- 2.1. It's a Legal Obligation
- 2.2. It's Required by Third-Party Services
- 2.3. It Promotes Transparency
- 3.1. What type of personal information you collect
- 3.2. How you use personal information
- 3.3. How and why you share personal information
- 3.4. Cookies and similar technologies
- 3.5. How you protect personal information
- 3.6. Opt-Out Policy and Privacy Rights
- 3.7. How you handle children's personal information
- 3.8. Contact Information
- 4.1. Account Registration or Sign-up Page
- 4.2. Website Footers
- 4.3. Checkout Forms
- 4.4. Email Newsletter Sign-up Forms
Personal information is essentially any information that identifies an individual. Common examples include names, sex, date of birth, physical addresses, Social Security numbers, and so on.
As an ecommerce business, it's virtually impossible for you to operate without collecting certain personal information from your customers, such as:
- Email addresses
- Bank or credit card details
- Shipping addresses
- Purchase histories
- Phone numbers
- IP addresses or other tracking data
Keep in mind that you may be subject to the privacy laws of the countries where your customers reside, even without a business presence in those countries.
For example, if your ecommerce store is based in California but serves customers residing in the European Union, China, and Canada, you must comply with privacy regulations in all four regions.
It also lets customers know how you plan to store their information, who has access to it, third-party disclosures (if any), and what measures you have in place to guarantee the protection of their information.
It's a Legal Obligation
Over the years, data protection and digital privacy have become increasingly important to governments worldwide. In response, several privacy laws have been passed and enforced to protect personal information in their respective regions.
Some of the more prominent ones include:
- The EU's General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
- The California Online Privacy Protection Act (CalOPPA)
- China's Personal Information Protection Law (PIPL)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia's Privacy Act of 1988
- Brazil's Lei Geral de Proteção de Dados (LGPD)
It's Required by Third-Party Services
Employing third-party services has become a nearly unavoidable practice among ecommerce businesses everywhere. They enable you to serve customers efficiently while avoiding the steep costs of developing in-house solutions (e.g., using ad platforms or payment processors).
Examples of such companies include:
- Social Platforms (e.g., Facebook, Twitter, YouTube, etc.)
- Google Analytics
You should also let customers know which third-party services you use and how those services may collect and use personal information. Failure to comply will restrict you from employing these services.
Here's how Crashlytics illustrates this in section 2.6 of its Terms of Service:
It Promotes Transparency
What type of personal information you collect
You may wish to organize this information into categories for better clarification, such as:
- Information you provide us
- Information collected automatically through our website
- Information gathered through cookies, pixels, and similar technologies
- Information obtained from external sources
Each category should list every type of information you collect (however extensive), as customers have the right to know. Also, keep in mind that most privacy regulations require that you collect only the information strictly needed to run your business.
Here's how ecommerce giant Amazon presents this clause in its Privacy Notice:
Further down in the notice, Amazon provides examples of the specific types of information customers may supply:
How you use personal information
Once you've identified the type of information you collect, the logical next step is to let customers know how you use that information. As an ecommerce retailer, you will probably use personal information to ship products to customers, provide personalized ads, process payments, retarget customers, and perform similar functions.
If the GDPR applies to you, this is also where you would identify the lawful basis for processing customer information.
Here's a well-structured list provided by Costco that details its purposes for collecting and processing personal information:
How and why you share personal information
Running an ecommerce business will most likely involve sharing personal information with several third-party service providers. For example, you may share home addresses with your shipping partner, credit card details with your payment processor (e.g., PayPal), and demographic information with a marketing agency.
You may also include a business transfer section under this clause that details how customer information will be handled if your business merges with another or is fully acquired.
Amazon, once again, is doing this well. Here's how it describes this clause in its Privacy Notice agreement:
Cookies and similar technologies
Cookies are small text files created by browsers and stored on users' devices when they visit a website. They are often used to store personal information, observe browsing habits, and provide a personalized experience for customers. For example, some cookies remember which products customers added to their shopping carts on a previous visit.
Here's how eBay presents this clause in its Privacy Notice:
How you protect personal information
As an ecommerce retailer, this is one of the most critical areas you need to address, since you handle sensitive information such as credit card details. To avoid the stringent penalties that accompany negligence, you must implement reasonable security measures to protect personal information from falling into the wrong hands.
You can accomplish this by:
- Restricting access only to authorized personnel, and
- Employing organizational and technical measures to protect personal information (e.g., firewalls, encryption software, two-factor authentication)
Opt-Out Policy and Privacy Rights
Addressing this clause is not only a good business practice to adopt but is mandatory under most privacy laws such as the GDPR and CCPA.
Customers need to be aware of their rights to access, update, and delete their personal data, as well as to opt out of sharing certain information with you or your third parties.
Here's a region-specific example from Staples that outlines additional rights for users residing in the EU or UK:
How you handle children's personal information
The foremost authority here is the Children's Online Privacy Protection Act (COPPA). If you fall under its scope, you must comply with all its requirements, the most important of which is seeking parental consent.
You should also include this clause even if you don't collect information from minors, as this can help limit your liability if you accidentally obtain their information.
Here's a good example from American Eagle:
Account Registration or Sign-up Page
Here's an example from QVC's account creation page:
Here's an example from Amazon:
Email Newsletter Sign-up Forms
Here's how Bloomberg Technology does this:
- The types of personal information you collect
- How you use personal information
- How and why you share personal information
- How you protect and secure personal information
- How you observe individual privacy rights and opt-out policy
- How you treat the personal information of minors
- Your contact details to address privacy concerns
More specific Privacy Templates are available on our blog.