Here’s a fundamental fact: As an ecommerce business, you cannot operate without collecting data about your customers. This includes the information required to complete basic transactions—customers’ home addresses, credit card or bank details, phone numbers, account passwords, purchase histories. It includes other information you collect directly from visitors—email addresses through opt-in forms, for example. But as we’ve just discussed, it includes more than the data you collect to execute transactions; it also includes the data you collect to improve user experience, optimize your online offerings, and serve up personalized ads.
Gathering that data requires monitoring IP addresses, browser clicks, page views, in-site navigation, ad interactions—all the indirectly provided data that your ecommerce platform and supplemental analytics tools collect. It includes the browsing histories stored by browser cookies. It includes all the data your commerce platform’s software integrations (live chat, email campaigns, etc.) collect and manage. And more.
- exactly what information your website (and third-party providers) collects about visitors and customers—including whether cookies or other tracking software are used
- why you collect it (what specific purposes that data is used for)
- how that data is used—including under what conditions it might be shared or disclosed
- how it’s stored and what measures are in place to protect it
- how users can access, review, or contest the accuracy of the collected information
- how users can opt out of data collection or distribution if they so wish
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict data processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making.
These categories may be useful in helping you structure your policy—or at least in ensuring you cover all your bases. If you look at the policies of other businesses in your industry (and you should!), you’ll notice pretty quickly that they’re not all structured the same. There’s no particular order in which information has to be presented; what matters is that you cover all potential concerns consumers may have about their privacy while doing business with you. But you will begin to notice some patterns. Consider these patterns the norms for your industry, and use them as a starting point.
Finally, you might open your policy with your company’s principles for processing data. We’ll call this “the ethical approach.” Article 5 of the GDPR contains six principles according to which all personal data must be processed; perhaps you’ll acknowledge these in your policy. Or perhaps you’ll take a more personalized approach, listing your core beliefs about privacy, as Bibi’s Bakery does:
What personally identifiable information are you collecting and processing?
Email addresses, shipping addresses, credit card numbers, bank details, birth dates, phone numbers, IP addresses, login passwords, purchase history, date and time of site access, session duration, page views, product views, referring site, device used… the list of data you might be collecting is long. Regardless of how long your list is, you need a list.
The GDPR’s definition of “personal data” is broad enough that you might consider breaking down the data you collect into two different types: “data you provide to us” and “data our website collects,” or directly provided and indirectly provided data. Carbon38 breaks its data down into three categories (data users provide to the company, data users post publicly, and data the company’s website collects automatically):
Kissmetrics itemizes the data it collects in a bullet-pointed, user-friendly format:
Depending on the complexities of your ecommerce site, you might categorize the data by collection methods (what data you collect when a customer makes a purchase; what data you collect when they send a message through a contact form; what data you collect when they create an account). The benefit of categorizing by method is it gives you the opportunity to describe how you treat data differently depending on the transaction—for instance, you might delete the data collected through a contact form once the query is answered, but you’ll hold on to the data collected through account creation until the customer closes their account with you.
If you use Google Analytics or AdSense, notify your users. (Google requires it.) Take a look at any plugins and third-party integrations you have, and review their privacy policies. (Perhaps you’ll link out to their policies from yours to cover your bases.) Describe how each tool collects information, and what it collects. Do the ad scripts running on your site collect demographic information? Do your social media integrations collect data on users’ followers? Do your commenting plugins collect and store commenters’ data? And so on.
Why are you collecting and processing that data?
You collect data for a variety of reasons—all of which, of course, need to be legally justifiable. As an ecommerce site, your legal bases for collecting information probably fall into one of these categories:
- consent (when, for example, users subscribe to your email)
- contractual necessity (when you can’t process their transaction without payment data)
- legitimate interests (when you keep their email addresses to follow up with products they might be interested in after they’ve placed an order with you)
- compliance with a legal obligation (when you suspect a fraudulent transaction)
- to ship their products
- to send updates on order statuses
- to respond to inquiries
- to improve site content or make future transactions fast and convenient for returning users
- to personalize visitor experiences and provide future content tailored to their interests
- to provide or improve customer assistance or technical support
- to send promotional messages or use for future email marketing campaigns
- to improve services, or for internal review
- to present tailored ads to consumers after they leave your store (you must disclose if you use third-party remarketing services!)
Here’s how Gap answers the “why” in its policy:
How long do you store the data?
There are plenty of reasons to retain records; but legally, you can’t retain personal data longer than you need it. This is the GDPR’s “storage limitation” principle. Tell users how long you’ll be retaining their data, and confirm which data only “passes through” but isn’t stored. For example, if credit card information is collected and stored by your payment processor rather than by your website, let visitors know this.
Granted, you might not be able to provide a specific time period (90 days, one calendar year). It may be a matter of how long the customer decides to keep their account open with you, for example. The point is to give them a timeframe and tell them the reason for retention within that frame. Do you need to retain records for state, federal, or provincial taxes? Does your payment processor store credit card information for future use? It might be useful (or required) to be specific. Herman Miller is short and to-the-point:
Whom do you share the data with?
Under the GDPR, your business is allowed to share personally identifiable information with third parties as long as it’s done legally and transparently. “Transparently,” of course, means you must provide visitors with details about the sharing. The GDPR doesn’t require that you name every company with whom you share data (though some companies—like Google—require you to name them); but it does require that you name the types of business you share with (“payment processors,” “shipping providers,” “affiliates”).
You probably share credit card data with your payment gateway, addresses with your shipping extensions, browsing and demographic data with your marketing extensions—indeed, any plugin or integration you use is likely gathering data from your site. Again, the more detail you offer, and the more transparent you are, the better. What data gets shared with these applications; what do they do with that data; what are their privacy policies? (And why do you use those applications to begin with?) Of course, you won’t ultimately have control over third parties’ data uses; and you should say as much in your policy. Limit your liability up front.
How do you secure the data?
We don’t have to remind you about the importance of security. Put visitors’ and customers’ minds at ease by telling them the steps you’ve taken to protect their information. Start by listing the security measures your ecommerce platform has in place. (With Commerce Plus, all data stored in our data centers have credential-level encryption.) What technologies does it use (SSL, encryption, secure passwords, firewalls), and what are those technologies in compliance with? Then move on to your payment gateways. If you’re using Commerce Plus, your clause might look like this:
Our company is hosted on the commerceplus.zoho.com platform, which allows us to sell our products to you. Your data may be stored through Commerce Plus’s data storage, databases, and applications. Commerce Plus stores your data on secure servers that are encrypted and protected by powerful IDS/IPS systems. Commerce Plus also comes with ISO/IEC 27001:2013 certification for Applications, Systems, People, Technology, and Processes and SOC 2 Type II compliance.
How can users opt out?
If visitors can withdraw consent, explain the steps they must take to do so—and remind them of the consequences of opting out. (For example, if visitors disable browser cookies, it may inhibit certain site features like cart memory.) The right to “opt out” is often addressed in a section detailing user control on the whole: choice, access, and redress. In other words, don’t just tell your visitors how to opt out; tell them how they can access and review the data you have about them, how they can request changes to (or corrections to, or deletions of) that data, and how they can get in touch with you to file a complaint. Here’s how Bed Bath & Beyond breaks it down:
You’ll decide the method of contact for privacy-specific requests. And remember, “data changes” are sometimes as simple as having users log into their own accounts to edit information. But make sure your “data controller”—who, if you’re a small business, is probably you—can be easily contacted. And make that contact information clear.
Naturally, we haven’t covered everything here. For example—depending on your product or target market—you might add a clause about minors who might visit your store (the definition of “minor” varies across jurisdictions). You might add a section called “definitions” if you find—again, depending on your product—that you have no choice but to use legal terminology or jargon in your policy. You should let users know that you may need to make changes to your policy: How will those changes be communicated? (Users may simply need to regularly review your policy to stay up-to-date.) And so on.