Are You Breaking the Rules? Data Privacy in eCommerce

With all the developments around data privacy issues, it is only natural for website owners to wonder whether they happen to be doing something illegal: will the internet police be onto me?

Sticking to a legal framework that changes more often than the weather is certainly a challenge, especially for small businesses.

This article is part of a series set up up to give you a hand in determining whether your company is doing things right. Today's first edition explores the ground rules of data privacy in eCommerce, taking the the European Union Directive as the main point of reference.

We want to stress that we are not lawyers and your practices in data collection are solely your own responsibility. This post is intended to give you an idea of the concepts on which the ever changing regulations are based, and to link to the resources you can use to stay up to date with the enforced rules.

Whether you’re working for a mega company or you just have a small online store, there are certain boundaries that you should be aware of when it comes to processing your visitors’ information. If you cross these borders you might not only damage your own reputation but also run the risk of incurring a fine, or worse.

Here are five main rules around data privacy to stick to:



1. When you need information, ask for it – don’t steal it

Even the tiniest piece of information relating to someone who visits your website doesn’t belong to you. This golden rule was introduced by the European Convention on Human Rights and it means that you are simply not allowed to collect and save information without obtaining permission from the user to do so.

Some of you might be wondering about the famous “cookies” which apparently collect visitor information without their consent. The rules on these keep changing, so we recommend you to add this website to your favorites and take a look once in a while.


That said, here are the key cookie-facts you should be aware of:

I. Some cookies do not require consent from the visitor under certain conditions, such as those used to keep track of users’ input in forms, shopping carts (session ID cookies) and user interface customization cookies (for example language preferences).

II. In the same way, first party services (such as analytics or Live Chat) don't generate a privacy risk, as long as you provide information about the cookies you are using as well as privacy safeguards.



2. Don't overuse it

As tempting as it might seem, using your visitors’ information for multiple purposes is just not acceptable. Consider the example: a visitor reads your blog and signs up to receive your weekly newsletter. Now that you have the e-mail address you might be thinking it wouldn’t hurt to send this visitor a service offer, right? Wrong! You are only allowed to use data for the specific purpose it was given to you.

Further, if someone gives you their information for a short-term reason, such as sending a quote or making specific questions, once resolved, in the same way, you are not allowed to keep their data any longer (unless they allow you to). Avoid keeping information for longer periods than you really need.



3. Never share it without consent

When it comes to user data, sharing isn't caring. Passing around visitors' information to friends, partners or neighbouring companies is another thing you mustn’t do. Information is confidential and you should keep it under lock and key.

Once again, the legitimacy of using cookies may be questioned. For certain third-party services such as Google Analytics or Userlike Live Chat, visitors’ behaviour is tracked and stored by other companies.

Looking further into this matter, we meet the Data Protection Directive, which says that it’s legal to collect and process data by the controller (website owner) or third party when there exists legitimate interest, not affecting or infringing the individual’s privacy rights.

In this and similar cases, a “reasonable balance” should be agreed upon between your own interests and your customers’ rights.



4. Display your privacy policy publicly

Showing off your Privacy Policy is not only something you do just because you’re supposed to, but also because it will add trust value to your online business.

On this disclaimer you can add relevant information such as required information people should give you to be able to register on your website, the way you process your users’ data, the purpose of storing their information (if that is the case and a public announcement on confidentiality.

In some countries you are required to add information about the 'data collecting' third party services you are using in your website, such as Google Analytics and Userlike Live Chat. Most services will have such a text available that you can copy and paste inside your privacy policy, such as this one for Userlike.



5. Whatever you do with it counts

Apart from the list above there are many other ways in which you can break the rules without even noticing: From checking out private information, making changes or editing without user consent, or even by deleting something without permission.

There are certain categories of content which are strictly forbidden for sharing, being considered “Sensitive Data”. Even though collecting some of this data might seem innocent in certain contexts, you must be aware that you are prohibited on storing personal data related to one’s ethnic origins, political opinions, religious choices, trade-union membership and health/sex-life related categories (unless an exception criteria is met).



Especially for those smaller entrepreneurs who have a tough time finding the resources to hire legal advisors, keeping up with these constant regulation developments is not easy. To help you, we recommend you keep an eye on the following resources:



European Comission Data Protection Platform

Information Comissioner’s Office (for UK based companies)

Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG for German based companies)



About Userlike

Userlike is live chat software for websites, allowing companies to chat with their (potential) customers directly over the website. Look here for more information.