Privacy is a primary concern for your customers and for legislators around the world, so your company's privacy policy cannot be an afterthought. It must reflect a sincere commitment to privacy and a desire to meet the highest legal standards.

So how do you get a privacy policy for your online store? Frankly, you probably have three options.

  • Hire an attorney to write a privacy policy for your business
  • Use a privacy policy generator
  • Write your own using examples

All three of these approaches will work to a lesser or greater extent, and for many small and mid-sized ecommerce businesses, simply using a privacy policy generator may be simplest and most direct choice.

No matter which of these options you choose for your ecommerce business, it is helpful to understand what sections should be included in your company's privacy policy, particularly in light of new data privacy laws like the European Union's comprehensive General Data Protection Regulation (GDPR), which is influencing privacy law globally.

With this in mind, here is a general outline for your company's privacy policy. This outline is meant to meet the requirements of the GDPR which may be the most specific data privacy legislation currently in effect. Complying with it, therefore, should ensure compliance with nearly any other jurisdiction's privacy policy requirements.

Note that these are not specific section titles, but rather concepts that should be communicated in your privacy policy in a way that is easy for your customers to understand.

  • Identification
  • Data Collection
  • Data Use (Processing)
  • Data Storage
  • Data Sharing
  • Data Control

 

Identification: Include Company & Contact Information

Your privacy policy should explicitly identify your business. The 3dcart privacy policy generator, as an example, puts this information right at the top of the page with both the policy title and an introductory paragraph.

Company Name Privacy Policy

This Privacy Policy describes how we handle personal information collected, used, and shared when a visitor or customers access Company Name.

Your customers should also be able to contact your business with questions or concerns about privacy and personal data.

Here is an example contact information paragraph. It describes several of the reasons a customer might want to contact your business about privacy then provides both an email address and a physical address shoppers can use to contact your company.

Questions and Contact Information

If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Data Protection Officer at your-email-address@your-company.com or by mail at Your Company, 123 Your Address Road, Your City, Your State 10000.

 

Data Collection, Use & Storage

Using clear and concise language, your company's privacy policy should let shoppers know what data will be collected, what your company will do with that data, and how long data will be kept. Here is an example.

When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address. Data collected during a transaction is stored securely for 36 months.

When you browse our store, we also automatically receive your computer Internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system. Browsing data is keep for up to 90 days from the date of your last visit.

Email marketing (if applicable):

With your permission, we may send you emails about our store, new products and other updates.

Your ecommerce business should also describe what payment information is collected during a transaction and how it is shared with payment processors.

The example below makes this clear to customers. Notice that it describes what information is collected, "your credit card data," and how long it is stored.

If you choose a direct payment gateway to complete your purchase, the online store transmits your credit card data. The store data is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.

Oh, and don't forget about cookies. In addition to displaying a cookie notice to visitors, you'll want to include specific language about cookie use and tracking.

Our website uses “Cookies” as data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit https://www.allaboutcookies.org.

Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a European resident we note that we are processing your information in order to fulfill contracts we might have with you (for example if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above.  Additionally, please note that your information will be transferred outside of Europe, including to Canada and the United States.

In the context of data storage, include a section describing the security measures your business has taken. Here is an example from the security section of a privacy policy built using a privacy generator.

To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.

If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption.  Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards.

 

Data Sharing

Your privacy policy needs to be explicit about when and with whom data is shared. This includes the use of tools like Google Analytics or Google Tag Manager and third-party email or marketing services like MailChimp.

Include a paragraph or list that enumerates each of the third-parties your business shares data with, what data is shared, and why it is shared.

For example, see mysupermarket.co.uk's privacy policy. It includes a table with details about data sharing. One entry is for an affiliate platform, Awin. This entry includes a simple sentence explaining the relationship.

We participate in affiliate marketing programs set up by Supermarkets and run on their behalf by Awin

Next, the user is explicitly told that it is a partial internet protocol (IP) address that is shared with Awin, and finally, Supermarkets includes a link to Awin's privacy policy.

You should do something very similar with your privacy policy.

 

Data Control

The GDPR gives users specific rights to control personal data. For example, a user on your website can request access to the personal data you have collected about them, correct any errors in the personal data you have collected, or require you to permanently delete the personal data you have collected in certain circumstances.

It can be a good idea to specifically mention these rights in your privacy policy, perhaps, in conjunction with the contact information you provide.

Want more information on Privacy Policies and how to set up your website for GDPR compliance? Download our free toolkit below.

Free report: The Real Cost of Running a Shopify Store