GDPR Privacy Policy for Ecommerce Stores

GDPR Privacy Policy for Ecommerce Stores

In March 2018, the General Data Protection Regulation (GDPR) came into force. It's the latest privacy law to be passed by the EU, the supranational political union that brought us the much-loved "cookie banner."

Many businesses have found that they have a lot of work to do in order to comply. It's easy to see why some find the law quite daunting. Firstly, it's over 50,000 words long. It threatens fines of up to €20 million. And it applies to companies all around the world - not just within the EU.

Don't be overwhelmed by your new obligations. We're going to take a look at how you can comply with this law, with a focus one of the most important tasks - producing a comprehensive Privacy Policy.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate". Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

What is the GDPR?

The GDPR achieves two main objectives:

  1. It sets out clear rules about how personal data should be processed
  2. It gives people in the EU more rights and greater control over their personal data

This is probably the most comprehensive data protection law the world has ever seen. And it doesn't only to EU businesses. It applies to anyone, from an individual website developer to a massive social media company, so long as they:

  • Offer goods and services to people in the EU, or
  • Monitor the behavior of people in the EU

This is regardless of whether they are established in the EU or not. That means companies all over the world have to comply, whether they're from the United States, Australia, or South Korea.

Why is the GDPR Important for Ecommerce Stores?

Why is the GDPR Important for Ecommerce Stores?

Ecommerce stores process personal data. They collect, store or otherwise use information that could potentially identify an individual. This means that they must abide by the GDPR.

In fact, ecommerce stores are a prime target for the GDPR. They actually process quite a lot of personal data. For example:

  • Names, email address, shipping addresses and other information that might be used to directly identify individuals.
  • Payment card details, and in some cases sensitive or revealing information that must be processed securely.
  • Technical information like IP addresses and cookies, that might be used to indirectly identify individuals.

All these things count as personal data under the EU's strict interpretation of the term. And therefore the GDPR applies to every aspect of how you handle it.

Conduct a privacy law self-audit with your ecommerce store so you know exactly what protected personal information your business collects and how it engages with it. You'll need to disclose this information to your customers in your Privacy Policy.

Producing a Compliant Privacy Policy

Producing a Compliant Privacy Policy

Most companies already have a Privacy Policy. For example, it's required under the California Online Privacy Protection Act (CalOPPA) for ecommerce stores that process the personal data of California residents. But the Privacy Policy requirements of the GDPR extend a lot further than the requirements of other privacy laws.

Let's take a look at what a GDPR-compliant Privacy Policy must include. We'll focus in particular on those parts that are relevant to ecommerce stores.

Contact Details

The GDPR requires you to disclose the identity and the contact details of the controller.

"The controller" means your ecommerce store, which is a "data controller" in EU jargon. A data controller is an entity that "determines the purposes and means of the processing of personal data."

So, for example, an ecommerce store might record someone's address via a web form in order to send them a product.

  • The "personal data" is the person's address.
  • The "means" of processing the personal data is recording it via a web form.
  • The "purpose" of processing the personal data is to send them their product.

The company has determined how and why to process personal data. It is a data controller.

You should also give the details of your EU Representative and Data Protection Officer (DPO), if you have appointed either.

Providing your company's name and contact details sounds simple enough. But it's still possible to get this wrong. The GDPR requires you to use "clear and plain language." Legalese is not allowed.

Take a look at how Chevrolet Europe has done this:

Chevrolet Europe Terms and Conditions: Data controller contact information clause

This isn't exactly bad, but it's not also not as easily understandable and simplified as it could be. There's no need to say "pursuant to Art. 27," for example. It can come across as complicated legalese, which the GDPR frowns upon when used in Privacy Policies that should be easily understandable to an average (non-lawyer) reader.

Here's another example from The Guardian, which includes two contact clauses in its Privacy Policy:

The Guardian Privacy Policy: Who we are and how to contact us data controller clause

This first clause discloses who the data controller is, provides contact information and lets users know that the controller is the party who is "responsible for deciding how and why" personal data is held and used.

The other contact clause lists the contact information for the data protection officer. It's noted that users should contact this person with any questions or concerns about how personal data is used:

The Guardian Privacy Policy: Contact the DPO clause

This is far more in-line with the rules around transparency and accessibility. The term "data controller" is used, but it's also explained, and users are invited to contact the DPO with issues related to their personal data.

Categories of Personal Data

You need to disclose what types of personal data you process. For example:

  • Name
  • Email address
  • Shipping address
  • Billing address
  • Payment card details
  • IP address (via server logs)

Here's how Amazon does this:

Amazon UK Privacy Notice: Excerpt of Examples of Information Collected clause

Note that certain cookies count as personal information. If you're using a service that provides targeting cookies for engaging in targeted advertising of your products on other websites, you will likely have agreed to disclose this in your Privacy Policy when you agreed to the advertising platform's Terms and Conditions.

Purposes and Lawful Bases

Processing of data under the GDPR may only occur for good reason. The good news for ecommerce stores is that selling people stuff counts as a good reason to process their personal data. Well, it's a little more complicated than that.

The GDPR's six lawful bases apply to every lawful act of data processing.

They are:

  • Consent
  • Contract
  • Legal obligation
  • Necessary to protect vital interests
  • Necessary for public interest or exercising official authority
  • Legitimate interests

Here they are, set out at Article 6:

Intersoft Consulting: GDPR Article 6: Lawfulness of processing

The lawful bases most commonly cited by ecommerce stores are:

  • Contract: when processing personal data is required in order to fulfill contractual obligations. Once a customer makes a purchase, your contract with them requires you to send their payment card details to a payment processor, send their shipping address to a mail carrier, etc.
  • Consent: when providing non-essential services that the customer can say easily "no" to. If you want your customer to sign up to your weekly marketing newsletter or allow you to use targeting cookies, you'll have to ask for permission.
  • Legitimate interests: when carrying out low-risk data processing that benefits your company and carries a minimal impact on or risk to your customer. You may be able to justify storing an encrypted list of IP addresses of the people who've visited your site, for the purposes of maintaining security.

Here's part of a Privacy Policy from coffee supplier Matthew Algie, to put this in context:

Matthew Algie Privacy Policy: What do we use your information for clause

At points (a) and (b), the company explains that it uses personal information as part of a contract, to supply its products and services.

At points (c) and (d), the company explains that it uses personal data of visitors to its websites to optimize the experience of those sites. Optimizing web activity, for example by setting cookies that save the content on web forms, is usually justifiable under legitimate interests.

Here's another example from Safe Prescriber:

Safe Prescriber Privacy Policy: Excerpt of How we may process information clause - Legal basis

Personal data used to make purchases is processed to carry out a contract. Personal data used to subscribe to email notifications is processed subject to consent.

Recipients of Personal Data

An ecommerce store will almost certainly be sharing personal data with third parties.

  • Payment processors like PayPal or Shopify
  • Email marketers like MailChimp or SendGrid
  • Mail carriers like UPS or FedEx
  • Ad services like Google or AdRoll

Some Privacy Policies seem to imply that "disclosure" of personal data is equivalent to "sale" of personal data. Take a look at this clause from coffee supplier Has Bean:

Has Bean Privacy Policy: Third party disclosure clause

Has Bean doesn't sell, trade or rent its customers' personal data - that's true. But by using payment card processors, mailing companies and analytics software, Has Bean does disclose this information to third parties. Has Bean does make this clear elsewhere in its Privacy Policy.

Here's a better example from SendPilot:.

SendPilot Privacy Policy: Third Party Recipients clause

Note that you aren't required to list the names of the companies you share data with. Only what type of company they are.

Third Country Transfers

The good news for non-EU businesses is that the GDPR does allow personal data to be transferred outside of the EU. This is, however, subject to some pretty strict safeguards. This will be relevant if you're:

  • A non-EU company with EU customers
  • An EU company working with non-EU third-party companies

Broadly speaking, the EU allows for international data transfers so long as either:

  • The receiving country is on the EU Commission's "adequate" list. Note that the United States is on the list, but only if the recipient is part of the Privacy Shield program.
  • The sender and recipient have a contract containing certain legally binding standard clauses.
  • The transfer is taking place within a multinational company that has adopted certain binding corporate rules.
  • As a last resort, and only under certain conditions, where the person has given consent.

Here's an example from Minotaur Flight Store, who appear to be attempting to rely on consent for international data transfers.

Minotaur Flight Store Privacy and Cookies Policy: International Data Transfers clause

There are arguably several problems with this, as far as the GDPR is concerned.

Consent for international transfers is only to be used under very strict conditions, and it isn't clear that these have been met. Besides which, a person cannot be told that they have expressly consented to something. They have to actually expressly consent to it.

Here's a better example from KEF:

KEF Privacy Policy: International Data Transfers clause

KEF discloses that it relies on standard contractual clauses and even tells its customers how they can get a copy of them.

Storage Periods

Your Privacy Policy should disclose how long you will store any personal data you collect or receive. The GDPR doesn't allow for personal data to just sit around in servers or filing cabinets forever. "Storage limitation" is an important principle.

Ecommerce stores will typically have to store names, account details, and shipping addresses. But you must also consider technical information like cookies, as well as IP addresses and possibly other log data.

You may not be responsible for storing or deleting payment card details if you use a third party payment processor.

You don't need to state how long you'll store data in terms of months or years. Sometimes the period is determined in other ways.

Here's part of a Privacy Policy from Air Things to put this in context:

Air Things Privacy Notice: Storage Period clause

Individual Data Rights

People in the EU have certain rights over their personal data. Data controllers (like ecommerce stores) must facilitate these rights.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights relating to automated decision-making and profiling

In your Privacy Policy, you must inform people how they can exercise these rights.

You'll also need to know how to respond when users exercise their rights. For example, with the right of access you'll need to handle privacy access requests in a very specific way.

Some organizations provide a web form for individuals to make such requests, but providing an email address is sufficient.

Here's how Superdrug does this:

Superdrug Privacy Policy: Your Rights GDPR clause

The right to object is highly relevant to ecommerce stores, which will often send direct marketing emails. As Superdrug points out, this right can be exercised simply by using the email's unsubscribe facility.

You must also make your customers aware of their right to lodge a complaint with a Data Protection Authority. Here's how Amazon does this:

Amazon UK Privacy Notice: Excerpt of Contacts, Notices and Revisions clause

Principles of the GDPR

Principles of the GDPR

The GDPR contains principles which should permeate every aspect of the data-handling activities. Here they are in the GDPR, with key words highlighted:

EUR-Lex GDPR: Principles relating to processing of personal data highlighted

The principles are as follows:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

We're going to look at three of these principles and how they might might apply to the management of your ecommerce store.

Lawfulness, Fairness, and Transparency

You'll have done part of the work towards "transparency" by producing your Privacy Policy. It's also important to make sure you have a proper lawful basis for all data processing you do.

One area where ecommerce stores (and other businesses) can slip up is where they rely on the lawful basis of consent. Consent is only valid under certain conditions.

It must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear affirmative action

Here's an example of how to ask for consent for cookies from The Schneider Group:

The Schneider Group cookie consent notice with preference options

The user has genuine options and is not guided toward any choice in particular. Their consent, if given, would be clear and unambiguous.

At the opposite end of the spectrum, there's Cura:

Cura cookies consent banner notice

It may look like Cura is requesting consent, but there's no genuine choice here.

Data Minimization

The principle of data minimization requires that you don't collect any data you don't need. Ecommerce stores might slip up here when creating marketing mailing lists.

Here's an example from One Stop stores. This is what users are signing up for:

One Stop: Sign up for emails description box

And here's what they're asked to provide:

One Stop: Email sign-up information request form

Processing an individual's date of birth is arguably unnecessary in this context. To be fair, providing this is optional. But why ask for it at all? In the event of a data breach, this is just another item of personal data that could be compromised.

You only really need a person's email address in order to send them email.


Accountability sometimes isn't listed among the GDPR's principles (it inhabits a separate section from the others). But in many ways, it's the most important one.

You are accountable under the GDPR. You must understand and comply with your obligations under it.

For example, as we discussed above, ecommerce stores almost always need to engage other companies to process personal data on their behalf - payment processors, mail carriers, marketing companies, etc.

These are known as "data processors." Where you're passing on your customers' personal data to a data processor, you must have a Data Processing Agreement in place.

Many large data processors supply a Data Processing Agreement as part of their Terms of Service.

Here's a part of Shopify's:

Screenshot of Shopify Data Processing Addendum introduction section

And here's an excerpt from Hockeystick's:

Screenshot of Hockeystick Data Processing Agreement background section

You mustn't use a data processor without a Data Processing Agreement in place. And if you're provided with one, you must read it carefully and check that it complies with the GDPR.

In the event that your customers' data is compromised, you can't simply blame the data processor. You are accountable under the GDPR.

Summary of GDPR Privacy Policy for Ecommerce Stores

As an ecommerce store, getting your Privacy Policy right is essential. Consumers increasingly expect it, and the law unequivocally requires it.

Your Privacy Policy must contain at least the following things:

  • Your company's contact details, and those of your EU Representative and Data Protection Officer if you have appointed either
  • The categories of personal data you process
  • How and why you process personal data
  • Your lawful basis for each act of processing
  • The categories of companies with whom you share personal data
  • Details of any data transfers outside of the EU
  • How long you need to store personal data for
  • How you can help facilitate your users' data rights
  • How your users can make a complaint about your data protection practices

You must also remember to apply the principles of the GDPR to your data protection practices at all times.

If you update your Privacy Policy with material changes (which you likely will do at some point), you'll need to get familiar with Update Notices.