What’s the law?

If you are based in the US, there is no general privacy law or data protection law for e-commerce stores or websites. However, the California Online Privacy Protection Act of 2003 requires operators of commercial websites to display a Privacy Policy.

This legal agreement must detail:

  • The kinds of information gathered (by your website)
  • How the information may be shared or disclosed
  • The process your customers can follow to review and change the information you have on them
  • The policy’s effective date and a description of any changes since then

If you are based in the US, it’s highly likely that you have Californian customers, so it’s important to comply with the Californian state law.

The law in the UK and Europe is similar, but more comprehensive. So if there’s a possibility that some of your customers are from the UK or Europe, ensure that you follow these privacy laws.

The European Union set out the EU Data Protection Directive 1995, and member states like the UK have implemented this directive in their local laws.

In the UK, this Directive is implemented by the UK’s privacy law, the Data Protection Act 1998. The data collection principles covered by both of these pieces of legislation are:

  • Customers must be notified when you are collecting their data (do that through a Privacy Policy agreement hosted and linked from your online store pages)
  • Personal data should only be collected for specific (and lawful) purposes
  • The data collected should be adequate for the purpose
  • Personal data should be accurate and kept up to date
  • Personal data should not be kept for longer than necessary
  • Appropriate security measures should be put in place to protect customer data
  • Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory also ensures an adequate level of protection for that data

Canadian law is also similar, with its rules contained in the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA). PIPEDA requires organizations to:

  • Obtain consent when they collect, use or disclose customer personal information
  • Supply customers with a product or a service even if they refuse consent for the collection, use or disclosure of personal information, unless that information is essential to the transaction
  • Collect information by fair and lawful means
  • Have personal information policies that are clear, understandable and readily available

Now let’s look at what types of information you may be collecting, and how you can comply with the above laws.

The Privacy Policy for your store

What to add in the agreement

It’s certain that your e-commerce store will collect information from your customers as soon as they browse your store, such as their IP address, what time they opened your store page, and how long they stayed on a specific page (whether aggregated or not).

As an example, if you use Google Analytics: this tool from Google collects even more information, such as what pages they browsed through, their location, and even their gender.

Here are some examples of the things Google Analytics collects for an e-commerce store: pages per session, average session duration, language, country or territory, and so on.
