
By Geoffrey Scott

Most entrepreneurs running ecommerce stores are experts on their product, understand key areas of digital marketing, and have a vision for how they’d like to develop their business into the future. However, website security and legal compliance are often more tertiary matters – noted, but (generally) neglected. This is a big mistake.

As Facebook, Google, Amazon, and other tech giants continue to make highly visible (and widely criticized) ethical errors, now is not the time to neglect things like user privacy and safe data collection practices. Doing so will inevitably lead to legal trouble. Embrace the following four strategies for legally protecting your website, however, and you’ll be able to comply with the law and avoid getting fined as well.

Way #1: Familiarize Yourself with the Legal Landscape

If you’ve read any news regarding internet privacy over the past year, you’ve likely noticed a swath of acronyms and foreboding titles like “The ePrivacy Regulation.” Understanding the scope of these and how they apply to your business are big steps toward legally protecting your website.

Here are the three primary pieces of privacy legislation for you to be aware of as an online business owner today:

  1. The General Data Protection Regulation (GDPR)

The GDPR firmly puts the EU at the forefront of online user privacy worldwide, specifically by demanding companies become more transparent with how they use and handle the personal information of customers and people who navigate their websites. Anyone who targets EU consumers is affected by the GDPR.

Allowing users access to this data is no longer a nice gesture; it’s the law. Violating the GDPR’s stringent policies can cost a company up to 4% of its annual global turnover or 20 million euros (whichever is greater).

  2. The ePrivacy Regulation (ePR)

The ePrivacy Regulation is a critical update of the 2002 ePrivacy Directive. It addresses user privacy rights regarding online communication (messaging systems, apps, etc.), while also taking into consideration how things like Bluetooth and other forms of technology have become integrated into our daily lives (and how to protect our privacy while using such devices).

Similar to the GDPR, the ePrivacy Regulation applies to anyone who markets and sells their products/services to members of the EU. It works in conjunction with the GDPR to cover all aspects of digital privacy, and helps set a precedent for further pro-user legislation across the globe.

  3. The California Consumer Privacy Act (CCPA)

The CCPA is a huge step for the United States in terms of online privacy rights for Americans. It applies to anyone who conducts business with Californians, and places certain regulations on data collection that bear a strong resemblance to those established by Europe’s GDPR.

Businesses are already starting to ramp up for this piece of legislation, which officially goes into effect on January 1st, 2020. Allowing users to access their data upon request and making sure they consent prior to any form of data collection (or use of cookies) are two key elements of the CCPA.

Many companies and lawyers project that the CCPA is only the first of many incoming U.S. privacy laws on the horizon. Making sure your business is prepared for these laws (ones that have been passed, and ones that are being discussed) is the only surefire way to avoid lawsuits in the future.

Way #2: Cover Your Bases – Employ Every Relevant Legal Policy

Depending on the product you sell and the types of information you collect, you’ll need (or are advised to have) a:

  1. Privacy policy (required in Europe & U.S.)
  2. Terms & conditions (highly recommended in Europe & U.S.)
  3. Cookie policy (required in Europe, required in U.S. by Jan. 1, 2020 for anyone marketing to Californians via the CCPA)
  4. Return/refund policy (Depends on business model)

Privacy Policy

Privacy policies are a legal requirement for ecommerce businesses in Europe and the U.S., so having one is naturally a huge part of safeguarding your website (from fines and lawsuits to user backlash). Yours should be easy to access, written in plain English, and make it explicitly clear how your company processes user data.

Getting a lawyer to write a privacy policy for your company is one strategy, or if you have the time you could learn how to construct your own (it needs to be comprehensible for the layman, after all). Just remember that when putting together a user-friendly privacy policy you should at the very least include the following:

  • What user data is stored
  • How long data is kept
  • Why you store specific types of data
  • How users can access their data (which includes the opportunity to delete or alter it if they want)
  • Descriptions of third-party service providers you share information with
  • Your use of cookies (can link to a separate cookie policy)
  • Your address and contact information (making it explicitly clear where the business is physically located)
  • An effective date for any revisions that are implemented

Terms & Conditions

Having a terms and conditions page (also known as “terms of service” or “terms of use”) isn’t required by law, but it can do a lot to help you stay out of trouble with your users. Not to mention, some people have even sued companies (Barnes and Noble, for instance) for not making their terms clear enough. It’s certainly a good idea to avoid similar mistakes.

The main tenets of a T&C include:

  • Limiting your legal liability when errors appear on your website
  • Limiting your liability for offensive user-posted content
  • Mentioning the relevant governing law to which your site adheres
  • Pointing out your copyright and trademarks

Whereas a privacy policy is mandated for all ecommerce businesses, listing out your terms and conditions is only highly encouraged. However, if you allow user comments and want to lay greater claim to your brand name, it’s advised to implement your own. And remember to make sure terms are visible, so you can protect your company from potential litigation down the road.

Cookie Policy

Cookie policies are already legally required for European businesses, and will become a growing fixture for American ones (thanks in part to the recently passed CCPA). Cookie policies outline:

  • What cookies are (in easy-to-understand English)
  • Which types are employed by your website
  • Descriptions that clearly explain the types of cookies your website uses
  • Descriptions of which cookies your third-party providers use
  • A brief explanation about why cookies are being used on your site (generally, to improve the user experience)
  • Clear instructions that let users know how they can opt out of cookie collection

Having such a cookie policy, even if it’s not written into law where you operate yet, is a smart, preemptive method for achieving legal compliance. Plus, by the start of 2020, if you collect any user data from CA residents, it will become compulsory.

Return/Refund Policy

Having a return policy in place, even if you don’t accept returns under any condition, can still be beneficial for your business. Customers appreciate the transparency, and you have something concrete to point to in the event a dispute arises regarding a purchase.

It can also yield positive financial results. One poll found that 91% of consumers take a company’s return policy into consideration when buying something online, so be sure to consider this when deciding to implement your own or not.

In some states, specific laws regarding returns dictate how businesses put their own together. For other states, it’s up to the retailer to decide. Figuring out what’s best (and legal) for your own website will help safeguard you from litigation, and encourage customers to make purchases as well. A definitive win-win scenario.

Way #3: Get Proper Consent for ALL Data Collection

Your website policies aren’t truly effective if the user never encounters them at any point during their time on site. This is where user consent comes in.

There are five legal grounds for processing data other than consent (meaning that if one of these conditions is met, then you do not need consent to legally process the information). They include:

1. Legitimate Interest. As long as your processing doesn’t impact the rights and legal freedoms of your users, you can do so without their consent. This would include areas like fraud prevention, market research, and internal administration practices (payroll, for instance).

2. Contractual Necessity. If it’s 100% necessary to gather user data to fulfill a contract, it’s also legally acceptable (such as processing a credit card and user contact information to generate an account for them).

3. Vital Interest of the User. If data collection could determine the life or death of a user, it is legally condoned.

4. Legal Obligation. Compliance with the law is another legal ground for processing without consent (a subpoena, for example).

5. Public Interest. Only really applies to governmental entities – data can be processed if it’s for the good of the public in some way.

If your processing practices don’t fall under one of the previously listed categories, you need user consent before doing so.

Requirements for Legal Consent Requests

The concept of user consent has changed with the implementation of the GDPR. For it to hold up in court, it must be:

  • Freely given: Your user must choose to give consent, not be tricked into doing so.
  • Informed: It must be perfectly clear to your user why you are asking for consent, so that they can grasp the full extent of the data you plan on collecting.
  • Unambiguous: Your users must be fully aware that they are consenting to the collection of their data.
  • Specific: You should make every consent request as specific as possible. For instance, asking users to accept cookies should not be lumped in with a newsletter sign-up.
  • Affirmative (Opt-in) Action: A manual action must be performed by your users in order to obtain their consent. Pre-checked boxes are not acceptable; unchecked boxes are fine if the user then checks them. Other acceptable forms of affirmative action include clicking a radio button and setting user preferences.

Explicit vs. Unambiguous Consent

There are two types of consent, and which you need to process data is determined by the type of information you’re collecting from your users.

Explicit Consent

If you collect sensitive personal information from EU citizens (which includes things like political/religious beliefs, biometric data, ethnic background, and more), only a written or oral agreement (“explicit consent”) counts as true consent.

Checking a box that has a clear written statement of intent counts as an example of explicit consent. Note how the following example requires a user to manually check the unchecked box, provides a clear statement as to what they’re agreeing to, and links to relevant policies to make things transparent for their users:

LegalTemplate’s form builder

Unambiguous Consent

If you only plan on collecting personal information (like email addresses, names, location data, IP addresses, etc), unambiguous consent is acceptable. Similar to explicit consent, it requires an affirmative action to be deemed legitimate. However, statements regarding what you’re collecting don’t need to be as blatantly obvious.

This particular signup form requires the user to type in their email and hit the subscribe button. However, it doesn’t explicitly state that the user is signing up for a newsletter, so it’s not considered explicit consent.

PayMotile’s blog

Cookie Consent

Most data doesn’t start getting processed until the “sign-up” or “check-out” stage of a website, so it’s possible that your business already addresses consent to your privacy policy in some way. However, cookies are a different matter.

Cookie collection usually begins as soon as a user lands on your website, and getting their consent at this juncture is now the law. This means that they must be aware of your cookie policy from the very beginning, unlike your privacy policy, which may not be applicable until a later stage.

One strategy for getting users to consent to your cookie policy is to implement a consent banner that floats at the bottom of your page, like this:

Black Cat Firework’s website

Furthermore, it’s now the law to let customers know how you plan to use their cookies (and ways to change their settings at any point). Such details should be laid out in your cookie policy and privacy policy, as well as made easier to access through tools like the aforementioned consent banner.
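The consent rules above (deny by default, no pre-checked boxes, one decision per purpose, withdrawal at any time, essential cookies exempt) translate into a small gate that decides which cookies a page may set. The following is an added example and not code from the article or from any vendor it mentions; the cookie names, purposes and policy version strings are constructed for illustration.

```javascript
// Constructed catalogue: every cookie is tied to exactly one purpose, so a
// user's decision for that purpose decides whether the cookie may be set.
const COOKIE_CATALOG = [
  { name: "session_id", purpose: "essential",   thirdParty: false },
  { name: "cart",       purpose: "essential",   thirdParty: false },
  { name: "_ga",        purpose: "analytics",   thirdParty: true  },
  { name: "ad_id",      purpose: "advertising", thirdParty: true  },
];

// Purposes that need opt-in consent; "essential" is deliberately not listed.
const OPTIONAL_PURPOSES = ["analytics", "advertising"];

// A fresh record grants nothing: the equivalent of unchecked boxes.
// policyVersion ties the decision to the cookie policy text it was made under.
function newConsentRecord(policyVersion) {
  const purposes = {};
  for (const p of OPTIONAL_PURPOSES) purposes[p] = false;
  return { policyVersion, purposes, decidedAt: null };
}

// Store the user's affirmative, purpose-specific choice. Purposes missing from
// `granted` are recorded as refused; unknown purposes are ignored.
function recordDecision(record, granted, now = Date.now()) {
  const purposes = { ...record.purposes };
  for (const p of OPTIONAL_PURPOSES) purposes[p] = granted.includes(p);
  return { ...record, purposes, decidedAt: now };
}

// Withdrawal must be as easy as consenting: one call resets to refuse-all.
function withdrawAll(record, now = Date.now()) {
  return recordDecision(record, [], now);
}

// Essential cookies are allowed without consent (contractual necessity).
// Anything else needs a recorded decision that granted that exact purpose.
function isAllowed(record, purpose) {
  if (purpose === "essential") return true;
  return record.decidedAt !== null && record.purposes[purpose] === true;
}

// Names of the cookies the page may set right now under this record.
function cookiesToSet(record, catalog = COOKIE_CATALOG) {
  return catalog.filter(c => isAllowed(record, c.purpose)).map(c => c.name);
}

// Show the banner when there is no decision yet, or when the cookie policy
// changed since the decision was made (old consent does not cover new terms).
function needsBanner(record, currentPolicyVersion) {
  return record.decidedAt === null || record.policyVersion !== currentPolicyVersion;
}
```

In a real page the record would be persisted (itself an essential cookie or localStorage entry) and third-party scripts such as the analytics tag would only be injected after `isAllowed(record, "analytics")` returns true.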

Way #4: Understand your Plugins & Third-Party Services

Running a successful ecommerce business today is nearly impossible without the help of third-party services and plugins. However, while such services and plugins are largely positive in nature, they can work against you if you’re not careful.

Here are three actionable steps you can take to make sure your third party providers are worthy of your trust:

Read Their Privacy Policy

You should be concerned about the data being processed by every third-party provider you work with, because you are liable if they run afoul of the law. It may seem tedious, but be sure to read their privacy policy and find out how seriously they treat data collection.

When exploring the content of their policy, be sure they answer the following questions:

  • What types of data do they plan on collecting from your users?
  • Do they collect data from all of your users, or only certain demographics?
  • Will they use it temporarily, or will it be held on indefinitely? (if the latter, be very wary of letting them gather the data of your users)
  • Do they keep this data for themselves or share it with others?

Every service and plugin you incorporate into your business could potentially cost you money and energy in legal fees, so be sure to invest the time needed to avoid those costs to the best of your ability.

Reach Out for Clarification

If you start to get weighed down with legal jargon while evaluating the privacy policies of third-party providers, it never hurts to contact them and clear things up. In addition to asking the previously listed questions, some potential ones you could mention include:

  • At what point (if ever) do you intend on accessing the personal information of our users?
  • How will you go about accessing this information?
  • Have you taken steps to comply with major privacy laws like the GDPR, the CCPA, and CalOPPA? (if they don’t know what you’re talking about, it’s definitely a bad sign)

You can also consider sending each third-party service provider a due diligence questionnaire to fully assess what data they are storing and what they plan to do with such information. It may seem severe, but so are the penalties for letting these companies abuse the data of your users.

Negotiate Your Contract (if possible)

You don’t need to simply accept the terms of a contract established by a third party service provider whom you haven’t entered a contractual relationship with yet. You are well within your rights to negotiate the terms, in order to ensure their compliance with data security regulations and the law.

Audit Their Data Collection Practices

Once you’ve come to terms and are working with a variety of third party providers (Google Analytics, PayPal, Gravity Forms, etc.), don’t become complacent. With an understanding of their collection practices, you should monitor each provider to be sure they stick to the rules laid out in their privacy policies.

Depending on your resources, consider implementing an annual, bi-annual, or quarterly audit system. Audits can be handled by your own team (ideally composed of tech-savvy individuals), or you could outsource this work. Making sure third parties practice what they preach ultimately falls on you, so it’s important to incorporate these checks into your business.


In many ways, starting a website and turning it into a full-time business has never been easier. However, paired with many of the conveniences ecommerce business owners enjoy today is a growing number of privacy laws that have the potential to financially cripple them if not adequately addressed.

Thankfully, pro-user legislation like the GDPR and CCPA will eventually benefit not only online consumers, but also the businesses that serve them. A more transparent online world is good for everyone, and will help ensure users keep trusting the websites they visit (and buying stuff). Some companies may get hammered by these new laws, but if you legally safeguard your website with transparent policies, proper data collection practices, and work exclusively with trusted third parties, yours won’t be one of them.

Geoffrey Scott is a payments consultant at, where he works regularly with business owners from a diverse range of industries to help them find dependable payment processing solutions. He also specializes in data & privacy management, and helps his clients on a daily basis by writing informative pieces outlining ways they can better secure their business while operating online. He also enjoys cold brew coffee, fiction novels, and the occasional Mario Kart tournament.

Privacy Policy stock photo by Jevanto Productions/Shutterstock