Six Steps to an Effective E-Commerce Privacy Notice
Good products and a good privacy notices are two things every e-commerce company needs to be successful.
Thanks to the best practices that consumer privacy laws like the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act have helped usher in, any business that collects and processes the personal information of its customers online needs to provide transparency into its data management practices.
The best (and often legally required) way to do this is to create a readily accessible privacy notice. In the past, many companies used templates, free downloads, or standard agreements from their site host for their policies. But because almost all modern consumer privacy laws mandate that privacy policies accurately describe what data is collected and how it is used, that one-size-fits-all approach won’t cut it anymore.
But don’t let that overwhelm you!
Creating a compliant privacy notice doesn’t have to be difficult. Here are six tips for drafting a privacy notice that’s as awesome as the products your e-commerce company sells:
- Define the types of information being collected and why
- Figure out how data is collected, stored, and protected
- Track who data is being shared with
- Determine which privacy laws are applicable
- Adapt your practices to match compliance obligations
- Write a notice that’s short and easy to understand
Note that in our list, writing your notice is actually the last thing you should do.
This might seem a little counterintuitive—and it’s pretty normal for companies to write a notice and then try to cram their data management practices into that artificial framework.
But to be effective, not to mention compliant, a privacy notice needs to precisely explain what happens to your users’ information. You can’t do that if you don’t understand what’s happening in the first place.
So flip the script and do the legwork of tracking how data flows through your system ahead of time. The end result will be more accurate, and the writing process will be easier and far more effective.
Keep reading to learn how to get the most out of each step.
Step 1: Determine which privacy laws are applicable
Once you understand how your company uses and needs to use data, you’re ready to see how it matches up with whichever privacy laws you’re subject to (hint: there may be more than one).
Step 2: Define what you’re collecting and why
Thanks to the tireless efforts of consumer privacy advocates, the days of businesses collecting anything and everything about their users with zero accountability are long gone. Today, companies are being asked to disclose every type of information they collect and every single way they use it.
Beyond that, most privacy laws require extra protections and disclosures for “special categories” of data that they define as “sensitive.” Examples of “sensitive personal information” include:
- Medical history
- Biometric data
- Sexual orientation
- Religious or political beliefs
- Trade or union membership
- Precise geolocation
However, you need to know more than just what you’re collecting. You also need to understand why you’re collecting it. Data minimization—collecting the minimum amount of data needed to complete an operation and only collecting information you have a clear use case for—is now a best practice and a compliance obligation for privacy and risk management.
This means you can’t collect information you don’t need, and you can’t save information for one reason and use it for another. Unfortunately, unless you’ve overhauled your data practices recently, odds are you probably do both.
Step 3: Figure out how data is collected, processed, and stored
Cookies, surveys, web forms, newsletter sign-ups, and event registrations—there are many different ways to collect data from your customers. And customers have to be notified before you can use a single one of them, which means you have to know which methods your site employs.
Most privacy laws also stipulate that businesses must protect their customers’ data using “reasonable security measures.” Nowadays, companies are also responsible for what happens to information when it’s being processed by one of their third-party vendors or being saved for later use.
Cybersecurity and privacy aren’t the same things, but they work in tandem to keep data safe. Understanding how the data you gather is collected, processed, and stored will show you where your cybersecurity and privacy practices need to be improved.
Step 4: Track who data is being shared with
Most parents wouldn’t let their kids hang out with whoever they want whenever they want. You should treat your customers’ information the same way. That means you need to know who has access to it, both internally and from the outside. This is especially important because, in the eyes of the law and your customers, your company is liable if sensitive personal data is exposed in a breach.
Pardon this interruption for a quick word about data inventories
A data inventory, sometimes called a data map, is a highly effective way to accomplish steps 1–3. In a data inventory, you follow a record on its journey through your system from collection to deletion. This tool will help you understand what your data management practices look like and where there are risks that can be mitigated.
Okay. Back to your regularly scheduled programming.
Step 5: Adapt your practices to match your obligations
A data inventory will likely reveal practices you need to implement to establish compliance. But innovative companies don’t just focus on compliance. Instead, they use best practices as their guide and maintain a commitment to putting their customers first.
With new privacy laws being passed every year and existing laws constantly being amended, this “best practice” approach is the best bet for future-proofing your operations and ensuring your teams can respond in an agile way to whatever changes come down the line.
Step 6: Write your notice
Writing a privacy notice should be easy when you understand how your data management practices work on a micro and macro level. Here are a few pointers:
- Use language that matches your brand and is easy to understand (no legal jargon!)
- Make it easy to find on your site
- Ensure it accurately describes how you’re using and sharing your customers’ information
- Include methods users can use to contact you with questions or individual rights/data subject access requests
- Review your notice regularly (at least every 12 months) to keep it updated
Want to go the extra step? Add a summary to your privacy notice. Privacy notices can be long and detailed, but giving your readers a Cliff Notes version is a smart brand move to make.
Bonus tip: Use an expert
Managing privacy can be complex, but it doesn’t have to be complicated. If you need help writing an effective privacy notice or want assistance with any other part of your privacy program, let the experts at Red Clover Advisors help.
As passionate privacy professionals with backgrounds in business and marketing, we excel at helping our clients develop pragmatic strategies that balance the demands of privacy best practices with the realities of daily operations.
Schedule a call today to see what we can do for you.