First, let’s look at two of the main jurisdictions that you may be in if you’re using the PinnacleCart solution for your eCommerce store.
In the US, there is no federal data privacy law that applies in a general sense. There is a health information privacy law (HIPPA) that applies federally, but the broadest data privacy law for online privacy is a state law: the California Online Privacy Protection Act. This act requires that you display a Privacy Policy clearly and prominently on your website, and that your Privacy Policy covers:
- The kinds of information your website or online marketing tactics collect;
- How the information may be shared;
- The process your customers can follow to review and change the information you have on them;
- How you respond to “do not track” requests; and
- The policy’s effective date and a description of any changes since then.
The EU is significantly stricter, and covers data protection in its EU Data Protection Directive. This Directive requires that any businesses based in the EU can only process “personal data” of customers if consent has been given for the processing of that data, or the processing is necessary for fulfilling a contract or legal obligation that the person is party to. For eCommerce stores, you would need to get consent.
“Personal data” can include:
- Location;
- Identity of the data subject; and
- Credit card and banking data.
For example, when a person purchases something from an eCommerce store, the store will require that person’s name, address, phone number, email address, and credit card details.
Your Privacy Policy also needs to detail:
- Your identity;
- The purpose or purposes for which you are collecting the data;
- The recipients or categories of recipients of the data,
- The existence of your customer’s right of access to and the right to rectify the data
- That you guarantee fair data processing in respect of the data subject.
The EU also has a new law coming into place, the EU Data Protection Regulation (the Regulation). The Regulation will cover the whole EU region in a more cohesive manner than the Directive, and will mean that individual states do not need to implement their own laws for it to take effect. It will also apply to anyone dealing with the personal data of EU citizens, and you won’t need to be a business based in the EU for it to apply to you.