If you’ve been following the steps to get up to speed on data privacy, your final step is to update (or create) your shop’s Privacy Policy.

Do I need a Privacy Policy if I only sell on Etsy?

All shops should have their own privacy policy, even if only you sell on Etsy or don’t even have an email list! If you run a business with customers, you handle personal data.

Do I need a Privacy Policy if I’m not worried about the GDPR?

Yes, you should have your own privacy policy even if you don’t think the GDPR applies to you or if you’re not worried about it. Here’s why:

  1. Customers are expecting more transparency and honesty, regardless of the law.
  2. Other privacy laws almost certainly apply that require a privacy policy. “GDPR standards” should work for these too (though seek legal advice if you’re unsure).
  3. Certain features in Google Analytics (and other tools) require notices that Etsy doesn’t cover in their own privacy policy, such as Advertising Features.


I’m not a lawyer and none of the information in this article should be interpreted as legal advice. Please do your own due diligence to determine if or how much of this information is relevant to your circumstances, and whether you should seek professional legal advice.

First: Prepare your Data Audit

Before starting your privacy policy, review and update your Data Audit.

If you’ve decided to make any changes to what you collect or the tools you use, make sure your Audit reflects this.

7-Question Data Audit (plus how to choose GDPR-compliant tools)

Before you can take any action — update your privacy policy, add a new opt-in box or change your consent process — you need to know what data you currently collect and what you do with it. Luckily, it doesn’t need to take you all day. It’s just a simple record of the different sources…

Continue reading

Rules of a Privacy Policy

Your policies must be lawful.

You can’t give yourself permission to do just anything by putting it in your privacy policy. You must still have a lawful basis to collect & do what you want, including specific consent if you need it.

For example, you can’t add customers to your email marketing list automatically, even if your privacy policy says “If you buy from me, I’ll add your email to my marketing list. Then you can opt out if you don’t want to get shop updates.”

Yes, you’ve told them what you’ll do! But you still need specific consent for that marketing. Under the GDPR (if it applies), it’s probably not legal for you to follow that policy. (It also would be against the Etsy Terms, if you’re an Etsy seller!)

You must follow your policies.

Do what you say, and say what you’ll do. Easy!

Make sure you keep your privacy policy up to date, complete and accurate. If you say you don’t use emails to create advertising lists, then don’t. If you want to collect more details during checkout, add them.

They should be easy to find…

Include a link to your privacy policy directly from where people need to read it.

If you’re giving any other information (like a summary of your newsletter subscription policy on your sign up form), it should be legible and positioned somewhere the user is likely to see and read, like above the “submit” button. Don’t hide it away below the form in tiny font!

And easy to understand.

Legal documents can be complicated, but your privacy policy (and other information you give your visitors) should be understandable by regular people. A summary version or clear introductory statements are great ways to do this.

All this is important to make sure the consent they give you is valid! If they can’t easily find or understand your privacy policies, then they can’t consent to them.

Option 1:

How to write a Privacy Policy for your shop

If you’ve finished your Data & Tools Audit, you have all the information you need to write a really great privacy policy!

It should cover the following topics, in plain language that your visitors will understand.

How to contact me/us

As the Data Controller, you need to include your name, business name, email address and a postal address.

People can contact you with questions, complaints or to request access or changes to their data.

Information I/we collect

Be as specific as possible. Do you collect their email address, full name, shipping address? What else?

What will the person be doing when you collect it? (Checking out, viewing pages on your shop, signing up for your newsletter etc.)

How I/we use this information

Why do you collect it? What do you use it for?

What happens if they don’t give you the information? Will it stop you from providing a service or is it optional?

Your lawful bases

What is the GDPR lawful basis you’re using: contract, consent, legitimate interest?

If you rely on “legitimate interest” for anything, you should provide plenty of detail about how you’re justifying this usage. If relevant, reassure them that this usage is non-intrusive and secure.

What don’t you use it for?

If you don’t use certain data for a common purpose, take the opportunity to mention it. For example, if you don’t use your email marketing list to create advertising audiences. You would have had to explicitly say so if did do this (and probably get consent), but you can make your privacy policy feel more transparent and trustworthy if you include what you won’t do with their data.

How I/we share this information

Start by assuring the reader that you don’t sell or rent their data, and never share their data except for in certain circumstances. Normally, these will be:

  • where you’re legally required,
  • for important business reasons (like selling your business or to enable continuation of your business),
  • or to provide a product or service, including marketing and other information they’ve asked to receive.

If possible, you should list the specific companies or types of people (eg. staff) who might receive their data, and why you share it with them. You can also reassure users of the security of their data with these third parties.

Transferring data to other countries

This isn’t just about taking personal data outside of the EU or EEA. Other countries, like Australia, also need you to notify users when data is sent outside of their country.

  • Identify in what countries personal data will be processed and stored, and by what third parties.
  • If data is sent to the US, confirm that the service storing the data is certified for EU-US Privacy Shield.

Data Retention

How long will you store their data? You might have a legal obligation to store some information for a certain length of time. You might keep other information “as long as you need to provide the service”.

Be as specific as possible, where you do have a set amount of time.

Your rights

Inform people of the rights they might have to access, edit, stop processing/use, withdraw consent and delete their data.

(Make sure all the third parties you share data with have the necessary features to let you comply with these rights if you get a request!)

You can also remind people that they can lodge a complaint with a relevant authority. For the EU, this will be their local data protection authority.

Cookies & other tracking technology

A cookie policy is often presented as a separate document, but you can also include it with your privacy policy if it has its own separate section.

This policy explains what cookies (or other similar technology) your website uses and might place in their browser. It needs to cover:

  • What cookies are used
  • Their purpose
  • How the user can opt out (if possible)

You might also need to use a cookie consent tool to let users opt-in to non-essential cookies that affect personal data, such as personalized ads and analytics.

If you aren’t sure what cookies your shop uses, consider a cookie consent tool that also generates a cookie policy. It will detect all the cookies on your site automatically.

Your Etsy shop’s privacy policy

Read the Seller Handbook article

Etsy provides an example privacy policy that includes clauses specific to an Etsy shop. After completing your data audit, use their example to make sure you cover all the elements related to your use of Etsy.

You’ll probably need to add additional items, based on your data audit.

Write a Cookie policy

You won’t be able to use a cookie consent tool with your Etsy shop. And you won’t need to! Etsy’s built-in cookie consent options will also apply to the cookies we can set by turning on advertising or analytics in our shop settings.

We should still summarise the cookies used that we have some control over: Google AdWords, Facebook (ads) and Google Analytics.

We also need to include some information according to the terms of these tools. If you’ve turned on Advertising Features in Google Analytics to use demographics reports or remarketing, see my example policy.

Option 2:

Use a Privacy Policy generator

There are lots of specific privacy policy templates out there. There are also some services that generate a policy just for you, based on the information you provide.

Iubenda Privacy & Cookie Policy Generator

I recommend this specific tool because it’s automatically updated as laws change, around the world. They do this with their team of supporting lawyers.

I personally use this tool and you can see the privacy policy they generate for me here.

The free version lets you include up to 4 built-in methods of collecting data. For your shop, this might cover:

  • Taking payments in general
  • Using PayPal (specifically)
  • Using MailChimp
  • Using Google Analytics

You could even use Iubenda with Etsy by simply including a link to the Iubenda policy in your Etsy policies!

Why go pro?

Heads up: I quickly ran out of free methods. You’d be surprised how many things you need to include!

Their Pro version is $27 USD per year, which also includes an automatically generated, optional Cookie Policy. (This is probably one of the cheapest subscriptions you’ll have for your business!) With the Pro version, you can also add completely custom clauses, just in case their generated policy doesn’t cover everything you need to mention.

This is an affiliate link: you can get 10% off your first year and I’ll receive a small bonus.

SERIES: Data Privacy for Makers

These days, the internet is constantly abuzz with talk about data privacy. From Facebook scandals, to updated Privacy Policies, to new laws: it’s everywhere! So it’s perfect timing to get to know your obligations as a business owner, for the data you collect and store for your customers, contacts and website visitors. 🤩Quick Feedback How…

Continue reading


Quick Feedback

How useful was this article?

Click on a star to let me know!

I'm sorry this post wasn't useful for you!

Please tell me what's missing or confusing so I can fix it.

Your comments are anonymous and private.

Comments (2)

Nice article!

I just got a lawyer to create a compliant privacy policy for my Etsy shop. I thought this would be useful for other sellers as well, so I hired him a couple of hours more to make it a template and created a free privacy policy generator:


It was created by a licensed US lawyer. If you’d like, feel free to give it a try – it’s 100% free! All feedback is welcome 🙏

Leave a Reply

Your email address will not be published. Required fields are marked *