On this page
Growing Your Ecommerce Store
Privacy runs through every aspect of ecommerce. Alongside the more conventional ways of promoting your ecommerce store, you might decide to use innovative marketing tools such as analytics, session recording and remarketing. There are additional, more complex privacy implications when it comes to using these tools.
Analytics is a broad term encompassing a number of different techniques used to measure and analyze data about your website. This data may or may not constitute personal information, depending on:
- The nature of the data you collect
- How personal information is defined under the relevant privacy laws
- The steps you take to ensure that individuals are not personally identifiable from the data you collect from them
There are two important principles that you should try to remember at all times:
- You must maintain control over what you're collecting, and
- You must be transparent with your customers about it
Analytics and Privacy Law
Analytics platforms use third-party cookies. It's essential that you're upfront about this, and seek consent where necessary.
Here's how you can implement this:
It's best to get consent to use Google Analytics if you have EU customers.
Here's how TrendMD does this:
Note that it's just as easy to select "Yes" as it is to select "No." This is a really good practice under the GDPR.
It's also possible to make various adjustments to how you collect analytics data in order to minimize the amount of personal information you're collecting.
Under Article 25 of the GDPR, you must keep the amount of personal information you collect to an absolute minimum.
Analytics software provider Adobe Analytics allows users to label the different types of data they collect so as to maintain control over how it is used:
Session Recording Tools
Session recording is a type of analytics technology which allows you to view your customers' activity on your website in detail by actually recording and replaying their session as they move their mouse pointer around, click links and enter information into forms.
This can allow you to see exactly where visitors might get "stuck" on your website, shows which areas of your website might be difficult to find, and helps you put analytics data into context.
As you can imagine, there are serious implications here for your customers' privacy. If the proper safeguards aren't put in place, it will seem like you are "spying" on people as they move around your site.
Session Recording Tools and Privacy Law
The companies offering session recording tools are very conscious of this potential privacy threat, and many pride themselves on apparently being GDPR-compliant. EU privacy law is seldom straightforward, but many of these services have clearly done their homework.
Note that "third parties" here refers to third parties other than the company itself - which is, of course, a third party in relation to your customers.
You can provide some instructions to your clients in a way that ensures they are using the software in a legally compliant way:
You can also explain such things like all IP addresses being anonymized or excluded automatically within the EU. For businesses operating outside of the EU, IP address anonymization is optional.
When EU courts rule on what constitutes personal information, they tend to make very broad interpretations. Monitoring your customers' behavior on your site can render them identifiable under certain circumstances, even where safeguards are in place. Therefore, it is safest to earn your customers' consent for session recording technology.
Different session recording services approach GDPR compliance in different ways. Tracking tool Hotjar, which also offers session recording, has drawn up a Data Processing Agreement:
It's necessary under Article 28 of the GDPR for a data controller to have a legally binding agreement with any data processors. Hotjar has set this out very explicitly for its clients.
Another similar service, Inspectlet, has conducted a Privacy Impact Assessment in order to ensure GDPR compliance. This is a requirement under Article 35 of the GDPR for processing involving new technology.
Here's part of Inspectlet's Privacy Impact Assessment where it discusses the measures it takes to anonymize IP addresses:
Technical and security measures
All data is encrypted during transmission and collected data is stored encrypted at rest using AES encryption. If the Customer has enabled IP address anonymization, the last two octets of the IP address will be removed and not be available to the user nor Inspectlet. Backups of data collected are made routinely and tested occasionally to verify restore procedure functionality. All data is physically stored only in AWS data centers meeting ISO 27001 compliance.
Inspectlet has decided that removing the last two octets of IP addresses will help ensure that users' personal information is not revealed. This is one of the methods suggested by the Internet Engineering Task Force's Internet Area Working Group (IntArea) for anonymizing log data in a GDPR compliant way:
Session recording technology does represent a considerable privacy risk if not used carefully. However, the examples above show that companies offering such tools do take privacy seriously.
Remarketing (retargeting) is a method of using cookies to display ads to your users after they've left your site.
If you've ever added a product to your cart and then abandoned the purchase, you might have spent the next few weeks noticing ads for that product pop up in unexpected places. This is no coincidence. The ecommerce store most likely placed a cookie on your device that followed you around the ad network to tempt you into completing the sale.
This is a highly effective marketing technique, but your customers might find it a little creepy. However, with the right privacy protections in place you should be able to put their minds at rest.
Remarketing and Privacy Law
Here's how Clickseed fulfills this requirement:
This website uses Google AdWords & Facebook Remarketing Tags
You can opt-out of remarketing by visiting the links below:
For Google: https://support.google.com/ads/answer/2662922?hl=en
For Facebook: https://www.facebook.com/ads/website_custom_audiences/
You should give your customers a choice about whether they want to be subject to remarketing. You can do this by seeking their consent in the same way that you've sought their consent for other types of cookies.
You then can use a tool such as Google Tag Manager to ensure that you're excluding customers from remarketing where they have not opted in (or perhaps where they have opted out, if they're outside of the EU).
Perfect Pasta is an Italian food company that sells dried pasta through its ecommerce store. It hopes to promote its business and improve its website through the use of analytics and tracking technologies.
Perfect Pasta should be sure to:
- Make absolutely sure that any third-party services it uses to provide this service are GDPR-compliant
- Only conduct business with such third parties under a clear and legally-binding contract
- Earn its customers' consent to be subject to such marketing techniques
- Offer any customers that have opted in a clear method by which to opt out
- Use such technologies in a responsible way that keeps the amount of personal information collected to a minimum
Note From the Editors
As your business grows and changes, and as you enter into new business relationships, your company's policies will remain the backbone of your dealings with the public and with legal authorities. Paying attention now and creating the most compliant policies in line with legal requirements will help you consistently save time, effort and money in the future so you can focus on the more enjoyable, exciting aspects of running your unique business.
We wish you the best in your business endeavors, and want to remind you that you can return to the relevant chapters of this book at any time to make sure you're getting it right. And you can always visit our TermsFeed blog for the most up-to-date and relevant information on the ever-changing legal and regulatory landscape.