Data privacy is increasingly seen as a significant concern — some have even proclaimed it a human rights issue. Most countries have enacted some kind of customer protection that regulates how information is collected, stored and how it can be used.
It’s on companies to ensure that violations don’t occur. For ecommerce companies, privacy policies are especially relevant due to the digital nature of business.
Ecommerce privacy policies should clearly show how data is collected, where it is stored, how it is used and how it may be shared. This includes everything from phone numbers to stored credit card information to purchase history to ad interactions.
By 2023, 75% of consumers around the world will be covered by privacy regulations. This means that ecommerce websites must have processes and systems in place to meet legal requirements and protect the information of customers, employees and partners.
Online stores or those that use an ecommerce platform have numerous reasons for having a privacy statement, both regulatory and because it’s just good business.
It’s difficult for modern ecommerce stores to not collect at least basic personal information, like shipping addresses. However, it’s incumbent on the company to show that it won’t do anything underhanded with that data.
Clearly showing that you take customer data privacy seriously builds confidence in your company.
In the U.S. alone, there are hundreds of data privacy laws, covering the federal, state and municipal levels. Many international markets carry the same burden. Ecommerce platforms need to be aware of all applicable laws and how they may impact their business.
The CCPA is the most comprehensive data privacy legislation passed at the state level. Companies that collect personal information in the state of California must clearly disclose what information is collected and give customers the right to delete it upon request. This is in addition to the California Online Privacy Protection Act (CalOPPA), which was the state’s initial privacy legislation.
The CPRA builds on the CCPA to include rights to restrict the use of personal information, correct inaccurate information and limits the time certain information may be stored.
Virginia’s version of the CCPA holds some similarities to the European Union’s General Data Protection Regulation act. It requires businesses selling to citizens of Virginia to offer opt-in options for personal information.
Colorado was the third state to pass data privacy legislation and borrows from laws passed before. It includes the right to opt-out of targeted ads, know what information has been collected and delete information.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act broadens consumer protections to include laws regarding the security of personal information.
The fourth state-level data privacy law is very similar to other legislation that came before it.
Connecticut’s law goes into effect July 1, 2023 and applies to organizations that control or possess personal data.
GDPR is the legislation that most modern data privacy laws are based on. It’s the most wide-ranging regulation passed to date and serves as the foundation for most privacy laws that have followed it. It includes protections around consent, notice of data breaches and rights to restrict how data is used.
Canada’s privacy protection legislation was actually initially passed in 2000 and has been amended several times to keep it up to date with changes in the use of data.
Based on the GDPR, the Brazilian law applies to all citizens of Brazil, even if a company is not based there.
Ecommerce privacy policies are remarkably similar to one another. Since businesses are all governed by the same laws, there are basic templates that can be followed.
Data collection should be transparent. You should clearly state what kind of information you collect, why you keep it and how data is used. This may include personal data, credit card details, payment information or even IP addresses.
Customers should be able to easily view what types of data a company has about them and be able to edit it as they see fit. This includes the option to delete information as well.
Cookies are data left by a website on a user’s device. If your site does this, you should clearly state so and give users the option to opt-out of accepting cookies.
You must clearly show when data may be released. This is often due to lawful requests, like a subpoena.
If you share or sell identifiers or data, you should clearly state the types of information that may be affected and enable users to opt out of this. Transparency is key here.
If business owners allow third parties (think Google Analytics, AdSense or YouTube) to monitor customer actions, your policy should disclose who they are and how data is used.
For third party services that handle things like payments, it should be clear that they are a separate entity. There should also be a link to the service provider’s policy as well.
If you use customer retargeting or remarketing practices, this must be included in the policy. Failing to do so does not disclose tracking activities.
There are specific laws around protections for minors. Including a policy specific to underage users covers this. The Children’s Online Privacy Protection Act (COPPA) covers this at the federal level.
Users should always have the option of not having their information tracked. This and other rights must be included in your policy and processes.
There should be a dedicated email address or contact information for any and all privacy inquiries.
An expert in privacy laws that understands the nuances of your business is often the best choice. Lawyers that regularly work with privacy issues and fully grasps the legal ramifications of data protection will provide good legal advice and build an effective legal document.
Store privacy policies must be publicly available and easily accessible by customers. These are some common locations ecommerce businesses place their policies.
A well-thought-out policy protects both the company and customer and builds trust that data will be used correctly.
It depends. Small companies that don’t regularly collect customer data may be able to use a free online tool and that will be enough. Larger companies may need to use a lawyer that will build a more comprehensive policy.