Privacy Compliance for Online Stores


In an era marked by the exponential growth of online shopping, the significance of privacy compliance for e-commerce establishments cannot be overstated.

With the proliferation of online transactions, the realm of e-commerce has witnessed an unprecedented rise in privacy and data protection concerns. This guide navigates through the labyrinth of privacy laws, offering comprehensive insights into compliance measures essential for safeguarding both customers and businesses.

The Complete Guide to Privacy Compliance for Online Stores

According to Statista, the number of people who shop online before the pandemic stood at around 451 million. In 2023, the figure rose to 540 million and is expected to reach 586 million by 2027. At the same time, privacy and data protection concerns have become more pervasive – especially when sensitive data, such as payment data, are at stake. People are more careful with sharing their data with businesses and more proactive in protecting their personal information.

As you can see, to be a successful e-commerce owner, you can’t ignore data protection and privacy compliance. In this guide, we explain what steps you can take to comply with privacy laws and protect your customers and your business.


Privacy Laws Overview

The first step to privacy compliance is understanding which privacy laws apply to you. Usually, privacy laws have an extraterritorial scope, meaning that they can apply also outside the country or region where they were issued.

As a general rule of thumb, you should comply with the laws:

  • of the country (or countries) where you are based/you base your operations;
  • of the country (or countries) where your users and customers are based.

For example, you may be in the United States, but you are shipping your products to people in the European Union. In this case, you would need to comply with the EU’s General Data Protection Regulation (GDPR), as well as the privacy law of your State.

There are many different privacy laws around the world, but here are some of the most famous:

  • The European General Data Protection Regulation (GDPR): it’s the EU privacy law and it was issued in 2018. It aims to protect the data of European users and to regulate how businesses should collect, process, and protect personal information.
  • The EU ePrivacy Directive (Cookie Law): it was first issued in 2002, and it regulates all aspects of electronic privacy, including email marketing and the use of cookies. It applies alongside the GDPR and may have additional requirements (see paragraph below).
  • US State Privacy Laws: the United States still doesn’t have a federal privacy law; instead, many different laws apply at the state level. You probably already know about the California Consumer Privacy Act (CCPA), but there are also the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and many more.
  • Brazil’s General Data Protection Law (LGPD): the LGPD is the Brazilian privacy law and it was issued in 2020. It is somewhat similar to the GDPR, and it aims to create a solid legal framework for the use of personal data in Brazil.

Then, if you own an e-commerce business, you should also be aware of consumer protection laws. Consumer protection laws are regulations designed to safeguard consumers from unfair or deceptive business practices. They ensure that consumers have accurate information about products and services, and provide mechanisms for compensation in case of harm or dissatisfaction with a purchase.

Now let’s talk about what you should do in practice to comply with these laws. Before we start, please note that the legal requirements may vary from business to business, so take the following list as a starting point but be aware that there could be additional requirements.

Privacy Policy

The first thing you should provide to your customers is a privacy policy. The privacy policy is the document that informs your users about your data collection and processing activities, that is, why you’re collecting their data and how you do it.

If you own an online store, you’re most likely collecting data. Just think of the check-out process and all the information that you need from your customers to send them what they’ve purchased.

To be compliant, a privacy policy should at least include:

  • what data you collect;
  • why you collect the data;
  • who you share the data with, including any third party such as a payment provider or analytics service;
  • all details about cookie usage;
  • the user's rights under the applicable law;
  • your contact information.

To see how all these elements come together, take a look at this privacy policy template for e-commerce.

Second, your e-commerce site is probably using cookies. Cookies are small files that websites install on the user’s browser or device, and they can serve different purposes: they can enhance the functionality of your website, or help you show your users personalized ads. E-commerce websites often use cookies for analytics and statistics, social buttons or remarketing services.

We’ve already mentioned the EU ePrivacy Directive (Cookie Law). If you are in the EU or you target EU-based users, and your website uses non-technical cookies, the Cookie Law requires you to:

  • show a cookie consent banner when a user visits your website for the first time;
  • provide a cookie policy, where you explain why your website is using cookies;
  • block cookies from running before the consent is granted or when the consent is rejected;
  • store your users’ cookie preferences.
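The two technical requirements in that list, blocking non-technical cookies until consent is given and storing the user's preference, can be enforced in the page's own JavaScript. The following consent gate is an added example, not code from the article or from iubenda's products; the storage backend, the `loadScript` callback, the category names and the storage key are all assumptions. In a browser you would pass `window.localStorage` and a function that injects a `<script>` tag; here an in-memory storage stands in so the module runs outside a browser. The `mode` switch covers both the EU opt-in rule (nothing non-technical loads before consent) and the CCPA-style opt-out rule (loads until the user opts out).

```javascript
// Added example (not from the article): a consent gate for non-technical cookies.
// Scripts that set analytics or marketing cookies are registered with a category
// and are only injected once the stored choice allows that category.
// Technical (strictly necessary) scripts are never gated.
//
// Assumptions: `storage` has getItem/setItem (window.localStorage in a browser,
// memoryStorage() here); `loadScript(src)` is whatever injects the script tag;
// `mode` is 'opt-in' (EU ePrivacy: block until consent) or 'opt-out'
// (CCPA-style: allowed until the user opts out).

const CONSENT_KEY = 'cookie_consent_v1';            // assumed storage key
const NON_TECHNICAL = ['analytics', 'marketing'];   // assumed gated categories

// Stand-in for localStorage so the example runs without a DOM.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function createConsentManager({ storage, loadScript, mode = 'opt-in' }) {
  const registered = [];      // { category, src } in registration order
  const loaded = new Set();   // srcs already handed to loadScript

  // Returns the stored choice, or null when none exists or the value is corrupt.
  function readChoice() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed.categories === 'object' ? parsed : null;
    } catch {
      return null;              // corrupt value: treat as "no choice made yet"
    }
  }

  // Technical scripts always run; gated ones depend on the stored choice.
  function allowed(category) {
    if (!NON_TECHNICAL.includes(category)) return true;
    const choice = readChoice();
    if (choice === null) return mode === 'opt-out';   // opt-in blocks by default
    return choice.categories[category] === true;
  }

  // Inject every registered script whose category is currently allowed.
  function flush() {
    for (const { category, src } of registered) {
      if (!loaded.has(src) && allowed(category)) {
        loadScript(src);
        loaded.add(src);
      }
    }
  }

  function register(category, src) {
    registered.push({ category, src });
    flush();
  }

  // Persist the user's choice; unknown categories are treated as rejected.
  function save(categories) {
    const normalized = {};
    for (const c of NON_TECHNICAL) normalized[c] = categories[c] === true;
    storage.setItem(CONSENT_KEY, JSON.stringify({
      categories: normalized,
      decidedAt: new Date().toISOString(),
    }));
    flush();
  }

  // Reject every non-technical category. Already-loaded scripts cannot be
  // unloaded, so the list of their srcs is returned so the caller can delete
  // the cookies they set.
  function withdraw() {
    save({});
    return registered
      .filter((r) => NON_TECHNICAL.includes(r.category) && loaded.has(r.src))
      .map((r) => r.src);
  }

  // Show the banner until a (valid) choice has been recorded.
  function bannerNeeded() {
    return readChoice() === null;
  }

  return { register, save, withdraw, allowed, bannerNeeded };
}
```

A new `createConsentManager` built on the same storage after a page reload reads the stored choice, so the banner is not shown again and previously rejected categories stay blocked; a corrupt stored value is treated as no choice, which errs on the side of blocking in opt-in mode.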

In the US, under the California Consumer Privacy Act, non-technical cookies can be installed without the user’s consent, but you must always provide an easy way to opt out (i.e., to withdraw their consent). This is usually done through a consent banner.

Terms and Conditions

Terms and Conditions are not related to the GDPR, but they’re often mandatory when it comes to online stores. Terms and Conditions are a contract between you and your customers, and they define the conditions under which your services or products can be used. They also outline all the necessary information regarding shipping, payments, warranty, the right of withdrawal, and cancellation, which are mandated by law. Terms and Conditions are a very useful document to have, because they help you protect your business and prevent potential problems.

Additional steps

Data privacy is not just a matter of legal documents. It also includes being proactive in protecting your user’s data and keeping them safe from unauthorized access. Unfortunately, every business can be a victim of a data breach, but taking the necessary technical and security measures can help you prevent it.

Here are a few steps you can take:

  • Ensure secure browsing with a TLS (SSL) certificate and HTTPS transmission.
  • Keep data anonymized or encrypted.
  • Back up the data.
  • Define an appropriate plan of action in case of a data breach.

Moreover, remember that users have specific rights over their data that they can exercise at any time. For example, they can ask you to access any data you have about them or to erase the data altogether. For this reason, you must provide them with a clear and accessible way to send you these requests, and you must honor them promptly.

What are the consequences of non-compliance?

The legal consequences of non-compliance can include hefty fines (up to €20 million for GDPR!), as well as regulatory reprimands, periodic privacy audits, and liability damages.

As you can see, not complying with data protection laws can cost you dearly. All of these laws carry hefty fines for non-compliance, but it's not just about the money. Your business could lose its reputation, resulting in fewer customers: who wants to buy from an e-commerce that does not protect its customers' data?

For this reason, you should also look at compliance as a competitive advantage. A business that is transparent about its data practices is also a business you can trust!

About iubenda


iubenda is a legal-tech scale-up founded in 2011, now trusted by over 100k clients in more than 100 countries. It provides compliance solutions to websites and apps to help them comply with privacy laws across multiple countries and legislations, such as the EU’s GDPR, the Cookie Law, or the US State Privacy Laws. iubenda’s solutions combine the expertise of an international legal team with the simplicity of a software solution.

Published on 26.03.2024 | The Complete Guide to Privacy Compliance for Online Stores | DW
