Your new auction website is almost ready to launch, but you don't have your Privacy Policy in place. Without a Privacy Policy that satisfies all applicable privacy laws, your new online enterprise could quickly bring in more punitive fines than it's worth.

As you create a Privacy Policy for an auction platform, it will be necessary to take into account the specific aspects of privacy hat will concern all buyers, sellers, browsers, and bidders that use the service.

Privacy Laws

Privacy Policy laws

To begin, make sure that you are aware of the different online privacy regulations that will apply to your business.

Here are the regulations that will most likely affect an international online auction platform and its Privacy Policy:

  1. The EU General Data Protection Regulation (GDPR) requires an intelligible Privacy Policy written in clear, plain language that includes the following:

    • Your physical location and contact information
    • Notification of EU users' rights in regard to their personal data
    • What personal information you collect, how and why it's collected and if it's share with third parties
    • Statement of the legal basis for collecting personal information and full compliance with that legal basis
    • Information regarding international data transfers, if applicable
  2. The California Online Privacy Protection Act (CalOPPA) requires a conspicuously posted Privacy Policy that includes the following:

    • Which types of personal information you collect and who you share the information with
    • An easy, accessible way for users to review and make changes to their personal information
    • How you will notify users when the Privacy Policy is updated or changed
    • An effective date posted in the Privacy Policy
    • An explanation of how your business responds to Do Not Track signals from web browsers
  3. The Children's Online Privacy Protection Act (COPPA)

    • Since auction websites are not targeted to children, the Privacy Policy will only need a disclaimer that the services are not intended for children

Although other laws exist that apply to online business, such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), this and almost any other international privacy regulation will be covered if you comply with the stipulations in the list above.

Getting Started

The first few paragraphs of your Privacy Policy will serve as an introduction. Let visitors know the purpose and intent of the policy. Most online businesses use the introduction to assure visitors of their commitment to privacy and security in regard to personal information.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

In this section, you can also introduce your business as the data controller for any information gathered by the site, list your physical location, and post an effective date.

Here's an example of a Privacy Policy introduction from online auction platform iRostrum:

iRostrum Privacy Policy introduction

iRostrum Online Auctions sets out all of the initial details in a concise manner, including the purpose of the policy, their physical address, an effective date, and assurances about privacy protection.

Which Personal Information is Collected

One of the most important objectives of the Privacy Policy is to list out exactly which information you collect from users. Most websites break this down into several different categories of information, and several different clauses.

Here's how Sotheby's separates this section into three different sub-sections:

  • Information collected directly from the user
  • Information collected from outside sources
  • Information collected automatically
  • Sotheby's Privacy Policy: Information collected clauses

By doing it this way, you can list out the different types of information you collect in detail and let users know how you are collecting it. Be thorough. Don't leave anything out. Make sure you are aware of how cookies and other information-gathering technologies work on your website so that each can be included in the list. This promotes an environment of honesty and transparency between your business and its users.

In general, an auction website will be collecting the same types of information that any retail or e-commerce business would collect, so this section will remain standard as to which information and collection methods you will need to list.

If there is any extraneous information you collect beyond the standard personal, financial, and transactional details, be sure to include it in this section.

For example, Sotheby's makes video recordings of their live auctions, while eBay records which products users bid on so that they can show similar products to those users in the future. Both companies disclose this information in their Privacy Policies.

How Personal Information is Used

As the heading suggests, this clause describes how personal information is used after it is collected. On an auction website, this includes the procedures of listing, bidding, selling, and fulfilling. However, there are many more processes that go on behind the scenes.

For example, eBay includes an extensive list of information processing that includes backend troubleshooting, customer service and advertising functions.

eBay Privacy Notice: How we use your personal information clause

Include each and every usage your website makes of personal information, even if it's routine fraud-protection mechanisms that your system implements automatically on the backend. Meticulousness in this area can limit your liability if any users take exception to how your company is using personal data.

Third-Party Sharing

There is always some necessity for third-party sharing of user information, whether it be for payment processing purposes or simply to share a buyer's email with a seller during a transaction. With user consent, this is usually acceptable as long as each reason for third-party sharing is listed within your Privacy Policy. describes how they share information to fulfill transactions, such as sharing buyer information with sellers, as well as the different third-party sharing strategies they use to implement marketing practices. Note that they also mention data sharing to satisfy legal requests and business transfers, both of which are important to state in any Privacy Policy. Privacy Statement: Disclosure of Your Information clause

If your website uses personalized advertising services such as Google Adwords, additional notifications will be required. This third-party clause is a good place to include a paragraph such as the following, also taken from the Privacy Statement: Privacy Statement: Tailored Advertising clause

Third-party remarketing and advertising providers like Google require a paragraph like this one to be included in the Privacy Policy if you implement their services. Also required are instructions and links to opt-out of personalized advertising, as shown in the paragraph pictured here.


Cookies are almost always a necessity for websites that allow users to bid on and buy products. Since the cookies disclosure can be a lengthy topic, it is recommend that you formulate a detailed, separate Cookies Policy. However, there should be a small paragraph within the Privacy Policy to introduce the subject.

As eBay demonstrates here, the Cookies clause only needs a short description of your cookie usage and a link to your Cookies Policy. Ideally, the separate Cookies Policy would include a more detailed description of how cookies work, a cookies chart that describes which cookies you use, and a link to opt-out of all but the necessary functionality cookies.

eBay Privacy Notice: Cookies and Similar Technologies clause

Access and Choices

Several internet privacy laws, including the GDPR, require that you inform your users of how they may access and control the personal data you hold about them. eBay satisfies this requirement with simple instructions on how to find a record of personal information:

eBay Privacy Notice: Ways you can access, control and correct your personal information clause

Along with a description of how to find personal information within account settings, eBay reminds users that public listings may not be changed or removed in some situations. They go on to list users' rights in regards to their personal information.


The communications clause reminds users of their choices regarding correspondence.

First, list how your company stays in contact with users and for what reasons.

eBay describes their various methods for contacting individuals regarding buyer-seller disputes, account management, and fee collection. Messages regarding account and transactions are obligatory, so users may not opt-out of these types of communications:

eBay Privacy Notice: Communications clause

Marketing communications, on the other hand, may not legally be sent to any users without their express consent. It is important to remind users of their right to unsubscribe from marketing communications and provide an easy method for them to unsubscribe if they wish.

Here's how eBay describes the options users have in regard to communications and marketing messages. They provide detailed instructions on how to unsubscribe, as well:

eBay Privacy  Notice: Communications preferences and marketing clauses

Children Under 13

Auction services, as a rule, are not intended for minors because it is illegal for minors to enter into a binding contract such as a commitment to buy goods online. However, it is ideal to include the children under 13 clause in order to avoid liability under COPPA.

Reiterate that your services are not intended for children under the age of 13. makes this statement and provides a direct email to use in case a guardian believes that the website may have collected personal information from a child. This is all that is required under COPPA for websites that are not targeted to children: Privacy Statement: Children's information clause

Changes to the Policy

Your Privacy Policy will change and adapt with the times. Let users know that changes to the policy are inevitable and notify them of how they will be informed of any changes regarding user privacy.

Here's how eBid recounts the various methods they use to inform users of Privacy Policy amendments.

eBid Privacy Policy: Amendments clause

Contact Information

Finally, if your Privacy Policy did not provide dedicated contact information within the introduction, include it at the end. Some companies even include contact information several times within the policy to ensure that they are the first to learn of any privacy complaints. gives users three different ways to contact them regarding privacy issues: Privacy Statement: Contacting Us clause

EU Data Subjects

The GDPR requires some specific notifications be included in your Privacy Policy if anyone from the European Union uses your website. Even if your services are not necessarily offered internationally, if your website collects so much as an IP address from an EU user (called a data subject by the GDPR), you will be required to list the following:

  • Your legal basis for processing personal information
  • Data subjects' rights as stated by the GDPR
  • Who your data protection officer or EU representative is, if applicable, or a dedicated contact method if EU data subjects wish to contact you regarding their privacy
  • Any safeguards and processes you have in place for international data transfers, if applicable

According to Article 6 of the GDPR, you must have a lawful basis for processing the data of EU residents. For most websites, this legal basis is consent. If your legal basis for collecting EU user data is consent, then you need to make sure that your website follows GDPR guidelines for collecting the express consent of all EU users that visit your website.

In some cases, an auction website may use other legal bases for collecting user data. For example, a user who creates an account to bid in an auction is technically entering into a contract. A legal contract is also a legal basis for collecting personal data.

Here is an example of how several legal bases could be laid out in a Privacy Policy:

Gem Rock Auctions Privacy Policy: Legal basis for processing clause

In this section, Gem Rock Auctions lists five different legal bases they use to process user data.

Research the parameters of your own legal basis and make sure that your practices meet the GDPR requirements to qualify for that legal basis. Once you have the details confirmed, include them in your Privacy Policy.

Data Subject Rights

The GDPR lays out a range of user rights for EU-based data subjects. These rights must be listed within your Privacy Policy. The Sotheby's Privacy Policy keeps this clause brief, yet thorough:

Sotheby's Privacy Policy: Your rights clause - GDPR

Among the rights listed in this example are the following rights for user data:

  • The right of access
  • The right of erasure
  • The right to object or withdraw consent
  • The right or rectification
  • The right to restrict processing
  • The right to data portability
  • The right to object to automated decision-making or profiling
  • The right to report complaints to a local supervisory authority

As suggested by the GDPR, Sotheby's also gives users instructions on how to get in touch in the event of privacy questions or concerns.

International Data Transfers

If EU user data will ever be transferred across international borders for any reason, you will need to incorporate an international data transfers clause. For an auction website that allows for international transactions, this clause will most likely be required. It is a disclosure that user data may be transferred internationally and a description of what type of safeguards or processes you follow to ensure the security of the data.

Sotheby's includes this disclosure, ensuring users that they have put into place "European Commission approved standard contractual clauses" to protect the data. They also remind data subjects where to find contact details for inquiries:

Sotheby's Privacy Policy: Data Transfers clause

While an auction website will certainly need to address the dynamic privacy implications of a platform that supports international buyers and sellers, applicable privacy laws and requirements remain much the same for all online businesses.

As long as your Privacy Policy satisfies all legal requirements and creates an open, transparent environment that promotes user privacy, it will be sufficient for your auction website.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy