Creating a Privacy Policy For an eCommerce Site

shuffles03

Hi,

I'm in the process of setting up an eCommerce platform and have a few legal document questions if anyone can help?

Privacy Policy

• Does this need to be drawn up by a legal expert or can this be done by ourselves?

• Having looked at countless websites, all state in their policies that they will never share a customers personal data (name, address etc.) with a third party. Is it enough to say that or do you have to have proof. If so, how would one prove this?

• On our platform, we will be collecting a customers name, email address, shipping address and telephone details. A customer will be required to enter these details at the checkout whether or not they have created an account with us. Are we required by European law to delete this information after a certain period of time? If so, how would we implement such a procedure?

Many thanks in advance.

mneylon

shuffles03 wrote: »

[*]Does this need to be drawn up by a legal expert or can this be done by ourselves?

Yes and no.
I wouldn't get a solicitor / lawyer to draft it from scratch, but I'd get them to approve one I'd drafted based on one of the IIA templates.

shuffles03 wrote: »

[*]Having looked at countless websites, all state in their policies that they will never share a customers personal data (name, address etc.) with a third party. Is it enough to say that or do you have to have proof. If so, how would one prove this?

Stating it should be enough. And obviously actually doing it (or not doing it!)

shuffles03 wrote: »

[*]On our platform, we will be collecting a customers name, email address, shipping address and telephone details. A customer will be required to enter these details at the checkout whether or not they have created an account with us. Are we required by European law to delete this information after a certain period of time? If so, how would we implement such a procedure?

Generally speaking you should collect as little information as possible and keep it for the shortest time possible.
Having said that, if you can justify the retention of PII you can retain it, but not indefinitely ..

You might want to consult the DPC https://www.dataprotection.ie/
their site has some very helpful guides and their staff are very helpful
How you'd implement any policy is going to depend on you..

HTH
Michele

shuffles03

Hi Michele,

Thanks for the detailed response and link to the Data Protection Commissioner site!

I gave them a call just there - very helpful altogether.

We broke it down into two parts.

1. One Time Customers (without an account)

• The industry standard for customer personal info. retention is 12 months.

• We would set it up so that our system would delete info after this period.

2. Customers With Accounts

• Customers with accounts can be seen as frequent purchasers.

• If we put the control of the account in the customers hands i.e. they must maintain their own account, password etc. as well as be able to close their account at any time, then the onus is on them.

• Our terms and privacy pages would document the above so that we are completely transparent.

Does that sound correct?

Quick question:
If someone signs up for an account with us and we apply the above (they're in control of their info + account, do we still have to delete order information off our system after a pre-determined amount of time in the same manner as a one time customer that does not have an account?

shuffles03

I just rang back and was given a different answer completely so I'm going to write them an email with a full breakdown of our site and how it works.

Just thinking there, we will only be taking customers personal information when they place an order. The information taken will only be connected to an actual order. Surely we would not have to delete orders after a specific period of time. We will not be taking payment details either.

mneylon

I'd be wary of getting the DPA too involved in this
They're setup to deal with complaints and offer "general" advice and guidance, rather than getting into the nitty gritty of what you are doing.

If you hold customer data then you are responsible for it - you can't shift the burden onto the customer entirely. Sure, they can be given access to keep it up date etc., but you are responsible for keeping it secure.
If you have a look at the data breaches over the last few years that's where the problems usually arise.
So, for example, let's say you have 20 thousand customers. Each one of those customer accounts would have at a minimum:

• Name
• Email address
• Phone number

You'll also find that people will look for details on orders months, if not years later if you're in a B2B environment.

So what I'd recommend you do is have a look at what other companies are doing - do a quick search for ecommerce privacy policy - that might be a good starting point

shuffles03

Hi,

Thanks for the response. You're absolutely right. They are designed to deal with complaints. Each time I have telephoned, I've received a different response with no concrete information.

I've had a look across various ecommerce websites as you suggested and I've written up my terms. A lot of websites don't give any details whatsoever. I've tried to provide as much information as possible.

We've also had an update to our platform. A user must setup an account before placing an order. As no payment happens on our platform this is done to prevent fraudulent ordering. In essence, no personal information will be transferred to us unless the customer agrees to setup an account and provide their information.

My main problem seems to be this;

When an end user places an order through our platform, their personal information will be attached to that order on our system. We cannot delete orders after a specific period of time for auditing purposes. With this in mind, I'm not sure how to approach the 'not storing personal information indefinitely' if we cannot delete past orders.

This is the policy I have written (I've deleted company specific sensitive information). I'd greatly appreciate any feedback whatsoever. also, thanks a million for all of the help so far!





Your privacy is extremely important to us and we promise never to release your personal details to anyone for mailing or marketing purposes.

We have developed this privacy statement because we want you to feel confident about the privacy and security of your personal details when you visit or use our website.

By visiting and/or ordering products on this website, you agree to the collection and use of your data as set out below.

Any access to your personal data is strictly controlled and limited only to the persons authorised to do so.

OUR PRIVACY POLICY

1. HOW WE COLLECT INFORMATION FROM YOU
[Company name] operates an ecommerce website which allows customers to browse and order products to be collected from their preferred stockist. When placing an order on our website we will ask you to setup an account and provide personal information for example your name and contact details. This process is necessary for [Company name] to fulfil any orders placed and to help prevent individuals from placing fraudulent orders. We may also collect information about your usage of the website and information about you from the messages you post to the website and the emails or other correspondence you send to us.

By accessing our website using mobile digital routes (but not limited to) mobile, tablet or other devices/technology, then you should expect that our data collection and usage as set out in this privacy policy will apply in that context too.

We may also collect information about where you are on the internet (eg the URL you came from, IP address, domain type), your browser type, the country where your computer is located, the pages of our website that were viewed during your visit, and any search terms that you entered on our website. Unless you have elected to remain anonymous through your device and/or platform settings, this information may be collected and used by us automatically. We may collect this information even if you do not register with us.

Customers should be aware that information disclosed while connected to the internet is transferred to us over a publicly available telecommunications network. [Company name] cannot be held responsible, and accept no liability, for unauthorised access to the public network and all information provided by customers is done entirely at the customers’ own risk.

2. USE OF YOUR INFORMATION
Your information will enable us to provide you with access to the relevant parts of our website and to supply the products you have requested. It will also enable us to contact you where necessary concerning our services. We will also use and analyse the information we collect so that we can administer, support, improve and develop our business, for any other purpose whether statistical or analytical and to help us prevent fraud.

We may use your information to contact you for your views on our services and to notify you occasionally about important changes or developments to our website or services.

If you do not want us to use your data in this way or change your mind about being contacted in the future, please let us know by completing and submitting the form on our Contact Us page.

Please note that by submitting comments and feedback regarding our website and our services, you consent to us to use such comments and feedback on our website and in any marketing or advertising materials. We will only identify you for this purpose by your first name and the city in which you reside.

We may use the information you give us about yourself and the information we collect via cookies when you use our online services to build up a picture of your interests. We may then use this information to try to make sure that when we send you marketing communications and when you visit our website to view our online services, you don’t miss offers and information that might interest you. For full details of our cookie policy, please click here.

If you follow us or interact with us on any of our pages on third party social media platforms, such as Facebook, Twitter or Instagram, the information that you provide will be subject to the third party’s privacy policy, as well as this privacy policy.

You agree that you do not object to us contacting you for any of the above purposes whether by telephone, email, or in writing and you confirm that you do not and will not consider any of the above as being a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003.

3. DIRECT MARKETING
We operate a strict opt-in policy for our customers. We will not send you any information unless you have requested it. The format of the communications you will receive from us will adhere strictly to the information you have provided only. If you wish to be removed from our list (opt-out), at any time, you can do so by clicking on the link at the bottom of each email communication you receive from us. You may also opt-out by letting us know using the contact details set out below or by completing and submitting the form on our Contact Us page.

4. HOW COOKIE TECHNOLOGY WORKS
A cookie is a small amount of data that is sent to your browser from a website’s computer and stored on your computer’s hard drive. On the [Company name] website we use cookies to understand site usage, to identify if you have visited the site before and to allow us to present you with product and service information based on your previous behaviour on the site.

How to disable cookies:
If you do not want a cookie to be created on your PC, your web browser will let you disable cookies. Some services may not be available on our website if you choose to disable cookies. For full details of our cookie policy, please click here.

5. SECURITY
Where you have chosen a password which allows you to access certain parts of our website, you are responsible for keeping this password confidential. We advise you not to share your password with anyone.

6. INFORMATION ACCESS
All registered users will have access to an account management system where they can edit their information. If you are concerned that the personal information we hold is not correct, please access your account where your personal information will be made available for review and change. [Company name] does not receive or store credit or debit card details.

7. CHANGES TO OUR PRIVACY POLICY
Any changes to our privacy policy will be posted to our website. You should check this policy each time you provide us with information or use our website.

8. CONTACT
Should you have any questions about our use of your information, you may contact us by completing and submitting the form on our Contact Us page.

mneylon

You've got a draft policy so take it to a decent solicitor and get them to review it for you.

And no, the DPA won't commit to most things - it's not their job to really

Best of luck