Creating a privacy policy: How to make your online shop GDPR-compliant

European law requires that all online shops that do business in the EU display a privacy policy. Yet, it’s sometimes difficult for retailers to know exactly which details such a policy needs to include. This article tells you everything you need to know about creating a privacy policy. We’ll also look at which privacy protection rules from the GDPR might be important for e-commerce retailers like you.

What is a privacy policy for an online shop?

Every website that collects personal data must include a privacy policy. This policy informs your shop’s visitors about the type, scope and purpose of your data processing. It also explains users’ options for revoking consent to have their personal data stored.

If your online shop does not contain a privacy policy or if your policy is incomplete, you could be penalised by the data protection (supervisory) authority in your country. The legal basis for this in the European Union is the General Data Protection Regulation (GDPR).

What is the GDPR?

In 2016, the European Parliament adopted the EU General Data Protection Regulation. Under this new law, all e-commerce retailers selling in EU countries were required to make various changes to their online shop by no later than 25 May 2018. These changes related in particular to the following areas:

  • Data collection
  • Duties to inform
  • Sending newsletters
  • Processing by service providers (data processing agreements)

The goal of the GDPR was to standardise data protection throughout all EU member states. This benefits not only consumers, but also shop operators. For example, the one-stop-shop (OSS) principle simplifies cross-border e-commerce: a shop operator established in the EU deals with a single lead supervisory authority, the one in the member state of its main establishment, instead of coordinating with the authority of every member state in which it has customers.

Why is a privacy policy important for your online shop?

Every online shop collects data, and not just when you process an order. Your website contains tracking tools, social media plugins and cookies that collect information about your visitors. Your privacy policy, just like your company’s contact information in the legal notice, is a mandatory part of your site: it documents how you handle your customers’ data and commits you to not misusing the data you collect. If you don’t publish a privacy policy, you risk being penalised and even paying heavy fines.

In addition, a privacy policy is essential for gaining your customers’ trust. Shoppers want to know what kinds of data your online shop collects and whether their personal data is secure. Many shoppers will not buy from a site whose handling of their data they do not trust. The main ways to build trust as an online retailer are to include a complete privacy policy, detailed contact information and secure payment methods on your site.

What should a privacy policy for e-commerce include?

Under Article 12 of the GDPR, all online shops must provide a privacy policy that is:

  • concise
  • transparent
  • intelligible (written in clear and plain language)
  • easily accessible

The first step is to make sure that your privacy policy is clearly visible and accessible from the footer on every page of your website. This allows customers to always review your privacy policy, even when they are in the middle of placing an order. The content must also be written using language that everyone can understand. In general, your site’s privacy policy needs to address four main topics:

1. Data controller and contact

In most online shops, the privacy policy begins with information about who is responsible for processing data. Under Article 13.1.a–b of the GDPR, shop operators have a duty to inform their customers by listing the identity and contact details of the following parties:

  • The data controller (the party that decides why and how the data is processed, usually your company)
  • The controller’s representative in the EU (required under Article 27 if your company is not established in the EU but sells to customers there)
  • The controller’s data protection officer (DPO), if you have appointed one

2. Personal data

Many online shops also define “personal data” near the beginning of the privacy policy. This is not strictly required by the GDPR, but it does make the concept easier for customers to understand.

After that, you must explain:

  • … which data your shop collects and processes.
  • … at which point(s) the data collection takes place.
  • … for which purpose(s) this is done.
  • … who receives the data.
  • … for how long the data is stored.

3. Legal basis

For each type of data you collect, you must specify the legal basis. Most online retailers do so by referring to the specific article of the GDPR. For example, one common legal basis is Article 6.1.f of the GDPR: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party […]’. If you rely on this basis, you must also state what those legitimate interests are. For example, if your web server records your visitors’ IP addresses, the corresponding entry in your privacy policy might look like this:

  Personal data: IP address
  Time of collection: when the connection to your server is established
  Legal basis: Art. 6.1.f of the GDPR
  Purpose and legitimate interest: to enable us to make our website available to you

4. Data subjects’ rights

The GDPR also requires online shops to inform users (data subjects) of their rights under the law. These include the following:

GDPR article | Data subject’s right | Description
15 | Right of access | Data subjects have the right to be informed of whether a shop operator is processing their personal data. If so, the shop operator must also list which types of personal data they process and describe the data processing in greater detail.
16 | Right to rectification | If the data that your shop has stored about a customer is incorrect, the customer has the right to request that you correct it.
17 | Right to erasure (‘right to be forgotten’) | Customers can also request that their data be erased. You must comply if you no longer have a legitimate interest or legal basis for storing the data, or if other conditions under Article 17 of the GDPR apply.
18 | Right to restriction of processing | Customers have the right to request that you restrict the processing of their data.
20 | Right to data portability | This right applies to data that the customer has provided to you and that you process by automated means on the basis of a contract or of the customer’s consent. It allows customers to request that you, the data controller, provide that data to them in a structured, commonly used and machine-readable format that they can then transfer to other data controllers. Alternatively, the customer may ask that you transfer the data directly to another data controller where this is technically feasible.
21 | Right to object | In certain cases, data subjects have the right to object to the processing of their personal data, even if the processing is lawful under Article 6 of the GDPR. Data subjects always have the right to object to their personal data being processed for direct marketing.
77 | Right to lodge a complaint with a supervisory authority | Visitors to your site may always lodge a complaint with the data protection authority in their country if they have reason to believe that their data is being processed unlawfully.

Can I use a template to create the privacy policy for my online shop?

There is no general template that can be used for the privacy policy on every online shop. Since the GDPR does not specify precisely how online retailers should write their privacy policy, such policies take many forms. Some look a bit like general terms and conditions. Others are structured more like a FAQ page, which makes it clear and easy to understand. If you choose to take this approach, make sure your privacy policy answers these questions for the customer:

  • How do we collect your data?
  • What do we use your data for?
  • What are your rights as a data subject?

You can find templates online that can serve as examples when writing your privacy policy. Just remember that every shop operator processes user data differently, so you must always adapt the template to match your actual situation. It’s always a good idea to hire a legal expert to create a custom-made privacy policy for you, or at least to ask them to review your privacy policy. This will ensure that your policy is accurate and complete.

Are there other privacy protection rules that are important in e-commerce?

To make sure your shop is compliant with the GDPR, a privacy policy is a must. But there are some other rules that you must also consider. These rules relate to:

  • Web forms
  • Website encryption
  • Email marketing
  • Cookies
  • Social media plugins

Web forms

When a customer wants to enter their personal data on your site (for example, during checkout or when signing up for your newsletter), they need to fill in a web form. To ensure that the web forms on your site comply with the GDPR, they must meet two important requirements: 

  • Data minimisation: As a shop operator, you are only allowed to request the minimum amount of data necessary for the purpose at hand (for example, to fulfil an order). So, during checkout, all you really need to ask for is what the order requires: the customer’s name, the delivery address, an email address for the order confirmation and the details needed for payment. Every additional field (phone number, date of birth, ‘how did you hear about us’) must be optional or justified by a separate purpose. If your customer only wants to sign up for your email newsletter, you cannot require them to also provide their postal address and phone number.
  • Confidentiality: As an online retailer, you are obligated to make sure that all your customers’ personal data is protected from unauthorised or unlawful processing. That means that any transfer of personal data over the network must be encrypted (see Website encryption below), and the submitted data must be protected from unauthorised access once it is stored.

Website encryption

Article 32 of the GDPR requires shop operators to implement appropriate technical and organisational measures to protect personal data, and Article 32.1.a names encryption explicitly. In practice this means serving your whole shop over HTTPS (HTTP over TLS) and redirecting every plain HTTP request to the HTTPS version. The TLS certificate (commonly still called an SSL certificate) and the TLS handshake ensure that…

  • … your server is authenticated to the visitor’s browser using public-key cryptography, so the customer is not talking to an impostor.
  • … the connection between the browser and your server is encrypted with a symmetric cipher negotiated during the handshake.
  • … the integrity of the transported data is protected, so any tampering in transit is detected.

Note that TLS only protects data in transit. Data stored in your shop’s database, backups and log files needs separate protection (access control and, where appropriate, encryption at rest).

To learn more about how to obtain an SSL certificate and which other security measures you can take, check out our article on eCommerce security.

Email marketing

The GDPR does not prescribe a particular sign-up mechanism, but it does require you to be able to demonstrate that a customer has consented (Article 7.1). Since the GDPR came into effect, the double opt-in process has therefore become the standard way to obtain and prove consent for processing a customer’s data for marketing (for example, when a customer signs up for your newsletter). A customer who is interested in receiving information or advertising from you must first consent when they give you their contact information (for example, by ticking a box, which must not be pre-ticked, stating that they wish to receive advertising emails from you). You must then send a confirmation link to that email address, which the customer must click to complete the sign-up process. They thus give their consent twice, and the second step also proves that the address really belongs to the person who consented. If you don’t obtain this double consent, you are not allowed to send advertising or marketing messages to the customer’s email address. If the customer does not click the confirmation link, you are not allowed to use or store their email address for marketing purposes, so unconfirmed addresses should be deleted after a short period. To be able to demonstrate consent later, keep a record of the exact wording of the consent text, the time of both steps and the confirmation token that was used.
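The flow described above, as an added example that is not part of the original article: a small Python module that records the first opt-in, issues an HMAC-signed, expiring confirmation token for the link, accepts the second opt-in only when the token verifies, and purges addresses whose link was never clicked. The secret key, the 48-hour token lifetime, the in-memory store and the example link URL are assumptions for illustration; a real shop would keep the key in a secrets store and the records in a database.

```python
"""Double opt-in for a newsletter sign-up (added example, not from the article).

Flow: first opt-in at the form -> pending record + signed confirmation token
-> customer clicks the link -> second opt-in verified -> address usable for
marketing. Unconfirmed addresses are purged after the token lifetime.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumptions for the example: in a real shop the key comes from a secrets
# store, not source code, and the records live in a database.
SECRET_KEY = b"replace-with-a-long-random-key-from-your-secrets-store"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after 48 hours


@dataclass
class Subscription:
    email: str
    consent_text: str            # exact wording of the box the customer ticked
    requested_at: float          # first opt-in (form submission)
    nonce: str                   # per-request random value bound into the token
    confirmed_at: Optional[float] = None  # second opt-in (link clicked)


class NewsletterStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now   # injectable clock so expiry can be tested offline
        self.pending: Dict[str, Subscription] = {}
        self.confirmed: Dict[str, Subscription] = {}

    def _sign(self, email: str, nonce: str, expires: int) -> str:
        msg = f"{email}|{nonce}|{expires}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def request_signup(self, email: str, consent_text: str) -> str:
        """First opt-in: store a pending record and return the token for the link.

        The address is not yet usable for marketing. A repeated request for the
        same address replaces the earlier one, which invalidates its token.
        """
        email = email.strip().lower()
        nonce = secrets.token_urlsafe(16)
        self.pending[email] = Subscription(email, consent_text, self._now(), nonce)
        expires = int(self._now()) + TOKEN_TTL_SECONDS
        return f"{email}|{expires}|{self._sign(email, nonce, expires)}"

    def confirm(self, token: str) -> bool:
        """Second opt-in: called when the customer opens the confirmation link."""
        try:
            email, expires_s, sig = token.split("|")
            expires = int(expires_s)
        except ValueError:
            return False
        sub = self.pending.get(email)
        if sub is None or self._now() > expires:
            return False
        # The nonce is known only server-side, so a token cannot be forged for
        # another address or replayed after a newer request replaced it.
        if not hmac.compare_digest(self._sign(email, sub.nonce, expires), sig):
            return False
        sub.confirmed_at = self._now()
        self.confirmed[email] = self.pending.pop(email)
        return True

    def may_send_marketing(self, email: str) -> bool:
        """Only doubly confirmed addresses may receive advertising."""
        return email.strip().lower() in self.confirmed

    def purge_unconfirmed(self) -> int:
        """Delete requests whose link was never clicked within the token lifetime;
        such addresses must not be kept for marketing. Returns the number removed."""
        cutoff = self._now() - TOKEN_TTL_SECONDS
        stale = [e for e, s in self.pending.items() if s.requested_at < cutoff]
        for e in stale:
            del self.pending[e]
        return len(stale)


if __name__ == "__main__":
    store = NewsletterStore()
    token = store.request_signup("Alice@Example.com", "Yes, email me offers")
    # Assumed link format; the token is the only secret in the URL.
    print("link: https://shop.example/newsletter/confirm?token=" + token)
    print("confirmed:", store.confirm(token), store.may_send_marketing("alice@example.com"))
```

The token carries the address and the expiry in the clear and a signature over both plus a server-side nonce, so the link proves possession of the mailbox without letting anyone confirm an address they do not control; the `purge_unconfirmed` step is what turns the rule that unconfirmed addresses may not be kept into an actual deletion.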


Cookies

Cookies are another important topic when it comes to data protection. Many online shops use cookies to create a more user-friendly experience. For example, cookies can store information so users do not have to fill in their details every time they visit the site, such as:

  • Language settings
  • Items in the shopping cart
  • A session identifier that keeps the user logged in (never the password itself)

The ePrivacy Directive as amended by Directive 2009/136/EC (often called the EU Cookie Directive) is another piece of legislation that is closely related to the GDPR. Under it, a shop owner may only set cookies without the visitor’s consent if they are strictly necessary to provide the service the visitor has requested. For all other cookies you must ask for the visitor’s consent before they are set, which is what the cookie banner is for. Pre-ticked boxes and notices along the lines of ‘by using this site you agree to cookies’ do not count as consent, and withdrawing consent must be as easy as giving it.

The lists below show examples of which kinds of cookies are considered technically necessary and which are not:

Technically necessary:
  • Session cookies for storing user settings, such as language preferences
  • Flash cookies to display page contents (obsolete: Flash Player was discontinued at the end of 2020)
  • Opt-out cookies that record that the user has withdrawn their consent to cookies
  • Payment cookies from integrated payment service providers (only used to complete a payment, not to analyse user behaviour)
  • Cookies from live chat systems

Not technically necessary:
  • Tracking and analytics tools
  • Affiliate marketing services
  • Remarketing and retargeting services
  • Social media plugins
  • Online map services

Social media plugins

In the past, social media plugins could start collecting user data the moment a visitor arrived on your site. The GDPR changed all of that. Under the new rules, social media plugins must always be inactive by default when a user arrives on a site. When a plugin is correctly embedded on your site, it is a passive button that only becomes active when the user clicks on it. By clicking the button, the user gives their consent for their data to be transferred to whichever social media platform the plugin is for. After all, if a user clicks the button, it’s logical to assume that they wish to use it (for example, to share content from your website via social media).

Social media plugins are very common in e-commerce. A widely used privacy-friendly implementation is Shariff (from the German publisher heise/c’t), whose share buttons are plain links that do not contact the social network until the user clicks them. Alternatively, you can use the two-click principle for social media buttons (similar to the double opt-in principle for newsletters): the user first clicks the social media button they want to use, and your shop then explicitly asks whether they consent to their data being transferred to the social media platform before the platform’s real button is loaded.

Processing by service providers (data processing agreements)

As a shop operator, you probably work with many service providers, such as:

  • Payment service providers
  • SaaS suppliers
  • Cloud services

These service providers process personal data about your customers on your behalf, which makes them processors under the GDPR, and Article 28 requires you to enter into a data processing agreement (DPA) with each of them. Without a DPA, you have no legal grounds for handing customer data to that provider. Although creating a DPA takes a little extra effort, it offers you more security than you had in the past: it defines what the processor may do with the data, obliges it to implement security measures, and fixes who is responsible for what in the event of a data breach, including the processor’s duty to notify you without undue delay.

Privacy protection in your online shop: a summary of things to consider

Every online shop collects personal data about its visitors. The GDPR is designed to keep this data safe. It provides a set of standard practices for all website operators in the European Union. It also sets specific rules that matter for e-commerce retailers, particularly with regard to newsletters, social media buttons and web forms. It requires you to inform customers about your data processing practices in your privacy policy. Use the table below to help you create a fully GDPR-compliant privacy policy for your online shop.

Topic | Question | Example answer
Data controller | Who is responsible for collecting data in your online shop? | The site owner; your company’s data protection officer
Type and scope of data collection | Which user data is collected and processed by your website? | IP address, name and address
Type and scope of data collection | At which point on your website does the data collection occur? | When the user submits a contact form; when the site is accessed; when the user clicks a social media button
Type and scope of data collection | What happens to the data? | It is stored for a set period of time
Type and scope of data collection | For which purpose do you collect and process data? | Marketing purposes; to complete an order
Type and scope of data collection | How long is data stored? | Until the order is completed; until the user opts out
Type and scope of data collection | Is the data shared with any third parties? If so, why? | Google Analytics; your logistics partners
Type and scope of data collection | Which measures have you put in place to ensure data security on your site? | Use of the HTTPS protocol
Legal basis | What is the legal basis for your data collection? | Art. 6.1.f of the GDPR
Right to object | When do users have the right to object to their data being processed? | For direct marketing: at any time; for all other purposes: on grounds relating to their particular situation
Other users’ rights | Which other rights do your site’s visitors have? | Right of access; right to rectification of data; ‘right to be forgotten’
