing a service for other sellers?

Please notice the definition of “Developer” as stated in the DPP. It says:

"Developer" means any person or entity (including you, if applicable) that uses the Marketplace APIs for the purpose of integrating or enhancing a third-party Seller’s systems

Focusing on the part that says “for … third-party Seller’s systems”…from a plain reading of the definition of a “developer” it seems to me the rule you mentioned only applies to companies doing development for third-party sellers and therefore does not apply to sellers doing development for themselves. This is an open question in my mind, and it hasn’t been clarified by any Amazon staff members that I have seen on these forums. On the other side of the coin, Amazon is making sellers who are doing their own development apply and go through the same process as third-party developers.

I hope an Amazon staff member comments on this issue for clarification.

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


#5

Interesting distinction about third party vs. internal.

I filled out the survey months ago, with no complaints and just recently lost access to address information - the API just returns city/state/zip and no address or name information.

For a single developer working on an internal system the Data Protection Policy is very very daunting. I don’t want to just lie, but I can’t possibly do everything required therein.

"Developers must build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records)."

We just print shipping labels!

Seems to just be another step in Amazon’s quest to eliminate private sellers from doing their own fulfillment.

Also I’m surprised how little information about this process I’m seeing on this forum - I expected to see many many questions about it but I can see hardly anything.


#6

Although I am completely sympathetic, I’m afraid a more realistic view of the situation is from Amazon’s viewpoint. These rules are difficult, but not impossible (and again I would like to point out how much easier they are when completely hosted on AWS).

Amazon decided this was the easiest way to show governance over “their” customer data. This is probably in no small part a response to recent external regulatory efforts and various consumer protection efforts. There have also been quite a few recent large platform personal consumer data breaches, almost all from third party or contractor vulnerabilities. Amazon has been tightening access to buyer info via seller central for some time, mostly (we assume) because people are abusing it.

Wishful thinking. Challenging the definition of third party on this platform isn’t very convincing.

I’m afraid from any security based Least Privilege Principle, Amazon doesn’t think just printing labels justifies access to the backend API and customer data - unless you think it is important enough to surround it with the designated set of controls. Amazon would probably point out that you can do this from seller central, and from any number of inexpensive third parties that (we assume) have the controls in place. This shouldn’t be a huge thing to fix unless you are also using the customer data for other things.

There are lots and lots of threads and posts on this going back to late 2018; most of them don’t contain many specific questions. Amazon hasn’t done a great job of communicating these changes, so most of the posts are simply in disbelief or protest.