If you’re running an eCommerce store, it’s likely that you’ll be collecting customer information via your website. This is commonly done, both to collect marketing and advertising information, and also to complete sales transactions and send items to your customers. As you’re collecting this information, however, it’s good to keep the best practice privacy principles in mind.

ECommerce stores need to be careful of what private information they collect from customers. There are numerous pieces of privacy legislation around the world that require you to notify your customers of certain things when you collect their information. Let’s take a look.

Privacy in the US and EU

Images: USA Flag Textured, D. Williams (left); Drapeau de l’Union Européenne, Campus France (right)

First, let’s look at two of the main jurisdictions that you may be in if you’re using the PinnacleCart solution for your eCommerce store.

In the US, there is no federal data privacy law that applies in a general sense. There is a federal health information privacy law (HIPAA), but the broadest data privacy law for online privacy is a state law: the California Online Privacy Protection Act. This act requires that you display a Privacy Policy clearly and prominently on your website, and that your Privacy Policy covers:

  • The kinds of information your website or online marketing tactics collect;
  • How the information may be shared;
  • The process your customers can follow to review and change the information you have on them;
  • How you respond to “do not track” requests; and
  • The policy’s effective date and a description of any changes since then.

The EU is significantly stricter, and covers data protection in its EU Data Protection Directive. The Directive allows a business based in the EU to process customers’ “personal data” only if consent has been given for that processing, or the processing is necessary to fulfil a contract or legal obligation that the person is party to. For eCommerce stores, you would need to get consent.

“Personal data” can include:

  • Location;
  • Identity of the data subject; and
  • Credit card and banking data.

For example, when a person purchases something from an eCommerce store, the store will require that person’s name, address, phone number, email address, and credit card details.

Your Privacy Policy also needs to detail:

  • Your identity;
  • The purpose or purposes for which you are collecting the data;
  • The recipients or categories of recipients of the data;
  • The existence of your customer’s right of access to and right to rectify the data; and
  • That you guarantee fair data processing in respect of the data subject.

The EU also has a new law coming into place, the EU Data Protection Regulation (the Regulation). The Regulation will cover the whole EU region in a more cohesive manner than the Directive, and will mean that individual states do not need to implement their own laws for it to take effect. It will also apply to anyone dealing with the personal data of EU citizens, and you won’t need to be a business based in the EU for it to apply to you.

Your Privacy Policy and Notifying Your Customers

Now, based on the above US and EU laws, the Privacy Policy for your eCommerce store should cover:

  • Who you are (the company collecting the information);
  • What types of information you will be collecting for your eCommerce store;
  • How you will protect and store the information;
  • What you will do with that information and when you may share it with others;
  • How the customer can review the information you hold;
  • How the customer can change that information;
  • How you respond to “do not track” requests;
  • The policy’s effective date and a description of any changes since then; and
  • Dispute resolution information.

When you’re covering the circumstances in which you may share customer information with others, remember to include information on payment gateways and payment processors. If you use PayPal, or Visa or Mastercard payment processors, you’ll need to disclose in your Privacy Policy that you share customer information (their credit card details, name, and address) with these third parties.

Next let’s take a look at where to display your Privacy Policy.

There are two main ways that most eCommerce stores display their Privacy Policies, one is good, and one is bad. The bad method is called browsewrap, while the good method is called clickwrap.

Browsewrap is when the customer is expected to find the Privacy Policy on your eCommerce store website, open it, read it, and agree to it. Most courts have found that browsewrap methods are not legally binding, as the customer is not given reasonable or sufficient notice (they have to do all the work themselves!). Here’s an example of what browsewrap usually looks like, from Business Wire:

Browsewrap is not one of the best practice privacy principles as it is not always legally binding.


Clickwrap is much better, and unlike browsewrap it’s actually legally binding. Clickwrap is when the user is presented with a link to the Privacy Policy, and provided an opportunity to agree to it by way of an “I agree” button or check-box. Here’s an example of what clickwrap would look like for your eCommerce store Privacy Policy, from Ebay:

Ebay Privacy Policy Clickwrap

Clickwrap is a great example of the best practice privacy principles.

In the Ebay example, you can see that it contains a statement indicating that when the customer clicks “Create account and continue”, they are agreeing to the User Agreement and Privacy Policy.

Here’s another example, from The Weather Channel, with a check-box:

Check-boxes are a great way to make use of the best practice privacy principles.

You can see that the check-box allows the customer to indicate that they agree to the Terms of Service and Privacy Policy. Note that in both examples, links are provided to the legal documents so that customers can easily open them and read them, and they are clear on what the “I Agree” button or check-box is relating to.
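To show how the clickwrap pattern above translates into store code, here is an added example (not from the original post or from PinnacleCart) that validates a signup submission and builds a consent record tied to the policy version and effective date the customer actually saw. The `PRIVACY_POLICY` values, the submission fields and the `needsReconsent` helper are assumptions for illustration.

```javascript
// Constructed sample policy metadata; a real store would load this from its CMS.
const PRIVACY_POLICY = {
  url: "/privacy-policy",
  version: "2016-03",          // bump whenever the policy text changes
  effectiveDate: "2016-03-01",
};

// Builds the record to store alongside the account, or throws when the
// submission does not show affirmative, informed agreement (clickwrap).
// `submission` is the hypothetical form payload: { agreed, policyVersion }.
function buildConsentRecord(submission, policy = PRIVACY_POLICY, now = new Date()) {
  // A pre-ticked or missing box is browsewrap in disguise: require an explicit tick.
  if (submission.agreed !== true) {
    throw new Error("Customer must tick the Privacy Policy check-box before continuing");
  }
  // The tick must refer to the policy version that was shown with the form;
  // a stale version (e.g. a cached page) means the notice did not match the terms.
  if (submission.policyVersion !== policy.version) {
    throw new Error(
      `Consent given for policy ${submission.policyVersion}, current is ${policy.version}`
    );
  }
  return {
    policyUrl: policy.url,
    policyVersion: policy.version,
    policyEffectiveDate: policy.effectiveDate,
    agreedAt: now.toISOString(),       // evidence of when agreement was given
    method: "clickwrap-checkbox",
  };
}

// True when the stored consent predates the current policy version, i.e. the
// customer must be shown the changes and asked to agree again.
function needsReconsent(record, policy = PRIVACY_POLICY) {
  return record.policyVersion !== policy.version;
}
```

On the browser side, the same check should also be enforced in the signup request handler; client-side validation alone can be bypassed, so the server must refuse to create the account without a valid record.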

Remember that setting up these best practice privacy principles for your eCommerce store is easy to do. In just a few small steps, your eCommerce store will be in line with the law and ready to meet your privacy obligations.

Have questions on the best practice privacy principles in your area? We’d love to help you, so leave a comment below!


Guest blogger Leah Hamilton is a qualified solicitor and writer working at TermsFeed (https://termsfeed.com), where businesses can create legal agreements in minutes using the Generator.