- 1. Privacy Laws
- 2. Getting Started
- 3. Which Personal Information is Collected
- 4. How Personal Information is Used
- 5. Third-Party Sharing
- 6. Cookies
- 7. Access and Choices
- 8. Communications
- 9. Children Under 13
- 10. Changes to the Policy
- 11. Contact Information
- 12. EU Data Subjects
- 12.1. Legal Basis
- 12.2. Data Subject Rights
- 12.3. International Data Transfers
To begin, make sure that you are aware of the different online privacy regulations that will apply to your business.
- Your physical location and contact information
- Notification of EU users' rights in regard to their personal data
- What personal information you collect, how and why it's collected, and whether it's shared with third parties
- Statement of the legal basis for collecting personal information and full compliance with that legal basis
- Information regarding international data transfers, if applicable
- Which types of personal information you collect and who you share the information with
- An easy, accessible way for users to review and make changes to their personal information
- An explanation of how your business responds to Do Not Track signals from web browsers
The Children's Online Privacy Protection Act (COPPA)
Although other laws exist that apply to online businesses, such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), this and almost any other international privacy regulation will be covered if you comply with the stipulations in the list above.
At Step 1, select the Website option, the App option, or both.
Answer some questions about your website or app.
Answer some questions about your business.
In this section, you can also introduce your business as the data controller for any information gathered by the site, list your physical location, and post an effective date.
iRostrum Online Auctions sets out all of the initial details in a concise manner, including the purpose of the policy, their physical address, an effective date, and assurances about privacy protection.
Which Personal Information is Collected
Here's how Sotheby's separates this section into three different sub-sections:
- Information collected directly from the user
- Information collected from outside sources
- Information collected automatically
By doing it this way, you can list out the different types of information you collect in detail and let users know how you are collecting it. Be thorough. Don't leave anything out. Make sure you are aware of how cookies and other information-gathering technologies work on your website so that each can be included in the list. This promotes an environment of honesty and transparency between your business and its users.
In general, an auction website will be collecting the same types of information that any retail or e-commerce business would collect, so this section will remain standard as to which information and collection methods you will need to list.
If there is any extraneous information you collect beyond the standard personal, financial, and transactional details, be sure to include it in this section.
For example, Sotheby's makes video recordings of their live auctions, while eBay records which products users bid on so that they can show similar products to those users in the future. Both companies disclose this information in their Privacy Policies.
How Personal Information is Used
As the heading suggests, this clause describes how personal information is used after it is collected. On an auction website, this includes the procedures of listing, bidding, selling, and fulfilling. However, there are many more processes that go on behind the scenes.
For example, eBay includes an extensive list of information processing that includes backend troubleshooting, customer service and advertising functions.
Include each and every usage your website makes of personal information, even if it's routine fraud-protection mechanisms that your system implements automatically on the backend. Meticulousness in this area can limit your liability if any users take exception to how your company is using personal data.
If your website uses personalized advertising services such as Google Adwords, additional notifications will be required. This third-party clause is a good place to include a paragraph such as the following, also taken from the Auction.com Privacy Statement:
As eBay demonstrates here, the Cookies clause only needs a short description of your cookie usage and a link to your Cookies Policy. Ideally, the separate Cookies Policy would include a more detailed description of how cookies work, a cookies chart that describes which cookies you use, and a link to opt-out of all but the necessary functionality cookies.
Access and Choices
Several internet privacy laws, including the GDPR, require that you inform your users of how they may access and control the personal data you hold about them. eBay satisfies this requirement with simple instructions on how to find a record of personal information:
Along with a description of how to find personal information within account settings, eBay reminds users that public listings may not be changed or removed in some situations. They go on to list users' rights in regard to their personal information.
The communications clause reminds users of their choices regarding correspondence.
First, list how your company stays in contact with users and for what reasons.
eBay describes their various methods for contacting individuals regarding buyer-seller disputes, account management, and fee collection. Messages regarding accounts and transactions are obligatory, so users may not opt out of these types of communications:
Marketing communications, on the other hand, may not legally be sent to any users without their express consent. It is important to remind users of their right to unsubscribe from marketing communications and provide an easy method for them to unsubscribe if they wish.
Here's how eBay describes the options users have in regard to communications and marketing messages. They provide detailed instructions on how to unsubscribe, as well:
Children Under 13
Auction services, as a rule, are not intended for minors because it is illegal for minors to enter into a binding contract such as a commitment to buy goods online. However, it is still advisable to include the children under 13 clause in order to avoid liability under COPPA.
Reiterate that your services are not intended for children under the age of 13.
Auction.com makes this statement and provides a direct email to use in case a guardian believes that the website may have collected personal information from a child. This is all that is required under COPPA for websites that are not targeted to children:
Changes to the Policy
Auction.com gives users three different ways to contact them regarding privacy issues:
EU Data Subjects
- Your legal basis for processing personal information
- Data subjects' rights as stated by the GDPR
- Who your data protection officer or EU representative is, if applicable, or a dedicated contact method if EU data subjects wish to contact you regarding their privacy
- Any safeguards and processes you have in place for international data transfers, if applicable
According to Article 6 of the GDPR, you must have a lawful basis for processing the data of EU residents. For most websites, this legal basis is consent. If your legal basis for collecting EU user data is consent, then you need to make sure that your website follows GDPR guidelines for collecting the express consent of all EU users that visit your website.
In some cases, an auction website may rely on other legal bases for collecting user data. For example, a user who creates an account to bid in an auction is technically entering into a contract, and performance of a contract is also a legal basis for collecting personal data.
In this section, Gem Rock Auctions lists five different legal bases they use to process user data.
Data Subject Rights
Among the rights listed in this example are the following rights for user data:
- The right of access
- The right of erasure
- The right to object or withdraw consent
- The right to rectification
- The right to restrict processing
- The right to data portability
- The right to object to automated decision-making or profiling
- The right to report complaints to a local supervisory authority
As suggested by the GDPR, Sotheby's also gives users instructions on how to get in touch in the event of privacy questions or concerns.
International Data Transfers
If EU user data will ever be transferred across international borders for any reason, you will need to incorporate an international data transfers clause. For an auction website that allows for international transactions, this clause will most likely be required. It is a disclosure that user data may be transferred internationally and a description of what type of safeguards or processes you follow to ensure the security of the data.
Sotheby's includes this disclosure, assuring users that they have put into place "European Commission approved standard contractual clauses" to protect the data. They also remind data subjects where to find contact details for inquiries:
While an auction website will certainly need to address the dynamic privacy implications of a platform that supports international buyers and sellers, applicable privacy laws and requirements remain much the same for all online businesses.