Create a Privacy Policy for Your Online Store

You’ve built a website or platform, prepared your products for sale, set up delivery, and are ready to launch. But there’s one more essential step — preparing your store policies, in particular publishing a Privacy Policy, without which it may even be difficult to connect payment systems.

So, what exactly is a Privacy Policy and who needs it?

A Privacy Policy is a document that describes in detail how an online store collects, processes, stores, and protects its users’ personal data. It explains what kind of information is collected and how this information is used. In addition, the Privacy Policy states whether data is shared with third parties and informs users of their rights to access, correct, and delete their data.

You’ve probably heard of GDPR, CCPA, and local laws on personal data processing. These acts regulate how personal data can be collected, used, and stored. They impose additional obligations on online stores, including the mandatory publication of a Privacy Policy/Privacy Notice.

You might think that GDPR (as the key regulation) doesn’t apply to you because your business is not located in the EU and you don’t supply goods or services to the EU, nor do you monitor the behavior of users within the EU. However, if you work with clients from the EU, even if your business is outside its borders, these laws may still apply to you. Violating them can result in significant fines.

Moreover, even aside from territorial scope, preparing and publishing a Privacy Policy is important to ensure your website or app complies with the requirements of the platforms and tools you use.

For example, since 2018, the App Store requires every app to have a Privacy Policy that identifies all the data collected by you or your third-party partners before the app can be submitted for review. Furthermore, section 5.1 “Privacy” of the App Store’s App Review Guidelines clearly sets requirements for privacy policies.

Specifically: “All apps must include a link to their privacy policy in the App Store Connect metadata and make this link accessible directly in the app, in a user-friendly location.”

Google Play also requires all Android apps to have a Privacy Policy. Failure to comply may result in the app being blocked. For instance, in 2021 Google blocked over 2 million apps for violating privacy requirements.

If you use tools like Google Analytics, Google Ads, or collect data through cookies, you must have a Privacy Policy that clearly states what data you collect and how you use it.

“If your website or app uses Google Analytics, you are required to disclose this information and explain how Google Analytics collects and processes data.”

Having a Privacy Policy not only protects you from legal issues but also improves your search engine ranking, as Google and other platforms favor websites that provide transparency and security to users.

Let’s take a look at what must be included in your Privacy Policy:

1. Types of Data You Collect or Process

You must state what data your website or app collects. This may include name, shipping address, phone number, email, gender, and date of birth. Stores also often retain purchase history, product preferences, and technical information such as IP address, device type, operating system, and browser. To determine exactly what types of data you collect, it’s best to analyze your website. You can contact us, and we’ll be happy to assist you.

2. Purposes for Collecting Data

Explain why this information is collected. Is it for legal compliance or to protect the interests of the individual? If so, you should provide a clear statement explaining how and which laws require the collection of personal data. Is the information collected to improve service quality, marketing strategy, or for other purposes? Or perhaps to perform a task carried out in the public interest or under “legitimate interests”?

3. How You Collect Information

Specify exactly how the data is collected — through registration, purchases, forms, or via cookies. This helps users understand how their information reaches you.

4. User Rights

Indicate what rights users have regarding their data — the right to access their personal data, correct it, delete it (“the right to be forgotten”), restrict processing, as well as data portability. Users also have the right to object to data processing and the right to protection against automated decision-making, including profiling.

5. Data Retention Period

Explain how long you will retain users’ personal data and what will happen to the data after this period ends.

6. Contact Information

Don’t forget to provide information on how users can contact you regarding privacy matters, such as an email address or feedback form. While not legally mandatory, having a dedicated email address is recommended. It’s also advisable to include a postal address and phone number. Providing communication channels for customers is another way companies can avoid legal issues in the future.

7. Updates to the Privacy Policy

State how often the Privacy Policy will be updated and where users can find the most current version of the document.

If you want your Privacy Policy to comply with all requirements and be professionally drafted, Fidustria is ready to help! Contact us for a consultation — we’ll ensure your website meets all the requirements of applicable legislation.
