Get to know your obligations as a business owner, for the data you collect and store for your customers, contacts and website visitors.
The legal side of business is boring.
Super, incredibly, put-you-to-sleep boring.
So boring this article needs a disclaimer!
But there are very good reasons to stay on the right side of the law (or at least within its spirit) – including some you might not expect!
No surprises here, but this article gets a big ol’ disclaimer!
I’m not a lawyer and none of the information in this article should be interpreted as legal advice. Please do your own due diligence to determine if or how much of this information is relevant to your circumstances, and whether you should seek professional legal advice.
Customers are demanding privacy
For small businesses, the potential fines for not complying with privacy legislation would be shut-the-door-closing-down-sale devastating.
But fines aren’t the biggest reason to comply.
Customer expectations are.
More and more people are worrying about and taking control of their own data privacy. Just look at the outrage about Facebook!
Stricter, highly publicized legislation makes even more people aware of their privacy rights, and more likely to demand stronger ones.
In a very short time, customers will expect all businesses to offer things like explicit consent, optional sign-ups, downloadable data etc. Those who don’t will fall by the wayside, even if they were never legally required to offer those things.
Start doing everything you can now and avoid playing catch up (or shutting shop) later.
What do privacy laws cover?
Around the world, privacy laws control what businesses need to tell people about the personal data they collect and what they can do with it.
They might control:
- what type of information you can collect,
- how you ask for permission,
- what else you need to tell people when you’re collecting their data,
- letting individuals access, edit or ask for their data to be deleted,
- where you can store the data, or
- who you can share the data with.
What is personal data?
Each piece of legislation defines “personal data” slightly differently, but in general, it’s any information you collect, store or access that can be used to identify an individual.
If you record a buyer’s name and address, then you’ve identified an individual. Any other information you keep for that same person, like their purchase history, is also their personal data.
This person’s behaviour on your website might also be stored inside Google Analytics, but if you can’t link it to their identity at all, then it’s not personal data.
Who do privacy laws apply to?
If you run a business today, you’re collecting people’s data. Privacy laws apply to you.
Often, you’re bound by the laws in your own country and those that cover the person whose data you’re collecting. It’s a lot to comply with!
Some laws have exceptions. For example, the Australian Privacy Principles (in our Privacy Act) normally only apply to businesses turning over more than $3 million annually.
But not all laws have exceptions, and many have different types of exceptions.
What is the GDPR and what does it mean for me?
The General Data Protection Regulation (GDPR) is the new European privacy law starting on May 25, 2018 that affects anyone who collects data from people inside the EU, no matter where your business is based.
If you’re thinking: I don’t have any European customers and I don’t ship there, so I’m ok – think again! You collect data about anyone who visits your shop. Unless you’re blocking European visitors entirely, it definitely does apply to you.
This law has teeth, with possible fines of up to 4% of global revenue (pretty massive if, say, Sony breached it) or 20 million Euros. Thankfully, there are also a series of warnings, reprimands and temporary “data bans” to be handed out well before any fines. Individuals can also sue for compensation for any damages they might suffer from a breach.
How is the GDPR new or different to existing laws?
Individuals have rights
The GDPR declares eight specific rights for individuals. Many of these already exist in European and other privacy legislation, but some are new.
Right to be informed
Rights to access / rectification / erasure / restriction / portability / objection
These are all rights that require your data tools to have certain features. Checking for these will be part of the data audit you’ll do.
People can request access to the data you hold on them at any time. They can also request to change the data, completely delete it, download it or ask you to temporarily stop using it entirely or for certain things, like marketing.
Reasons for collecting data
You must have a lawful reason for collecting someone’s personal data. The GDPR outlines eight of them, but only three are likely to apply to you. These are very similar to lawful reasons allowed by other privacy laws.
The first applies when you need to process specific data to fulfill a sale, such as a name and shipping details. Under this legal basis, you can only collect the data you need to do what you were paid to do, and can only use it for this reason.
If you want to collect other information about customers or use their data for marketing afterwards (or even to remind them to leave you a review!), you must use a different legal basis.
The second is your business’s “legitimate interest”: when you want to collect or use someone’s data in a way that the person would reasonably expect it to be used. You should use the data in the least intrusive way possible.
For example, sending a single follow-up email after a purchase to ask for a review could be a) reasonably expected, and b) in your legitimate interests. Adding this person to your ongoing marketing list (without explicit consent) would not be reasonably expected.
This is a very flexible basis but easily open for interpretation and challenge! To decide if you can process data for your business’s “legitimate interests”, you might want to seek independent legal advice.
The third is consent, which is needed whenever you want to use someone’s data for marketing or anything unrelated to providing the specific product or service they paid for.
It can’t be a pre-condition of another service (like automatically adding all customers to your marketing list) and should be as “granular” as possible. For example, let people opt in separately to receiving “occasional discounts and access to sales” and “monthly blog posts”.
Your next steps
Understanding your obligations is one thing. Putting them into practice and getting compliant is another! Here’s what you’ll need to do: