If you have an e-commerce store, you must have a privacy policy that tells website visitors what personal information you collect and how it may be used.


If you sell products or services online in Canada, you’re not alone. Canada is the ninth largest market for e-commerce, with an expected increase of over 19 per cent in 2023. Many business owners have opened online shops to expand their potential customer bases.

As an online seller, you’re gathering personal information from customers when they complete a transaction and other online interactions. As a business owner, you have a responsibility to take reasonable precautions to protect that information and to share those details in a privacy policy posted on your website.

Let’s examine why a privacy policy is necessary, what it covers and what you should know to develop one for your e-commerce business.

What is a privacy policy?

A privacy policy is a detailed statement that outlines your intentions and responsibilities regarding any information you collect directly or indirectly from website visitors. It’s critical that your website have this policy posted: PIPEDA’s openness principle requires organizations to make information about their personal-information policies and practices readily available, and a clear policy protects both you and your customers.

The collection of personal information is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Some provinces (Quebec, British Columbia and Alberta) have private-sector privacy laws deemed substantially similar, in which case the provincial law covers businesses operating within that province.

If your business is federally regulated (for example, a bank, airline or telecommunications company), it is governed by PIPEDA wherever it operates. Schools, universities, hospitals and municipalities are public bodies typically covered by provincial public-sector privacy laws, though PIPEDA may still apply to their commercial activities in certain situations.

Who needs a privacy policy?

PIPEDA applies to “private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity.” It also applies, even in provinces with their own private-sector laws, to personal information that crosses provincial or national borders in the course of commercial activity, which is the normal case for an online store shipping outside its home province.

If you sell products or services online and collect personal information, you absolutely need a privacy policy. Even if you don’t collect data, it’s a good idea to have one because you can clearly outline that fact to your website visitors, who may be curious.

How do businesses collect information?

You may know how you’re deliberately collecting personal information from your website visitors. For instance, you may have a form on your website that allows people to contact you, or you may have a downloadable item that people can access in exchange for providing their email addresses.

But what about third-party services you use, such as an email platform that sends marketing emails, or applications that track your website or social-media marketing analytics? Every script, pixel or embedded widget from another company sends visitor data (at least the IP address, browser details and pages viewed) to that company. Does your website set cookies, and do you know which ones, who reads them and how long they persist? If not, now is the time to get clear on what’s needed to protect you and your customers. It’s very possible you’re collecting more data than you realize.
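A practical way to answer “what is my site collecting?” is to inventory, for one page of your store, every outside host the page makes the browser contact and every cookie the response sets. The script below is an added example, not code from this article or from Postmedia; the store domain shop.example, the HTML page and the Set-Cookie headers are constructed to illustrate the output. Point it at a saved copy of your real page and your real response headers to get the list your privacy policy needs to describe.

```python
"""Inventory what a storefront page exposes: third-party hosts that its
scripts, iframes, images and forms talk to, and the cookies the site sets.
Added example; shop.example, the page and the headers below are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # hypothetical store domain

# Constructed page: a first-party checkout form plus typical embedded services.
SAMPLE_HTML = """<html><head>
<script src="https://shop.example/js/cart.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<link rel="stylesheet" href="https://cdn.shop.example/site.css">
</head><body>
<form action="/checkout" method="post"><input name="email"></form>
<iframe src="https://video.example.org/embed/abc"></iframe>
<img src="https://pixel.example.com/tr?id=1" width="1" height="1">
</body></html>"""

# Constructed Set-Cookie headers as a browser would receive them.
SAMPLE_SET_COOKIE = [
    "session=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_analytics_id=GA1.2.1234567890; Domain=.shop.example; Path=/; Max-Age=63072000",
    "_pixel_id=fb.1.1700000000.123; Domain=.shop.example; Path=/; Max-Age=7776000",
    "cart=empty; Path=/; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
]


class ResourceCollector(HTMLParser):
    """Collects every URL the page tells the browser to fetch or post to."""
    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                 "link": "href", "form": "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)


def same_site(host, first_party):
    """True for the store's own domain and its subdomains (e.g. cdn.shop.example)."""
    return host == first_party or host.endswith("." + first_party)


def third_party_hosts(html, first_party=FIRST_PARTY):
    """Hosts other than the store's own that receive visitor requests."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /checkout
        if host and not same_site(host, first_party):
            hosts.add(host)
    return sorted(hosts)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, {attr: val or True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), attrs


def lifetime_days(attrs, now=None):
    """Days until the cookie expires; 0 for a session cookie."""
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max((expires - now).total_seconds() / 86400, 0)
    return 0


def cookie_findings(headers, long_lived_days=30):
    """Per cookie: its lifetime and the flags a privacy reviewer looks for."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs)
        findings.append({
            "name": name,
            "lifetime_days": round(days),
            "persistent": days > 0,              # survives closing the browser
            "long_lived": days > long_lived_days,  # worth a retention statement
            "secure": attrs.get("secure") is True,
            "httponly": attrs.get("httponly") is True,
            "samesite": str(attrs.get("samesite", "absent")).capitalize(),
        })
    return findings


if __name__ == "__main__":
    print("Third-party hosts:", third_party_hosts(SAMPLE_HTML))
    for finding in cookie_findings(SAMPLE_SET_COOKIE):
        print(finding)
```

Each third-party host in the first list is a company your policy should name by category (analytics, video hosting, advertising pixel), and each long-lived cookie is one whose purpose and lifetime the policy should state. The `secure`, `httponly` and `samesite` columns are not privacy-policy items but belong in the “how we safeguard data” review: a session cookie without `Secure` and `HttpOnly` is exposed to interception and to scripts from any of the third parties in the first list.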

What is considered personal information?

Personal information protected under PIPEDA includes information like a website visitor’s name, age or date of birth, ID numbers, income, ethnicity, blood type, employee files, credit records, medical records and loan records.

Many people don’t realize it also goes beyond those specifics to protect other private information, such as opinions, evaluations, comments, social status, disciplinary actions, the existence of a dispute between a merchant and consumer, and intentions (such as purchasing goods or services or changing jobs).

In practice, treat as personal information any data that can be used to directly identify your website visitors and customers, as well as data points (such as an IP address, device identifier or postal code) that could be combined to identify someone.

What types of information are excluded from privacy law?

Some types of information aren’t protected under these privacy laws because there’s an expectation that they are accessible to the public.

This would include business contact information, including an employee’s name, title, business address, telephone number and email address — provided it is only collected, used or disclosed for business communication purposes.

It also extends to personal information collected for personal use, such as contact information for a greeting card list and information gathered by an organization for journalistic, artistic or literary purposes. Information collected by not-for-profit organizations and charity groups, political parties and associations — provided they are not engaging in commercial activities — is also excluded.

What about anti-spam legislation?

Canada also has laws to help protect people from unsolicited business communications, called Canada’s anti-spam legislation (CASL). Originally, CASL was created to cut down on the amount of unsolicited email marketing consumers received and to help reduce incidences of identity theft, phishing and the spread of malicious software through email scams.

Your business should adhere to CASL, which covers commercial electronic messages generally (email, text messages and social-media direct messages, not just email newsletters): obtain consent before sending marketing messages, identify your business in each message and include a working unsubscribe mechanism. These practices show customers you respect and protect their information by giving them control over how and when you can use their contact details.

Developing a privacy policy for e-commerce

Crafting a privacy policy for your business is not only a way to demonstrate accountability to your customers. It also protects you, because it is where you disclose how you handle personal information and what customers are consenting to when they provide it.

Pro tip: This is a good opportunity to explore what data you’re collecting and consider if you’re comfortable with how it’s being collected, stored and disclosed. If there are gaps, look for solutions to ensure you’re in compliance.

7 steps to create an e-commerce privacy policy

Here are steps you can take to consider all aspects of protecting customer data and craft your own privacy policy:

1. Use plain language

It should be easy for any consumer or website visitor to read and understand. Outline what data is being collected and why (to conduct your business, such as purchases, but also secondary uses like marketing).

2. Be transparent about disclosure

This includes naming the types of third-party companies you share customer data with (payment processors, shipping carriers, email and analytics providers) and where that data may be stored. Let customers know if their data may be stored or processed outside Canada, where it is subject to the laws of that country.

3. Outline how long you’ll keep their information

You should only keep it as long as is necessary for business purposes. If you need to keep it longer for tax or accounting purposes, say so.

4. Let people know how you safeguard data

Your customers want to know they can trust you to do what you can to protect them against fraud and identity theft. Say concretely what you do: for example, whether payment card data is handled by your payment processor rather than stored on your own systems, that the site is served over HTTPS, and that access to customer records is limited to staff who need it. Familiarize yourself with e-business security, privacy and legal requirements in Canada.

5. Include your contact information

Your website visitors and customers should be able to contact someone within your organization with their privacy concerns. PIPEDA requires you to designate an individual accountable for your compliance, so identify clearly who that person is and how to reach them, and provide direct contact information.

6. Display your privacy policy

Your privacy policy should be displayed on a separate page on your website, so it’s easy to find. A smart idea is to link to it in your website footer, so it’s reachable from every page without crowding your main navigation menu, and to link to it again wherever you collect data, such as beside checkout and sign-up forms.

7. Empower your customers by getting consent

Online customers should be able to consent to provide information, refuse to provide it, or change their minds and ask you to remove their data from your systems. They have the right to access that information and challenge its accuracy.

A privacy policy is a vital part of your e-commerce website and your responsibility to website visitors. Whether you’re gathering personal information directly or indirectly, both you and your customers are safer if you are proactive in protecting it.

We’ll help ensure your e-commerce store’s privacy policy covers all the bases. Book a consultation with a Postmedia expert to learn more.