How to Create a Privacy Policy for GDPR
Even if you haven’t heard of GDPR, you have seen its effect: the bombardment of emails from vendors stating they have updated their privacy policy, and the banners and pop-ups you need to click on before you visit a site to indicate that you accept cookies and the site's privacy policy. I’m not going to review what GDPR is (here’s a good article about it), but I am going to tell you how to craft a privacy policy for your ShopSite store.
First, you should review ShopSite’s Privacy Policy for our shopping cart software. The Policy will cover more features than a typical merchant will use in their store. For example, a number of payment gateways are listed, but a typical store will usually only have one payment gateway such as Authorize.Net and a payment method or two such as PayPal or Amazon Pay. Similarly, if you use a tax service it will only be one provider and not two. You will want to list only the third parties that are used in your store.
So let’s use a fictional bike store in our example — Tim’s Tandem Bicycles (TTB). This store uses the following services:
- Authorize.Net and PayPal for payments
- USPS for shipping
- Avalara for Tax
- Google Analytics for website traffic analysis
- Constant Contact for newsletters
- ShopSite’s Customer Registration
- and shoppers can sign up to follow on Facebook and Twitter
In addition, the store does not store credit cards. Any credit card data is held by the payment processors. Order data is retained for 1 year.
Ok, so our privacy policy could look like this:
Tim’s Tandem Bicycles (TTB) Privacy Policy
Protecting your privacy when using our website is important to us. Please note how your data will be used.
Data for Payment
TTB collects the following information for payment processing:
- Name
- Address (billing and shipping)
- IP
The information is collected so that payment can be processed and shipping can occur. The payment data will be shared with a payment processor as well as the order total and possibly order details such as the products ordered. Payment processors include:
- PayPal
- Authorize.net
Data for Shipping
In order to ship a physical good, a shipping address is needed as well as product weight, box sizes, and order totals. This information will be shared with USPS.
Data for Tax
Your shipping address and product details will be shared with Avalara so that an accurate tax calculation can be made.
Data for Analytics
Pages browsed will be tracked by Google Analytics and will be logged by the Web Server. The information tracked and logged will include your IP.
Data collected when browsing the store
Your IP and cookie data will be shared with Facebook and Twitter should you click on their links. If you sign up for our newsletter, your email and contact information will be shared with Constant Contact. If you fill out our Contact Us form, we will collect your e-mail address so that we can reply to you.
Data Collected when Registering
Should you register at checkout, your Billing, Shipping, and Order Details will be stored to enable easy checkout the next time you order.
Cookies
Cookies are small files stored by your browser on your device. They are used to remember preferences and improve the browsing and checkout experience. Our shopping cart uses the following cookies:
- Shopping Basket Cookie – sets a basket ID to correlate to your temporary shopping cart file.
- Shopper Cookie – saves email, billing address and shipping address so that the next time you check out your address information is already populated. This cookie is created when you submit an order.
- Customer Registration Cookie – contains your name and whether or not you are logged in.
- Mini Cart Cookie – contains a list of products you have added to your cart. Used for displaying your shopping basket while you browse store pages.
Data Retention
Orders – When an order is completed the order information (including email, name, address, products, shipping method, etc.) is stored in a database. That information remains for up to one year.
Customer Registration – The data remains until you delete the orders or addresses.
Cookies –
- Shopping Basket and Mini Cart Cookies – remain for up to 7 days.
- Shopper Cookie – is kept for 1 year.
- Customer Registration Cookie – expires when you complete your order. If an order is not completed, the cookie will expire when the login time expires in 30 minutes.
Data Removal
Orders – Contact us to remove order data.
Customer Registration – Contact us to remove your account.
Cookies – can be cleared by you. The method used depends on the browser and device. See wikiHow for more information.
Fulfilling Data Requests
Contact us if you need a copy of your Orders or Customer Registration data.
The above privacy policy has been modified to only include the services that TTB uses. Where some information is not collected by TTB (e.g. credit cards) it has been removed. In addition, some information has been added such as the collection of email addresses should the shopper fill out a form to contact the merchant. The Mobile cookie is not mentioned since the merchant is using a ShopSite Responsive Theme. Because TTB knows what kind of ShopSite store they are using (e.g. Pro, Manager, etc.) they know how long cookies are kept and can state so in the Privacy Statement.
TTB should now create a page (in or outside of ShopSite) and prominently link to their policy from their website. Of course, if there are other 3rd-party services that TTB uses that may collect user data (such as WordPress plugins) they should also note that in their policy.
The above privacy policy is an example and ShopSite makes no claim that it would completely satisfy your store’s GDPR requirements. You should, of course, review the GDPR and decide for yourself (or involve an attorney) regarding what you need to have in your privacy policy.