If you sell online, you are probably aware of the importance of shoppers’ trust in your business. Almost a third of global shoppers rank a commerce site’s experience and trustworthiness over everything else when it comes to their decision to buy.
In the wake of the countless data privacy scandals over the last couple of years, the trust that people place in businesses has become closely tied to how well they believe those companies protect the privacy of their customers’ personal information.
Unfortunately, many organizations still fail in that area, with only half of global shoppers believing companies sufficiently respect the privacy of their personal data.
The legal framework and why you need a Privacy Notice
To address the negative impact that careless handling of personal data can have on society and the economy, several states and international organizations have recently adopted a range of laws and regulations to define the data privacy obligations of organizations who collect and use people’s personal information.
Foremost among these new rules is the General Data Protection Regulation (GDPR), enacted by the European Union, which impacts any organization whose data handling activities are carried out in the context of its establishment in the EU or of processing personal data of subjects who are in the Union. However, other states soon followed suit with very similar – and sometimes even more strict – data privacy laws of their own, such as the California Consumer Privacy Act of 2018, Brazil’s General Data Protection Law (LGPD) or India’s Draft Personal Data Protection Bill 2018 (PDPB).
What all of these data privacy regulations have in common is the requirement that any organization that collects (data controller) or processes on behalf of a data controller (data processor) people’s personally identifiable information (PII) display a “clear and comprehensive” privacy statement for the individuals whose data will be collected or used by the organization. Thus, the Privacy Notice you need to display on your website will be the foundation of your data protection regulatory compliance.
What should a Privacy Notice contain and how should you draft it?
1. Think of your customers when drafting your Privacy Notice. Nobody wants to read through opaque, complicated legal language and never-ending blocks of text. If your Privacy Notice is too hard to follow and comprehend, then it could be argued that a customer who simply ticks an “I agree” box has not really given their consent – since they don’t understand what they are consenting to.
The Privacy Notice needs to be organized in short, easy-to-follow sections, and be written in a way that is accessible to all. According to the regulations:
Write in a concise, transparent and easily accessible form, using clear and plain language (GDPR Article 12(1)).
Information shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptive, sensorial, intellectual and mental characteristics of the user, using audiovisual resources when appropriate, in order to provide the necessary information to the parents or the legal representative and that is appropriate for the children’s understanding. (LGPD Art. 14 §6)
2. What do you need to tell the customer in your Privacy Notice?
According to Article 13 of the GDPR, this is the information that must be provided to customers at the time their data are collected:
- The identity and contact details of the controller (the organization collecting the data)
- The data protection officer’s contact details (if there is one)
- Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing
- The recipients or categories of recipients of the collected personal data
- Details of international transfers of that data in question
- The period for which personal data will be stored or, if that is not possible, the criteria used to determine that period
- The rights of the data subject (i.e. your customer)- including the rights to access, rectify, require erasure, restrict processing or object to processing and data portability.
The California Consumer Privacy Act of 2018 includes slightly different consumer rights than those under GDPR, so If your business operates in California, you may want to consider a stand-alone notice dedicated to California residents:
- Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities
- The consequences of failing to provide data necessary to enter into a contract
- The existence of any automated decision making and profiling and the consequences for the data subject
- In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.
Brazil’s General Data Protection Law (Art. 9 ) takes a similar stance to the above:
The data subject has the right to facilitated access to information concerning the processing of her/his data, which much be made available in a clear, adequate and ostensible manner, concerning, among other characteristics provided in regulation for complying with the principle of free access:
I – the specific purpose of the processing;
II – the type and duration of the processing, being observed commercial and industrial secrecy;
III – identification of the controller;
IV – the controller’s contact information;
V – information regarding the shared use of data by the controller and the purpose;
VI – responsibilities of the agents that will carry out the processing; and
VII – the data subject’s rights.
3. Your customers should have as much visibility of your Privacy Notice as possible.
Don’t hide it in an obscure corner of your website where no one will find it. In addition, you shouldn’t aggregate the Privacy Notice together with other legal texts on your website – such as the terms and conditions of use, for example. Visitors should not be obliged to search for the information about how their data is processed among other unrelated legal statements.
Here’s what the Article 29 Working Party Guidelines on Transparency under GDPR say about the best practices for writing a Privacy Notice:
Poor Practice Examples
The following phrases are not sufficiently clear as to the purposes of processing:
- “We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them);
- “We may use your personal data for research purposes (as it is unclear what kind of “research” this refers to); and
- “We may use your personal data to offer personalized services” (as it is unclear what the “personalization” entails).
Good Practice Examples
- “We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products which we believe you will also be interested in” (it is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products, and that their data will be used to enable this);
- “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” (it is clear what type of data will be processed and the type of analysis the controller is going to undertake);
- “We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read” (it is clear what the personalization entails and how the interests attributed to the data subject have been identified).
4. Explain the legal grounds of processing your customers’ data, according to the applicable data protection laws in the countries where you do business. Why do you process individuals’ personal information? What do you need to do with that data and on what legal grounds are you entitled to collect it and use it?
Here’s a helpful outline of how legal grounds are defined in the GDPR versus India’s Draft Personal Data Protection Bill 2018, from Deloitte:
Source: https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-india-draft-personal-data-protection-bill-noexp.pdf
5. If you intend to use your customers’ personal data for any other purposes in addition to the one for which it was initially collected, always make those other purposes clear to the customers in the Privacy Notice.
Keep them in mind when you plan your marketing strategy and tactics and make sure they abide by what you have stated in the notice. If you need to expand the scope for which you use customers’ data at a later time, always update your Privacy Notice and inform everyone whose data you intend to process immediately, as you will need their explicit consent under your new data usage policy.
We hope these tips will keep you on the right side of the law concerning data privacy and protection, and help you foster a relationship of trust with your customers.
Watch our previous webinar if you need more help with GDPR compliance, and have a look at 2Checkout’s Legal Policies for an example of how to present your Privacy Notice and more.
