How to Prepare Your E-Commerce Privacy Policy

Published April 22, 2024
By: Katie Navarra

Customers want to know their personal information will be safe with you. Transparency builds loyalty, and that, coupled with laws, is why you need an e-commerce privacy policy.

Online businesses can’t exist without data and personal information from customers. But collecting details that can identify an individual carries responsibility for e-commerce businesses. It’s critical for meeting legal requirements and developing customers who can trust your business.

Think about your own online shopping habits: you want to know what data a company collects about you, and you want to know it is kept safe and secure. Your customers feel the same way, and they want to know you are protecting their data.

Establishing a privacy policy for your online store gives customers peace of mind. Plus, it helps ensure you’re complying with privacy and data security laws.

Overview: What is an e-commerce privacy policy?

A privacy policy for an e-commerce website discloses how you plan to collect, store, share, and use the personal data you gather from shoppers. What is personal data? It’s information that can be traced to a person’s identity either from one piece of data or multiple data points used together.

The U.S. Office of Management and Budget (OMB) defines personally identifiable information (PII) as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

TheLawDictionary.com gives these examples of personal information:

  • Name
  • Email address
  • Physical or mailing address
  • Social Security number
  • IP address
  • Login ID
  • Credit card information

When you’re selling online, your store is probably collecting other information too, such as website cookies, photographs, and customer support records stored on your own servers or with third-party service providers. Your policy should tell customers that this information is collected, where it is stored, and how it will be used.

Are you required to have a privacy policy for your e-commerce store?

In practice, yes. There is no single U.S. federal law that requires every website to post a privacy policy, but state laws such as California’s CalOPPA require one from any online store or mobile app that collects personal information from their residents, which for most e-commerce businesses means everyone. Many other countries impose similar or stricter requirements. In the United States, the Federal Trade Commission also treats a posted privacy policy as a promise to consumers and brings enforcement actions under Section 5 of the FTC Act when a business does not follow its own policy. Depending on the laws that apply to you, customers may also need a way to choose whether to provide optional information, to withdraw consent later, and to review or correct what you hold.

Shopping carts are the most obvious data collection points. But you can’t overlook the information you collect for e-commerce marketing purposes through opt-ins, subscriptions, website analytics, and more.

It’s important to know the laws pertaining to your state, other states, and countries where you do business. California passed the California Online Privacy Protection Act of 2003 (CalOPPA), the first law in the country with broad requirements for privacy policies. It applies to any company that collects personal information from California residents, even if the business is based elsewhere. California has since added the California Consumer Privacy Act (CCPA), which imposes further disclosure and consumer-rights requirements on businesses above certain size thresholds, and several other states have passed their own consumer privacy laws.

Internationally, the European Union’s General Data Protection Regulation (GDPR) took effect in 2018. It applies to U.S. businesses that offer goods or services to shoppers located in the EU, regardless of where the business itself is based.

What to include in your e-commerce privacy policy

The size and scope of your business will guide the privacy policy for your e-commerce website. Amazon includes 14 links to details about their store privacy policy. Yours may not need to be that specific.

[Image: Amazon privacy policy. Amazon has a lengthy list of details in its privacy policy. Image source: Author]

How information is collected

Technology makes it easy to collect information and data through e-commerce platforms.

Customers may not realize all the ways you are collecting their information, so think about the big picture. Walmart’s privacy policy, for example, groups the information it collects into five sources:

  • Provided directly by you or a member of your household
  • Collected from a device associated with you or your household
  • Collected through in-store technology
  • Collected from another company within their family of companies
  • Collected from an external third-party source

What information is collected

The list of information collected may be longer than first expected. The basics include personal identifiers such as name, address, purchase history, financial information, demographics, and ID numbers such as driver’s license numbers and Social Security numbers.

However, some data collected is much more sensitive. Walmart.com’s privacy disclosure, for example, lists biometric data such as fingerprints and iris and retina scans, background information including criminal history, education information, and more.

[Image: Walmart privacy policy. Walmart identifies specifics of the data collected and the reasons. Image source: Author]

How personal information will be used

Outline the specific ways a visitor’s personal information will, or might, be used in the business. Examples include research and development, maintaining an account, fulfilling orders, marketing, and third-party advertising. Being specific about how the information will be used helps you comply with laws that require purpose disclosure, and transparency builds trust with customers.

State or international privacy laws

Besides federal privacy laws, California and the European Union have additional requirements, such as disclosing the categories of data you collect and explaining how customers can exercise their rights to access or delete it. Include those details if you sell into those areas.

4 e-commerce privacy policy best practices

Privacy policy disclosures can be overwhelming and complex depending on your business. These best practices can help you get started.

1. Create a privacy policy

Drafting a store privacy policy is the first step. E-commerce attorneys can assist in writing a privacy policy for e-commerce websites. Generic privacy policies for e-commerce are widely available online. E-commerce platforms often offer an e-commerce privacy policy template for users to get started.

Visit your competitor’s online stores or review your favorite online store’s privacy policy to get a sense of what to include in yours.

[Image: Shopify privacy policy template. Templates like Shopify’s privacy policy generator can help you create a privacy policy. Image source: Author]

2. Offer opt-in and opt-out

It’s considered best practice to ask customers to opt in to sharing information rather than assuming they agree and letting them opt out later. Under GDPR, opt-in is not just a best practice: consent for uses such as marketing emails or non-essential cookies must be freely given, specific, informed, and unambiguous, which a pre-ticked box does not satisfy. Even with an opt-in approach, you still need to give customers an easy way to withdraw their consent later.

3. Make it easy to find

Include the privacy policy in obvious places on your website. Some companies include a link in the footer and app menus. Other options include checkout pages or when a customer initially signs up for an account. Placing it near often-looked-for information such as a return policy helps keep customers from getting frustrated having to navigate complex websites to find the needed information.

4. Update it

Creating a privacy policy isn’t just checking a box on a to-do list. Don’t put it on a shelf and let it collect dust. Staying legally compliant and keeping customers satisfied requires reviewing and updating your privacy policy regularly, especially whenever you start collecting new data, use it for a new purpose, or add a new vendor. Companies working with third-party providers must also stay current with changes to those providers’ terms and reflect them in their own privacy policy.

The bottom line

Your e-commerce business can’t function without customer data. While collecting it is necessary for operation, it’s your responsibility to make sure shoppers know what you’re collecting and how you’re collecting it. Don’t view this as a simple courtesy to your customers: in most places you sell, it’s the law. Following these best practices can help you establish a policy that satisfies both requirements.