If you sell online, you are probably aware of the importance of shoppers’ trust in your business. Almost a third of global shoppers rank a commerce site’s experience and trustworthiness over everything else when it comes to their decision to buy.
In the wake of the countless data privacy scandals over the last couple of years, the trust that people place in businesses has become closely tied to how well they believe those companies protect the privacy of their customers’ personal information.
Unfortunately, many organizations still fail in that area, with only half of global shoppers believing companies sufficiently respect the privacy of their personal data.
To address the negative impact that careless handling of personal data can have on society and the economy, several states and international organizations have recently adopted a range of laws and regulations to define the data privacy obligations of organizations who collect and use people’s personal information.
Foremost among these new rules is the General Data Protection Regulation (GDPR), enacted by the European Union, which impacts any organization whose data handling activities are carried out in the context of its establishment in the EU or of processing personal data of subjects who are in the Union. However, other states soon followed suit with very similar – and sometimes even more strict – data privacy laws of their own, such as the California Consumer Privacy Act of 2018, Brazil’s General Data Protection Law (LGPD) or India’s Draft Personal Data Protection Bill 2018 (PDPB).
What all of these data privacy regulations have in common is the requirement that any organization that collects (data controller) or processes on behalf of a data controller (data processor) people’s personally identifiable information (PII) display a “clear and comprehensive” privacy statement for the individuals whose data will be collected or used by the organization. Thus, the Privacy Notice you need to display on your website will be the foundation of your data protection regulatory compliance.
1. Think of your customers when drafting your Privacy Notice. Nobody wants to read through opaque, complicated legal language and never-ending blocks of text. If your Privacy Notice is too hard to follow and comprehend, then it could be argued that a customer who simply ticks an “I agree” box has not really given their consent – since they don’t understand what they are consenting to.
The Privacy Notice needs to be organized in short, easy-to-follow sections, and be written in a way that is accessible to all. According to the regulations:
Write in a concise, transparent and easily accessible form, using clear and plain language (GDPR Article 12(1)).
Information shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptive, sensorial, intellectual and mental characteristics of the user, using audiovisual resources when appropriate, in order to provide the necessary information to the parents or the legal representative and that is appropriate for the children’s understanding. (LGPD Art. 14 §6)
2. What do you need to tell the customer in your Privacy Notice?
According to Article 13 of the GDPR, this is the information that must be provided to customers at the time their data are collected:
The California Consumer Privacy Act of 2018 includes slightly different consumer rights than those under GDPR, so if your business operates in California, you may want to consider a stand-alone notice dedicated to California residents:
Brazil’s General Data Protection Law (Art. 9) takes a similar stance to the above:
The data subject has the right to facilitated access to information concerning the processing of her/his data, which must be made available in a clear, adequate and ostensible manner, concerning, among other characteristics provided in regulation for complying with the principle of free access:
I – the specific purpose of the processing;
II – the type and duration of the processing, being observed commercial and industrial secrecy;
III – identification of the controller;
IV – the controller’s contact information;
V – information regarding the shared use of data by the controller and the purpose;
VI – responsibilities of the agents that will carry out the processing; and
VII – the data subject’s rights.
3. Your customers should have as much visibility of your Privacy Notice as possible.
Don’t hide it in an obscure corner of your website where no one will find it. In addition, you shouldn’t aggregate the Privacy Notice together with other legal texts on your website – such as the terms and conditions of use, for example. Visitors should not be obliged to search for the information about how their data is processed among other unrelated legal statements.
Here’s what the Article 29 Working Party Guidelines on Transparency under GDPR say about the best practices for writing a Privacy Notice:
The following phrases are not sufficiently clear as to the purposes of processing:
4. Explain the legal grounds of processing your customers’ data, according to the applicable data protection laws in the countries where you do business. Why do you process individuals’ personal information? What do you need to do with that data and on what legal grounds are you entitled to collect it and use it?
5. If you intend to use your customers’ personal data for any other purposes in addition to the one for which it was initially collected, always make those other purposes clear to the customers in the Privacy Notice.
Keep them in mind when you plan your marketing strategy and tactics and make sure they abide by what you have stated in the notice. If you need to expand the scope for which you use customers’ data at a later time, always update your Privacy Notice and inform everyone whose data you intend to process immediately, as you will need their explicit consent under your new data usage policy.
We hope these tips will keep you on the right side of the law concerning data privacy and protection, and help you foster a relationship of trust with your customers.