Last updated on 24 May 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
If you've recently started an ecommerce business using WooCommerce, you're going to be focused on sales, suppliers, and investment. But you have other important duties too, such as complying with privacy law.
As an ecommerce business, you need to collect and process the personal information of your customers, your potential customers, and the visitors to your website.
There are probably two main ways in which you collect personal information:
You might also receive personal information from third parties, such as social media channels or subsidiary companies.
Your users provide the following types of personal information to you voluntarily:
Here's an example from ecommerce store Boodles:
Boodles explains that people might provide their personal information via the following channels:
In addition to the personal information your customers provide to you, there's also the personal information you automatically collect from visitors to your website. The means by which you collect this type of personal information might include:
The types of personal information you collect in this way might include:
Here's an example from PhotoBite:
You might be surprised to see some of these types of data listed as "personal information." However, personal information is defined very broadly, especially in places such as California, Canada, and the EU.
The table below describes some typical activities of an ecommerce business, together with the types of personal information it might need to collect for these purposes.
|Some typical activities of an ecommerce business:||Types of personal information it might need to collect for these purposes:|
|Communicating with a customer about their order or their customer service queries:||Name, email address, phone number|
|Processing a customer's order:||Name, shipping address, billing address, payment card details|
|Advertising:||Cookie ID, email address|
|Improving your website or app:||Analytics data, e.g. website usage|
|For security and fraud prevention:||IP address, cookie data|
|Setting up an account:||Username, password|
Here's how clothing retailer River Island explains some of the ways in which it uses personal information:
Practically every business needs to share personal information or to allow other companies to collect personal information on its behalf.
If you run a WooCommerce store, it's likely that your customers' personal information will be processed by third parties such as Wordpress, WooCommerce, and Stripe (which processes payments on behalf of WooCommerce Payments).
You might also share personal information with:
The business lists Wordpress, WooCommerce, Google Analytics, and MonsterInsights among the third parties with which it shares personal information.
You should also provide links to the Privacy Policies of your third-party service providers.
Here's how jewelry retailer Eileen Gatt does this:
Note that you don't necessarily have to identify your third parties service providers by name. It may be sufficient to list the types of third parties with which you share personal information (e.g. "payment processors," "mail carriers").
You should provide contact details for your company in case visitors have any questions about your privacy practices.
Here's an example from Kefi:
Note that Kefi has set up a dedicated email address to deal with privacy queries. This helps the business demonstrate to its customers it's taking their privacy seriously.
If you have customers in the US, your main concern should be complying with that state privacy law of California, specifically the California Online Privacy Protection Act (CalOPPA).
CalOPPA applies to all commercial websites that are accessible in California.
Here's an example of how Medtronic discloses how its website treats "Do Not Track" signals:
The EU has the highest privacy standards in the world, and the UK still enforces them despite having left the EU.
If you have customers in the European Economic Area (the EEA, which includes all 27 EU countries plus Iceland, Liechtenstein, and Norway) or the UK, you must comply with the General Data Protection Regulation (GDPR).
Here's how Bowles & Wyer explains how users can make a complaint to the UK's Data Protection Authority, the Information Commissioner's Office (ICO):
Note that the business encourages users to make a direct complaint before going to the ICO. This is perfectly reasonable.
Here's how Bayer Canada explains the right to access personal information under PIPEDA:
Here's our guide to privacy laws by country to help you out.
Here's how Woocommerce-powered clothing retailer The Neighbourgoods does this:
Here's how the WooCommerce-powered website Spike Island does this:
Here's how WooCommerce-powered website The Wellbeing Project does this:
Check the other legal requirements that might apply in your target markets.