Businesses are collecting more and more personal information from their customers. It's not just social media organizations and advertising companies that do this. Ecommerce stores also collect some pretty important personal information from their customers. This doesn't just refer to credit card details. Personal information means anything that can be used to identify a person.
Laws on Collecting Personal Information
Different privacy laws define personal information in slightly different ways. It's important to remember that in many cases you don't only have to obey the law of the country in which your business is based; you also have to obey the law of the countries where your customers live.
United States
At the federal level, privacy law in the U.S. is very weak. U.S. states have passed laws that require companies to act in the event of a data breach.
For example, if you're planning to sell goods or services to Californians - or if your website collects the personal information of California residents - you'll need to comply with privacy laws including the California Online Privacy Protection Act (CalOPPA). This applies anywhere in the world - whether you're based in Los Angeles or Laos.
CalOPPA gives several examples of "personally identifiable information" (personal information), some of which you're likely to be collecting via your ecommerce store:
- A first and last name
- A home or other physical address
- An email address
- A telephone number
If you collect any of these, and your website visitors (not necessarily just your customers) include California residents, you must comply with CalOPPA.
CalOPPA is just one example. View our directory of U.S. state privacy laws for the up-to-date status of current laws.
European Union
The EU's General Data Protection Regulation (GDPR) is arguably the world's toughest privacy law. Its broad scope and wide territorial reach had many businesses scrambling to adjust their Privacy Policies and practices in the early part of 2018. Your business is affected if it provides goods or services to customers in the EU.
The GDPR defines "personal data" (personal information) as: "any information relating to an identified or identifiable natural person."
This has been interpreted very broadly by the EU's courts. In addition to the examples listed above, personal information under the GDPR includes:
- Cookie data
- IP addresses (including dynamic IP addresses)
- Any "online identifiers"
This is the type of information you can easily collect on your website even if you don't specifically ask your customers for it, and even if they don't make a purchase. You'll likely collect this sort of data in your log files, and through any conversion rate optimization or website analytics tools you run.
You have to be very careful about people's personal information if you're hoping to attract EU visitors to your website.
Other Jurisdictions
The above examples are taken from two major economies. There are privacy laws that define personal information in a similar way in other countries, too, such as:
Note that this is not an exhaustive list.
As businesses collect greater amounts of personal information online, governments are increasingly introducing tighter controls. But the aim is not to prevent commerce or stifle innovation. So long as you're behaving responsibly and within the law, it's possible to take the necessary steps to comply with any privacy law.
Third Parties Your Ecommerce Store Shares Data With
Ecommerce Platforms
Here's how BigCommerce addresses this:
2.1. Merchant Policies. Merchants should help Shoppers understand how the Merchant, BigCommerce and relevant third parties collect and process Shoppers' Personal Data. To that end, Merchants must:
- process Personal Data in accordance with applicable laws and, to the extent required under such laws, provide notice to and obtain informed consent from Shoppers for the use and access of their Personal Data by BigCommerce and other third parties; and
- if the Merchant is collecting any Sensitive Personal Data from Shoppers, obtain affirmative, explicit, and informed consent and allow such Shoppers to revoke their consent to the use and access of Sensitive Personal Data at any time.
Payment Processors
Under CalOPPA, your Privacy Policy must disclose:
"the categories of third-party persons or entities with whom the operator may share [....] personally identifiable information."
Under the GDPR, you must make your customers aware of:
"the recipients or categories of recipients of [their] personal data, if any."
App Marketplaces
Here's what Google says about how developers must handle their users' data:
You must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing the access, collection, use, handling, and sharing of user data from your app, and limiting the use of the data to the policy compliant purposes disclosed. Please be aware that any handling of personal and sensitive user data is also subject to additional requirements in the "Personal and Sensitive User Data" section below. These Google Play requirements are in addition to any requirements prescribed by applicable privacy and data protection laws.
And here's an extract from Apple's App Store Review Guidelines:
5.1.1 Data Collection and Storage
Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user's data.
Advertising Services
There are privacy considerations when it comes to advertising, particularly with regard to practices like remarketing.
Email Marketing Services
Email direct marketing campaigns help ecommerce businesses acquire new customers and maintain loyalty among existing customers. It's important (in most contexts) that you gain your customers' consent for direct marketing.
If you're using a third-party email marketing service, it's also important that you make it clear that you'll be sharing your customers' data with this service.
The terms of such services typically require this as well. For example:
- You will clearly post, maintain, and abide by a publicly accessible privacy notice on the digital properties from which the underlying data is collected that (a) satisfies the requirements of applicable Data Protection Laws, (b) describes your use of the Service, and includes a link to our Global Privacy Statement.
Website Analytics Services
You may wish to run analytics on your website in order to track your customers' and visitors' behavior. This can help you increase sales and drive traffic to your website.
The EU, in particular, is very clear that the types of information collected from individuals by web analytics can constitute personal information. Such services collect information about visitors' behavior on your site and what devices they use to access your site. This qualifies as "monitoring behavior" under EU law.
Your Privacy Policy therefore needs to tell your visitors:
- What types of information you're collecting from them
- How you'll collect it
- What you'll use the information for
Types of Information You Collect
As noted above, all ecommerce stores will collect personal information from their customers in various ways. Take this opportunity to think carefully about what information you need, and how you're getting it.
Let's take a look at how Amazon UK does this. Amazon breaks the personal information it handles into three broad types:
- Information customers provide to Amazon
- Information Amazon collects from customers automatically
- Information Amazon receives about customers from other sources
Here's a sample of how Amazon customers might provide Amazon with personal information:
Then Amazon describes what personal information will be used, and how:
Your Reasons For Collecting Personal Information
You've explained what personal information you collect, and how you collect it. You also need to explain why you need this information, and what you'll be using it for.
If you have EU customers, you should also disclose the legal basis on which you're collecting and using each type of personal information. There are six legal bases, and you can only collect or use a person's personal information if you have a legal basis to do so.
Here's an example from eBay UK's Privacy Notice:
eBay first gives its legal basis (consent) for using these types of information. It then gives the reasons that it needs to collect this information.
Third Parties You Share Information With
Here's how Toys R Us UK does this:
Disclosure of Personal Information to Third Parties
We may disclose your personal information to third parties for the purpose for which the information was collected or for related purposes, for example, to complete a transaction on your behalf or provide you with a product that you purchased. We engage third-party contractors to perform services for us which involves the contractor handling personal information we hold. For example, we currently engage third-party contractors to:
- Deliver products purchased from this website.
- Provide electronic funds transfer services, credit card account processing and related services.
In these situations, the third-party contractor is strictly restricted from using any prohibited personal information about you except for the specific purpose for which we have supplied. We may also disclose your personal information to various law enforcement agencies and governments around the world for security, to comply with a subpoena, customs and immigration purposes. Google may receive information about transactions conducted on this site for the purpose of product reviews or service reviews. Other than the above, we will not disclose your personal information without your consent unless disclosure is either necessary to prevent a threat to life or health, authorised or required by law, reasonably necessary to enforce the law or necessary to investigate a suspected unlawful activity.
You can list out specific third parties if you know them and want to, but it's not a requirement.
Privacy Rights and Opt-outs
Here's an example of how a Privacy Policy can present marketing opt-outs and preference controls:
YOUR PRIVACY PREFERENCES
You can register or change your preferences to receive or not receive marketing communications from us by visiting our Manage Privacy Preferences page or emailing us. Please allow sufficient time for your preferences to be processed. Even if you opt out of receiving marketing messages, we may still contact you for transactional purposes like confirming or following up on an order or service request, asking you to review a product or service you have ordered, or notifying you of product recalls. If you later opt back into getting marketing communications from us, we will remove your information from our opt-out databases.
Registered website users can update their information at the Your Account section of our website. If you are not a registered website user, you can contact us by email.
As noted above, if you're using Google AdWords, this service also requires you to provide an opt-out from remarketing. Here's an example of such a disclosure:
This website has implemented Google Analytics display advertising features including remarketing, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. This website uses remarketing with Google Analytics to advertise online. These ads may be shown to third-party vendors, including Google, on sites across the Internet.
This website and third-party vendors, including Google, use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on visitors past visits to this website. These cookies are also used together to report on ad impressions, ad services, and related visitor interactions with this site. This site uses data aggregated from Google's Interest-based advertising or 3rd-party audience data (such as age, gender, and interests) for general website reporting and improvement, and possibly for ad remarketing lists.
Using Ads Settings provided by Google, visitors of this site can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads.
Google also provides website visitors Google Analytics' opt-outs for the web, which provides a browser add-on for opting out of Google Analytics tracking altogether.
The situation is more complicated if you have EU customers, who have a lot of control over what you can do with their personal information. The GDPR provides eight data rights that EU citizens can access in relation to their personal information. If you serve EU customers, it's your job to help facilitate these.
Here's an example of how these rights can be presented:
- Right of access - You have the right to request a copy of the personal information that we hold about you.
- Right to rectification - If you think any of your personal information that we hold is inaccurate, you have the right to request it is updated. We may ask you for evidence to show it is inaccurate.
- Right to erasure - (also known as the Right to be Forgotten) - You have the right to request that we delete your personal information that we hold.
- Right to restriction of processing - You have the right to request we restrict or suppress the personal data we hold about you.
- Right to data portability - You have the right to ask us to electronically transfer your personal information to another organization in certain circumstances.
Other Required Information
Whatever your jurisdiction, your Privacy Policy should also include:
- Your contact details
- Information that your policy is likely to change, and how users will be notified if it does
If you have customers in the EU, include information about the following:
- How long you store different types of personal information
- Your customers' right to lodge a complaint with a Data Protection Authority
- If you're relying on the legal basis of legitimate interests, details of your Legitimate Interests Assessment
- Whether you're transferring personal information from the EU to a non-EU country
If you have customers in California, include information about:
- How your website responds to Do Not Track (DNT) requests
- Do Not Sell My Personal Information request rights
On Your Website
Here's an example from Misfits Market:
Here's how Misfits Market handles this:
Here's an example that combines both of these, from Tervis:
In Your Mobile App
For example, in the Google Play Store it'll appear under the "Developer contact" section of the install page.
Here's an example from ecommerce app Shpock:
Here's an example from the Audible app:
Here's an example from the Google Play Books store:
Here's another from Amazon:
Other Locations
You can make this part of your standard email footer, like The Economist does:
We'll discuss Terms and Conditions in more detail in the next chapter.
Case Study
Baths by Bridget, the store in our case study, needs to comply with:
- Canada's PIPEDA privacy law
- Privacy law in the U.S.
- The EU's GDPR
Baths by Bridget uses Google AdWords to run remarketing campaigns. This service uses targeted advertising cookies. The website also logs IP data about its visitors to test the website's functionality and find out how visitors are discovering the site.
The company uses a third-party ecommerce platform, BigCommerce, to fulfill sales. When making a purchase, customers need to provide their email address, name, billing address, shipping address, telephone number, and payment card details.
It also asks its customers to consent to receive direct marketing emails and uses Mailchimp to run email direct marketing campaigns.
Baths by Bridget takes advantage of BigCommerce's "abandoned cart" feature. If a customer has registered with the site, added a product to their shopping cart, but failed to complete the sale, they'll receive an email asking them if they want to go through with the purchase.
Its Privacy Policy therefore needs to set out:
- The contact details for Baths by Bridget (the "data controller" in EU terms)
- How it collects information: some of it is volunteered by the customer, and some of it is collected via the customer's browser information
- Why it needs this information:
  - To fulfill sales
  - To run effective advertising
  - To improve the functionality and security of the website
- Its legal basis for collecting the information:
  - The legal basis for collecting payment information is to enter into and fulfill a contract with the customer
  - The legal basis for running targeted advertising is that the customer has consented (if they have consented)
  - The legal basis for improving the functionality of the website is that it is in Baths by Bridget's legitimate interests
- What types of third parties it shares this information with:
  - Google, and Google's third-party advertising partners, in the case of cookie data
  - An ecommerce platform (BigCommerce) in the case of shipping and billing data
  - An automated email marketing service (Mailchimp) in the case of email marketing
- How long it will be storing personal information
- The fact that it transfers its EU customers' personal information to a non-EU country (Canada)
- The rights that its EU customers have over their personal data, and how to exercise these rights
- How its website responds to Do Not Track requests
There may be additional requirements to meet as privacy laws develop. Consider this a living outline that will change depending on your unique circumstances and the current state of the laws of the land.