Data privacy is increasingly seen as a significant concern — some have even proclaimed it a human rights issue. Most countries have enacted some kind of consumer-protection legislation that regulates how information is collected, how it is stored and how it can be used.
It’s on companies to ensure that violations don’t occur. For ecommerce companies, privacy policies are especially relevant due to the digital nature of business.
Ecommerce privacy policies should clearly show how data is collected, where it is stored, how it is used and how it may be shared. This includes everything from phone numbers to stored credit card information to purchase history to ad interactions.
By 2023, 75% of consumers around the world will be covered by privacy regulations. This means that ecommerce websites must have processes and systems in place to meet legal requirements and protect the information of customers, employees and partners.
Online stores, including those that run on an ecommerce platform, have numerous reasons for having a privacy statement, both regulatory and because it’s simply good business.
They’re required by law in many locations.
Certain apps require them.
It builds trust with users.
It’s difficult for modern ecommerce stores to not collect at least basic personal information, like shipping addresses. However, it’s incumbent on the company to show that it won’t do anything underhanded with that data.
Clearly showing that you take customer data privacy seriously builds confidence in your company.
Privacy Laws That Affect Ecommerce Stores
In the U.S. alone, there are hundreds of data privacy laws, covering the federal, state and municipal levels. Many international markets carry the same burden. Ecommerce platforms need to be aware of all applicable laws and how they may impact their business.
California Consumer Privacy Act (CCPA).
The CCPA is the most comprehensive data privacy legislation passed at the state level. Companies that collect personal information in the state of California must clearly disclose what information is collected and give customers the right to delete it upon request. This is in addition to the California Online Privacy Protection Act (CalOPPA), which was the state’s initial privacy legislation.
California Privacy Rights Act (CPRA).
The CPRA builds on the CCPA to include the right to restrict the use of personal information, the right to correct inaccurate information and limits on how long certain information may be stored.
Virginia's Consumer Data Protection Act (CDPA).
Virginia’s version of the CCPA holds some similarities to the European Union’s General Data Protection Regulation (GDPR). It requires businesses selling to citizens of Virginia to offer opt-in options for personal information.
Colorado Privacy Act (CPA).
Colorado was the third state to pass data privacy legislation and borrows from laws passed before. It includes the right to opt-out of targeted ads, know what information has been collected and delete information.
New York SHIELD Act.
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act broadens consumer protections to include laws regarding the security of personal information.
Utah Consumer Privacy Act.
The fourth state-level data privacy law is very similar to other legislation that came before it.
Connecticut’s data privacy law.
Connecticut’s law goes into effect July 1, 2023 and applies to organizations that control or possess personal data.
The EU’s GDPR.
GDPR is the most wide-ranging data privacy regulation passed to date and serves as the foundation for most privacy laws that have followed it. It includes protections around consent, notice of data breaches and rights to restrict how data is used.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Canada’s privacy protection legislation was initially passed in 2000 and has been amended several times to keep it up to date with changes in the use of data.
Brazil's General Law for the Protection of Personal Data (LGPD).
Based on the GDPR, the Brazilian law applies to all citizens of Brazil, even if a company is not based there.
Ecommerce privacy policies are remarkably similar to one another. Since businesses are all governed by the same laws, there are basic templates that can be followed.
What kind of information is collected?
Data collection should be transparent. You should clearly state what kind of information you collect, why you keep it and how data is used. This may include personal data, credit card details, payment information or even IP addresses.
How can users view and/or modify their information?
Customers should be able to easily view what types of data a company has about them and be able to edit it as they see fit. This includes the option to delete information as well.
Your cookie policies.
Cookies are data left by a website on a user’s device. If your site does this, you should clearly state so and give users the option to opt-out of accepting cookies.
How and why data may be released.
You must clearly show when data may be released. This is often due to lawful requests, like a subpoena.
How collected information may be shared or potentially sold.
If you share or sell identifiers or data, you should clearly state the types of information that may be affected and enable users to opt out of this. Transparency is key here.
If you allow third parties (think Google Analytics, AdSense or YouTube) to monitor customer actions, your policy should disclose who they are and how the data is used.
Do you utilize third-party payment processors?
For third-party services that handle things like payments, it should be clear that they are a separate entity. There should also be a link to the service provider’s own policy.
Do you use retargeting/remarketing tools?
If you use customer retargeting or remarketing practices, this must be included in the policy. Failing to do so leaves tracking activities undisclosed.
There are specific laws around protections for minors; at the federal level, the Children’s Online Privacy Protection Act (COPPA) applies. Including a policy section specific to underage users addresses this.
Opt-out policy and privacy rights.
Users should always have the option of not having their information tracked. This and other rights must be included in your policy and processes.
Who to contact with privacy concerns.
There should be a dedicated email address or contact information for any and all privacy inquiries.
Use a lawyer.
An expert in privacy law who understands the nuances of your business is often the best choice. Lawyers who regularly work with privacy issues and fully grasp the legal ramifications of data protection will provide sound legal advice and build an effective legal document.
Store privacy policies must be publicly available and easily accessible to customers. These are some common locations where ecommerce businesses place their policies.
Account creation or sign-up page.
In your checkout process.
Newsletter sign-up forms.
The Final Word
A well-thought-out policy protects both the company and customer and builds trust that data will be used correctly.