Last updated on 28 September 2022 by Stephen Titcombe (Legal writer at TermsFeed)
Personal information is essentially any information that identifies an individual. Common examples include names, sex, date of birth, physical addresses, social security numbers, and so on.
As an ecommerce business, it's virtually impossible for you to operate without collecting certain personal information from your customers, such as:
Keep in mind that you may be subject to a region's privacy laws even if you have no business presence there; what usually matters is where your customers reside.
For example, if your ecommerce store is based in California but serves customers residing in the European Union, China, and Canada, you must comply with privacy regulations in all four regions.
A Privacy Policy also lets customers know how you store their information, who has access to it, which third parties (if any) it is disclosed to, and what measures you have in place to protect it.
Over the years, the concept of data protection and digital privacy has become increasingly important to governments and countries worldwide. In a bid to address this growing phenomenon, several privacy bills have been passed and enforced to protect personal information in respective regions of the world.
Some of the more prominent ones include:
Employing third-party services has become a nearly unavoidable practice among ecommerce businesses everywhere. They enable you to serve customers efficiently while avoiding the steep costs of developing in-house solutions (e.g., using ad platforms or payment processors).
Examples of such companies include:
You should also let customers know which third-party services you use and how those services may collect and use personal information. Many of these providers make such disclosure a condition of use in their own terms, so omitting it can put you in breach of those terms and cost you access to the service.
Here's how Crashlytics illustrates this in section 2.6 of its Terms of Service:
You may wish to organize this information into categories for better clarification, such as:
Each category should list all types of information you collect (however extensive), as customers have the right to know. Also, keep in mind that most privacy regulations require that you only collect information strictly needed to run your business.
Here's how ecommerce giant Amazon presents this clause in its Privacy Notice:
Further down in the notice, Amazon provides examples of the specific types of information customers may supply:
Once you've identified the type of information you collect, the logical next step is to let customers know how you use that information. As an ecommerce retailer, you will probably use personal information to ship products to customers, provide personalized ads, process payments, retarget customers, and perform similar functions.
If the GDPR applies to you, this is also where you would identify the lawful basis for processing customer information.
Here's a well-structured list provided by Costco that details its purposes for collecting and processing personal information:
Running an ecommerce business will most likely involve sharing personal information with several third-party service providers. For example, you may share home addresses with your shipping partner, credit card details with your payment processor (e.g., PayPal), and demographic information with a marketing agency.
You may also include a business transfer section under this clause that details how customer information will be handled if your business merges with another or is fully acquired.
Amazon, once again, is doing this well. Here's how it describes this clause in its Privacy Notice agreement:
Cookies are small pieces of text that a website sets (via an HTTP response header or client-side script) and that the browser stores on the user's device and sends back on later requests. They are often used to store personal information, observe browsing habits, and provide a personalized experience for customers. For example, some cookies remember which products customers added to their shopping carts on a previous visit.
Here's how eBay presents this clause in its Privacy Notice:
As an ecommerce retailer, this is one of the most critical areas you need to address, since you handle sensitive information such as credit card details. To avoid the stringent penalties that accompany negligence, you must implement reasonable security measures to keep personal information from falling into the wrong hands.
You can accomplish this by:
Addressing this clause is not only a good business practice to adopt but is mandatory under most privacy laws such as the GDPR and CCPA.
Customers need to be aware of their rights to access, update, and delete their personal data, as well as to opt out of sharing certain information with you or your third parties.
Here's a region-specific example from Staples that outlines additional rights for users residing in the EU or UK:
The foremost authority here is the Children's Online Privacy Protection Act (COPPA). If you fall under its scope, you must comply with all its requirements, the most important of which is seeking parental consent.
You should also include this clause even if you don't collect information from minors, as this can help limit your liability if you accidentally obtain their information.
Here's a good example from American Eagle:
Here's an example from QVC's account creation page:
Here's an example from Amazon:
Here's how Bloomberg Technology does this:
More specific Privacy Templates are available on our blog.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.