Every website interacts with and collects data about its visitors in one way or another, but this is even more true of an ecommerce store. Ecommerce sites typically collect personal data such as names, email addresses, IP addresses, session activity and payment details, to name just a few examples.
- Inform users about private data collection and how it’s used
- Provide users with the choice to opt out of data collection
- Let users access the collected data or contest its accuracy
- Reassure users that their data is safe and secure
1. It’s required by law
In addition, ecommerce store owners need to both limit their risk as well as manage the expectations of their customers to avoid any misunderstandings.
2. It builds trust with customers
4. It gives you legal protection
The details of your policy will depend on things like the way you advertise, the products you sell, who your customers are, how you collect payment information, and how payment processors and other third parties are involved with your site and your data.
For example, Gap.com asks unregistered “guest” shoppers to enter just an email address, but when they reach the checkout page, it requires them to disclose a great deal of personally identifiable information.
When deciding what to include, start by making a list. While this will be individual to each merchant, there are general guidelines that every policy should follow, most of which are required by law.
1. What kind of information is collected
2. Cookie policies
You should also explain whether data may be left on a user’s computer. One example is cookies, which are often used to track the viewing habits of visitors, make it easier for returning customers to log in, and remember which products were added to the shopping cart. If you offer the option of avoiding cookies, inform users of the website features that will not be available to them as a result.
Here’s an example from Storkie.
3. The circumstances in which data may be released
4. How, if at all, the collected information is shared or even sold
Consider this example from GAP.
5. Users’ ability to view or modify their information
6. A “Business Transfer” clause
As an example, have a look at Wayfair’s clause:
7. Age requirements
If you’re selling adult or sensitive products, you may need to have a clause specifying the minimum age for users to view your website.
8. Who to contact for privacy concerns
Your policy should also provide contact information for the people responsible for upholding your privacy procedures. Consider creating a special address for this purpose — e.g., “[email protected][dot]com”
9. The policy’s effective date and last update
Here’s an example from Nordstrom Rack:
Hire a lawyer
If you’re on a budget but still want legal help, consider using a service such as LegalZoom, which enables you to schedule a consultation with an attorney.
For a flat fee, a LegalZoom Business Legal Plan lawyer will draft your documents. Pricing starts at $399, but note that this price applies to basic (i.e., information only) websites. Ecommerce website privacy policies will likely cost more.
There are a variety of online options that will generate a policy for your specific needs. However, you must be certain that the service offers custom options backed by verifiable legal expertise.
Know the privacy laws affecting your ecommerce store
The United States
In the US, the National Conference of State Legislatures (NCSL) has published a guide to privacy laws in all 50 states and the US territories. It explains state privacy laws, customer browsing information, personal information collected and managed by ecommerce and other platforms, children’s online privacy, and privacy issues that might apply to online purchases and other online activities.
When it comes to children’s online privacy, the US has some of the strictest regulations thanks to the Children’s Online Privacy Protection Act (COPPA), which was passed to address the rapid growth of online marketing techniques that were targeting children.
It requires operators of websites geared towards kids under 13 years old to “obtain verifiable consent from parents prior to the collection, use, or disclosure of personal information from children.”
The Federal Trade Commission has provided a step-by-step plan for determining if your company is covered by COPPA — and how to comply with the Rule.
- Details of the types of personal data collected through the website or app
- Any affiliated organizations this data may be shared with
- A clear explanation of how users can request changes to any personal data that is collected
- What happens if a user makes a “Do Not Track” request
- Disclosure of third parties who collect personal data through the website or app
It’s also suggested that you include a “do not track” clause informing users whether your website or app will respond to a DNT request. DNT is a setting that can be activated in certain browsers to request that third-party services, such as Google Adwords, do not perform behavioral tracking.
Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA). It’s a federal law that governs how businesses collect and use personal data.
PIPEDA states that any organization covered by the law must get the user’s consent whenever it collects or shares the individual’s personal data. PIPEDA also gives users the right to access their personal details and to challenge the accuracy of their data. Furthermore, the law mandates that the information “can only be used for the purposes for which it was collected.” This means that if you intend to use your visitors’ or customers’ data for another purpose, you need to obtain their permission again.
Consider the following tips.
You should also consider linking to your policy on relevant pages of your site — such as your Terms & Conditions, FAQs, etc.
Keep it simple
Keep it updated
The bottom line