eCommerce can be a key part of a small business’s revenue and growth strategy. Whether you’re selling your craft creations or engine parts, your eCommerce website is how customers find you and purchase your products, allowing you to make money, pay your salary and grow your revenue. While compliance was probably not one of the functions you had in mind when you started selling products online, it is nevertheless a critical function for your business to be aware of. For your eCommerce website, privacy compliance applies directly to your business, because privacy laws in the United States may require your website to have a Privacy Policy that makes very specific disclosures. Failing to comply with privacy laws poses a direct threat to your business: non-compliance could result in significant fines and lawsuits that threaten your bottom line.
This article will discuss the following topics:
- How eCommerce websites collect Personally Identifiable Information
- What laws require eCommerce websites to have a Privacy Policy
- Fines for non-compliance with privacy laws, and
- Where your eCommerce business can get an affordable Privacy Policy solution.
How eCommerce websites collect Personally Identifiable Information
When websites collect Personally Identifiable Information (PII), privacy laws may govern how that information is collected, used and disclosed to others. PII is defined as any information that directly or indirectly identifies or relates to a specific person.
Examples of PII include the following:
- Name
- Physical address
- Email address
- Phone number, and
- Payment information, such as credit card numbers.
eCommerce websites usually collect PII via the following means:
- Contact forms for customers to contact you and inquire about your business and any of the products that you sell
- Newsletter sign-up forms, where users can sign up to get emails about new products or sales
- Order forms, where users can input their PII to purchase an item from you, and
- Payment processing pages, where users enter payment details to complete a purchase.
If PII is collected via any of the above methods, your eCommerce website may be required by law to have a Privacy Policy.
What laws require you to have a Privacy Policy?
Privacy laws are generally enacted to protect consumers, specifically their right to control their PII and to know who has access to potentially sensitive information. Privacy laws are unique, however, in their broad reach. They may apply not only to businesses in the jurisdiction where the law was passed, but also to businesses anywhere the business’s website can be accessed. Because your website may be accessed by consumers across the United States and the world, your business needs to be aware of the major privacy laws governing the use of consumer PII. These laws include the following:
- California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Nevada Revised Statutes Chapter 603A
- Delaware Online Privacy and Protection Act (DOPPA)
- Europe’s General Data Protection Regulation (GDPR)
The laws above require businesses to have a Privacy Policy on their websites. The Privacy Policy must make specific disclosures pertaining to the collection and disclosure of customer PII. Our article on laws requiring Privacy Policies contains more information on what privacy laws may apply to your eCommerce website.
Privacy laws, such as the CCPA cited above, now provide consumers with private rights of action against businesses under certain circumstances, allowing consumers to sue businesses directly for non-compliance. If your business mishandles PII and inadvertently discloses the information to unauthorized parties, it could be subject to lawsuits and heavy fines.
Privacy laws, as a whole, are constantly changing and continue to expand consumer rights over PII. Over a dozen other states have proposed their own unique privacy laws and penalties for non-compliance. If businesses do not evolve and adapt to these fast-paced changes, the risk of heavy fines and lawsuits only increases. Thus, it is important for businesses to have a plan in place to ensure their website’s Privacy Policy complies with applicable privacy laws. We recommend that you not only have a Privacy Policy but also have a strategy to keep it up to date when the laws change.
Fines for non-compliance
Should a business fail to implement a compliant Privacy Policy on its website, heavy fines may result. Non-compliance under applicable privacy laws can result in fines ranging from $2,500 per violation to €20,000,000 or more in total under European law. Because fines are calculated on a “per violation” basis, your business may be subject to high fines even if your website only receives a few dozen visitors per week.
Where to get a Privacy Policy for your eCommerce website
Small businesses often face excessive costs when implementing a compliant Privacy Policy, especially the cost of hiring an attorney to write it. We recommend Termageddon, a Privacy Policy generator that will create a customized Privacy Policy for your website and keep it updated whenever privacy laws change.