Last updated on 01 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
Ecommerce and SaaS embrace the subscription plan as a way to make their products accessible to users. But the need for billing, shipping, and personal information to customize the experience makes these services more intrusive than others offered online.
Privacy policies are required by law in most jurisdictions. These laws affect any company that collects personally identifiable information from its customers.
This type of information includes:
This is true no matter where you operate since consumer privacy protection is universally embraced.
The United States does not have a federal privacy law, but state law is catching up. California, Delaware, and Nevada all have their own privacy laws and Illinois has a privacy law specific to location tracking.
Australia, Canada, and the UK all enacted federal laws that require Privacy Policies as have India, Malaysia, and other nations.
These requirements include:
This includes addressing any automatic data collection through cookies and tracking software.
Due to the volume of information they collect, subscription plans are more invasive than other types of online services. These are the specific privacy concerns that arise from them.
Ecommerce subscriptions cannot exist without collecting personal information. Otherwise, there is no way for a service to ship items to a consumer.
When a user signs up for a subscription service, they must submit their name, shipping address, and payment information. Subscriptions for clothing and beauty products also contain personal preferences. Some users may consider these details sensitive and they require reassurance as well as legal protection in case of a privacy breach.
Also, some subscription plans offer special rewards and incentives around a customer's birthday. While participation is usually voluntary, that is an additional piece of personal information that the service must keep safe.
Another unique aspect is that the subscription service uses this information every month. It is not a matter of a user submitting the data once and it remaining in storage for the future. The data is used each time the service makes payment charges and ships the product. This constant use can leave information vulnerable so companies must make an effort to keep personal data private and secure.
Subscriptions are available for software as a service (SaaS), too. Microsoft, DropBox, and Spotify all offer software products in addition to their monthly subscriptions.
Ecommerce mainly requires this data for payment and shipment.
SaaS has additional concerns and will also collect:
There is overlap in ecommerce and SaaS Privacy Policies, but these provisions are the most important for each type.
Ecommerce services list the data collected but may divide it into two categories. One includes the data required to use the service and the other is any optional data if the user wants enhanced services.
Ipsy takes this approach. It starts with information required to join. This focuses on beauty preferences, email addresses, and date of birth:
If a user decides to start an Ipsy subscription, the service requests additional information, such as shipping addresses and billing information:
Cratejoy, a subscription service that offers monthly boxes for everything from clothing to board games, takes a similar approach. In plain language, it states that membership depends on users providing an email address and screen name. However, to enjoy additional services, users must provide billing information, addresses, and even telephone numbers:
Some services require social media accounts for login and tracking. Not only do they need to inform users of the information they collect directly but also any data they find through users providing social media information.
Stitchfix allows users to link their social media accounts to the service to make sharing easier. It informs users that doing this allows the service to see what is posted:
Ipsy mentions social media with other third party service providers who may view or collect the information. Users may sever this link by disconnecting Ipsy from the third party application or social media platform:
Sephora makes it clear to users that it tracks Facebook "likes" and may adjust its suggestions based on them:
Sephora names specific entities:
Subscriptions are often customized to the user. To provide the most relevant products, that requires additional information collected through tracking.
This includes device information. Knowing the type of device used to access the site and how well the browser operates helps subscription services customize to customer interests and fix any website issues.
Cratejoy has the same practice and since it distributes an app for its services as well, the tracking information clause also indicates how that app functions:
This is a good reminder that even if you track data to provide a better customer service, you still need to inform users that this is your practice. It is a good habit since laws regarding tracking cookies are gaining traction worldwide.
Like personal tastes and browser preferences, location information is used to create a more personal experience for the user. However, laws like Illinois' Geolocation Privacy Protection Act, require that you inform consumers that you collect general location data and if you wish for more specificity, you secure users' consent or permission first.
Spotify demonstrates perfectly how to comply with this. It starts off with information needed to use the service. It refers to this as the first category and it includes non-specific location information:
Spotify mentions location information again in a second category of collected data. This is only collected if the user authorizes it:
In each category, Spotify explains why it collects this data. Not only does this assure legal compliance, but it helps consumers make informed decisions on whether they want a subscription to this service.
This is similar to consumer preference tracking with ecommerce sites. Rather than being based on product reviews or comments made on social media, these preferences are tracked within the SaaS website or app.
When third parties are involved in SaaS subscriptions, it's usually to extend services. This gives users more options when using the SaaS.
Allowing those options involves sharing personal data. For example, VHX Corporation works with Roku and iOS to run Vimeo and Netflix channels through their platforms. That is often how users watch these services on their television sets rather than a mobile device or computer:
This section may also work as it does with ecommerce subscriptions. In that case, this clause would disclose any affiliate partners or service providers.
SaaS subscriptions collect device information to see how their software works. This allows for improvements, and if a user requires technical support, the data helps them diagnose the problem.
VHX Corporation explains this under "Information We Collect" and adds that this is collected automatically:
Dropbox also addresses this issue:
Microsoft presents this information in a bulleted list. This is easy to read and helps users understand why it collects this information:
It also makes it easier for you if your collection practices change. You can simply add or delete a list item.
Most of these provisions explain how the cookies operate and the information they collect. Dropbox summarizes this briefly:
Microsoft also uses plain language and explains cookies well. If users want additional details, they only need to click on the "read more" link:
Many users appreciate the convenience and variety of subscription plans. They often expect to reveal more personal information to enjoy these services and will be ok with that. However, it is still your responsibility to protect that information and never collect more than you need. This keeps you in compliance with current privacy laws and enhances goodwill between you and your users.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022