eCommerce Laws: How Private Are Your Privacy Policies?

The internet is arguably the greatest global phenomenon of the last thirty years, connecting businesses to customers all over the world. In recent times, the rise in online shopping has seen the eCommerce industry go from strength to strength. In fact, 95% of UK residents use the internet to purchase goods, carrying out online transactions every single day.

For small businesses and startups, the rewards of establishing an online presence have never been greater. However, the shift towards internet retailing has not come without its legal implications. Business lawyers have taken on an increasing number of internet-based clients, dealing with cases ranging from simple copyright infringements to more worrying privacy policy violations.

The latter has caused particular concern, with 79% of us apprehensive about our online privacy. As well as the usual data protection information, small business legal advice now focuses increasingly on the eCommerce sector, promoting the importance of watertight policy agreements. While the future of your business may lie in the virtual storefront of the internet, if your website isn’t legal, you aren’t going to reap the benefits for very long.

Which Online Businesses Need a Privacy Policy?

First things first, it’s good to know whether you’re going to contravene any privacy policy laws from the off. In the UK, all personal data is protected by the Data Protection Act (1998), which applies to businesses of all types, whether online or offline. As an extension to this, the government revised the laws to include specific eCommerce legislation in the Electronic Commerce (EC Directive) Regulations (2002).

While these laws have long, bureaucratic names, they all boil down to one thing: transparency. In accordance with the EU’s directives, virtually all eCommerce businesses must declare the ways in which they collate and disseminate consumer details. In fact, any business that can be effectively termed as an ‘information society service’ must comply with these regulations.

But what exactly is an information society service? The terminology seems to be deliberately oblique and even business lawyers have a hard time describing exactly what it encompasses. But, for the sake of brevity, we can effectively define it as any company that receives money in return for providing an electronic service that stores and processes user data at their request.

In reality, this covers more than just eCommerce sites, as many businesses operate via some form of electronic data transfer. This is why it’s best to seek business legal advice before you sign off on any project that involves the collection of customer details. Any commercial lawyer worth his salt will be able to work out where your business lies in relation to these laws, since even services such as advertising and search engines can be affected by the directive.

What Information Will You Need to Declare on Your eCommerce Site?

Privacy policy infringements aren’t uncommon in the world of eCommerce and it’s not just startups that have fallen foul of EU legislation. In 2012, Google violated several data protection rules by consolidating almost sixty individual privacy policies into just one. While this might not seem like an obvious infringement, the subsequent changes allowed Google to slip the alterations in its data sharing policies past unassuming customers. In the process, Google lost the transparency present in the originals and kept users in the dark over the exact nature in which their details would be handled.

Google’s swaying power ultimately allowed it to get away with very few sanctions, but the likelihood of your business achieving a similar coup is slim. Business lawyers regularly take on new cases where user data has been mishandled and the course of action is, more often than not, damage limitation. It’s essential that you follow business legal advice and remain as transparent as possible with eCommerce data. After all, how many consumers do you know that are willing to do business with a shady proprietor?

No matter the size, purpose or direction of your business, you should always ensure you’re providing the minimum required information:

  • Business and Trading Name – all eCommerce sites are required to reveal both the name of their service and/or the name of the company they are trading under. For example, ‘ is the trading name of ABC enterprises’.
  • Email Address – since you’re operating online, being unable to produce an email address on request is no longer an option. A direct line of communication is required between you and the consumer. In many cases, a commercial lawyer may also decide that a more immediate point of contact is necessary, such as a mobile or landline number. Sites that provide a contact form without any alternative means of communication may risk infringing data protection laws.
  • Geographic Address – this one is fairly self-explanatory. eCommerce sites must provide an actual concrete location for their customers. This needn’t be a registered building the company is housed in, but must be a property that indicates which country’s laws will apply to the service provided.
  • Registration Number – confirmation that your business is a registered trademark or company. eCommerce sites that can’t provide these details are usually avoided.
  • VAT Number – if your products or services are subject to VAT, then state this upfront. Your VAT number must be easily accessible to customers and your prices must clearly show whether tax and delivery costs are included in the displayed figures.

As long as these details are accessible, unambiguous and permanently displayed, you shouldn’t find yourself in direct violation of any eCommerce laws. Now, all that’s left to declare is the manner in which you will be using customer data.

How Will You Be Handling Personal Details?

It’s important to remember that user details can only be used for the legitimate purpose they were first intended for. In general, data handling is restricted to the following circumstances:

  • Consent is given by each individual user for your business to collect and use their data.
  • Personal information is necessary for legal processes that cannot be upheld without it.
  • Data processing is carried out in the legitimate interests of you or of any third-party companies that have been disclosed to the consumer.
  • Processing personal information will protect the interest of the user.
  • Access is granted to the user so that they can make corrections or delete any data that is incomplete or inaccurate and in contradiction to any privacy laws.

In all cases, businesses must take reasonable care to update or erase any information that is found to contravene these circumstances. If in doubt over a specific customer, it’s best to talk through your options with a commercial lawyer, who will help you update your privacy policy accordingly. Even just one violation can land you in hot water, especially if that consumer decides to press charges.

You must also abide by the specific eCommerce laws of every member state you provide a service for. For example, if you attracted customers from both the UK and Spain, you’d need to comply with the specific data protection laws of each country. Because of this, eCommerce businesses would be required to provide terms and conditions in both English and Spanish. On top of this, you’d also need to ensure that there were no extra directives in Spanish law that prevented you from trading or collecting personal details from its citizens.

You must also be adaptable in your approach to privacy and, as we’ve already mentioned, as transparent as possible with your reasons for using customer data. There’s no point using obscure or unnecessary terminology to construct your policies. Being clear, concise and open will prove to your customers that you are willing to do business on their terms.

Above all, there are a few things you should always include in every privacy policy:

  • User Expectations – if you are collecting data from vulnerable demographics such as young people, state very clearly how you will be using the information you retain and what you expect from your users, e.g. parental supervision.
  • Cookies – almost all eCommerce sites use tracking software in some capacity. If you are one of them, clear up for your users exactly what you are hoping to gain from extracting this data.
  • Information Usage – tell customers what their information will be used for. Always put a positive spin on it by mentioning how it will improve your website’s functions, optimise user experience and make payment more efficient.
  • Notification of Changes – if you are prone to making changes to the way you operate or handle your business, explain to your customers how they will be notified of any pending alterations.

Complying with data protection laws can often feel overwhelming, especially if you’re not versed in commercial law yourself. However, it’s important to remember that these laws aren’t in place to make the lives of business owners difficult; they are there simply to protect paying customers. As long as you remain transparent, seek relevant business legal advice and cover all your bases, your privacy policies should hold up under even the most intense scrutiny.

Author Bio: Carl Parslow is the managing partner of Parslows, commercial lawyers in Jersey. He has twenty years of experience practicing law and was initially called to the English Bar in 1996. He is an Honorary Librarian of the Law Society of Jersey and serves on several Law Society committees. Carl is extremely experienced in law relating to SME, eCommerce and property. You can find out more about Carl via his LinkedIn profile.