- 2. Global Privacy Laws Affecting Ecommerce Stores
- 3.1. Do you require or allow customer registration?
- 3.2. Where do your customers live?
- 3.3. Do you collect information about your customers' product preferences or browsing histories?
- 3.4. Do minors visit your store?
- 3.5. Do you process payments through a third party?
- 3.6. Do you allow third parties to monitor the activities of your customers, such as Google Analytics, AdSense, AdRoll, YouTube or others?
- 3.7. Do you re-target your customers after they leave your site?
This includes information you collect directly, such as through opt-in forms and your shopping cart checkout page, and indirectly such as by monitoring browser clicks, time spent on a page, interaction with ads, etc.
TheLawDictionary.com defines personal information as "Any part of information that is recorded about an individual person. Includes the name, email, address, ethnicity, race, identifying number, employment history, etc."
In 2010, the US Office of Management and Budget (OMB) issued policy directive M-10-23, Guidance for Agency Use of Third-Party Websites and Applications. The directive includes a much broader definition of personally identifiable information, taking a position that any information that can be traced to a person's identity, either as a single data point or in combination with other data points, can be considered personally identifiable information and, thus, subject to protection.
Depending on the nature of your ecommerce business, your site might be collecting any or even all of the following protected private information:
- First and last name
- Date of birth
- Mailing address
- Email address
- Phone numbers
- Employment history
- Education history
- Credit card information
- Website cookies
- Social media accounts
- Customer support content
All ecommerce stores collecting personally identifiable information must allow online customers the option to provide or refuse to provide their personally identifiable information, as well as the option to change their mind.
- What information you collect directly and indirectly through your ecommerce store
- What information you might collect in the future
- The methods you use to collect, manage and share customer data
- Possible ways you might use customer data in the future
- How third parties such as Google Analytics, AdSense and others might be collecting and managing information from your customers
- Information customers give you directly, such as their name, address, email, phone and payment information
- Information you collect indirectly while they browse your store, such as with cookies, beacons and third party technologies
In the US, the National Conference of State Legislatures (NCSL) published a guide to privacy laws in all 50 states and the US territories.
The guide explains state laws on privacy, customer browsing information, personal information collected and managed by ecommerce and other platforms, online marketing to minors, and privacy issues which might apply to online purchases and other online activities.
Additionally, the state of California has the California Online Privacy Protection Act of 2003 (CalOPPA) affects ecommerce business owners that collect personally identifiable information about Californians.
As you can see, the requirements center around transparency, disclosure and making it easy for your customers to be aware of your practices and their rights when it comes to privacy.
Global Privacy Laws Affecting Ecommerce Stores
Privacy laws aren't isolated to the United States. In the EU, a wide-sweeping privacy regulation went into effect in May of 2018.
The General Data Protection Regulation, or GDPR, was written to provide maximum protection for the private information collected from people in the EU. The GDPR imposes unprecedented rules for ecommerce stores and other websites operating in the EU, whether or not the store or website is itself located in the EU.
Fines for non-compliance with GDPR are steep. They can be from two percent to up to four percent of "annual global turnover," or €20 Million, whichever is greater.
If your ecommerce business operates in the EU, whether an EU-based company or not, you need to know how GDPR affects you, how to comply with its requirements, and the penalties for failure to comply.
Let's take a look at some of the circumstances that require careful consideration.
Do you require or allow customer registration?
If you allow customers to register for access to your site, to sign up for an email newsletter, etc., you likely collect personally identifiable information about your customers such as a name, address, phone number, email address and so on.
Customer service and support tools such as live chat, email, and social media require the collection and management of directly and indirectly provided customer data.
The Gap's checkout page requires unregistered "guest" shoppers to enter an email address, and of course, the checkout page requires a great deal of personally identifiable information.
This sample clause provides a good example of how to comprehensively yet simply identify the types of information that might be collected:
You also need to provide your customers with an easy-to-find and simple-to-use way to opt out of sharing their personal information with you, even if they initially opted in.
Here's an example of an opt-out clause from the John Lewis Privacy Notice:
Note how it includes multiple methods of opting out of marketing communications, from within emails and through user accounts, to how to do so through the mobile app or via postal mail. The more options you provide, the better, since not everyone may have access to every method you provide.
Where do your customers live?
Familiarize yourself with privacy laws in jurisdictions where you do business. Most have very similar requirements, so don't think of this as daunting. In fact, if you satisfy the requirements of CalOPPA and the GDPR, you'll likely be in compliance with any other privacy law out there.
Do you collect information about your customers' product preferences or browsing histories?
This is typically referred to as information collected indirectly, and is usually done through cookies. Laws protecting this information are the same as laws protecting information customers provide directly.
Websites should provide a separate clause for information that may be collected indirectly, and at a minimum include this information within another relevant clause.
Here's a good example from Huawei:
Remember: You need to disclose all the ways in which you collect personal information from your customers. This means even if you do it indirectly, through cookies or through a similar method. If anything, it's even more important to disclose such things since for most customers it will be obvious that you're collecting their financial information but they may not be aware of you tracking how long they're staying on your website or using cookies to remember your login password.
Do minors visit your store?
COPPA, GDPR and most other privacy laws around the world provide special consideration for minors. While the age of what constitutes a minor varies, there is global concern for protecting minors from unknowingly putting themselves in harm's way.
Online bullying, data theft, human trafficking and other concerns make ecommerce stores particularly liable for protecting minors.
While DocuSign isn't an ecommerce store, it still provides a clause that addresses children:
The clause states that it doesn't knowingly collect information from minors and encourages minors not to use the service. This not only helps inform children that the service isn't for them, but it works to alleviate liablity in the event that a child does submit its personal information to DocuSign. The company can refer to the clause and use it as proof that it wasn't attempting to violate the law.
Do you process payments through a third party?
Are customers paying for your products with one-time payments or recurring payments such as a monthly or annual subscription?
Does your payments processor store customer payment information for future use?
The Gap provides a convenient and conspicuous dashboard inside the shopping cart with access to its Credit Card Safeguard policies:
Do you allow third parties to monitor the activities of your customers, such as Google Analytics, AdSense, AdRoll, YouTube or others?
Here is Gap's clause detailing the many ways third parties might be collecting and using customer data:
Note how it addresses a ton of areas in this clause where third-party sharing may occur including things like business transfers, use of service providers, loyalty programs, legal requirements and sharing by the users themselves through social media.
Do you re-target your customers after they leave your site?
One of the most popular forms of advertising online for ecommerce stores is customer remarketing, also called retargeting.
This allows you to remind your store visitors of what they liked in your store, what they left in their shopping cart, an order they may need to re-fill or even products you have that are similar to products your customers bought elsewhere.
Additionally, when setting up these tools, you will be required to follow the third party's requirements as well. Here's an example of a requirement from Google's AdWords agreement:
Remember that you also must provide your customers with an easy way to opt out of providing their information for all of these activities.
- Inform your store visitors about the private data you collect and manage.
- Give your visitors a choice to opt in and opt out.
- Give your visitors access to the information you and third parties collect.
- Inform your visitors of how you secure their data.
If you run an ecommerce store, you need to do the following to run it in accordance with privacy laws:
- Answer the questions related to your entity type and location.
- Answer the questions relating to what type of information you collect from your users.