There are a lot of discussions these days about privacy and personal data protection laws, but how does that apply to your ecommerce business?
Since the topic has been trending, especially after the creation and enforcement of laws that regulate the protection of personal data, such as the European General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA) in the United States, many consumers have started to pay closer attention to how companies use their data.
For example, on an ecommerce website, if a seller wants to be able to complete the sale and deliver the products purchased online, they will have to collect and store certain personal data, such as:
- Email address;
- Identification document;
- Credit card data.
The seller should also state the legal basis used for processing the customers’ personal data. In this case, the processing will be deemed necessary for the fulfillment of the sales agreement executed by the parties, since collecting and using that personal data is inherent to completing the obligations of the agreement.
Goodbye, complicated and hard-to-understand policies!
Gone are the days of long, confusing or complex policies that the consumers had a hard time understanding. Nowadays, the recommendation is that the ecommerce business should provide a policy that:
- Is clear about how users’ and consumers’ personal data is collected, processed and handled;
- Clarifies whether the data is shared with third parties and, if so, for what purposes and who these third parties are;
- Establishes how long the data is kept by the platform, for what reasons and when it will be deleted;
- Clarifies the users’ and consumers’ rights and how to exercise them;
- Applies design techniques to make it easy to read and understand.
The seller should try to understand how personal data flows within the platform, mapping which data is collected, so that the policy they write matches their internal processes. They should also check how the service providers with whom the personal data is shared process that data. Finally, to make the policy text easy to understand, spelling out and even explaining the meaning of some common terms (such as data subject, controller, processing and processor) may be a good idea.
Here at VTEX, we make much of this information available to our clients on the VTEX Trust Hub.