- More customers expect transparency and honesty, regardless of the law.
I’m not a lawyer and none of the information in this article should be interpreted as legal advice. Please do your own due diligence to determine if or how much of this information is relevant to your circumstances, and whether you should seek professional legal advice.
First: Prepare your Data Audit
If you’ve decided to make any changes to what you collect or the tools you use, make sure your Audit reflects this before you write anything down: the policy has to describe what you actually do, not what you used to do.
Your policies must be lawful.
Yes, you’ve told them what you’ll do! But telling someone about your marketing is not the same as getting their consent to it: you still need specific, opt-in consent for that marketing. Under the GDPR (if it applies to you), following that policy without it is probably unlawful. (It would also be against the Etsy Terms, if you’re an Etsy seller!)
You must follow your policies.
Do what you say, and say what you’ll do. Easy!
They should be easy to find…
If you’re giving any other information (like a summary of your newsletter subscription policy on your sign up form), it should be legible and positioned somewhere the user is likely to see and read, like above the “submit” button. Don’t hide it away below the form in tiny font!
And easy to understand.
All this is important to make sure the consent they give you is valid! If they can’t easily find or understand your privacy policies, then they can’t consent to them.
It should cover the following topics, in plain language that your visitors will understand.
How to contact me/us
As the Data Controller, you need to include your name, business name, email address and a postal address.
People can contact you with questions, complaints or to request access or changes to their data.
Information I/we collect
Be as specific as possible. Do you collect their email address, full name, shipping address? What else?
What will the person be doing when you collect it? (Checking out, viewing pages on your shop, signing up for your newsletter etc.)
How I/we use this information
Why do you collect it? What do you use it for?
What happens if they don’t give you the information? Will it stop you from providing a service or is it optional?
Your lawful bases
What is the GDPR lawful basis you’re using: contract, consent, legitimate interest?
If you rely on “legitimate interest” for anything, you should provide plenty of detail about how you’re justifying this usage. Legitimate interest is not a free pass: you need to be able to show that the processing is necessary for that interest and that it doesn’t override the person’s own rights and interests, so record that balancing assessment somewhere. If relevant, reassure them that this usage is non-intrusive and secure.
What don’t you use it for?
How I/we share this information
Start by assuring the reader that you don’t sell or rent their data, and never share their data except in certain circumstances (only say this if it is true; check it against your data audit). Normally, these will be:
- where you’re legally required,
- for important business reasons (like selling your business or to enable continuation of your business),
- or to provide a product or service, including marketing and other information they’ve asked to receive.
If possible, you should list the specific companies or types of people (eg. staff) who might receive their data, and why you share it with them. You can also reassure users of the security of their data with these third parties.
Transferring data to other countries
This isn’t just about taking personal data outside of the EU or EEA. Other countries, like Australia, also need you to notify users when data is sent outside of their country.
- Identify in what countries personal data will be processed and stored, and by what third parties.
- If data is sent to the US, confirm that the service storing the data is certified under the EU-US transfer framework in force at the time. (Note: this article refers to EU-US Privacy Shield, which the EU Court of Justice invalidated in July 2020 in the Schrems II ruling; since July 2023 the equivalent mechanism is the EU-US Data Privacy Framework, and standard contractual clauses remain an alternative.)
How long I/we keep this information
How long will you store their data? You might have a legal obligation to store some information for a certain length of time. You might keep other information “as long as you need to provide the service”.
Be as specific as possible, where you do have a set amount of time.
Your rights
Inform people of the rights they might have to access, edit, stop processing/use, withdraw consent and delete their data.
(Make sure all the third parties you share data with have the necessary features to let you comply with these rights if you get a request!)
You can also remind people that they can lodge a complaint with a relevant authority. For the EU, this will be their local data protection authority.
Cookies & other tracking technology
This policy explains what cookies (or other similar technology) your website uses and might place in their browser. It needs to cover:
- What cookies are used
- Their purpose
- How the user can opt out (if possible)
You might also need to use a cookie consent tool so that non-essential cookies that process personal data (such as personalised ads and analytics) are only set after the user opts in. Cookies that are strictly necessary for the site to work (a session or basket cookie, say) don’t need consent; everything else does, and the default with no recorded choice must be “not set”.
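As an added illustration of the gating described above (this is example code written for this article, not code from the original page, from Etsy, or from any consent vendor): a small first-party consent record, the logic that decides which trackers may run, the cookies to expire when consent is withdrawn, and the rows for the “what cookies / purpose / opt-out” table the policy needs. The cookie name `cookie_consent`, its `v1|…` format, the tracker names and purposes are assumptions for the example; the cookie names `_ga`, `_gid`, `_gcl_au` and `_fbp` are the ones those tools commonly set, but check your own browser.

```javascript
// Consent-gated loading of non-essential trackers (added example, not the article's code).
// Assumptions: consent is stored in a first-party cookie "cookie_consent" with the body
// "v1|analytics=<0|1>|ads=<0|1>|ts=<unix seconds>"; tracker names/purposes are illustrative.
const CONSENT_COOKIE = "cookie_consent";

// What the site may set, the purpose the cookie policy must disclose, and the cookie
// names to clear if the visitor withdraws consent for that category.
const TRACKERS = [
  { name: "session",          category: "essential", purpose: "keeps the basket / login working", cookies: ["sid"] },
  { name: "google-analytics", category: "analytics", purpose: "aggregate usage statistics",        cookies: ["_ga", "_gid"] },
  { name: "google-ads",       category: "ads",       purpose: "conversion tracking, remarketing",  cookies: ["_gcl_au"] },
  { name: "facebook-ads",     category: "ads",       purpose: "ad measurement, remarketing",       cookies: ["_fbp"] },
];

// Parse the Cookie request header. Returns null when there is no valid consent record;
// callers must treat null as "no consent", never as "yes".
function parseConsent(cookieHeader) {
  const pairs = (cookieHeader || "").split(";").map((p) => p.trim());
  const raw = pairs.find((p) => p.startsWith(CONSENT_COOKIE + "="));
  if (!raw) return null;
  const fields = decodeURIComponent(raw.slice(CONSENT_COOKIE.length + 1)).split("|");
  if (fields[0] !== "v1") return null; // unknown format: ignore it rather than guess
  const consent = { analytics: false, ads: false, ts: 0 };
  for (const f of fields.slice(1)) {
    const [k, v] = f.split("=");
    if (k in consent) consent[k] = k === "ts" ? Number(v) : v === "1";
  }
  return consent;
}

// Build the Set-Cookie value that records an explicit choice (180 days, first-party only).
function serializeConsent(choices, now = Math.floor(Date.now() / 1000)) {
  const body = `v1|analytics=${choices.analytics ? 1 : 0}|ads=${choices.ads ? 1 : 0}|ts=${now}`;
  return `${CONSENT_COOKIE}=${encodeURIComponent(body)}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Which trackers may run: essentials always, everything else only with an explicit opt-in.
function allowedTrackers(consent) {
  return TRACKERS.filter((t) => t.category === "essential" || (consent && consent[t.category] === true));
}

// In the browser, call inject(name) (e.g. append the vendor's <script>) only for allowed trackers.
function loadTrackers(cookieHeader, inject) {
  const loaded = [];
  for (const t of allowedTrackers(parseConsent(cookieHeader))) {
    inject(t.name);
    loaded.push(t.name);
  }
  return loaded;
}

// Cookies to expire when a previously granted category is switched off (the "opt out" step).
function cookiesToClear(previous, next) {
  const out = [];
  for (const t of TRACKERS) {
    if (t.category === "essential") continue;
    if (previous && previous[t.category] && !next[t.category]) out.push(...t.cookies);
  }
  return out;
}

// Rows for the cookie table in the policy: what is set, why, and how to opt out.
function policyTable() {
  return TRACKERS.map((t) => ({
    name: t.name,
    cookies: t.cookies.join(", "),
    purpose: t.purpose,
    optOut: t.category === "essential" ? "not possible (needed for the service)" : `switch off "${t.category}" in the cookie settings`,
  }));
}
```

The two points worth copying even if you use a vendor’s banner: a missing or unrecognised consent record loads nothing non-essential, and withdrawing consent also clears the cookies already set, otherwise “opt out” is only cosmetic.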
- UK ICO’s privacy notice checklist (pre-GDPR but gives good info about where to show your notices and how to present it)
You’ll probably need to add additional items, based on your data audit.
You won’t be able to use a cookie consent tool with your Etsy shop. And you won’t need to! Etsy’s built-in cookie consent options also apply to the cookies that sellers can cause to be set by turning on advertising or analytics in the shop settings.
We should still summarise the cookies used that we have some control over: Google AdWords, Facebook (ads) and Google Analytics.
We also need to include some information according to the terms of these tools. If you’ve turned on Advertising Features in Google Analytics to use demographics reports or remarketing, see my example policy.
I recommend this specific tool because it’s automatically updated as laws change, around the world. They do this with their team of supporting lawyers.
The free version lets you include up to 4 built-in methods of collecting data. For your shop, this might cover:
- Taking payments in general
- Using PayPal (specifically)
- Using MailChimp
- Using Google Analytics
This is an affiliate link: you can get 10% off your first year and I’ll receive a small bonus.