Privacy policies, GDPR, cookie policies, refund policies, return policies... the list is endless. How do you comply with all these laws?
Disclaimer
The information provided below is meant as general knowledge and should NOT be taken as legal advice. Always confirm with local authorities the exact legal obligations of your business online.
Online sales can be a legal nightmare
The list of policies one could write is endless but in this article, we'll try to address the most common ones.
GDPR
The General Data Protection Regulation came into effect on 25 May 2018 and yet, almost 3 years later, many businesses still don't understand it.
The law is simple:
If you store or process personal information in any way you need to have consent to do so.
A very common misbelief is that everyone needs to have that annoying popup to consent to data collection. In reality, that is NOT true. If you have a website that doesn't collect any personally identifiable information, you're exempt from GDPR.
GDPR also clearly states:
"If you have legal obligations to collect the data and the user understands it, you do NOT need to pro-actively obtain consent."
Third-party software
Another common misbelief is that you need to obtain consent to use third-party software on your website.
Even though there is software that collects personal information, most software nowadays stores data in an anonymized format, and anonymized data is not personal data, so no consent is needed for it. In these cases, we still advise you to list this software in your privacy policy and clearly state that the software uses an anonymization technique.
One last misbelief is that you need active consent to collect information such as an email address. Even though this is true, GDPR also states that almost any form of consent is acceptable. In cases such as an email capture form, it is enough to state how the information is going to be used; by signing up for the service, the user is actively giving consent.
Example:
"By signing up through this form, you are consenting to receive marketing material from XYZ ltd."
In summary, since in most countries you have a legal obligation to retain customer information for tax purposes, you are exempt from proactively obtaining consent for that data. GDPR, however, has many areas that are left up to interpretation, so we still recommend having a clear Data Privacy Policy detailing what data you collect, how you collect it, and how you store and use it. We also recommend having a link to this policy on every page of your website.
What is mandatory?
Whether you need to acquire consent or not, there are still some things that you need to adhere to if you want to be GDPR compliant.
- The right to be forgotten - You need to be able to completely delete the user information or anonymize it unless obliged otherwise by criminal law.
- The right to update - You need to be able to update the user information as requested by the user.
- The right to access - You need to be able to present all the information about a given user if he/she requests it.
- Data Officer - You need to appoint a data officer, responsible for all the user data, and this person's contact information has to be public.
An example of this can be found on Lifeboat's website: https://lifeboat.app/privacy
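The three rights listed above collide with the tax-retention obligation mentioned earlier: an order record may have to be kept on the books even after the customer asks to be forgotten, so "delete" and "anonymize" have to be applied per record. The following Python is an added example, not Lifeboat's code, showing one way to serve access, update and erasure requests against a small in-memory store. The record layout, the 7-year retention period, the field names and the sample customer are all assumptions made for illustration.

```python
"""Data-subject requests: access, update (rectification) and erasure.

Added example, not Lifeboat's code. Retention period, record layout
and sample data are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention obligation for order/invoice records (e.g. tax law).
# The real period depends on your jurisdiction; this is a placeholder value.
RETENTION_DAYS = 7 * 365
# Fields of an order that identify a person and must be wiped on erasure.
PERSONAL_ORDER_FIELDS = ("customer_name", "email", "shipping_address")
# Fixed "today" so the demo and its checks are reproducible.
DEMO_TODAY = date(2021, 3, 1)


@dataclass
class Customer:
    customer_id: str
    name: str
    email: str
    marketing_consent: bool


@dataclass
class Order:
    order_id: str
    customer_id: str | None   # None once the order has been anonymized
    ordered_on: date
    total: float
    customer_name: str
    email: str
    shipping_address: str


@dataclass
class Store:
    customers: dict[str, Customer] = field(default_factory=dict)
    orders: dict[str, Order] = field(default_factory=dict)
    marketing_list: set[str] = field(default_factory=set)  # emails with consent


def access_request(store: Store, customer_id: str) -> dict:
    """Right to access: everything held about this customer, as plain data."""
    customer = store.customers.get(customer_id)
    orders = [o for o in store.orders.values() if o.customer_id == customer_id]
    return {
        "profile": dict(vars(customer)) if customer else None,
        "orders": [dict(vars(o)) for o in orders],
        "on_marketing_list": bool(customer and customer.email in store.marketing_list),
    }


def update_request(store: Store, customer_id: str, changes: dict) -> Customer:
    """Right to update: apply only fields the customer may change themselves."""
    allowed = {"name", "email", "marketing_consent"}
    unknown = set(changes) - allowed
    if unknown:
        raise ValueError(f"fields not updatable by the customer: {sorted(unknown)}")
    customer = store.customers[customer_id]
    old_email = customer.email
    for key, value in changes.items():
        setattr(customer, key, value)
    # Keep the marketing list consistent with the consent flag and new email.
    store.marketing_list.discard(old_email)
    if customer.marketing_consent:
        store.marketing_list.add(customer.email)
    return customer


def erasure_request(store: Store, customer_id: str, today: date = DEMO_TODAY) -> dict:
    """Right to be forgotten, subject to the retention obligation.

    Profile and marketing data are deleted outright. Orders older than the
    retention period are deleted; orders still inside it are kept for the
    books, but every personal field is overwritten and the customer link cut.
    """
    customer = store.customers.pop(customer_id, None)
    if customer is not None:
        store.marketing_list.discard(customer.email)
    deleted, anonymized = [], []
    cutoff = today - timedelta(days=RETENTION_DAYS)
    for order in list(store.orders.values()):
        if order.customer_id != customer_id:
            continue
        if order.ordered_on < cutoff:
            del store.orders[order.order_id]
            deleted.append(order.order_id)
        else:
            for name in PERSONAL_ORDER_FIELDS:
                setattr(order, name, "[erased]")
            order.customer_id = None
            anonymized.append(order.order_id)
    return {"profile_deleted": customer is not None,
            "orders_deleted": sorted(deleted),
            "orders_anonymized": sorted(anonymized)}


def sample_store() -> Store:
    """Constructed sample data for the demo; not a real customer."""
    store = Store()
    store.customers["c1"] = Customer("c1", "Ann Example", "ann@example.com", True)
    store.marketing_list.add("ann@example.com")
    store.orders["o1"] = Order("o1", "c1", date(2012, 3, 1), 40.0,
                               "Ann Example", "ann@example.com", "1 Sample St")
    store.orders["o2"] = Order("o2", "c1", date(2020, 9, 15), 25.5,
                               "Ann Example", "ann@example.com", "1 Sample St")
    return store


if __name__ == "__main__":
    shop = sample_store()
    print(access_request(shop, "c1"))
    print(erasure_request(shop, "c1"))
    print(access_request(shop, "c1"))
```

The point worth copying is the split in `erasure_request`: the customer profile and marketing list go immediately, while an order inside the retention window survives only as a financial record with its identifying fields replaced by a fixed token and no link back to a customer id. Note that a hash of the email would not be enough there; anyone holding the original address could recompute it, so it is pseudonymization rather than anonymization.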
Refunds and Returns
Another common policy found on e-commerce websites is Refunds & Returns. Even though it is not obligatory in every country, we still recommend having it on your website.
This policy needs to outline how you handle requests for refunds and returns.
For example:
"We accept returns if they are returned in their original packaging within 7 days of the order delivery date."
Cookie Policy
This is a relatively old policy, which varies slightly from country to country; however, the basics remain the same:
- Does your site use cookies?
- How are they used?
In general, our recommendation is to avoid the use of cookies as much as possible, because many devices nowadays clear or block cookies. However, if you need to use them, clearly state what you do and how you use them.
For example:
"Our site uses cookies to determine if you are a repeat visitor or not, enabling us to show you more relevant content.
We do not store or process any personal information in cookies."
Age restrictions
Do you sell tobacco? Alcohol? Gambling-related items? Adult items? Guns or ammunition?... This applies to you.
Even though online sales of these categories are permitted in some countries, they come with additional obligations. The most common obligation is that you neither market nor sell these items to people below a specified age.
The most common approach is to have a popup that blocks access to such websites until the age of the visitor is verified.
These kinds of popups however can be easily circumvented and don't offer a reliable way to confirm the visitor's age or location. For such merchandise, we recommend opting for verification during the checkout process. We also recommend having a clear policy on your website detailing why such visitors cannot purchase from your store and how you prevent such sales.
Take privacy seriously
Even though we debunked quite a few common misbeliefs in this article, you should still treat privacy as an important pillar of your online sales.
Data leaks, unnecessary data collection and the like could quickly lead to a legal and PR nightmare, so don't take risks.
How does Lifeboat protect me?
Unlike other platforms, Lifeboat takes data privacy and security extremely seriously.
Data Leak Mitigation
- We isolate each online shop through software and hardware. If one shop is compromised, the others using Lifeboat are not affected.
- Each shop comes with its own dedicated database, and such databases are not accessible outside their network.
- Each shop's database is secured with multiple layers of firewalls, rotating passwords, and is constantly monitored for abnormal activity.
PCI Compliance
- Regular penetration testing is performed on all systems
- Access to the data is limited
- All communications are encrypted
- Cardholder information is not stored within our system
We hope that this article was helpful; if it was (or wasn't), let us know in the comments below.