Privacy Policy for BigCommerce Stores

BigCommerce is an eCommerce software company that produces shopping cart software - a program that you can integrate into your website to allow visitors to make purchases.

By turning browsers into buyers, shopping cart software carries out a crucially important function on your website and also handles personal data on your customers' behalf.

Because you'll be working with payment information, using shopping cart software such as BigCommerce on your website is a big responsibility. It means you'll need to take some extra steps to ensure you are being transparent with your customers about how you and BigCommerce keep information safe.


BigCommerce Users Need a Privacy Policy

If your company handles personal data in any way - for example by taking customer payments online - you need a Privacy Policy. In many places, a Privacy Policy is mandatory for any commercial business - you are legally required to have one.

What's a Privacy Policy?

A Privacy Policy is your company's opportunity to tell your customers:

  • What sorts of personally identifiable information (also called personal data) you collect from them.
  • How this data is collected, stored and used.
  • Which other organizations or types of organizations you might be sharing this data with.
  • How they can request to access or change this data.

A Privacy Policy is Required by Law

Here are some examples of legal jurisdictions that require companies who are processing personal data (anything that can be used to identify an individual) to have a Privacy Policy:

California

California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act 2003 (CalOPPA) requires companies operating a commercial website to have an easily accessible Privacy Policy. This Privacy Policy must, among other things:

  • Explain what sorts of personal information the website collects.
  • Explain how users can ask for their personal data to be changed.
  • Let users know how changes to the Policy will be communicated.

The European Union (EU)

EU General Data Protection Directive

Privacy law in the EU is very highly developed, and the personal privacy of EU citizens is highly protected. The EU recently introduced the General Data Protection Regulation (GDPR). Companies breaching the GDPR (no matter where they're based) can receive huge fines (up to €20 million or 4 percent of global turnover).

Art. 12(1) of the GDPR states:

"The controller shall take appropriate measures to provide any information [...] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language."

Canada

Canada's Personal Information Protection and Electronic Documents Act

The main privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada states that under PIPEDA,

"information about an organization's privacy policies and practices must be readily available to individuals upon request."

A Privacy Policy is Required by BigCommerce

BigCommerce has a Terms of Service agreement, which also incorporates various other policies and agreements. All users of its shopping cart software must agree to these terms.

Let's take a look at BigCommerce's Acceptable Use Policy Section 1.1:

BigCommerce Acceptable Use Policy: Prohibited Activities/Content clause

This means that you can only use BigCommerce's software if you obey the laws of whichever country your website is operating in.

Aside from the general legal requirement to display a Privacy Policy, BigCommerce's Privacy Policy (also incorporated into its Terms of Service) states:

BigCommerce Privacy Policy: Merchants clause - highlighted

So if you want to use a BigCommerce service on your company's website, you need a legally compliant Privacy Policy.

TermsFeed Privacy Policy Generator: How to Create a Privacy Policy for Your Website

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer the questions about your website and click "Next step" when finished:

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.


How to Make Your Privacy Policy Comply with BigCommerce's Terms

As we've seen, having a Privacy Policy is essential to comply with many privacy laws. It's also a great way for you to ensure that:

  • Your company can be sure that it's keeping its customers' data safe.
  • Your company has systems in place so it can fulfil any data access or modification requests.
  • Your company appears professional and transparent.

Different privacy laws have different requirements about what a Privacy Policy should cover. Broadly speaking, the GDPR is the most stringent privacy law in the world. Therefore, if you want to ensure that your company has an exemplary Privacy Policy, you can aim toward GDPR-compliance.

The guidance below covers things that your company should include in its Privacy Policy if it's a BigCommerce merchant (i.e. it uses a BigCommerce store on its website). You may also need to include other information depending on the nature of your company.

Security of Payment Details

BigCommerce's Terms of Service states:

BigCommerce Terms of Service: Payment Cards clause

This is important. If your website uses a BigCommerce store then your customers will be handing over their credit card details to BigCommerce.

You'll need to communicate this to your customers to comply with privacy laws.

For example, California's "Shine the Light" law (Cal. Civil Code §§ 1798.83-1798.84) requires companies to disclose on request the details of any third parties with whom they share California residents' data.

Your company must let your customers know that their personal data (for example their credit card information) is being sent to a third party - BigCommerce - who will process it on your company's behalf.

Let's take a look at how toy retailer and BigCommerce merchant ToyWiz handles this in its Privacy Policy:

ToyWiz Privacy Policy: How do we process your information clause

This is a very transparent approach, which goes above and beyond what is technically required. ToyWiz specifically names BigCommerce and goes to some lengths to reassure its customers about BigCommerce's compliance with data protection regulations.

Hush Puppies, which also uses a BigCommerce store platform, takes a different approach:

Hush Puppies Privacy Policy: How we may share personal information with service providers, business partners and vendors or third parties clause

Hush Puppies is also very transparent here and lists every type of organization with which it may be sharing customers' data. However, it doesn't name BigCommerce specifically. This is perfectly acceptable, so long as the company is willing to give this information on request.

Privacy Shield

BigCommerce participates in the EU-US Privacy Shield program. In 2016, the European Commission formally decided that this program was a suitable way of transferring data from the EU to the US. You may wish to mention this in your Privacy Policy if you are serving customers based in the EU.

Here's how BigCommerce user Brock's Performance addresses this in its Privacy Policy:

Brock's Performance Privacy Policy: How do we process your information clause

Security of Browser Information

Privacy laws have implications for your use of your customers' browser information via tools such as cookies. Recital 30 of the GDPR explains why:

"Natural persons may be associated with online identifiers provided by their devices, [...] such as internet protocol addresses, cookie identifiers or other identifiers [...]. This may leave traces [...] may be used to create profiles of the natural persons and identify them."

This means that because cookies track browsing habits and collect login details, they could potentially be used to identify your customers. Therefore, cookies and other browser information can constitute personal data, and thus fall within the ambit of privacy laws like the GDPR.

Let's see what BigCommerce has to say about how it treats the browser information of your customers (whom BigCommerce calls "Shoppers"). This information is presented in BigCommerce's Privacy Policy.

BigCommerce Privacy Policy: Shoppers and information collected clause

BigCommerce is clear that they do process browser information via their shopping cart software. This means that if you have a BigCommerce store on your website, your Privacy Policy must mention that your customers' browser information will be processed.

Ford UK uses the BigCommerce platform. While BigCommerce is not specifically mentioned in its Privacy Policy, Ford UK has an extremely comprehensive approach to communicating information about its use of cookies. It provides its own Cookie Policy:

Ford UK Cookie Policy intro screenshot

Ford UK's Cookies Policy helpfully explains how customers can disable cookies:

Ford UK Cookie Policy: Controlling and deleting cookies clause

Here's how BigCommerce merchant Andie Swim explains its use of cookies in its Privacy Policy:

Andie Swim Privacy Policy: Cookies clause

Here's another example from BigCommerce merchant CharliChair:

CharliChair Privacy Policy: Essential information we collect clause

"Do Not Track" (DNT) Signals

Some browsers contain a setting known as Do Not Track (DNT) which, when enabled, signals users' preference not to be tracked via cookies and other such mechanisms. There is no legal requirement for websites to obey DNT signals.

CalOPPA, however, requires that companies:

"Disclose how the operator responds to Web browser "do not track" signals [...]"

BigCommerce complies with this requirement in Section 10 of its own Privacy Policy:

BigCommerce Privacy Policy: Do Not Track signals section

Because BigCommerce states (earlier in this section) that their non-acknowledgement of DNT signals applies both to their website and their services, you'll need to include reference to this in your Privacy Policy if you need to ensure compliance with CalOPPA.

Abandoned Shopping Cart Feature

Imagine the following scenario: a customer is shopping on your company's website. He creates an account, finds a product he's interested in and clicks "Add to Cart." Then his phone rings, or his baby starts crying, or his boss looks over his shoulder, and he abandons the purchase.

BigCommerce has a helpful service where it will email a customer who has abandoned a shopping cart to remind them to complete the purchase. You might be wondering if this complies with the GDPR and other data laws, which have been interpreted as requiring a strong opt-in for receipt of direct marketing emails.

BigCommerce addresses this in its GDPR information and FAQs:

BigCommerce GDPR FAQ: Abandoned shopping cart feature section

Here's how BigCommerce merchant Mineheart explains this in its Privacy Policy:

Mineheart Privacy Policy: Partial purchases clause

Details About Consent

Privacy laws require companies who are processing certain types of personal data to seek consent from their customers. The GDPR is well-known for being strict about how and when companies must gain the consent of their customers. You should comply with a high standard of privacy even if you don't have customers in the EU.

All BigCommerce Users

BigCommerce requires all of its merchants to seek consent to process the personal data of their customers, under Section 3.1.b of its Privacy Policy:

BigCommerce Privacy Policy: Merchants obtain informed consent clause

The UK's data protection authority, the Information Commissioner's Office (ICO), publishes guidance about what UK companies should include in a GDPR-compliant Privacy Policy.

They offer this advice:

ICO UK Privacy Notice Checklist for when relying on consent

This is how BigCommerce merchant Stamp'n'Storage displays the information about consent in its Privacy Policy:

Stamps-n-Storage Privacy and Return Policy: Order information you expressly provide clause

BigCommerce Users Who Process Sensitive Data

Certain types of personal data are known as sensitive personal data or special category data. There is no fixed definition of what constitutes Sensitive Personal Data under US law, but it is clearly defined in Article 9 of the GDPR:

"racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation [,...]"

BigCommerce explicitly mentions merchants that collect sensitive personal data and requires them to obtain affirmative, explicit and informed consent, as well as allow shoppers to revoke their consent:

BigCommerce Privacy Policy: Sensitive personal data and shoppers consent requirement clause

Here's how Carlsberg explains its policy on processing sensitive personal data:

Carlsberg Privacy Policy: Sensitive personal data clause

You will need to provide contact details via which your customers can revoke (withdraw) their consent, or make other requests regarding their data. This can be your Data Protection Officer (DPO) if you have one, or just your general contact details if you don't.

Your Privacy Policy as a BigCommerce User

To use a BigCommerce store on your company's website, you'll need to display a Privacy Policy which:

  • Is compliant with the privacy law of whichever countries or jurisdictions you're operating in.
  • Lets your customers know that their personal data will be shared with a third party.
    • You don't need to specify that this third party is BigCommerce, but there's no reason not to.
  • Explains the way that BigCommerce uses their browser information such as cookies.
    • You should mention how your store handles Do Not Track signals, especially if you serve California residents.
    • You should mention that your customers can opt out of the Abandoned Shopping Cart feature, especially if you serve EU citizens.
  • You should seek consent from your customers to process their personal data, and explain this in your Privacy Policy.
    • If your company processes sensitive personal data, you should explain your basis for doing this.
    • You should explain that it is possible for your customers to withdraw their consent, and provide your company's contact details in case they wish to do this.
Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.