Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Perhaps you're a micro-sized business owner, or you just want to sell craft products you make at home. You don't have a legal department. You're not planning to do anything complicated with your customers' personal information.
Yes, you do. The law requires it, and so do privacy laws around the world.
Any sort of online commerce carries risks to customers' personal information. Plus, remember that you're working with Facebook: a company not well-known for its discretion with people's data.
When you sell products via your Facebook or Instagram store, you're collecting and processing your customers' personal information. In fact, you're processing the personal information of anyone who visits your store.
Some activities considered "processing personal information" include:
This brings your business activities within the scope of privacy laws around the world.
Because of the nature of the internet, national privacy laws aren't confined within national borders. If you have or you would like to have customers in any of the following regions, you'll need to comply with the relevant privacy laws:
Before you sign up to create a Facebook Page as a business, Facebook requires you to agree to its terms. These terms require that you notify your customers of how you collect and use their personal information.
Facebook has many terms for business users. Facebook and Instagram stores are both examples of "Facebook Commerce surfaces," covered by policies including Facebook's Terms of Service, the Commerce Product Seller Agreement, the Facebook Business Tools Terms, and many, many more.
And here's a section of the Facebook Business Tools Terms:
Here you're required to tell people how Facebook collects and uses their personal information for analytics and advertising purposes.
First of all, you need to let people know who you are, where you are based, and how they can get in touch with you.
Here's an example from Cake Owls:
If you're offering your products in the EU or the U.K., you'll need to add that you're the "controller" of your customers' personal information. Requirements for businesses operating in the EU and the U.K. are more extensive, as we'll see below.
You need to provide a list of all the personal information you collect. Think as broadly as possible. If you have a website, in addition to your Facebook or Instagram store, include details of any personal information you collect on your website, as well.
Personal information means names, addresses, and contact details. But it also means technical data collected from people's devices, like IP addresses, user IDs, and cookie data. For more information, see our article What is Personal Information Under Privacy Laws?
Here's how AerWorx lists all the types of personal information it collects:
If you have a website that uses third-party cookies, you may want to consider creating a separate Cookies Policy.
As well as explaining what personal information you collect, you must explain how you use personal information.
For example, you collect credit card information to process payments for your products. You collect shipping addresses, so you know where to send people's purchases.
But you have more complicated purposes for collecting personal information, too. For example, your Facebook Page collects technical data from people's devices. You use this to gain insights into their behaviors in your store and elsewhere on the web. We'll look at how to explain this below.
Here's an example from Collusion, setting out how and why the company uses people's contact details:
Remember: You shouldn't be collecting any personal information unless you have a clear business purpose for doing so.
Here's how Alarmy does this, regarding its use of analytics data provided by Facebook Insights:
If you're serving customers in the EU or the U.K., running a Facebook Page makes you a "joint controller" with Facebook. We'll look at this in more detail below.
When people submit their personal information to your Facebook or Instagram store, it's shared with Facebook. You probably also share personal information with other third parties, too.
Here's an example from Atlassian:
You don't necessarily need to identify the specific third parties with whom you share personal information. It may be enough to list the types of third parties with whom you share personal information.
When you visit a company's Facebook Page from a country in which the GDPR applies, you'll notice this "Information about Page Insights data" link in the corner:
This link explains how Facebook and the Page admin process personal information as "joint controllers."
In the EU or U.K., if you have a Facebook or Instagram store, you're a Facebook Page admin and your relationship with Facebook is governed by the Page Insights Controller Addendum. This agreement splits the GDPR's responsibilities between you, the Page admin, and Facebook.
Before processing personal information under the GDPR, you must determine your legal basis for processing.
We won't go into detail regarding the GDPR's six legal bases for processing in this article. We also can't advise on which legal basis is suitable for your processing of Page Insights data. Here are some resources to help you learn more about the GDPR's legal bases.
Here's how Daimler identifies its lawful basis for processing Page Insights data:
Facebook requires that you specify the "responsible data controller." This means your business.
Here's how Cake Owls does this:
You must inform people of their rights under the GDPR (known as the "data subject rights"). Facebook doesn't explicitly require this, but it is a legal requirement.
The GDPR allows people to request that you let people access and maintain control over the personal information you hold about them. As the data controller, it's your duty to fulfill these rights requests.
None of these rights is absolute: there are exceptions to each of them, and not all will apply in your situation.
For more information, see our article 8 User Rights Under the GDPR.
You must let people know that they can submit a request to exercise their data subject rights to your business. Provide an email address or web form that will enable people to do this.
If you receive a data subject rights request that relates to Facebook Insights data, you must forward this request to Facebook under the Page Insights Controller Addendum.
Finally, you must inform people that they have the right to make a complaint to a Data Protection Authority regarding the way you have handled their information.
Here's how Securys does this:
Your Data Protection Authority will vary depending on where you are based, or where you conduct the majority of your business. See our article about Data Protection Authorities for more information.
If you have customers in the EU or U.K., you must also explain:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022