Privacy Policy for Dropshipping

If you own or operate a dropshipping store, you will need to have and display a Privacy Policy.

Since most dropshipping companies accept and ship orders worldwide, there's a high probability that you will need to abide by privacy and data protection laws. A considerable part of that is ensuring that your company's website has a Privacy Policy.

This article discusses the requirements dropshippers need to keep in mind and what clauses and sections to include when writing a compliant Privacy Policy. It also addresses where to display your Privacy Policy and how to get consent to it.

Why Your Dropshipping Company Needs a Privacy Policy

In addition to the fact that Privacy Policies are now required by major privacy and data protection laws worldwide, they also protect dropshipping company owners from liability. Let's talk about specifics.

You're Collecting Personally Identifiable Information

When someone purchases a product from you online, they give you personal information that identifies them. Because you collect that personal information when your customers make a purchase, privacy laws now demand that you include a publicly posted Privacy Policy on your website. Even if you don't have a website, you still need to post a Privacy Policy in a prominent location in your store or office's physical location.

Under privacy laws, personal information includes all data used to locate, identify, or contact an individual. Just some of the kinds of data that can be considered "personal information" includes the following:

• Credit card numbers
• Screen names
• Telephone numbers
• Biometric data
• IP addresses
• Physical addresses
• Sexual orientation
• Date of birth
• Political affiliations
• Religious affiliations
• Full names
• Passport numbers

Now, this isn't a complete list of the kinds of data that comprises "personal information" under the law, but you get the idea.

Many Laws Require a Privacy Policy

Laws that require a Privacy Policy are now found in virtually every country worldwide. Here's a brief overview of them:

• The General Data Protection Regulation (GDPR): The GDPR governs all processing of personal information inside the European Union (EU). If you do business with residents of any country within the EU, then you are required to abide by the GDPR's rules and regulations whether you have offices in the EU or not. In order to comply with the GDPR, you must have a GDPR-compliant Privacy Policy posted in a place that customers can easily access and written in straightforward language.
• The California Online Privacy Protection Act (CalOPPA) and The California Consumer Privacy Act (CCPA/CPRA) both demand that if a company does business with residents of the State of California and collects personal information, it must post a Privacy Policy on its website.
• The Data Protection Act 1998 (DPA) is the UK's privacy law, which demands that companies be informative and transparent in collecting and using personal information. The only way to comply with those two requirements is to use a Privacy Policy.
• The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's privacy law that requires a Privacy Policy.
• Australia demands that companies have a Privacy Policy through the Privacy Act of 1988
• Several Asian countries, including South Korea, Singapore, Vietnam, and Malaysia, all have personal data protection acts (PDPAs) that also require companies to have a PP.

Protect Yourself from Liability

You also need a Privacy Policy for your dropshipping company to protect it from liability. Imagine that there were no laws requiring that you have a Privacy Policy. In that case, you could still face a lawsuit if customers believed that you mishandled their data. Even if you did nothing wrong, there's a strong possibility that you'd end up having to fight a legal battle that would cost you in terms of both time and money.

Since most major countries have enacted privacy legislation, if you continued doing business without complying and a customer decided to take you to court, you'd be up a creek without a paddle. You would be completely unprotected.

However, with a proper Privacy Policy in place, you have a measure of protection from liability. When a customer accepts your Privacy Policy, they authorize all data practices that you iterate within the document. By accepting your Privacy Policy, the customer removes any cause of action they may have had against you.

Drafting Your Privacy Policy

There are just a few things to keep in mind when drafting your dropshipping Privacy Policy:

• Always write your Privacy Policy in a language that a majority of people can understand. In general, it's suggested that you stay away from legalese and industry-specific jargon and write so that those with a sixth-grade education can easily understand.
• Customize your Privacy Policy for your own business. A cookie-cutter template is better than nothing, but a dropshipping company collects different info than, say, a construction company. Write your Privacy Policy so that it reflects your company's real-life data collection, use, storage, and safety practices.
• Use clear headings and structure your Privacy Policy so that it's easy for customers to scan it for the precise information they need. Think about including bulleted lists or an FAQ if appropriate.

The following provisions can help you to remain in compliance with international privacy laws. Remember to write the Privacy Policy in clear and simple language, that you post it in a prominent location, and that you obtain explicit consent from your customers.

The following provisions are all things you should include in a proper dropshipping Privacy Policy.

The Information You Collect

Just about every Privacy Policy in existence starts by describing the kind of data the company collects. It's a best practice to be as specific as possible when declaring the categories and types of personal data you gather from customers.

For instance, if you collect names, email addresses, telephone numbers, and credit card numbers when someone makes a purchase, you need to let your customers know that.

This is how Sunrise Wholesale lists the kind of information it collects:

Here's an example that has more details and information in an organized format:

How the Information is Collected and Used

Some Privacy Policies include the "how" with the "what" of data collection in the same section. However, others separate the "how' in a section all to itself. Again, being as specific as possible is better than talking in generalities.

Here's an example of a clause disclosing this:

You should be as transparent as possible and let your customers know the precise steps your company takes to acquire their information. Note that some privacy laws are stricter than others. For example, the GDPR requires you to list within your Privacy Policy every procedure you have to collect data.

Disclose how it will be used as well, as seen here:

Information You Disclose or Share

Remember that some companies share personal data with third parties with whom they are affiliated. Sometimes they do so as a matter of legal process. Occasionally personal data is sold to third parties, too. You need to detail what information is shared or sold and under what circumstances. You should also be as clear as possible about the nature and identities of the third parties with whom you share information.

Here's how ASI, an IT and software dropshipping company, discloses this information.

Here's another example with additional details and information:

How Customers Can Update and Access Information

Under current privacy laws, customers have the right to access the private information you've collected from them. They also have the right to correct it if it's not right, and they also have the right to have you delete that information.

Your Privacy Policy must reiterate these customer rights. It must also outline the process they must go through to take advantage of those rights.

Here's an excerpt of a clause dislcosing rights:

Many dropshipping companies comply with the law simply by letting their customers know that they have these rights and giving some information on how they can be exercised.

Shopify lets customers know how this information via a detailed clause seen below:

How You Protect Personal Information

Another section you'll want to include in your dropshipping Privacy Policy is how you protect your customer's information. What security measures for data do you have in place? If you have a specific security policy and any specific security methods you use (encryption, data masking, tokenization), you should mention those things.

It's a good practice to have a plan to ensure that you keep the data security practices you outline in your Privacy Policy. Data breaches are a serious matter and can cost you dearly should they occur.

Teledynamics lists how it protects customer data like this:

List Procedures for Opting Out

You're required to give customers a way to say "no" to accepting emails, cookies, and other communication and data collection efforts, as well as sharing and selling of personal data. If you don't provide your customers with a straightforward way to opt out of your communications or data collecting efforts, you're opening yourself up to liability. You could face significant fines.

Here's an example of how to disclose this:

Providing a way to opt-out also shows your customers respect. Just because they bought something from you once doesn't mean they are obligated to receive your marketing messages until the end of time.

Showing that kind of respect increases the likelihood that customers will retain a positive image of your brand even if they don't want you communicating with them right now.

Your Privacy Policy should outline the way in which your customers can refuse your promotions. Additionally, you should provide a specific email address, telephone number, or both so that customers can get in touch if anything goes wrong with their opt-out request and they end up still receiving your materials, etc.

Here's how Shopify let's people know that they can opt out of allowing tracking cookies to be placed on their devices:

Updates to Your Privacy Policy and Update Notifications

Laws change and so do company practices. If either are altered in any way, you should reflect those changes in updates to your dropshipping Privacy Policy.

Moreover, any time you update your Privacy Policy, you should also notify your customers of that fact. Your Privacy Policy should also outline your notification methods.

Include a clause similar to the following to reserve your right to update your Privacy Policy, and let users know how you'll notify them of material updates:

Displaying and Getting Consent for Your Dropshipping Privacy Policy

Your dropshipping Privacy Policy needs to be placed in a conspicuous location. A lot of dropshipping companies place their Privacy Policies in the footer of their website. In this way, no matter what page the customer visits, they will always be able to access the Privacy Policy.

You also need to consider how to get users to agree to your Privacy Policy. The most common and highly recommended method is to use an "I Agree" checkbox.

Place a link to your Privacy Policy in your website's footer, and anywhere where personal information is requested. For example, at the bottom of account registration and ecommerce checkout forms.

Here's an example of a Privacy Policy linked to a site footer:

Here's how you can display a Privacy Policy and get consent to it while users sign up for an account:

Summary

Privacy laws enacted by countries all over the world now require companies to have a Privacy Policy. Dropshipping companies are no exception. If your dropshipping company collects and uses its customers' private, personal information, then a Privacy Policy is mandatory.

Personal information includes such things as first and last names, email addresses, login information, telephone numbers, physical addresses, social security numbers, credit card information, and more.

When drafting your Privacy Policy, you must ensure that you write it in clear and simple language. You must place it in a conspicuous, prominent location on your website.

The following clauses and sections should be included in your Privacy Policy:

• What personal information is collected, why the data is collected, and how the information is used
• How personal information is collected
• What types and categories of personal information are shared with third parties
• Whether personal information is sold
• How customers can access their information, correct it, or have it deleted
• How you protect your customers' personal information
• How customers can opt-out of communications or data collection efforts
• Detail your policies on updating your PP and how you notify customers when updates occur

Finally, recall that while a Privacy Policy is required by law, it's an excellent way to help build trust with your dropshipping customers. Remember that people buy from companies they know, like, and trust at the end of the day.

Having a Privacy Policy shows customers that you respect them and that you have systems and processes in place to handle their valuable, private information responsibly.