10 Easy Steps to an Effective eCommerce Privacy Policy

The privacy policy is well defined in many jurisdictions' laws: "It is a statement that declares a website's or company's policy on collecting, storing and releasing information about a visitor".

Information about a visitor may include name, date of birth, address, contact information, marital status, previous purchases, payment info, etc. Basically, anything that can be used to identify the person in question.

The purpose of this statement is to inform customers what information will be gathered about them, how it will be stored and under which circumstances it will be released.

Now, since the privacy policy has to be written with respect to legal jurisdiction and also meet the requirements across different geographical regions, it is not a uniform document. It has to be custom-tailored for each use.

Privacy policies originated with governments, but they have also found application in the private sector and in commercial transactions.

Today, the privacy policy in commercial transactions is commonly used on eCommerce websites. This is simply because online privacy became very important for online customers and visitors to eCommerce websites.

It doesn't only cover an online establishment's legal side, but it also makes the customers feel safer. It provides transparency and increases visitors' awareness. Besides, consumer protection groups require that online shops disclose their data collection and distribution practices in privacy policy statements.

Creating a good privacy policy is not an easy task. As we have said, regulations vary from country to country and for businesses selling on international markets, such as eCommerce businesses, this may be even more difficult.

Law requirements

It is a fact that technology affects human rights, especially today, when people spend much of their online time browsing and shopping for various products and services. The Council of Europe studied these effects as early as 1968.

Just one year later, Convention 108 was introduced. In 1973 we had the first Privacy Law - the Swedish Data Act. Germany followed with the Data Protection Act in 1977 and many others on the old continent were to follow these examples.

The first similar notions across the ocean were brought forth in the 1970s in both the US and Canada. The Congress of the USA passed the Fair Credit Reporting Act and in Canada, the government updated the Canadian Human Rights Act.

All of these acts and notions are the roots of what we today know as privacy policy in the eCommerce industry.

A privacy policy is a legal document in privacy law, and as such it must be posted on an eCommerce website. The regulatory bodies and the requirements differ from country to country, as we have already stated.

But if an eCommerce business sells its goods or services across the globe, it has to present website visitors with a privacy policy that respects the laws of every country in which it sells.

The general guidelines can be found in the privacy and personal data protection documentation published by the Organization for Economic Co-operation and Development (OECD).

Operating in a cross-border environment brings a lot of responsibilities. This is why it is very important to pay attention to privacy policy statements found on your eCommerce website.

The matter at hand is actually very complex. Let's take the United States as an example. The privacy policy is regulated by both federal and state law.

At the federal level, the privacy policy requirement is based on the age of the website visitor, while at the state level the requirements are based on the state from which the website visitor originates. All the possible disputes in this area are handled by the Federal Trade Commission (FTC).

Back in 2008, a big name in the online retail industry, Life is Good, INC. and Life is good Retail, Inc., settled FTC charges that they had failed to safeguard sensitive consumer information, a violation of federal law.

The bottom line in this article section would be that privacy policy statements are mandatory for eCommerce websites since they are collecting data that can be used to identify an individual.

A privacy policy should not be taken lightly. Many governmental institutions advise eCommerce companies to implement an information security program and to bring in independent third-party security professionals on a regular, yearly basis.

Payment processing

Since the eCommerce industry is based on online payment processing, it is important to address this in the privacy policy statement. The online purchasing process requires customers to disclose sensitive personal data.

In this case, we are not only talking about the data that can be used to find out who they are or where they live, but also the credit card data. If this information leaks, there could be devastating consequences for both the online retailer and people who used their services.

The most important thing to explore and become familiar with when entering eCommerce waters is Payment Card Industry compliance. PCI compliance centers on one standard in particular, the PCI Data Security Standard (PCI DSS), which dictates to all online retailers how credit card data must be stored, processed and transmitted.

eCommerce payment processing

Visa, MasterCard, and JCB International are just some of the organizations that make up the PCI Security Standards Council. Their primary concern is how to enhance the security of payment account data.

Any online shop has to meet all PCI Data Security Standard requirements, which are grouped under these six goals:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Make sure to check each requirement of PCI DSS and implement all the technologies that allow you to handle this type of user data on your eCommerce website. Meeting these requirements is very important, and it will limit the damage to any online business should a breach take place.

Once you have met all the requirements and clearly stated everything in the privacy policy for every customer visiting your website, the risk of an expensive lawsuit is minimized.

Since many things in this area are not carved in stone, it is strongly advised to stay tuned to the latest developments in the field. For instance, you can read authoritative insights on the legal and regulatory issues affecting online business.

Where to display a privacy policy?

A privacy policy is a form of legal agreement. It should be easily accessible to customers on an eCommerce website. It is ineffective to hide the privacy policy somewhere deep in the architecture of your website.

Users should be able to clearly see it and access it without having to go through multiple pages of an eCommerce website. Besides, adding a link to the privacy policy will not affect a website's design in any way, since it can be just a small text link.

On most eCommerce websites the link to the privacy policy is found in the footer. This is considered the most common spot for it, simply because the footer is displayed on every page of the website (home page, product page, checkout page, and so on).

Some eCommerce websites require user registration before customers are able to make purchases. In this case, it is important that the privacy policy is also visible to users who browse the website without registering.

Privacy policy in the footer placement

The privacy policy link can also be placed on any form where website visitors have to enter some of their personal data in order to create an account, get a special discount, gain access to additional content, subscribe to email notifications, sign-up for a newsletter, etc.

Some eCommerce establishments use clickwrap agreements. These are usually placed on the checkout page. This way, the business ensures that customers have to take an action to agree to the transaction services agreement, services agreement, terms and conditions and privacy policy.

This can be done by notifying the customer that they agree to all of the things stated above by clicking on the "place order" button or by checking an "I agree to..." checkbox on the checkout page.

For instance, eBay uses a submit form to link their user agreement and privacy policy. This way, eBay ensures that every user agrees to their privacy policy and user agreement before they can register with eBay.

Privacy policy clickwrap placement

The best practices to follow when you run an eCommerce website go as follows:

  • Make sure that the link to the privacy policy is placed on all web pages of your online shop;
  • The footer of the web page is the most common place to put the link to the privacy policy;
  • If your website includes any forms where users have to enter their private data in order to access or gain something for free, make sure to include a link to your privacy policy;
  • Consider using the clickwrap agreement technique if users can register an account on your eCommerce website.

10 easy steps to an effective eCommerce privacy policy

Get familiar with standards

In each industry, there are standards that have to be met. Doing business online is nothing new, and fortunately, there are many resources online that can get you on the right track when it comes to privacy policies.

When you get familiar with the privacy policy in general, you will get the bigger picture of why it is needed and what you can do to implement it in your online store.

Decide who will be responsible

Before you start devising strategies for your eCommerce business, make sure to decide who will be responsible for your privacy policy. If you have a lawyer on board, this can be their task from now on.

But keep in mind that this is a highly complex task and that some established online retailers outsource this to teams of professionals. This is simply because there are countless regulatory compliance issues that have to be understood and resolved within boundaries set by laws.

Follow the examples

As we have already stated, eCommerce is not a new concept. There are dozens of eCommerce websites that have already implemented privacy policy statements.

It is important to understand which software tools and/or systems collect user data while visitors are on the website. It is also important to pay attention to how the data is stored and used, which services it is shared with, and over which security protocols it is transmitted.

Don't copy-paste privacy policy statements

Each privacy policy statement should be unique. It should apply to your online shop specifically.

Why is this important? Well, by using someone else's privacy policy statement, you are exposing your business and yourself to unnecessary risk, because there is a chance that the "borrowed" privacy policy statement doesn't cover all the instances of how your eCommerce website collects, stores, uses and shares user data.

Check the privacy practices of your eCommerce website

This is an incredibly important step towards building an effective eCommerce privacy policy. In this step, you should get familiar with how your website works. If you were not directly involved in its development, make sure to contact the web developers who worked on it.

You should make a list of data your website collects while visitors are browsing through products and when they make a purchase.

Here are the most common data entries collected by eCommerce websites:

  • Personal user information such as shipping address, phone number, email, name, etc.;
  • Financial and payment data: credit card number, CVV, expiration date, etc.;
  • Data collected by cookies: behavior tracking and other site analytics;
  • Usernames and passwords if the website requires registration.

Make sure to know what happens with the data

The most important things regarding user data are the following: where it is stored, how long it stays stored, and how it will be used and/or shared. It is important to know whether your site merely passes payment processing information through to a gateway without storing it at all, or whether it stores this confidential data.

Some sites allow users to store their credit card info, and if this is the case with yours, you will need to add this to the privacy policy statement. You will also need to implement advanced security measures to protect user data privacy.

In some scenarios, data is shared with third parties. It is important to know who these parties are and what is going to be shared. If this is the case, the privacy policy should clearly state that the data is going to be shared, as well as with whom and why.

Provide contact information in the privacy policy

This is a good practice and it will certainly help you build trust with your customers. You can simply add a contact phone number and/or email address for anyone who has privacy requests or concerns.

This contact information should refer customers to the person who was in charge of writing your privacy policy. This person is best placed to provide accurate answers to concerned customers.

Post it on your eCommerce website

Compliance obligations will be met if you post a link to the privacy policy in the footer of your website. But if you want to appear more reliable and to build better client relations, you should definitely put it in a place where customers will spot it easily.

You can add a privacy policy reminder whenever a user has to enter private data and make a purchase. This can be a simple text link that will not affect your website design and overall layout of the elements.

Keep it updated

Privacy laws are subject to change. It is important to stay tuned to the latest changes made to the laws that apply to your business model. The privacy policy on your eCommerce website should always accurately reflect the current privacy laws.

Make sure to update the privacy policy statement whenever a website update changes any of its data practices. The best way to achieve this is to schedule regular privacy policy revisions, at least once annually.

To further build trust with your customers, you can send them an email notifying them of the changes made to your privacy policy statement. This email should not contain the privacy policy itself; it should be brief and informative, with a link to your privacy policy.

Writing a privacy policy statement

You can get a privacy policy for free by copying it from other websites or by using one of the free privacy policy templates. We have already mentioned the downsides and risks of doing so.

Another option is to hire a lawyer or a team of lawyers to write a customized policy that covers your site's practices. Of course, in most cases this will be very expensive and not always worth it, especially for smaller businesses or those just starting out.

A much better approach is to use an online generator. It will guide you through a series of questions to ensure the final policy is applicable to your eCommerce business and how you run it.

To write an effective privacy policy for eCommerce purposes, you should have your target audience in mind. By doing so, you will make sure that everyone can clearly understand this statement.

You can include links to relevant laws in order to make it understandable. By reaching out to your customers in this way you will increase their trust.

The privacy policy is a mandatory legal statement for eCommerce websites. This is why this matter should be addressed with care. Its primary purpose is to inform the customers about all of your data practices before they disclose any of their personal data while they are on your website.

Once you have written it, or had it written, make sure that it can be found on every web page of your online shop.

And don't forget to keep it updated. This way, you will not only minimize the risk of being sued and subjected to numerous penalties, but you will also build trust with your customers and increase customer satisfaction and retention rates.