What is an ecommerce privacy policy?
Also known as a “privacy statement” or “privacy declaration,” a privacy policy is a statement that explains how a company collects, handles, stores, shares, and protects the personal (and often sensitive) information that customers disclose through their interactions with a website.
The words “privacy policy” probably conjure up images of grayed-out, minuscule links at the bottom of a website. Truth be told, it’s probably ignored by most site visitors, but it’s a legal document that’s crucial for any website — especially for an ecommerce store. It not only reassures customers that their private data will be protected, but it also helps you meet regulatory requirements.
Since the privacy policy is a legal document, it can be tricky to understand as a retailer and confusing to write by yourself. You have to assess how you treat customer data, all while making sure that you’re acting in line with government regulations. Plus, you have to communicate your policy in a clear and transparent way that customers can understand.
Writing and implementing a privacy policy is no easy task, but the tips below will help you understand exactly what an ecommerce privacy policy is, why you need to create one, what your privacy policy should include, what data to collect, and how to comply with international guidelines.
Why you need to create a privacy policy
Before we get into how to craft your privacy policy, let’s first get into the why. Here are the top reasons a privacy policy is necessary for ecommerce businesses.
1. It’s required by law
First and foremost, a privacy policy is required by law in the United States, Canada, the European Union, Australia, and other jurisdictions around the world, as explained further below.
In addition, ecommerce store owners need to both limit their risk as well as manage the expectations of their customers to avoid any misunderstandings.
2. It builds trust with customers
As an ecommerce store, you will undoubtedly be collecting personal information from customers and visitors to your site such as name, age, address, email and credit card details. For obvious reasons, many will want to know that this information is in safe hands, so an accessible privacy policy on the website will demonstrate your commitment to security while helping to build confidence in your website and business.
3. You need a privacy policy to use certain apps or services
Not only is a privacy policy critical to ensuring that you gain customer trust and that legal requirements are met, but many third-party apps and services also require it — like Google. In order to access certain services and tools like AdSense, Google Analytics, etc., Google requires that you have an up-to-date, comprehensive privacy policy in place on your website.
According to the Google Analytics terms of use:
“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service.”
4. It gives you legal protection
Finally, a privacy policy also offers some protection against lawsuits from customers as well as other businesses. If your ecommerce site is sued, you can show that you had a publicly stated privacy policy that clearly declared what you do with the sensitive information you collect. The protection only holds if your actual practices match the policy: a stated policy that your systems do not follow is itself grounds for enforcement action.
What your privacy policy should include
An effective privacy policy will clearly identify the types of data collected through your store, how and why it’s collected, and how it’s recorded, stored and deleted. But there will also be factors that are unique to your ecommerce store that determine what specific privacy protections you need for your policy.
The details of your policy will depend on things like the way you advertise, the products you sell, who your customers are, how you collect payment information, and how payment processors and other third parties are involved with your site and your data.
For example, Gap.com lets unregistered “guest” shoppers start with just an email address, but once they reach the checkout page they must disclose a great deal of personally identifiable information.
All of that data is personal data, and its collection should be disclosed in your ecommerce store privacy policy. (Gap does this in its own policy.)
When deciding what to include, start by making a list. While this will be individual to each merchant, there are general guidelines that every policy should follow, most of which are required by law.
1. What kind of information is collected
Specify the types of information that you collect from visitors and customers, and also talk about why you’re collecting that data and how users’ information is being used. For instance, if you’re collecting people’s email addresses, your privacy policy should explicitly say that, and mention that email addresses are required for communication purposes.
Walmart’s privacy policy does an excellent job here. The retailer talks about customer data in both general and specific terms, so users have a clear understanding of what data is being used and how Walmart handles their information.
2. Data stored on the user’s device
You should also explain whether your site leaves data on a user’s computer. The main example is cookies, which are often used to track visitors’ browsing habits, make it easier for returning customers to log in, and remember which products were added to the shopping cart. If you offer the option of declining cookies, tell users which site features will not be available to them as a result.
Here’s an example from Storkie.
3. The circumstances in which data may be released
On certain occasions, you may have to comply with lawful requests (e.g., court orders, subpoenas, or warrants) to hand over user data. As such, your privacy policy must describe the situations in which visitor or customer data may be released.
Walmart, once again, is doing this well. The company’s privacy policy explains that Walmart may share users’ personal information in special circumstances, and it even lists some examples of situations in which they may share user data.
If user data is sold or shared with third parties, your privacy policy should include an opt-out option for customers who don’t want their information disclosed to others.
4. Third parties that collect data through your site
Also, if you allow third parties to monitor the activities of your customers (for example, Google Analytics, AdSense, AdRoll, or YouTube embeds), your privacy policy has to include a clause that identifies those third parties and explains how they collect and use your customers’ data.
Consider this example from GAP.
5. Users’ ability to view or modify their information
Your privacy policy should also contain a section detailing how customers can review the information a website has collected from them, as well as how they are able to change or delete that information.
It should give consumers a chance to change, edit, or delete their own personal data, as well as the choice to opt out of sharing their data with you. Here’s an example of an opt-out clause from Bed Bath & Beyond’s privacy policy:
6. A “Business Transfer” clause
It’s a good idea to include a section in your privacy policy that details what will occur if you sell or merge your business with another company. Known as a “Business Transfer” provision, this clause should discuss what would take place if the ownership of the business changes, and the steps that your company will take to transfer the ownership of user data.
As an example, have a look at Wayfair’s clause:
7. Age requirements
If you’re selling adult or sensitive products, you may need to have a clause specifying the minimum age for users to view your website.
Consider the privacy policy of the cannabis retailer MedMen, which explicitly states that its website is intended for adults over the age of 21. It also has a clause concerning children, which states that MedMen will delete a user’s personal information if it learns or suspects that the individual is under the age of 13.
8. Who to contact for privacy concerns
Your policy should also provide contact information for the people responsible for upholding your privacy procedures. Consider creating a special address for this purpose — e.g., “privacy@yourcompanyname[dot]com”
This is exactly what Kohl’s does in its privacy policy.
9. The policy’s effective date and last update
This one is pretty self-explanatory. Be sure to keep your privacy policy updated. Log any changes that you’ve made and always display when the last update took place.
Here’s an example from Nordstrom Rack:
How to create your privacy policy
Once you’ve created that list of what to include in your privacy policy, it’s time to turn it into a document. You have a few options when it comes to the actual creation of the policy, including:
Hire a lawyer
If you have the funds, you can hire an expert or a lawyer to help you draft your privacy policy. Many will often look around at competitor sites and tweak the policy to suit their own business. Make sure the lawyer has experience in international data protection law and check that they’re up-to-date with requirements.
If you’re on a budget but still want legal help, consider using a service such as LegalZoom, which enables you to schedule a consultation with an attorney.
For a flat fee, a LegalZoom Business Legal Plan lawyer will draft your documents. Pricing starts at $399, but note that this price applies to basic (i.e., information only) websites. Ecommerce website privacy policies will likely cost more.
Use an online privacy policy generator
There are a variety of online options that will generate a policy for your specific needs. However, you must be certain that the service offers custom options backed by verifiable legal expertise.
A good example of a privacy policy generator is the one from TermsFeed. All you need to do is start the tool, enter the information about your website and app, then answer a few questions about your business. The Privacy Policy Generator will then create a custom document that you can download as either HTML or plain text.
DIY template
For those who have neither the time nor the budget, many sites provide privacy policy templates that let business owners produce a policy quickly and painlessly. Use the information about legal requirements detailed here, and check that the finished document meets those requirements and states your actual practices correctly.
TermsFeed has a handy privacy policy template that you can download as a PDF, an MS Word file, or a Google Docs document.
Know the privacy laws affecting your ecommerce store
Most countries have privacy legislation that require businesses to have a privacy policy in place, but some places have stricter rules than others. While they vary in some ways, one thing is for sure — if you operate a website anywhere in the world, it’s critical that you have a privacy policy in place that adheres to the laws in the regions where you operate and where your website users live.
The United States
In the US, the National Conference of State Legislatures (NCSL) has published a guide to privacy laws in all 50 states and the US territories. It covers state privacy laws on customer browsing information, personal information collected and managed by ecommerce and other platforms, children’s online privacy, and privacy issues that may apply to online purchases and other online activities.
When it comes to children’s online privacy, the US has some of the strictest regulations thanks to the Children’s Online Privacy Protection Act (COPPA), which was passed to address the rapid growth of online marketing techniques that were targeting children.
It requires operators of websites geared towards kids under 13 years old to “obtain verifiable consent from parents prior to the collection, use, or disclosure of personal information from children.”
The Federal Trade Commission has provided a step-by-step plan for determining if your company is covered by COPPA — and how to comply with the Rule.
CalOPPA
While there is no single governing privacy law in the US, California’s CalOPPA imposes some of the strictest disclosure requirements in the country. CalOPPA isn’t a federal law, but it most likely still affects your website regardless of where you operate from, because you will almost certainly attract California residents. It requires that websites and apps collecting personal information from California residents conspicuously post their privacy policy.
A privacy policy must include the following information in order to comply with CalOPPA:
- Details of the types of personal data collected through the website or app
- Any affiliated organizations this data may be shared with
- A clear explanation of how users can request changes to any personal data that is collected
- How users will be informed of any changes to the privacy policy
- The privacy policy’s effective date
- What happens if a user makes a “Do Not Track” request
- Disclosure of third parties who collect personal data through the website or app
It’s also suggested that you include a “do not track” clause that tells users whether your website or app will respond to a DNT request. DNT is a browser setting that sends a “DNT: 1” header asking sites and third-party services (for example, advertising networks) not to track the user; honoring it is voluntary, and most services ignore it, which is exactly why CalOPPA requires you to state what you do with it.
Canada
Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA). It’s a federal law that governs how businesses collect and use personal data.
PIPEDA states that any organization covered by the law must get the user’s consent whenever they collect or share the individual’s personal data. PIPEDA also gives users the right to access their personal details and they may challenge the accuracy of their data. Furthermore, the law mandates the information “can only be used for the purposes for which it was collected.” This means that if you are intending to use your visitors’ or customers’ data for another purpose, you need to obtain their permission again.
GDPR
In 2018, the EU Data Protection Directive, in force since 1995, was replaced by the General Data Protection Regulation (GDPR). The GDPR requires all companies operating in the EU, along with those that handle the personal data of individuals in the EU, to have a privacy policy and to ensure personal information is obtained and processed fairly and transparently.
Enforcement under the GDPR is far stricter than under the Directive, and the penalties for non-compliance are much larger. To comply, the privacy policy must be easily accessible and written in plain language. Consent is one of several lawful bases for processing, but where you rely on it (for example, for marketing cookies or newsletters), it must be freely given, specific, informed, and unambiguous: pre-ticked boxes or silence do not count, and users must be able to withdraw consent as easily as they gave it.
Australia
While Australia’s Privacy Act 1988 requires businesses collecting personal information online in Australia to have a privacy policy, it’s not quite as strict as the GDPR.
Current Australian law requires that if you use cookies, your privacy policy must disclose how the information is stored and what it is used for. However, unlike under the GDPR, notification and active consent aren’t required. If a significant amount of your business comes from the UK and EU, you might want to modify your website to show a cookie notice to visitors from those regions that they must accept or decline before any non-essential cookies are set.
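The CalOPPA “do not track” clause above and the region-dependent cookie notice just described both come down to the same decision in code: should this visitor’s browser load third-party tracking scripts at all? The following is an added example (it is not code from the original article or from any retailer it names) showing one way to make that decision. It honors the browser’s DNT signal and its successor, Global Privacy Control (sent as the `Sec-GPC` header and exposed as `navigator.globalPrivacyControl`), requires recorded consent for visitors in consent-required regions, and treats consent given under an earlier version of the policy as stale, which ties the “last updated” date from the policy to the consent record. The region codes, the consent cookie format, the policy date, and the assumption that the store has already geolocated the visitor are all illustrative assumptions, not anything the article specifies.

```javascript
// Added example, not code from the original article or from any store it
// names. Gates third-party tracking on a browser opt-out signal and on
// recorded consent, and invalidates consent given under an older policy.
// The region codes, cookie format and policy date below are assumptions.

// Effective date of the policy currently posted (assumed). ISO format means
// plain string comparison orders dates correctly.
const POLICY_EFFECTIVE_DATE = "2024-03-01";

// Regions where non-essential cookies need prior consent (assumed codes).
const CONSENT_REQUIRED_REGIONS = new Set(["EU", "UK"]);

// Parse the consent cookie. Assumed format: URL-encoded JSON of the form
// {"v": "<policy date consented to>", "analytics": bool, "ads": bool}.
// Anything malformed is treated as "no consent recorded".
function parseConsent(cookieValue) {
  if (!cookieValue) return null;
  try {
    const c = JSON.parse(decodeURIComponent(cookieValue));
    if (typeof c.v !== "string") return null;
    return { version: c.v, analytics: c.analytics === true, ads: c.ads === true };
  } catch {
    return null;
  }
}

// Decide what may load for a visitor. The `visitor` object carries:
//   doNotTrack           navigator.doNotTrack in the browser, or the DNT
//                        request header on the server ("1" = opt out)
//   globalPrivacyControl navigator.globalPrivacyControl, or the Sec-GPC
//                        request header (true = opt out)
//   region               assumed to come from the store's own geolocation step
//   consentCookie        raw value of the consent cookie, or null
function trackingDecision(visitor) {
  const deny = (reason, prompt) => ({ analytics: false, ads: false, prompt, reason });

  // A browser-level opt-out is honoured everywhere, with no banner.
  if (visitor.doNotTrack === "1" || visitor.globalPrivacyControl === true) {
    return deny("browser opt-out signal", false);
  }

  const consent = parseConsent(visitor.consentCookie);

  // Consent given under an earlier policy does not cover the current one:
  // block tracking and ask again rather than silently carrying it over.
  if (consent && consent.version < POLICY_EFFECTIVE_DATE) {
    return deny("consent predates current policy", true);
  }

  if (CONSENT_REQUIRED_REGIONS.has(visitor.region)) {
    if (!consent) return deny("consent required but none recorded", true);
    return { analytics: consent.analytics, ads: consent.ads, prompt: false, reason: "recorded consent" };
  }

  // Notice-only regions: a recorded choice still wins; otherwise default on.
  if (consent) {
    return { analytics: consent.analytics, ads: consent.ads, prompt: false, reason: "recorded choice" };
  }
  return { analytics: true, ads: true, prompt: false, reason: "notice-only region, no choice recorded" };
}

// Build the Set-Cookie value that records a visitor's choice against the
// current policy version. One-year lifetime; Secure and SameSite=Lax so the
// cookie is sent only over HTTPS and not attached to cross-site POSTs.
function buildConsentCookie(choices) {
  const value = encodeURIComponent(JSON.stringify({
    v: POLICY_EFFECTIVE_DATE,
    analytics: choices.analytics === true,
    ads: choices.ads === true,
  }));
  return `consent=${value}; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}
```

In a page, you would call `trackingDecision` before injecting the analytics or ad scripts and show the banner only when `prompt` is true; on the server, the same function can run against the `DNT`, `Sec-GPC` and `Cookie` request headers so the tracking tags are never emitted in the HTML in the first place. Stamping the consent record with the policy’s effective date is the design choice worth copying: when the policy changes, every older consent automatically expires instead of relying on someone remembering to clear cookies.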
Additional ecommerce privacy policy best practices
Aside from having relevant and accurate information in your privacy policy, you also want to present your policies in such a way that they’re easy to find and understand. This is particularly important in this day and age, when people are a lot more sensitive about their privacy.
Consider the following tips.
Make your privacy policy easy to find
Ensure that visitors can easily locate your privacy policy no matter where they are on your site. Follow the common practice of adding a privacy policy link in the footer of your site, so that it’s visible from any page.
You should also consider linking to your policy on relevant pages of your site — such as your Terms & Conditions, FAQs, etc.
Keep it simple
A privacy policy should be written in a straightforward language so that it is easy to understand and helps to instill a sense of trust. A policy that is complex and full of technical jargon may scare off visitors to your site.
Consider Nordstrom Rack’s privacy policy, which uses plain language when explaining its terms. The page even contains jump links so users can quickly navigate to the section of the document that concerns them.
Keep it updated
Your privacy policy isn’t something that you can just set and forget. Consumer privacy and protection laws change over time, and so do the third-party services you embed, so your policy should evolve as well. Make it a point to review it at least once a year, whenever new laws are enacted, and whenever you add a new tracker or data recipient. And as mentioned earlier, see to it that your policy clearly states when it was last updated.
The bottom line
A privacy policy is a critical part of any website’s legal framework and should be made a top priority. Not only is a clear, compliant, easily accessible privacy policy necessary to protect you as an ecommerce company in terms of addressing misunderstandings and potential lawsuits, but it acts as an effective means of being transparent and credible, keeping you accountable for the sensitive data you collect, and building trust with your customers and visitors to your site.