Data privacy is increasingly seen as a significant concern — some have even proclaimed it a human rights issue. Most countries have enacted some kind of customer protection that regulates how information is collected, stored and how it can be used.
It’s on companies to ensure that violations don’t occur. For ecommerce companies, privacy policies are especially relevant due to the digital nature of business.
Ecommerce privacy policies should clearly show how data is collected, where it is stored, how it is used and how it may be shared. This includes everything from phone numbers to stored credit card information to purchase history to ad interactions.
By 2023, 75% of consumers around the world will be covered by privacy regulations. This means that ecommerce websites must have processes and systems in place to meet legal requirements and protect the information of customers, employees and partners.
Why Do You Need an Ecommerce Privacy Policy?
Online stores or those that use an ecommerce platform have numerous reasons for having a privacy statement, both regulatory and because it’s just good business.
They’re required by law in many locations.
There are certain regions where having a privacy policy isn’t optional. In many countries, including the United States and the European Union, they are required by law. If you collect information and are doing business in a regulated market may also protect companies from other bad actors.
Certain apps require them.
Some companies, like Apple and Google, require a privacy policy before selling on their markets. Google’s policy expands to all their services, from Google Analytics to AdSense.
It builds trust with users.
It’s difficult for modern ecommerce stores to not collect at least basic personal information, like shipping addresses. However, it’s incumbent on the company to show that it won’t do anything underhanded with that data.
Clearly showing that you take customer data privacy seriously builds confidence in your company.
Privacy Laws That Affect Ecommerce Stores
In the U.S. alone, there are hundreds of data privacy laws, covering the federal, state and municipal levels. Many international markets carry the same burden. Ecommerce platforms need to be aware of all applicable laws and how they may impact their business.
California Consumer Privacy Act (CCPA).
The CCPA is the most comprehensive data privacy legislation passed at the state level. Companies that collect personal information in the state of California must clearly disclose what information is collected and give customers the right to delete it upon request. This is in addition to the California Online Privacy Protection Act (CalOPPA), which was the state’s initial privacy legislation.
California Privacy Rights Act (CPRA).
The CPRA builds on the CCPA to include rights to restrict the use of personal information, correct inaccurate information and limits the time certain information may be stored.
Virginia's Consumer Data Protection Act (CDPA).
Virginia’s version of the CCPA holds some similarities to the European Union’s General Data Protection Regulation act. It requires businesses selling to citizens of Virginia to offer opt-in options for personal information.
Colorado Privacy Act (CPA).
Colorado was the third state to pass data privacy legislation and borrows from laws passed before. It includes the right to opt-out of targeted ads, know what information has been collected and delete information.
New York SHIELD Act.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act broadens consumer protections to include laws regarding the security of personal information.
Utah Consumer Privacy Act.
The fourth state-level data privacy law is very similar to other legislation that came before it.
Connecticut’s data privacy law.
Connecticut’s law goes into effect July 1, 2023 and applies to organizations that control or possess personal data.
The EU’s GDPR.
GDPR is the legislation that most modern data privacy laws are based on. It’s the most wide-ranging regulation passed to date and serves as the foundation for most privacy laws that have followed it. It includes protections around consent, notice of data breaches and rights to restrict how data is used.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Canada’s privacy protection legislation was actually initially passed in 2000 and has been amended several times to keep it up to date with changes in the use of data.
Brazil's General Law for the Protection of Personal Data (LGPD).
Based on the GDPR, the Brazilian law applies to all citizens of Brazil, even if a company is not based there.
What Should an Ecommerce Privacy Policy Include?
Ecommerce privacy policies are remarkably similar to one another. Since businesses are all governed by the same laws, there are basic templates that can be followed.
What kind of information is collected?
Data collection should be transparent. You should clearly state what kind of information you collect, why you keep it and how data is used. This may include personal data, credit card details, payment information or even IP addresses.
How can users view and/or modify their information?
Customers should be able to easily view what types of data a company has about them and be able to edit it as they see fit. This includes the option to delete information as well.
Your cookie policies.
Cookies are data left by a website on a user’s device. If your site does this, you should clearly state so and give users the option to opt-out of accepting cookies.
How/why data may be released?
You must clearly show when data may be released. This is often due to lawful requests, like a subpoena.
How collected info may be shared or potentially sold?
If you share or sell identifiers or data, you should clearly state the types of information that may be affected and enable users to opt out of this. Transparency is key here.
Third-party tools
If business owners allow third parties (think Google Analytics, AdSense or YouTube) to monitor customer actions, your policy should disclose who they are and how data is used.
Do you utilize third-party payment processors?
For third party services that handle things like payments, it should be clear that they are a separate entity. There should also be a link to the service provider’s policy as well.
Do you use retargeting/remarketing tools?
If you use customer retargeting or remarketing practices, this must be included in the policy. Failing to do so does not disclose tracking activities.
Age requirements.
There are specific laws around protections for minors. Including a policy specific to underage users covers this. The Children’s Online Privacy Protection Act (COPPA) covers this at the federal level.
Opt-out policy and privacy rights.
Users should always have the option of not having their information tracked. This and other rights must be included in your policy and processes.
Who to contact with privacy concerns.
There should be a dedicated email address or contact information for any and all privacy inquiries.
How to Create an Ecommerce Privacy Policy
Creating a legally-sound privacy policy may sound like a daunting task, but it doesn’t have to be.
Use a lawyer.
An expert in privacy laws that understands the nuances of your business is often the best choice. Lawyers that regularly work with privacy issues and fully grasps the legal ramifications of data protection will provide good legal advice and build an effective legal document.
Use an online privacy policy generator.
You can automate almost anything today and building a privacy policy is one of them. Online tools like Free Privacy Policy make it easy to build a basic policy.
DIY template.
There are also privacy policy templates available online that enable ecommerce businesses to build out a privacy policy based on certain parameters. This “Mad Libs” approach is an easy way to create a standard policy.
Where Do I Put My Privacy Policy?
Store privacy policies must be publicly available and easily accessible by customers. These are some common locations ecommerce businesses place their policies.
Footer template.
Including a privacy policy link in the footer means that it’s available on almost every page of your website. This is the most common place privacy policies and disclaimers are located. Mobile apps and mobile devices may have a different functionality that must be considered as well.
Account creation or sign-up page.
If you’re asking website visitors to register with and sign-in to your site, including the privacy policy as part of this process makes sense. Here, you’re asking customers to interact with your site and share personal information, so having the privacy policy as part of this is natural. This is often done with a notification on the user’s web browser.
In your checkout process.
Like the above, the checkout process includes the collection of data, including payment information. It’s natural to include the privacy policy as part of the shopping cart.
Newsletter sign-up forms.
Signing up for newsletters means collecting information like email addresses. Including the privacy policy transparently shows what will be done with customer information and makes clear what kind of marketing communications they may receive.
How to Increase Ecommerce Sales
Explore our collection of free resources designed to help you scale smarter and accelerate your online growth from $1 million to $100 million.
The Final Word
For many companies, like your ecommerce store, including privacy policies is mandatory. Legislation around data and privacy protection is only increasing and a failure to have a sound privacy policy now puts companies at risk in the future.
A well-thought-out policy protects both the company and customer and builds trust that data will be used correctly.