25 June 2019
To begin, make sure that you are aware of the different online privacy regulations that will apply to your business.
The Children's Online Privacy Protection Act (COPPA)
Although other laws exist that apply to online business, such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), this and almost any other international privacy regulation will be covered if you comply with the stipulations in the list above.
In this section, you can also introduce your business as the data controller for any information gathered by the site, list your physical location, and post an effective date.
iRostrum Online Auctions sets out all of the initial details in a concise manner, including the purpose of the policy, their physical address, an effective date, and assurances about privacy protection.
Here's how Sotheby's separates this section into three different sub-sections:
By doing it this way, you can list out the different types of information you collect in detail and let users know how you are collecting it. Be thorough. Don't leave anything out. Make sure you are aware of how cookies and other information-gathering technologies work on your website so that each can be included in the list. This promotes an environment of honesty and transparency between your business and its users.
In general, an auction website will be collecting the same types of information that any retail or e-commerce business would collect, so the types of information and collection methods you need to list in this section will be largely standard.
If there is any extraneous information you collect beyond the standard personal, financial, and transactional details, be sure to include it in this section.
For example, Sotheby's makes video recordings of their live auctions, while eBay records which products users bid on so that they can show similar products to those users in the future. Both companies disclose this information in their Privacy Policies.
As the heading suggests, this clause describes how personal information is used after it is collected. On an auction website, this includes the procedures of listing, bidding, selling, and fulfilling. However, there are many more processes that go on behind the scenes.
For example, eBay includes an extensive list of information processing that includes backend troubleshooting, customer service and advertising functions.
Include each and every use your website makes of personal information, even routine fraud-protection mechanisms that your system runs automatically on the backend. Meticulousness in this area can limit your liability if any users take exception to how your company is using personal data.
If your website uses personalized advertising services such as Google AdWords, additional notifications will be required. This third-party clause is a good place to include a paragraph such as the following, also taken from the Auction.com Privacy Statement:
As eBay demonstrates here, the Cookies clause only needs a short description of your cookie usage and a link to your Cookies Policy. Ideally, the separate Cookies Policy would include a more detailed description of how cookies work, a cookies chart that describes which cookies you use, and a link to opt out of all but the strictly necessary functionality cookies.
Several internet privacy laws, including the GDPR, require that you inform your users of how they may access and control the personal data you hold about them. eBay satisfies this requirement with simple instructions on how to find a record of personal information:
Along with a description of how to find personal information within account settings, eBay reminds users that public listings may not be changed or removed in some situations. They go on to list users' rights regarding their personal information.
The communications clause reminds users of their choices regarding correspondence.
First, list how your company stays in contact with users and for what reasons.
eBay describes their various methods for contacting individuals regarding buyer-seller disputes, account management, and fee collection. Messages regarding accounts and transactions are obligatory, so users may not opt out of these types of communications:
Marketing communications, on the other hand, may not legally be sent to any users without their express consent. It is important to remind users of their right to unsubscribe from marketing communications and provide an easy method for them to unsubscribe if they wish.
Here's how eBay describes the options users have in regard to communications and marketing messages. They provide detailed instructions on how to unsubscribe, as well:
Auction services, as a rule, are not intended for minors because it is illegal for minors to enter into a binding contract such as a commitment to buy goods online. However, it is best to include a children-under-13 clause in order to avoid liability under COPPA.
Reiterate that your services are not intended for children under the age of 13.
Auction.com makes this statement and provides a direct email to use in case a guardian believes that the website may have collected personal information from a child. This is all that is required under COPPA for websites that are not targeted to children:
Auction.com gives users three different ways to contact them regarding privacy issues:
According to Article 6 of the GDPR, you must have a lawful basis for processing the data of EU residents. For most websites, this legal basis is consent. If your legal basis for collecting EU user data is consent, then you need to make sure that your website follows GDPR guidelines for collecting the express consent of all EU users that visit your website.
In some cases, an auction website may use other legal bases for collecting user data. For example, a user who creates an account to bid in an auction is technically entering into a contract. A legal contract is also a legal basis for collecting personal data.
In this section, Gem Rock Auctions lists five different legal bases they use to process user data.
Among the rights over user data listed in this example are the following:
As suggested by the GDPR, Sotheby's also gives users instructions on how to get in touch in the event of privacy questions or concerns.
If EU user data will ever be transferred across international borders for any reason, you will need to incorporate an international data transfers clause. For an auction website that allows for international transactions, this clause will most likely be required. It is a disclosure that user data may be transferred internationally and a description of what type of safeguards or processes you follow to ensure the security of the data.
Sotheby's includes this disclosure, assuring users that they have put into place "European Commission approved standard contractual clauses" to protect the data. They also remind data subjects where to find contact details for inquiries:
While an auction website will certainly need to address the dynamic privacy implications of a platform that supports international buyers and sellers, applicable privacy laws and requirements remain much the same for all online businesses.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.