Because tracking the customer requires collecting and using some of their private information, most countries around the world have laws in place that mean you can’t simply collect and use private customer information without telling them.
For example, in the US, the California Online Privacy Protection Act 2003 (CalOPPA) is the main law on data privacy. CalOPPA requires you to have an easily found and distinctive link to your Privacy Policy, which must outline:
- The kinds of information gathered by the website
- How the information may be shared with other parties
- The policy’s effective date and a description of any changes since then
- How you deal with “do not track” requests
- The process the user can use to review and make changes to their stored information
In the EU, the law is stricter: the EU Data Protection Directive is currently in force, and the EU Data Protection Regulation is coming into law soon. Under the Directive, you need to comply whenever your website or software collects or processes “personal information”. By using remarketing products, you’ll be collecting and processing “personal information” in the form of browsing history, identity, IP address, and possibly the user’s location, among other things.
If you are an EU-based company collecting this information, the Directive sets out a number of principles and criteria that you need to comply with. For instance, you should:
- Identify who is collecting the data
- Notify your users of what information you are collecting, and why
- Ensure that data is collected only for specified, explicit and legitimate purposes
- Ensure that any data collected is adequate, relevant and not excessive
- Ensure that data collected is accurate
- Allow users to view what data you hold on them and allow them to change or update it
- Notify your users of who else can view the data you hold on them
- Keep the data safe and secure
The new Regulation will no longer apply only to EU-based companies; it will apply to anyone dealing with the data of EU citizens.
If you are running an ecommerce store in the US, it’s likely that you will have customers from California, which means you need to comply with CalOPPA. If your ecommerce store is more international, note that EU law is one of the strictest privacy laws around; if you comply with EU law, you’ll likely be meeting the standards of many other laws around the world as well.
The best way to notify your customers is by way of a Privacy Policy. Let’s take a look at what you need to include.