E-Commerce Privacy Policy Template & Generator

Updated February 01, 2023

An e-commerce privacy policy tells users how a business's website collects and uses their data. E-commerce websites generally rely on more aggressive marketing tactics than other sites and are required to disclose how they use personal information to market products and services to their users.

Is it required?

A privacy policy is required for an e-commerce website if:

  • European Union (GDPR) – Personal data of users in the EU is collected;
  • United States (CCPA) – Personal information is collected from California residents and the business meets any of the following:
    • Has annual gross revenues of more than $25 million;
    • Handles the personal information of 50,000 or more consumers, households, or devices annually for a commercial purpose (raised to 100,000 consumers or households by the CPRA amendments, effective January 1, 2023); or
    • Derives 50% or more of its annual revenue from selling (or, under the CPRA, sharing) consumers’ personal information.
  • Canada (PIPEDA) – Personal information of Canadian users is collected in the course of commercial activity, or the data crosses provincial or national borders. Organizations operating entirely within Alberta, British Columbia, or Quebec are instead covered by those provinces’ substantially similar privacy laws.

What Should be Included (8)

Under both California and EU law, a user has the right to know the types (or “categories”) of personal information being collected and how it is used.

To be compliant with such laws, it is best to include the following in a privacy policy:

  1. Personal Information Collected
  2. Purpose for Collection
  3. Right to Know
  4. Right to Delete
  5. Right to Opt-Out
  6. Right to Correct
  7. Right to Contact
  8. Cookie Policy

1. Personal Information Collected

California law breaks personal information down into 12 categories (the most common being a user’s name and e-mail address).

EU law defines personal data as “any information relating to an identified or identifiable natural person” (GDPR, Article 4(1)).

Therefore, any website operating in the EU or collecting from California residents must disclose every category of personal information it collects.

2. Purpose for Collection

A privacy policy must state the reason for collecting and using personal information.

Under EU law, processing is lawful only on one of the bases listed in GDPR Article 6. The bases most relevant to an e-commerce site are the user’s consent (Article 6(1)(a)), performance of a contract such as fulfilling an order (Article 6(1)(b)), and “the purposes of the legitimate interests pursued by the controller [WEBSITE]” (Article 6(1)(f)).

3. Right to Know

Under both California and EU law, the user has the right to know the following regarding their personal information:

  • The categories being collected;
  • The sources it comes from;
  • The purpose for collecting or using it; and
  • The third parties it is shared with.

At any time, a user may request all such data if it is not already set out in the privacy policy. Under EU law (GDPR, Article 15) this is known as the “right of access.”

4. Right to Delete

A user has the legal right to request that their personal information be deleted or erased from a website.

Under California law (CIV 1798.105), the request must be a “verifiable consumer request,” and the business has 45 days to respond to it.

Under EU law (GDPR, Article 17), this is known as the “right to erasure” (or “right to be forgotten”), and the website must act on the request within one month (Article 12(3)), extendable by a further two months for complex requests.

5. Right to Opt-Out

Unlike a deletion request, the right to opt-out under California law (CIV 1798.120) lets a user stop the website from selling or sharing their personal information (including sharing it for cross-context behavioral advertising) while allowing the website to retain their data.

For example, a user may keep an account or profile on a website but ask to be unsubscribed from its promotional emails.

Under EU law, the closest equivalent is the right to object (GDPR, Article 21), which a user may exercise at any time against processing for direct marketing; a user may also ask for processing to be limited under the “right to restriction of processing” (Article 18).

6. Right to Correct

If a person asks for inaccurate personal information about them to be corrected, the website must carry out the request under California law (CIV 1798.106). EU law provides the same right as the “right to rectification” (GDPR, Article 16).

For example, if a website directory lists the wrong phone number or address for a person, and the person asks for it to be changed, the website must make the correction.

7. Right to Contact

A website’s contact information must be made available for any request related to a user’s privacy rights.

Under California law (CIV 1798.130), a business must offer two or more designated methods for submitting requests, including at minimum a toll-free phone number; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address.

8. Cookie Policy

A cookie policy is commonly included as part of a privacy policy and describes the website’s use of cookies and how they track users on the site.

Cookies are set when a user arrives on a website and are used to record information such as:

  • Time on site (duration);
  • Pages visited;
  • Interactions with the page;
  • Products or services viewed (or “added to cart”);
  • Browser information;
  • Device ID;
  • Approximate geolocation (derived from the IP address); and
  • Cross-device tracking, to follow a user across more than one device.

Where to Put a Privacy Policy on a Website

A privacy policy must be placed where a user can easily reach it. This is commonly the footer of the website, on a page that is publicly available (no login or account required to view it).

Under EU law, the information in the policy must be provided at the time the personal data are obtained (GDPR, Article 13). Where processing relies on consent, the request for consent must be presented clearly and separately from other matters, and the website must be able to demonstrate that consent was given (Article 7, “conditions for consent”).