Privacy Policy for Facebook and Instagram Stores

Last updated on 16 November 2021 by Robert Bateman (TermsFeed Privacy and Data Protection Research Writer)

Are you opening a Facebook or Instagram store? If so, you need a Privacy Policy.

To comply with privacy law and with Facebook's terms, you'll need a clear and comprehensive Privacy Policy explaining what personal information you collect, how you use it, and how you share it with Facebook.

In this article, we'll explain everything you need to include in your Privacy Policy so you can hit the ground running with your Facebook and Instagram store.


Do I Really Need a Privacy Policy for This?

Perhaps you're a micro-sized business owner, or you just want to sell craft products you make at home. You don't have a legal department. You're not planning to do anything complicated with your customers' personal information.

Do you really need a Privacy Policy for your Facebook and/or Instagram store?

Yes, you do. Facebook's terms require it, and so do privacy laws around the world.

Any sort of online commerce carries risks to customers' personal information. Plus, remember that you're working with Facebook: a company not well-known for its discretion with people's data.

Your Store and Privacy Law

When you sell products via your Facebook or Instagram store, you're collecting and processing your customers' personal information. In fact, you're processing the personal information of anyone who visits your store.

Some activities considered "processing personal information" include:

  • Taking payments, whether via Checkout on Facebook or Instagram, or a third-party payment processor
  • Collecting your customers' names and mailing addresses
  • Using Facebook's Business Tools for advertising or analytics

This brings your business activities within the scope of privacy laws around the world.

Because of the nature of the internet, national privacy laws aren't confined within national borders. If you have or you would like to have customers in any of the following regions, you'll need to comply with the relevant privacy laws:

  • United States: There's no comprehensive federal privacy law in the U.S., but state laws such as California's (including the CCPA) and Nevada's apply to any business collecting personal information from those states' residents, wherever that business is based.
  • European Union: The EU's General Data Protection Regulation (GDPR) requires any business offering goods or services in the EU to create a Privacy Policy (and much more).
  • United Kingdom: Although the U.K. has now left the EU, it has its own version of the GDPR, plus other relevant laws like the Data Protection Act 2018.
  • Canada: Under the Personal Information Protection and Electronic Documents Act (PIPEDA), practically all private sector companies operating in Canada must create a Privacy Policy.

There are many more regions with general privacy laws requiring businesses to create a Privacy Policy.

Facebook's Terms for Business Users

Before you sign up to create a Facebook Page as a business, Facebook requires you to agree to its terms. These terms require that you notify your customers of how you collect and use their personal information.

Facebook has many terms for business users. Facebook and Instagram stores are both examples of "Facebook Commerce surfaces," covered by policies including Facebook's Terms of Service, the Commerce Product Seller Agreement, the Facebook Business Tools Terms, and many, many more.

You'll find several clauses that require you to create a Privacy Policy throughout these myriad terms. For example, there's this section of Facebook's Pages, Groups and Events Policy:

Facebook Pages Groups and Events Policy: Collecting data from users - Must provide notice section

And here's a section of the Facebook Business Tools Terms:

Facebook Business Tools Terms: Special provisions clause - Provide notice section

Here you're required to tell people how Facebook collects and uses their personal information for analytics and advertising purposes.

The message is clear: You need a Privacy Policy to operate on Facebook's platform. But don't panic: creating a Privacy Policy isn't as complicated as it might seem.

How to Create a Privacy Policy for Your Facebook or Instagram Store

All Facebook or Instagram stores are unique. But there's some information every Privacy Policy needs to cover to ensure it complies with the law and with Facebook's terms.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. At Step 1, select the Website option and click "Next step":

     TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

     You'll be able to instantly access and download your new Privacy Policy.

Here's the information you need to provide to ensure your Privacy Policy meets the required standards.

Contact Details for Your Business

First of all, you need to let people know who you are, where you are based, and how they can get in touch with you.

Here's an example from Cake Owls:

Cake Owls Privacy Policy: Contact details clause

If you're offering your products in the EU or the U.K., you'll need to add that you're the "controller" of your customers' personal information. Requirements for businesses operating in the EU and the U.K. are more extensive, as we'll see below.

Personal Information that You Collect

You need to provide a list of all the personal information you collect. Think as broadly as possible. If you have a website, in addition to your Facebook or Instagram store, include details of any personal information you collect on your website, as well.

Personal information means names, addresses, and contact details. But it also means technical data collected from people's devices, like IP addresses, user IDs, and cookie data. For more information, see our article What is Personal Information Under Privacy Laws?

Here's how AerWorx lists all the types of personal information it collects:

AerWorx Privacy Policy: What Personal Data does Pastureworx process clause

If you have a website that uses third-party cookies, you may want to consider creating a separate Cookies Policy.

Your Purposes for Collecting Personal Information

As well as explaining what personal information you collect, you must explain how you use personal information.

For example, you collect credit card information to process payments for your products. You collect shipping addresses, so you know where to send people's purchases.

But you have more complicated purposes for collecting personal information, too. For example, your Facebook Page collects technical data from people's devices. You use this to gain insights into their behaviors in your store and elsewhere on the web. We'll look at how to explain this below.

Here's an example from Collusion, setting out how and why the company uses people's contact details:

Collusion Privacy Policy: How we use your personal information - chart

Remember: You shouldn't be collecting any personal information unless you have a clear business purpose for doing so.

Your Use of Facebook Business Tools

Your Facebook or Instagram store uses Facebook Business Tools. Under the terms of use for these products, you need to explain how they work in your Privacy Policy.

Here's how Alarmy does this, regarding its use of analytics data provided by Facebook Insights:

Alarmy Privacy Policy: Facebook Insights clause

If you're serving customers in the EU or the U.K., running a Facebook Page makes you a "joint controller" with Facebook in respect of Page Insights data. We'll look at this in more detail below.

How You Share Personal Information

When people submit their personal information to your Facebook or Instagram store, it's shared with Facebook. You probably share personal information with other third parties as well, such as payment processors and shipping companies.

Your Privacy Policy should set out how and why you share personal information with third parties.

Here's an example from Atlassian:

Atlassian Privacy Policy: Sharing with third parties clause

You don't necessarily need to identify the specific third parties with whom you share personal information. It may be enough to list the types of third parties with whom you share personal information.

If You're Serving EU or UK Customers

The Privacy Policy requirements we've set out above are the bare minimum and should be sufficient if you only serve customers in the United States. If you're based in or have customers in the EU or the U.K., you'll need to comply with the GDPR's (and the U.K. GDPR's) more extensive Privacy Policy requirements.

When you visit a company's Facebook Page from a country in which the GDPR applies, you'll notice this "Information about Page Insights data" link in the corner:

H and M United Kingdom Facebook Page with Insights Data highlighted

This link explains how Facebook and the Page admin process personal information as "joint controllers."

In the EU or U.K., if you have a Facebook or Instagram store, you're a Facebook Page admin and your relationship with Facebook is governed by the Page Insights Controller Addendum. This agreement splits the GDPR's responsibilities between you, the Page admin, and Facebook.

Here are some additional sections you should include in your Privacy Policy to comply with your side of this agreement.

Legal Basis for Processing

Before processing personal information under the GDPR, you must determine your legal basis for processing.

We won't go into detail regarding the GDPR's six legal bases for processing in this article. We also can't advise on which legal basis is suitable for your processing of Page Insights data. Here are some resources to help you learn more about the GDPR's legal bases.

Here's how Daimler identifies its lawful basis for processing Page Insights data:

Daimler Privacy Policy: Facebook Page Insights Data clause

Identity of the Data Controller

Facebook requires that you specify the "responsible data controller." This means your business.

Here's how Cake Owls does this:

Cake Owls Privacy Policy: Controller clause

Data Subject Rights

You must inform people of their rights under the GDPR (known as the "data subject rights"). Facebook doesn't explicitly require this, but it is a legal requirement.

The GDPR gives people the right to access, and to exercise control over, the personal information you hold about them. As the data controller, it's your duty to fulfill these rights requests.

Here are the eight GDPR data subject rights. You must list these in your Privacy Policy, along with a brief explanation of each, even if you don't believe they are all relevant to your business:

  • The right to be informed: You must provide people with information about your processing of their personal information.
  • The right of access: You must provide a person with access to their personal information on request.
  • The right to rectification: You must correct any inaccurate or out-of-date personal information on request.
  • The right to erasure: You must erase the personal information you hold about a person on request.
  • The right to restrict processing: You must restrict your processing of a person's personal information on request.
  • The right to data portability: You must provide a person with a portable, machine-readable copy of their personal information on request.
  • The right to object: You must stop processing a person's personal information on request.
  • Rights in relation to automated decision making and profiling: People have the right not to be subject to automated processing with legal or similarly significant effects.

None of these rights is absolute: there are exceptions to each of them, and not all will apply in your situation.

For more information, see our article 8 User Rights Under the GDPR.

You must let people know that they can submit a request to exercise their data subject rights to your business. Provide an email address or web form that will enable people to do this.

If you receive a data subject rights request that relates to Facebook Insights data, you must forward this request to Facebook under the Page Insights Controller Addendum.

Right to Make a Complaint

Finally, you must inform people that they have the right to make a complaint to a Data Protection Authority regarding the way you have handled their information.

Here's how Securys does this:

Securys Privacy Policy: Right to make a complaint clause

Your Data Protection Authority will vary depending on where you are based, or where you conduct the majority of your business. See our article about Data Protection Authorities for more information.

Summary

Your Facebook or Instagram store needs a Privacy Policy to help your customers understand how you process their personal information. You also need a Privacy Policy to comply with Facebook's terms and the law.

Your Privacy Policy must explain:

  • Who you are (contact details for your business)
  • What personal information you collect
  • Your purposes for collecting personal information
  • How you use Facebook Business Tools

If you have customers in the EU or U.K., you must also explain:

  • Your legal basis for processing personal information
  • The identity of the responsible data controller
  • Your customers' data subject rights
  • The right to make a complaint to a Data Protection Authority

Robert Bateman

TermsFeed Privacy and Data Protection Research Writer

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.