Privacy Policy and Ecommerce Businesses

While some policies like Terms and Conditions or Return and Refund Policies are strongly recommended, a Privacy Policy (sometimes called a Privacy Notice, Privacy Statement or Data Policy) is a legal requirement, and is also mandatory under the terms of some third-party ecommerce platforms.

Businesses are collecting more and more personal information from their customers. It's not just social media organizations and advertising companies that do this. Ecommerce stores also collect some pretty important personal information from their customers. This doesn't just refer to credit card details. Personal information means anything that can be used to identify a person.

Laws on Collecting Personal Information

Different privacy laws define personal information in slightly different ways. It's important to remember that in many cases, you don't only have to obey the law of the country in which your business is based. You also have to obey the law of the countries where your customers live.

United States

At the federal level, privacy law in the U.S. is very weak. U.S. states have passed laws which require companies to act in the event of a data breach.

For example, if you're planning to sell goods or services to Californians - or if your website collects the personal information of California residents - you'll need to comply with privacy laws including the California Online Privacy Protection Act (CalOPPA). This applies anywhere in the world - whether you're based in Los Angeles or Laos.

CalOPPA gives several examples of "personally identifiable information" (personal information), some of which you're likely to be collecting via your ecommerce store:

  • A first and last name
  • A home or other physical address
  • An email address
  • A telephone number

If you collect any of these and your website visitors (not necessarily your customers) include California residents you must comply with CalOPPA.

View our directory of U.S. state privacy laws for the up-to-date status of current laws. CalOPPA is just one example.

European Union

The EU's General Data Protection Regulation (GDPR) is arguably the world's toughest privacy law. Its broad scope and wide territorial reach had many businesses scrambling to adjust their Privacy Policies and practices in the early part of 2018. Your business is affected if it provides goods or services to customers in the EU.

The GDPR defines "personal data" (personal information) as: "any information relating to an identified or identifiable natural person."

This has been interpreted very broadly by the EU's courts. In addition to the examples listed above, personal information under the GDPR includes:

  • Cookie data
  • IP addresses (including dynamic IP addresses)
  • Any "online identifiers"

This is the type of information you can easily collect on your website even if you don't specifically ask your customers for it, and even if they don't make a purchase. You'll likely collect this sort of data in your log files, and if you run conversion rate optimization or website analytics.

You have to be very careful about people's personal information if you're hoping to attract EU visitors to your website.

Other Jurisdictions

The above examples are taken from two major economies. There are privacy laws that define personal information in a similar way in other countries, too, such as:

Note that this is not an exhaustive list.

As businesses collect greater amounts of personal information online, governments are increasingly introducing tighter controls. But the aim is not to prevent commerce or stifle innovation. So long as you're behaving legally and responsibly, it's possible to take the necessary steps to comply with any privacy law.

Third Parties Your Ecommerce Store Shares Data With

Running an ecommerce store isn't something your business will do alone. There's a host of different services out there designed to help your business thrive. Having a Privacy Policy is often a requirement for using these services.

When your customers interact with these services on your website, you're asking them to share their personal information with a third party. This is something you need to be clear about in your Privacy Policy.

Ecommerce Platforms

Having a Privacy Policy is a requirement if you're using a third-party ecommerce platform. The legally-binding Terms and Conditions you agree to when you sign up to use the platform will usually contain a clause about this.

Here's how BigCommerce addresses this:

BigCommerce Privacy Policy: Merchants clause with Privacy Policy highlighted

2. Merchants.

2.1. Merchant Policies. Merchants should help Shoppers understand how the Merchant, BigCommerce and relevant third parties collect and process Shoppers' Personal Data. To that end, Merchants must:

  • post an accurate privacy policy on their storefront that complies with all applicable laws and regulations;

  • process Personal Data in accordance with applicable laws and, to the extent required under such laws, provide notice to and obtain informed consent from Shoppers for the use and access of their Personal Data by BigCommerce and other third parties; and

  • if the Merchant is collecting any Sensitive Personal Data from Shoppers, obtain affirmative, explicit, and informed consent and allow such Shoppers to revoke their consent to the use and access of Sensitive Personal Data at any time.

Payment Processors

Even if you aren't using a third-party ecommerce platform and instead are opting to integrate a payment processor like PayPal or Stripe into your website, you'll need a Privacy Policy. Your customers need to be completely clear on who you're sharing their data with.

This is a requirement under a number of privacy laws including CalOPPA, which states that your Privacy Policy must disclose:

"the categories of third-party persons or entities with whom the operator may share [....] personally identifiable information."

Under the GDPR, you must make your customers aware of:

"the recipients or categories of recipients of [their] personal data, if any."

App Marketplaces

If your ecommerce store has a mobile application, you'll need a Privacy Policy to get your app into Google Play Store (Android) or Apple's App Store (iPhone).

Here's what Google says about how developers must handle their users' data:

Google Play: Privacy Security and Deception - User Data requirements section

User Data

You must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing the access, collection, use, handling, and sharing of user data from your app, and limiting the use of the data to the policy compliant purposes disclosed. Please be aware that any handling of personal and sensitive user data is also subject to additional requirements in the "Personal and Sensitive User Data" section below. These Google Play requirements are in addition to any requirements prescribed by applicable privacy and data protection laws.

And here's an extract from Apple's App Store Review Guidelines:

Apple App Store Review Guidelines: Data Collection and Storage section - Privacy Policy Link required section highlighted

5.1.1 Data Collection and Storage

(i) Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

  • Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.

  • Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) - such as analytics tools, advertising networks and third party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data - will provide the same or equal protection of user data as stated in the app's privacy policy and required by these Guidelines.

  • Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user's data.

Advertising Services

There are privacy considerations when it comes to advertising, particularly with regard to practices like remarketing.

If you use services such as any of the following, review their requirements for your Privacy Policy:

Email Marketing Services

Email direct marketing campaigns help ecommerce businesses acquire new customers and maintain loyalty among existing customers. It's important (in most contexts) that you gain your customers' consent for direct marketing.

If you're using a third-party email marketing service, it's also important that you make it clear that you'll be sharing your customers' data with this service.

A Privacy Policy is a requirement under the terms of some of these companies. For example, here's what Mailchimp requires in its terms:

Mailchimp Terms of Use: Privacy Policy requirement

  1. You will clearly post, maintain, and abide by a publicly accessible privacy notice on the digital properties from which the underlying data is collected that (a) satisfies the requirements of applicable Data Protection Laws, (b) describes your use of the Service, and includes a link to our Global Privacy Statement.

Website Analytics Services

You may wish to run analytics on your website in order to track your customers' and visitors' behavior. This can help you increase sales and drive traffic to your website.

The EU, in particular, is very clear that the types of information collected from individuals by web analytics can constitute personal information. Such services collect information about visitors' behavior on your site and what devices they use to access your site. This qualifies as "monitoring behavior" under EU law.

Besides which, maintaining a Privacy Policy is a prerequisite of using some analytics services, such as Google Analytics:

Google Analytics Terms of Service: Updated Privacy clause

7. Privacy.

You will not and will not assist or permit any third party to pass information, hashed or otherwise, to Google that Google could use or recognize as personally identifiable information, except where permitted by, and subject to, the policies or terms of Google Analytics features made available to You, and only if, any information passed to Google for such Google Analytics feature is hashed using industry standards. You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws, policies, and regulations relating to the collection of information from Users. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies, identifiers for mobile devices (e.g., Android Advertising Identifier or Advertising Identifier for iOS) or similar technology used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data. This can be done by displaying a prominent link to the site "How Google uses from sites or apps that use our services", (located at www.google.com/policies/privacy/partners/ , or any other URL that Google may provide from time to time). You will use commercially reasonable efforts to ensure that a User is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the User's device where such activity occurs in connection with the Service and where providing such information and obtaining such consent is required by law.

What Your Privacy Policy Should Cover

To ensure that you're handling your customers' personal data in a way that complies with any of the laws we've discussed, you'll need to have a Privacy Policy. You must make your Privacy Policy available to your customers so that they know, amongst other things:

  • What types of information you're collecting from them
  • How you'll collect it
  • What you'll use the information for

Writing a Privacy Policy is about more than just providing transparent information to your customers. It's a process that will help you make sure that your privacy practices are legal, ethical and safe.

Let's take a look at the things your ecommerce store's Privacy Policy will need to include.

Types of Information You Collect

As noted above, all ecommerce stores will collect personal information from their customers in various ways. Take this opportunity to think carefully about what information you need, and how you're getting it.

Your Privacy Policy should spell out exactly what types of information you collect, and how you collect it.

Let's take a look at how Amazon UK does this. Amazon breaks the personal information it handles into three broad types:

  1. Information customers provide to Amazon
  2. Information Amazon collects from customers automatically
  3. Information Amazon receives about customers from other sources

Here's a sample of how Amazon customers might provide Amazon with personal information:

Amazon UK Privacy Notice: Excerpt of Examples of Information You Give Us When You Use Amazon Services clause: How information is given

Then Amazon describes what personal information will be used, and how:

Amazon UK Privacy Notice: For What Purposes Does Amazon Europe Process Your Personal Information clause excerpt

Your Reasons For Collecting Personal Information

You've explained what personal information you collect, and how you collect it. You also need to explain why you need this information, and what you'll be using it for.

If you have EU customers, you should also disclose the legal basis on which you're collecting and using each type of personal information. There are six legal bases, and you can only collect or use a person's personal information if you have a legal basis to do so.

Here's an example from eBay UK's Privacy Notice:

eBay UK User Privacy Notice: Purposes and legal basis for data processing and categories of recipients clause

We process your personal data for various purposes and based on several different legal bases that allow this processing. For example, we process your personal data to provide and improve our Services, to provide you with a personalised user experience on this website, to contact you about your eBay account and our Services, to provide customer service, to provide you with personalised advertising and marketing communications, and to detect, prevent, mitigate and investigate fraudulent or illegal activity. We also share your information with third parties, including service providers acting on our behalf, for these purposes. In addition, we may share your personal data among eBay Affiliates in order to fulfil our contract with you under the User Agreement and, if applicable, the Payments Terms of Use.

eBay first gives its legal basis (consent) for using these types of information. It then gives the reasons that it needs to collect this information.

Third Parties You Share Information With

As noted above, a lot of different companies are likely to come into possession of your customers' personal information. In your Privacy Policy, it's only necessary to reveal the types of third parties you'll be sharing your customers' data with.

Here's how Toys R Us UK does this:

Toys R Us UK Privacy Statement: Disclosure of Personal Information to Third Parties clause

Disclosure of Personal Information to Third Parties

We may disclose your personal information to third parties for the purpose for which the information was collected or for related purposes, for example, to complete a transaction on your behalf or provide you with a product that you purchased. We engage third-party contractors to perform services for us which involves the contractor handling personal information we hold. For example, we currently engage third-party contractors to:

  • Deliver products purchased from this website.
  • Provide electronic funds transfer services, credit card account processing and related services.

In these situations, the third-party contractor is strictly restricted from using any prohibited personal information about you except for the specific purpose for which we have supplied. We may also disclose your personal information to various law enforcement agencies and governments around the world for security, to comply with a subpoena, customs and immigration purposes. Google may receive information about transactions conducted on this site for the purpose of product reviews or service reviews. Other than the above, we will not disclose your personal information without your consent unless disclosure is either necessary to prevent a threat to life or health, authorised or required by law, reasonably necessary to enforce the law or necessary to investigate a suspected unlawful activity.

You can list out specific third parties if you know them and want to, but it's not a requirement.

Privacy Rights and Opt-outs

No matter where your customers are based, your Privacy Policy should contain information about how they can opt out of receiving certain communications from you.

Here's an example of how to do this:

Home Depot Privacy Policy: Your Privacy Preferences clause

YOUR PRIVACY PREFERENCES

You can register or change your preferences to receive or not receive marketing communications from us by visiting our Manage Privacy Preferences page or emailing us. Please allow sufficient time for your preferences to be processed. Even if you opt out of receiving marketing messages, we may still contact you for transactional purposes like confirming or following up on an order or service request, asking you to review a product or service you have ordered, or notifying you of product recalls. If you later opt back into getting marketing communications from us, we will remove your information from our opt-out databases.

Registered website users can update their information at the Your Account section of our website. If you are not a registered website user, you can contact us by email.

To manage how we use cookies and other tracking tools, please click here.

As noted above, if you're using Google AdWords this service also requires you to provide an opt-out from remarketing.

Grey Ltd Interiors does this with a separate Google Privacy Policy:

Screenshot of full text of Grey Ltd Google Privacy Policy

PRIVACY POLICY

GOOGLE PRIVACY POLICY

This website has implemented Google Analytics display advertising features including remarketing, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. This website uses remarketing with Google Analytics to advertise online. These ads may be shown to third-party vendors, including Google, on sites across the Internet.

This website and third-party vendors, including Google, use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on visitors past visits to this website. These cookies are also used together to report on ad impressions, ad services, and related visitor interactions with this site. This site uses data aggregated from Google's Interest-based advertising or 3rd-party audience data (such as age, gender, and interests) for general website reporting and improvement, and possibly for ad remarketing lists.

Using Ads Settings provided by Google, visitors of this site can opt-out of Google Analytics for Display Advertising and customize Google Display Network ads.

Google also provides website visitors Google Analytics' opt-outs for the web, which provides a browser add-on for opting out of Google Analytics tracking altogether.

The situation is more complicated if you have EU customers, who have a lot of control over what you can do with their personal information. The GDPR provides eight data rights that EU citizens can access in relation to their personal information. If you serve EU customers, it's your job to help facilitate these.

Here's an example of how these rights can be presented:

Next Privacy Policy: Data subject rights clause

  • Right of access - You have the right to request a copy of the personal information that we hold about you.
  • Right to rectification - If you think any of your personal information that we hold is inaccurate, you have the right to request it is updated. We may ask you for evidence to show it is inaccurate.
  • Right to erasure - (also known as the Right to be Forgotten) - You have the right to request that we delete your personal information that we hold.
  • Right to restriction of processing - You have the right to request we restrict or suppress the personal data we hold about you.
  • Right to data portability - You have the right to ask us to electronically transfer your personal information to another organization in certain circumstances.

Other Required Information

In addition to the above, your Privacy Policy should contain the following information:

If you have customers in the EU, include information about the following:

  • How long you store different types of personal information
  • Your customers' right to lodge a complaint with a Data Protection Authority
  • If you're relying on the legal basis of legitimate interests, details of your Legitimate Interests Assessment
  • If you're transferring personal information from the EU to a non-EU country, you need to let your customers know about this.

If you have customers in California, include information about:

Where to Display Your Privacy Policy on Your Ecommerce Store

Once you've written your Privacy Policy, you'll need to make it accessible to your customers. There are several ways you can do this.

On Your Website

A common best practice and way to help ensure compliance is to link to your Privacy Policy on your website's landing page. Typically this will be in a footer that persists on every page.

Here's an example from Misfits Market:

Misfits Market website footer with Privacy Policy link highlighted

You should present your Privacy Policy when your customers sign up for an account, and/or at the sign-in screen.

Here's how Misfits Market handles this:

Misfits Market sign-up form with Privacy Policy link highlighted

Another place to display your Privacy Policy on your website is at checkout if you have an ecommerce component, as well as when you request users give you their information for marketing purposes.

Here's an example that combines both of these, from Tervis:

Tervis checkout form with Privacy Policy link highlighted

In Your Mobile App

App marketplaces such as Google Play Store and Apple's App Store have particular requirements about where to place your Privacy Policy within your app.

For example, in the Google Play Store it'll appear under the "Developer contact" section of the install page.

Screenshot of Amazon Shopping app Google Play Store listing

You'll also need to present your new customers with your Privacy Policy when they sign up to use your service.

Here's an example from ecommerce app Shpock:

Shpock app sign-up and accept Terms of Service and Privacy Policy screen

You should also make your Privacy Policy accessible from within the app, for example from the "About" or "Help" menu.

Here's an example from the Audible app:

Screenshot of Audible app Settings menu with Privacy Notice highlighted

Your customers should have the chance to read your Privacy Policy when making a purchase through your app.

Here's an example from the Google Play Books store:

Screenshot of Google Play Books store checkout page

Here's another from Amazon:

Screenshot of Amazon app checkout page

Other Locations

When you send your customers emails, you should include a link to your Privacy Policy in the emails. You should make especially sure that it's present in marketing emails.

You can make this part of your standard email footer, like The Economist does:

Screenshot of the email footer from The Economist with Privacy Policy link highlighted

You should also ensure that you link to your Privacy Policy within other legal agreements like your Terms and Conditions agreement.

For example, Walmart includes a section about its Privacy Policy in its Terms of Use:

Walmart Terms of Use: Privacy clause

13. Privacy

You acknowledge that any personal information that you provide through the Walmart Sites will be used by Walmart in accordance with Walmart's Privacy Policy (available at http://corporate.walmart.com/privacy-security/walmart-privacy-policy), which may be updated by Walmart from time to time. If you purchase an item on Walmart.com sold by a Marketplace Retailer or a Walmart supplier, Walmart may share certain information with that Marketplace Retailer or supplier to permit the Marketplace Retailer or supplier, as applicable, to fulfill and ship your order, process returns, and provide customer service.

Linking to your Privacy Policy in your Terms and Conditions agreement is a good way to make sure that your customers have an opportunity to read both.

As mentioned, a Privacy Policy is legally mandatory, but a Terms and Conditions agreement isn't.

We'll discuss Terms and Conditions in more detail in the next chapter.

Case Study

Baths by Bridget is a Canadian bathroom company that sells baths, sinks, and showers. It ships domestically in Canada, and also to the U.S., the UK, and Germany. Baths by Bridget, therefore, has to write a Privacy Policy that complies with:

  • Canada's PIPEDA privacy law,
  • Privacy law in the U.S., and
  • The EU's GDPR

Baths by Bridget uses Google AdWords to run remarketing campaigns. This service uses targeted advertising cookies. The website also logs IP data about its visitors to test the website's functionality and find out how visitors are discovering the site.

The company uses a third-party ecommerce store, BigCommerce, to fulfill sales. When making a purchase, customers need to provide their email address, name, billing address, shipping address, telephone number, and payment card details.

It also asks its customers to consent to receive direct marketing emails and uses Mailchimp to run email direct marketing campaigns.

Baths by Bridget takes advantage of BigCommerce's "abandoned cart" feature. If a customer has registered with the site, added a product to their shopping cart, but failed to complete the sale, they'll receive an email asking them if they want to go through with the purchase.

In its Privacy Policy, Baths by Bridget needs to make certain things clear:

  • The contact details for Baths by Bridget (the "data controller" in EU terms)

  • How it collects information:

    • Some of it is volunteered by the customer, and some of it is collected via the customer's browser information

  • Why it needs this information:

    • To fulfill sales
    • To run effective advertising
    • To improve the functionality and security of the website
  • Its legal basis for collecting the information:

    • The legal basis for collecting payment information is to enter into and fulfill a contract with the customer
    • The legal basis for running targeted advertising is that the customer has consented (if they have consented)
    • The legal basis of improving the functionality of the website is that it is in Baths by Bridget's legitimate interests
  • What types of third parties it shares this information with:

    • Google, and Google's third-party advertising partners in the case of cookie data
    • An ecommerce platform (BigCommerce) in the case of shipping and billing data
    • An automated email marketing service (Mailchimp) in the case of email marketing
  • How long it will be storing personal information

  • The fact that it transfers its EU customers' personal information to a non-EU country (Canada)

  • The rights that its EU customers have over their personal data, and how to exercise these rights

  • How its website responds to Do Not Track requests

There may be additional requirements to meet as privacy laws develop. Consider this a living outline that will change depending on your unique circumstances and the current state of the laws of the land.