Creating a Privacy Policy for Ecommerce Stores

If you sell products or services online, your ecommerce store must include an easy to find and easy to understand Privacy Policy.

Your Privacy Policy must be written specifically for current rules and regulations in force everywhere your customers reside, whether or not you or your business or commerce store is physically located in those jurisdictions.

This article discusses the laws governing privacy protection laws in the U.S. and abroad, and what ecommerce stores should consider when drafting a Privacy Policy.

What is a Privacy Policy for Ecommerce Stores?

A Privacy Policy outlines your methods for collecting, storing, using and sharing personal information from your online customers.

This includes information you collect directly, such as through opt-in forms and your shopping cart checkout page, and indirectly such as by monitoring browser clicks, time spent on a page, interaction with ads, etc.

TheLawDictionary.com defines personal information as "Any part of information that is recorded about an individual person. Includes the name, email, address, ethnicity, race, identifying number, employment history, etc."

In 2010, the U.S. Office of Management and Budget (OMB) issued policy directive M-10-23, Guidance for Agency Use of Third-Party Websites and Applications. The directive includes a much broader definition of personally identifiable information, taking a position that any information that can be traced to a person's identity, either as a single data point or in combination with other data points, can be considered personally identifiable information and, thus, subject to protection.

Depending on the nature of your ecommerce business, your site might be collecting any or even all of the following protected private information:

• First and last name
• Gender
• Date of birth
• Mailing address
• Email address
• Phone numbers
• Employment history
• Education history
• Credit card information
• Website cookies
• Social media accounts
• Customer support content

All ecommerce stores collecting personally identifiable information must allow online customers the option to provide or refuse to provide their personally identifiable information, as well as the option to change their mind.

What Should a Privacy Policy for Ecommerce Stores Include?

A Privacy Policy for your ecommerce store is a critical component to limiting your liability and ensuring compliance with local, state, federal and international privacy laws. The information you include in your Privacy Policy for your ecommerce store should be comprehensive, though written plainly so your average site visitor can understand your policies and their rights.

At minimum, your Privacy Policy should disclose:

1. What information you collect directly and indirectly through your ecommerce store
2. What information you might collect in the future
3. The methods you use to collect, manage and share customer data
4. Possible ways you might use customer data in the future
5. How third parties such as Google Analytics, AdSense and others might be collecting and managing information from your customers

Your Privacy Policy should itemize a comprehensive list of data your site collects from customers, erring on the side of providing more information, not less.

A good Privacy Policy should inform your online shoppers that they might be making their personally identifiable information available to you directly or indirectly, and it should explain the difference.

For example:

• Information customers give you directly, such as their name, address, email, phone and payment information
• Information you collect indirectly while they browse your store, such as with cookies, beacons and third party technologies

Why a Privacy Policy is Required for Ecommerce Stores

Ecommerce stores are required to have a Privacy Policy because by nature of their functioning they collect a variety of legally-protected personal information including mailing addresses and financial/payment information.

In the U.S., the National Conference of State Legislatures (NCSL) published a guide to privacy laws in all 50 states and the U.S. territories.

The guide explains state laws on privacy, customer browsing information, personal information collected and managed by ecommerce and other platforms, online marketing to minors, and privacy issues which might apply to online purchases and other online activities.

Additionally, the state of California has the California Online Privacy Protection Act of 2003 (CalOPPA) affects ecommerce business owners that collect personally identifiable information about Californians.

CalOPPA requires websites, including ecommerce stores, to post a Privacy Policy in a conspicuous location on the website, and to structure the policy in such a way that the typical customer can understand it.

If your ecommerce store is located in or attracts visitors from California, you need to structure your Privacy Policy in order to adhere to the following recommendations issued by the state Attorney General:

As you can see, the requirements center around transparency, disclosure and making it easy for your customers to be aware of your practices and their rights when it comes to privacy.

Global Privacy Laws Affecting Ecommerce Stores

A number of global privacy laws affect ecommerce stores including the General Data Protection Regulation, or GDPR.

The GDPR was written to provide maximum protection for the private information collected from people in the EU. The GDPR imposes unprecedented rules for ecommerce stores and other websites operating in the EU, whether or not the store or website is itself located in the EU.

Fines for non-compliance with GDPR are steep. They can be from two percent to up to four percent of "annual global turnover," or €20 Million, whichever is greater.

If your ecommerce business operates in the EU, whether an EU-based company or not, you need to know how GDPR affects you, how to comply with its requirements, and the penalties for failure to comply.

Why Your ecommerce Site Needs a Unique Privacy Policy

Many factors unique to your ecommerce store determine the specific privacy protections you need to have in place. The products you sell, the customers you serve, how you collect payment information, how you advertise, and how payment processors and other third parties interact with your site and your data all impact the details of your Privacy Policy.

Let's take a look at some of the circumstances that require careful consideration.

Do you require or allow customer registration?

If you allow customers to register for access to your site, to sign up for an email newsletter, etc., you likely collect personally identifiable information about your customers such as a name, address, phone number, email address and so on.

Customer service and support tools such as live chat, email, and social media require the collection and management of directly and indirectly provided customer data.

The Gap's checkout page requires unregistered "guest" shoppers to enter an email address, and of course, the checkout page requires a great deal of personally identifiable information.

All of this information is personal information and should be addressed in your ecommerce store Privacy Policy.

This sample clause provides a good example of how to comprehensively yet simply identify the types of information that might be collected:

You also need to provide your customers with an easy-to-find and simple-to-use way to opt out of sharing their personal information with you, even if they initially opted in.

Here's an example of an opt-out clause from the John Lewis Privacy Notice:

Note how it includes multiple methods of opting out of marketing communications, from within emails and through user accounts, to how to do so through the mobile app or via postal mail. The more options you provide, the better, since not everyone may have access to every method you provide.

Where do your customers live?

Your Privacy Policy must address the laws of every jurisdiction where your customers live in addition to the laws where your store is headquartered. Ensuring your Privacy Policy includes clauses required by every jurisdiction where your customers and website visitors live is critical.

Familiarize yourself with privacy laws in jurisdictions where you do business. Most have very similar requirements, so don't think of this as daunting. In fact, if you satisfy the requirements of CalOPPA and the GDPR, you'll likely be in compliance with any other privacy law out there.

Do you collect information about your customers' product preferences or browsing histories?

This is typically referred to as information collected indirectly, and is usually done through cookies. Laws protecting this information are the same as laws protecting information customers provide directly.

Websites should provide a separate clause for information that may be collected indirectly, and at a minimum include this information within another relevant clause.

Here's a good example from Huawei:

Remember: You need to disclose all the ways in which you collect personal information from your customers. This means even if you do it indirectly, through cookies or through a similar method. If anything, it's even more important to disclose such things since for most customers it will be obvious that you're collecting their financial information but they may not be aware of you tracking how long they're staying on your website or using cookies to remember your login password.

Do minors visit your store?

COPPA, the GDPR and many other privacy laws around the world provide special consideration for minors. While the age of what constitutes a minor varies, there is global concern for protecting minors from unknowingly putting themselves in harm's way.

Online bullying, data theft, human trafficking and other concerns make ecommerce stores particularly liable for protecting minors.

If you sell products legally restricted by age, market to minors directly or attract minors to your site indirectly, you should include a specific clause for minors in your Privacy Policy.

While DocuSign isn't an ecommerce store, it still provides a clause that addresses children:

The clause states that it doesn't knowingly collect information from minors and encourages minors not to use the service. This not only helps inform children that the service isn't for them, but it works to alleviate liablity in the event that a child does submit its personal information to DocuSign. The company can refer to the clause and use it as proof that it wasn't attempting to violate the law.

Do you process payments through a third party?

Are customers paying for your products with one-time payments or recurring payments such as a monthly or annual subscription? Does your payments processor store customer payment information for future use? If yes to either of these, your Privacy Policy needs to disclose this.

Additionally, it's not illegal for you to store customer payment information on your own servers. But you must ensure you are complying with Payment Card Industry (PCI) rules and regulations and this should be disclosed in your Privacy Policy.

The Gap provides a convenient and conspicuous dashboard inside the shopping cart with access to its Credit Card Safeguard policies:

Check the Terms of Use in place with any third-party payment processors you use to see if they explicitly require you to disclose any specific information in your Privacy Policy.

Do you allow third parties to monitor the activities of your customers, such as Google Analytics, AdSense, AdRoll, YouTube or others?

If you do or if you might in the future, your Privacy Policy needs to include a clause identifying those third parties and the way they collect and use your customers' data.

Here is Gap's clause detailing the many ways third parties might be collecting and using customer data:

Note how it addresses a ton of areas in this clause where third-party sharing may occur including things like business transfers, use of service providers, loyalty programs, legal requirements and sharing by the users themselves through social media.

Do you re-target your customers after they leave your site?

One of the most popular forms of advertising online for ecommerce stores is customer remarketing, also called retargeting. And if you do it, you're required to have a Privacy Policy that discloses that.

This allows you to remind your store visitors of what they liked in your store, what they left in their shopping cart, an order they may need to re-fill or even products you have that are similar to products your customers bought elsewhere.

Technology that makes remarketing possible uses personal customer data both directly and indirectly. If you are using remarketing technology, your Privacy Policy must fully explain this.

Additionally, when setting up these tools, you will be required to follow the third party's requirements as well. Here's an example of a requirement from Google's AdWords agreement:

Remember that you also must provide your customers with an easy way to opt out of providing their information for all of these activities.

Including a clause in your Privacy Policy acknowledging that you provide opt out and how to opt out will help limit your liability. See this example:

How to Create a Privacy Policy for Your Ecommerce Store

The rule of thumb when creating an ecommerce store Privacy Policy is to accomplish four key goals:

1. Inform your store visitors about the private data you collect and manage.
2. Give your visitors a choice to opt in and opt out.
3. Give your visitors access to the information you and third parties collect.
4. Inform your visitors of how you secure their data.

Most sites post their Privacy Policy in the footer, along with other important links:

Because the email list opt-in form is presented in the same footer as the Privacy Policy link, this presentation is meeting regulations and commonly accepted best practices by displaying the Privacy Policy link in the same space as where information is requested from your users.

Another good idea is to display a link to your Privacy Policy everywhere else you collect personal information directly from your customers, such as on registration forms, list opt-in forms, live chat widgets, support request forms and your checkout page.

Privy provides simple capture tools for getting opt-in and giving one-click access to your Privacy Policy in one simple and conspicuous way, such as this "See our Privacy Policy" link.

This simple but effective form allows you to engage your visitors to join your list and presents your Privacy Policy with one-click access at a point where a user would want to view it.

Here's an example of how to include a link to your Privacy Policy on a checkout screen of your ecommerce site:

Creating a Privacy Policy for your ecommerce store can seem like a daunting task. With the ability to reach a global audience through your ecommerce store and the vast sea of rules and regulations around the world, it's a good idea to seek professional help to make sure your Privacy Policy is fully compliant.

If you run an ecommerce store, you need to do the following to run it in accordance with privacy laws:

1. Have a Privacy Policy.
2. Make sure your Privacy Policy adheres to the legal requirements of where your customers are (such as having a CalOPPA-compliant Do Not Track clause if you have California shoppers, and following GDPR-guidelines if you have customers in the EU).
3. Review any Privacy Policy requirements your third-party service providers may have listed in their Terms of Use.
4. Display your Privacy Policy where it can be easily found and relevant, such as in the footer as well as within app menus, on the account registration/log-in page, final checkout page and where you ask users to sign up for any direct marketing you engage in.
5. Keep your Privacy Policy accurate and up to date. Consider using Privacy Policy Update Notices for material changes.