At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 1.1. Your Store and Privacy Law
- 1.2. Facebook's Terms for Business Users
- 2.1. Contact Details for Your Business
- 2.2. Personal Information that You Collect
- 2.3. Your Purposes for Collecting Personal Information
- 2.4. Your Use of Facebook Business Tools
- 3. How You Share Personal Information
- 4. If You're Serving EU or UK Customers
- 4.1. Your Legal Basis for Processing
- 4.2. Identity of the Data Controller
- 4.3. Data Subject Rights
- 4.4. Right to Make a Complaint
- 5. Summary
Perhaps you're a micro-sized business owner, or you just want to sell craft products you make at home. You don't have a legal department. You're not planning to do anything complicated with your customers' personal information.
Yes, you do. The law requires it, and so do privacy laws around the world.
Any sort of online commerce carries risks to customers' personal information. Plus, remember that you're working with Facebook: a company not well-known for its discretion with people's data.
Your Store and Privacy Law
When you sell products via your Facebook or Instagram store, you're collecting and processing your customers' personal information. In fact, you're processing the personal information of anyone who visits your store.
Some activities considered "processing personal information" include:
- Taking payments, whether via Checkout on Facebook or Instagram, or a third-party payment processor
- Collecting your customers' names and mailing addresses
- Using Facebook's Business Tools for advertising or analytics
This brings your business activities within the scope of privacy laws around the world.
Because of the nature of the internet, national privacy laws aren't confined within national borders. If you have or you would like to have customers in any of the following regions, you'll need to comply with the relevant privacy laws:
- United States: There's no federal privacy law in the U.S., but state laws in California and elsewhere apply all over the country.
- United Kingdom: Although the U.K. has now left the EU, it has its own version of the GDPR, plus other relevant laws like the Data Protection Act 2018.
Facebook's Terms for Business Users
Before you sign up to create a Facebook Page as a business, Facebook requires you to agree to its terms. These terms require that you notify your customers of how you collect and use their personal information.
Facebook has many terms for business users. Facebook and Instagram stores are both examples of "Facebook Commerce surfaces," covered by policies including Facebook's Terms of Service, the Commerce Product Seller Agreement, the Facebook Business Tools Terms, and many, many more.
And here's a section of the Facebook Business Tools Terms:
Here you're required to tell people how Facebook collects and uses their personal information for analytics and advertising purposes.
Contact Details for Your Business
First of all, you need to let people know who you are, where you are based, and how they can get in touch with you.
Here's an example from Cake Owls:
If you're offering your products in the EU or the U.K., you'll need to add that you're the "controller" of your customers' personal information. Requirements for businesses operating in the EU and the U.K. are more extensive, as we'll see below.
Personal Information that You Collect
You need to provide a list of all the personal information you collect. Think as broadly as possible. If you have a website, in addition to your Facebook or Instagram store, include details of any personal information you collect on your website, as well.
Personal information means names, addresses, and contact details. But it also means technical data collected from people's devices, like IP addresses, user IDs, and cookie data. For more information, see our article What is Personal Information Under Privacy Laws?
Here's how AerWorx lists all the types of personal information it collects:
If you have a website that uses third-party cookies, you may want to consider creating a separate Cookies Policy.
Your Purposes for Collecting Personal Information
As well as explaining what personal information you collect, you must explain how you use personal information.
For example, you collect credit card information to process payments for your products. You collect shipping addresses, so you know where to send people's purchases.
But you have more complicated purposes for collecting personal information, too. For example, your Facebook Page collects technical data from people's devices. You use this to gain insights into their behaviors in your store and elsewhere on the web. We'll look at how to explain this below.
Here's an example from Collusion, setting out how and why the company uses people's contact details:
Remember: You shouldn't be collecting any personal information unless you have a clear business purpose for doing so.
Your Use of Facebook Business Tools
Here's how Alarmy does this, regarding its use of analytics data provided by Facebook Insights:
If you're serving customers in the EU or the U.K., running a Facebook Page makes you a "joint controller" with Facebook. We'll look at this in more detail below.
How You Share Personal Information
When people submit their personal information to your Facebook or Instagram store, it's shared with Facebook. You probably also share personal information with other third parties, too.
Here's an example from Atlassian:
You don't necessarily need to identify the specific third parties with whom you share personal information. It may be enough to list the types of third parties with whom you share personal information.
If You're Serving EU or UK Customers
When you visit a company's Facebook Page from a country in which the GDPR applies, you'll notice this "Information about Page Insights data" link in the corner:
This link explains how Facebook and the Page admin process personal information as "joint controllers."
In the EU or U.K., if you have a Facebook or Instagram store, you're a Facebook Page admin and your relationship with Facebook is governed by the Page Insights Controller Addendum. This agreement splits the GDPR's responsibilities between you, the Page admin, and Facebook.
Your Legal Basis for Processing
Before processing personal information under the GDPR, you must determine your legal basis for processing.
We won't go into detail regarding the GDPR's six legal bases for processing in this article. We also can't advise on which legal basis is suitable for your processing of Page Insights data. Here are some resources to help you learn more about the GDPR's legal bases.
- Lawful Basis for Processing Under the GDPR
- Three Part Test for Legitimate Interests Under the GDPR
- Cookie Consent: GDPR & EU Cookies Directive
Here's how Daimler identifies its lawful basis for processing Page Insights data:
Identity of the Data Controller
Facebook requires that you specify the "responsible data controller." This means your business.
Here's how Cake Owls does this:
Data Subject Rights
You must inform people of their rights under the GDPR (known as the "data subject rights"). Facebook doesn't explicitly require this, but it is a legal requirement.
The GDPR allows people to request that you let people access and maintain control over the personal information you hold about them. As the data controller, it's your duty to fulfill these rights requests.
- The right to be informed: You must provide people with information about your processing of their personal information.
- The right of access: You must provide a person with access to their personal information on request.
- The right to rectification: You must correct any inaccurate or out-of-date personal information on request.
- The right to erasure: You must erase the personal information you hold about a person on request.
- The right to restrict processing: You must restrict your processing of a person's personal information on request.
- The right to data portability: You must provide a person with a portable, machine-readable copy of their personal information on request.
- The right to object: You must stop processing a person's personal information on request.
- Rights in relation to automated decision making and profiling: People have the right not to be subject to automated processing with legal or similarly significant effects.
None of these rights is absolute: there are exceptions to each of them, and not all will apply in your situation.
For more information, see our article 8 User Rights Under the GDPR.
You must let people know that they can submit a request to exercise their data subject rights to your business. Provide an email address or web form that will enable people to do this.
If you receive a data subject rights request that relates to Facebook Insights data, you must forward this request to Facebook under the Page Insights Controller Addendum.
Right to Make a Complaint
Finally, you must inform people that they have the right to make a complaint to a Data Protection Authority regarding the way you have handled their information.
Here's how Securys does this:
Your Data Protection Authority will vary depending on where you are based, or where you conduct the majority of your business. See our article about Data Protection Authorities for more information.
- Who you are (contact details for your business)
- What personal information you collect
- Your purposes for collecting personal information
- How you use Facebook Business Tools
If you have customers in the EU or U.K., you must also explain:
- Your legal basis for processing personal information
- The identity of the responsible data controller
- Your customers' data subject rights
- The right to make a complaint to a Data Protection Authority