BigCommerce is an eCommerce software company that produces shopping cart software - a program that you can integrate into your website to allow visitors to make purchases.
By turning browsers into buyers, shopping cart software carries out a crucially important function on your website and also handles personal data on your customers' behalf.
Because you'll be working with payment information, using shopping cart software such as BigCommerce on your website is a big responsibility. It means you'll need to take some extra steps to ensure you are being transparent with your customers about how you and BigCommerce keep information safe, including:
- What sorts of personally identifiable information (also called personal data) you collect from them.
- How this data is collected, stored and used.
- Which other organizations or types of organizations you might be sharing this data with.
- How they can request to access or change this data.
- Explain what sorts of personal information the website collects.
- Explain how users can ask for their personal data to be changed.
- Let users know how changes to the Policy will be communicated.
The European Union (EU)
Privacy law in the EU is very highly developed, and the personal privacy of EU citizens is highly protected. The EU recently introduced the General Data Protection Regulation (GDPR). Companies breaching the GDPR (no matter where they're based) can receive huge fines (up to €20 million or 4 percent of global turnover).
Art. 12(1) of the GDPR states:
"The controller shall take appropriate measures to provide any information [...] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
The main privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada states that under PIPEDA,
"information about an organization's privacy policies and practices must be readily available to individuals upon request."
BigCommerce has a Terms of Service agreement, which also incorporates various other policies and agreements. All users of its shopping cart software must agree to these terms.
Let's take a look at BigCommerce's Acceptable Use Policy Section 1.1:
This means that you can only use BigCommerce's software if you obey the laws of whichever country your website is operating in.
- Your company can be sure that it's keeping its customers' data safe.
- Your company has systems in place so it can fulfil any data access or modification requests.
- Your company appears professional and transparent.
Security of Payment Details
BigCommerce's Terms of Service states:
This is important. If your website uses a BigCommerce store then your customers will be handing over their credit card details to BigCommerce.
You'll need to communicate this to your customers to comply with privacy laws.
For example, California's "Shine the Light" law (Cal. Civil Code §§ 1798.83-1798.84) requires companies to disclose on request the details of any third parties with whom they share California residents' data.
Your company must let your customers know that their personal data (for example their credit card information) is being sent to a third party - BigCommerce - who will process it on your company's behalf.
This is a very transparent approach, which goes above and beyond what is technically required. ToyWiz specifically names BigCommerce and goes to some lengths to reassure its customers about BigCommerce's compliance with data protection regulations.
Hush Puppies, which also uses a BigCommerce store platform, takes a different approach:
Hush Puppies is also very transparent here and lists every type of organization with which it may share customers' data. However, it doesn't name BigCommerce specifically. This is perfectly acceptable, so long as the company is willing to give this information on request.
Security of Browser Information
Privacy laws have implications for your use of your customers' browser information via tools such as cookies. Recital 30 of the GDPR explains why:
"Natural persons may be associated with online identifiers provided by their devices, [...] such as internet protocol addresses, cookie identifiers or other identifiers [...]. This may leave traces [...] may be used to create profiles of the natural persons and identify them."
Ford UK's Cookies Policy helpfully explains how customers can disable cookies:
Here's another example from BigCommerce merchant CharliChair:
"Do Not Track" (DNT) Signals
Some browsers contain a setting known as Do Not Track (DNT) which, when enabled, signals the user's preference not to be tracked via cookies and other such mechanisms. There is no legal requirement for websites to obey DNT signals.
CalOPPA, however, requires that companies:
"Disclose how the operator responds to Web browser "do not track" signals [...]"
Imagine the following scenario: a customer is shopping on your company's website. He creates an account, finds a product he's interested in and clicks "Add to Cart." Then his phone rings, or his baby starts crying, or his boss looks over his shoulder, and he abandons the purchase.
BigCommerce has a helpful service where it will email a customer who has abandoned a shopping cart to remind them to complete the purchase. You might be wondering if this complies with the GDPR and other data laws, which have been interpreted as requiring a strong opt-in for receipt of direct marketing emails.
BigCommerce addresses this in its GDPR information and FAQs:
Details About Consent
Privacy laws require companies who are processing certain types of personal data to seek consent from their customers. The GDPR is well-known for being strict about how and when companies must gain the consent of their customers. You should comply with a high standard of privacy even if you don't have customers in the EU.
All BigCommerce Users
They offer this advice:
BigCommerce Users Who Process Sensitive Data
Certain types of personal data are known as sensitive personal data or special category data. There is no fixed definition of what constitutes Sensitive Personal Data under US law, but it is clearly defined in Article 9 of the GDPR:
"racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation [,...]"
BigCommerce explicitly mentions merchants that collect sensitive personal data and requires them to obtain affirmative, explicit and informed consent, as well as allow shoppers to revoke their consent:
Here's how Carlsberg explains its policy on processing sensitive personal data:
You will need to provide contact details via which your customers can revoke (withdraw) their consent, or make other requests regarding their data. This can be your Data Protection Officer (DPO) if you have one, or just your general contact details if you don't.
- Is compliant with the privacy law of whichever countries or jurisdictions you're operating in.
- Lets your customers know that their personal data will be shared with a third party.
- You don't need to specify that this third party is BigCommerce, but there's no reason not to.
- Explains the way that BigCommerce uses your customers' browser information such as cookies.
- You should mention how your store handles Do Not Track signals, especially if you serve California residents.
- You should mention that your customers can opt out of the Abandoned Shopping Cart feature, especially if you serve EU citizens.
- If your company processes sensitive personal data, you should explain your basis for doing this.
- You should explain that it is possible for your customers to withdraw their consent, and provide your company's contact details in case they wish to do this.