How to Create an Ecommerce Privacy Policy

Over the past few years, a series of stories have hit the press regarding online privacy — the biggest being about Edward Snowden and the NSA. However, smaller stories that have faded from the nightly news have also arisen. Facebook acknowledged its manipulation of users’ viewable content for psychological studies. The names of patients and the hospital codes for which they were treated were published on a hospital’s website in California and were available for over a year. Target and other companies have been hit with security breaches by outside sources as well.

Although there have been multiple cases where private information has been published online without consent, such as the hospital case, many people are unaware when they have given consent to have their information collected or what laws exist to protect them online. For instance, what Facebook did, while possibly unethical, was likely legal under its terms of use and privacy policies. While consumers should be more conscious of such policies since it is their data being collected and used, for business owners, the need to understand privacy policy laws is even more pertinent. Failure to follow the proper rules and regulations can end in fines, penalties, and lack of faith in the company by consumers.


Creating a Privacy Policy

When a business owner creates a website, the first thing she needs to determine is the target market. This plays a role in which state’s or country’s laws will govern the privacy policies needed for the site. For example, if a business owner is only going to cater to U.S. citizens, she may not have to worry about Canadian or European Union privacy laws. However, if the business owner will target citizens of both the United States and France, she would have to comply with laws in both the U.S. and the E.U., even if the business is located in the U.S.

Both Canada and the European Union have fairly extensive privacy laws in place governing the information that can be collected from Canadian and E.U. citizens, what can be done with that information, and even how that information can be stored. Due to the complexity of these laws, before including the E.U. or Canada in a business’s target market, it is essential that the business owner speak with someone versed in Canadian and E.U. privacy law to ensure that the business is not violating any rules or regulations. Failure to follow these laws can result in legal action, fines, and penalties.

State Laws Important in U.S.

Unlike the E.U. and Canada, the United States only has a federal law regarding the privacy of individuals who are under the age of 13 online – the Children’s Online Privacy Protection Act. While there are general principles that apply to advertising to individuals over the age of 13 (for instance, there are truth in advertising laws that prohibit untruthful claims online), there is no national law about what must be included in privacy policies like the E.U. and Canada have. Instead, website operators have to comply with a patchwork quilt of laws that vary from state to state. Luckily, the few states that do have rules tend to have similar themes throughout their laws and most of them mirror portions of California’s privacy policy law.

The most commonly found state laws regarding privacy policies deal with privacy policies for government sites. The majority of these laws require government websites to have privacy policies but do not address whether private websites must have them. As of the time of this writing, at least 17 states have laws regarding government sites. For my home state of Colorado, the law states that each governmental entity must have a privacy policy that declares “support for the protection of individual privacy,” but the policy must also include information as to how the Colorado Open Records Act applies to data collected on the site, so that individuals know that the information may not truly be private.

The remaining state laws vary in both what they cover and whom they apply to. For instance, both Arizona and California have laws regarding the release of information about what a person has read on an e-reader. However, Arizona’s law applies only to libraries, whereas California’s law applies to online booksellers as well as libraries, so it affects not only governmental entities but also privately owned ones.

California’s Privacy Laws Are Key

Rather than trying to comply with various state laws, most companies look to California, as it is currently the only state with a comprehensive privacy policy law. In addition, with California having the largest population of any state, the chances that a California citizen will use a company’s website are already high, making compliance with California law even more important. Lastly, as mentioned above, even for the states that do address privacy policies in some fashion, the basics of those laws tend to be included in California’s privacy policy law. If you conform to California’s law, there is a good chance that you will also conform to other state laws, but you should still verify this.

California’s privacy policy law covers multiple areas. First, California law states that any operator of a commercial website that collects personally identifying information about its users must “conspicuously post its privacy policy on its Web site.” Further, it must disclose what types of data it collects, who it shares that data with, and how updates to its privacy policy are shared with users. Most recently, California updated its law to state that website owners must include information about how they deal with “do not track” requests by users who wish to restrict the collection of their information by the website.

Clearly Explain Data Collection to Users

The best advice for companies that collect data from consumers online is to clearly post what data they are collecting from users, how they are using it, who they are sharing it with, and what they do with it. For instance, if a business owner collects someone’s email address to add the person to, say, a Constant Contact email list, the privacy policy should reflect this so that a user can decide whether to submit her email address to the company. With ecommerce sites, information about how credit card data is collected, who collects it and how it is stored is essential. For example, many companies will state that they do not collect credit card information but that a third party (such as PayPal or Authorize.Net) collects it and will provide a link to that company’s privacy policy. Disclosing how phone numbers are used is vital if the number will actually be called or texted, as regulations outside of privacy policies may exist, such as federal and state “do not call” laws.

Privacy Policies Will Evolve

As the law advances regarding privacy policies, it is important to make sure your privacy policy also advances. Like other aspects of your website, the privacy policy should be frequently updated to conform with the latest laws and your current business model and activities. In addition, make sure your privacy policy is tailored for your site. If you copy a policy from another site and you are not conforming with that policy, you could be in violation of California’s laws and of general deceptive trade practices laws of many states.

Elizabeth Lewis