Nearly every website is subject to various privacy laws around the world, including ecommerce websites. If you own or operate an ecommerce website or store, you must comply with privacy laws where your online shoppers live.
If you're feeling lost in the legislation, this article will go into detail about Privacy Policies, the rules and regulations enforcing them, and how you can ensure your site is compliant with all applicable laws.
- 2. Why are Privacy Policies Required?
- 3. Know the Privacy Laws Affecting Your Ecommerce Store
- 3.1. CalOPPA and Your Ecommerce Store
- 3.2. The GDPR and Your Ecommerce Store
- 3.3. Third Party Requirements Affecting Your Ecommerce Store
Protection of personal consumer information is the goal of privacy laws. Because more and more websites are collecting personal information to perform or improve online services, laws have been enacted to control and protect that information.
Your ecommerce store likely collects names and email addresses for customer registration, and address and payment details for transactions. But this is only the beginning.
Your store almost certainly interacts with third-party technologies such as Google Analytics, AdSense, a blog platform or a live chat tool. Third-party services such as these collect additional information from your online shoppers, such as IP addresses, locations, browsing activities and more.
All of this information is protected by privacy laws.
Your Privacy Policy also should provide contact information for the departments and individuals responsible for upholding your privacy procedures, as well as instructions for customers to access, modify or transfer their personal data.
Furthermore, it should give consumers a chance to change, edit or delete their own personal data, as well as the choice to opt out of sharing their data with you.
Why are Privacy Policies Required?
Know the Privacy Laws Affecting Your Ecommerce Store
If you're in the US, it might surprise you to learn that there are no overall federal privacy protection laws in place for ecommerce stores.
This differs quite drastically from other countries like Canada, Australia and the member states of the EU where there are strict laws in place to protect consumer data and privacy.
However, the state of California enacted one of the strictest privacy laws anywhere in the world. The California Online Privacy Protection Act of 2003 (CalOPPA) applies to any commercial website (like your ecommerce store) that collects personal information from California residents.
This means that regardless of whether your ecommerce store is based in California or not, you must comply with CalOPPA if California residents visit your online store.
CalOPPA and Your Ecommerce Store
- The types of personal information that are collected by your store.
- Whether you share personal information with third parties and why.
- How website visitors can request to edit, transfer or erase their personal information.
- How your site intends to respond to Do Not Track requests.
- Information regarding your complaints/disputes procedures.
Grocery retailer ALDI provides a separate clause addressing California residents and a link to this clause from its home page footer. Here's a look at the footer link:
The GDPR and Your Ecommerce Store
Another important law to be aware of is the General Data Protection Regulation, or GDPR, in effect as of May 2018.
The GDPR was enacted to provide higher levels of privacy protection and rights to EU consumers. It aims to do this by introducing stricter rules and tougher penalties for any business found to be in violation of the law.
The benefits of this are twofold:
- With stricter rules, consumers can feel more assured that their personal data won't be used for any unscrupulous activity and they will have higher levels of control over their data.
- Increased penalties act as an incentive for businesses to ensure they're compliant with the GDPR.
Though the GDPR was created and implemented by the EU, it very likely applies to your online store even if you're based outside of the EU.
If your store controls and/or processes data provided by consumers living in the EU, you are required to comply with the GDPR.
The best way to determine whether the GDPR applies to your ecommerce store is by asking yourself if your company is operating in the EU market.
Don't make the mistake of thinking that just because you have no significant presence within the EU, you aren't reaching its citizens. If you offer goods and services to the EU, or if your site has collected data on EU citizens, you must comply with the GDPR.
- It must be easy to read and understand by an average reader, without including any overly technical or legal jargon.
- It should contain contact information for the Data Controller or Data Protection Officer (if applicable) who's responsible for overseeing your compliance with the law.
- It should disclose whether the collected data will be used for automated decisions made on behalf of your company.
- It should let your users know about the rights they're entitled to under the GDPR, like the right to view and edit their personal data.
- It should disclose whether users are obligated to provide personal data (such as an email address) in order to properly use your services.
- It should explain whether collected data will be shared with third-party services or affiliated organizations, and why.
The GDPR includes strict and broad requirements for educating EU residents about how you use their personal data and what rights your EU users have in regard to this.
Third Party Requirements Affecting Your Ecommerce Store
The moment someone visits your ecommerce store or app, personal data and browsing information are collected and processed. Some examples of the data commonly collected are:
- Browser history. Most online stores collect user browser history to enhance the browsing experience such as with personalized advertisements or remembering user activities.
- Website logins. When a user registers for an account with your store, your site is able to collect and store that login information. If cookies are enabled by the user, the login and account information are automatically remembered for the shopper's convenience the next time the user visits your store.
- User location. Most ecommerce stores have the ability to collect IP addresses from the computers or mobile devices that access them, and IP addresses are considered to be personal information.
- Other personal information. Personal information pertains to anything that could potentially identify someone, such as an individual's name, address, gender, birthdate, place of birth, contact information, ID number, credit records, financial information, medical history and even marital status.
Here's an example taken from Indigo Fair's online store, with information about the types of data it collects.
The section is rather detailed, distinguishing the types of information collected by the methods used to collect it. These methods include information shoppers voluntarily give to the company, information collected automatically and information collected from other websites.
Privacy laws require you to disclose all of the types of personal information you collect from your online shoppers and how you collect it. They also require you to disclose why you collect personal data.
Why is the Data Collected?
Data tracking and management is important to every ecommerce store, particularly for marketing and transaction purposes.
The more data you have about your customers, the more knowledge you have about them, and the more you can tailor your product advertising to better suit them.
Knowing what products your shoppers view, which ones they purchase, their preferred payment methods and sites they visit when they leave your store gives you powerful information to entice them to return.
This type of data allows you to remarket to your shoppers with ads tailored to their browsing behaviors and preferences, and make future purchases fast and convenient for them.
However, privacy laws require you to let users know how their data is used.
Data Collection for Online Purchases
MOO also includes a clause for Payment Information, which is a good idea for all ecommerce stores. Because the risks to consumers of identity theft or financial account hacking are of such concern, letting your customers know how you handle their payment information is good for customer relations.
Data Collection for Marketing
Data also can be collected for a purpose known as 'remarketing' or 'retargeting' campaigns. This is a clever and increasingly popular way for businesses to reconnect with shoppers who have visited an ecommerce store, whether or not they made a purchase.
- Answer a few questions about your business:
- Add your website or app information:
- Answer a few questions about what information you collect from your users:
- Select options for how your users can contact you:
- It must explain why that data is needed.
- It must be easy to find, and accessible from a clearly visible link.
- It must be written in plain and simple language so the average reader can understand it.
- You must let users know they can opt out of sharing their personal data with you and revoke consent.
- It must include the most recent effective date of the policy.
- If you target EU residents, you may need a separate Cookies Policy, as well as a separate link to your Cookies Policy.
- If you target California residents, you need to disclose your procedures for handling Do Not Track requests.
By familiarizing yourself with the privacy laws governing your ecommerce store and following these guidelines, you will be positioned to protect yourself from legal liabilities.