6 Steps to an Effective Ecommerce Privacy Policy

Online privacy is essential for ecommerce visitors and customers. The frequent headlines of security breaches and inappropriate data use by major companies have consumers more vigilant than ever about their privacy protection. Posting a privacy policy statement on your ecommerce site is a significant way to earn their trust. However, an effective privacy policy is not just a disclosure statement.

An ecommerce privacy policy is your everyday practice of collecting, managing, and using data from site visitors. What you do — not what you say — is most important. What you say provides the necessary transparency and awareness to visitors. Comprehensive privacy practices are what government agencies and consumer protection groups require when setting and enforcing compliance.

Unfortunately, creating a privacy policy is not that easy for ecommerce businesses. Regulations vary among countries and among U.S. states. You can quickly spend a lot of time and money trying to stay on top of it all. And that’s before actually implementing your privacy practices and communicating them to your shoppers.

Here are six steps ecommerce businesses can take to create an effective privacy policy that can keep you, your visitors, and the regulators happy.

1. Set Clear Ownership

First, identify who is responsible for your privacy policy. It could be an individual or a team. They are responsible for advocating privacy on behalf of site visitors and within your business. That includes understanding the myriad of regulatory compliance issues, collaborating with product and marketing teams as they roll out new capabilities, and being the clear point of contact when issues arise.

2. Review Other Ecommerce Privacy Policies

This is the brainstorming phase. See what and how other trusted online businesses communicate in their privacy policy statements. Research which systems and software collect personal data along a visitor’s journey on ecommerce sites. Understand procedures for how data is commonly used or with whom data is shared.

The key is to use what others do to build your baseline of knowledge. Don’t just copy other privacy statements. Taking that shortcut puts you at risk. What you are actually doing on your site is likely not entirely the same as what others do. You want your statements to conform to what you are collecting and using.

3. Audit Your Privacy Practices

Now that you have a baseline, you can dig into your own systems and procedures. Identify what types of data you collect from visitors when they browse your site and from customers when they purchase. For example, it is common for online stores to capture:

  • Personally identifiable information like name, email, shipping address;
  • Payments and financial data;
  • User names and passwords;
  • Site analytics and behavioral tracking, using cookies.

Then you should map where that data is stored and for how long it is kept. Sometimes the personal information simply passes through your site but is not stored on your systems, like credit card numbers that are secured by your payment gateway. You still need to know that.

Finally, determine how the data is used or shared with third parties. For example, email addresses are used in many different ways. What email system is used to send out triggered messages after a purchase is made? How is that different from sending out your email newsletter or promotions?

4. Write Your Privacy Policy Statement

Writing your privacy policy statement is the next step. You can certainly start with another website’s disclosure statement or use one of the many policy generators found online. You may also want to engage your lawyer. However, you need to customize for your practices. Again, don’t just copy someone else.

You should also keep your audience in mind. Something as complex and technical as privacy practices can quickly turn your statement into pages of legal jargon. Instead, organize your information clearly into brief, well-formatted sections that link to further details. Write in straightforward language that makes your policy easy to understand. Making your statement easy to read helps build trust.

Additionally, include phone and email contact information for privacy requests. Preferably that is a dedicated contact (like your privacy person from step 1, above), not the general support line. Readers of the policy may never use it, but their trust in you goes up significantly when they see a contact that is responsible for privacy.

5. Post and Communicate

Make your visitors aware of your privacy policy. Most websites link to their privacy policy statement in the footer. That typically fulfills your compliance obligations. But visitors can easily miss that link, which minimizes the opportunity to build trust.

Demonstrate that you collect shopper data responsibly right at the point where you ask for personal information. For example, include a privacy reminder when you ask for an email address on your newsletter opt-in form — see the “Privacy Policy” link in the example below, from Gap, the apparel retailer. Additionally, you can regularly reinforce their trust after they have shared personal information. Make sure to link to your privacy policy with each email that you send.

Gap includes a "Privacy Policy" link directly on its email signup form.


6. Maintain and Update

Your online business and your marketing techniques likely change regularly. Ensure that your privacy policy accurately reflects an updated view of your data practices. TRUSTe, the data privacy management provider, states that it is important to review your privacy policies at least annually, even if you believe that nothing has changed. That review should involve all teams that handle customer data, including operations, computer systems, marketing, legal, customer support, and management.

When you make a material change to your privacy policy, post that update wherever your policy is communicated and send an email notification to your subscriber list. Keep it brief, show that you care about privacy, and link to your updated policy. That notice may not be as exciting as your Black Friday sale. But it doesn’t have to be stiff, either.

Bob Angus