Privacy Policies, GDPR, Cookie policies, refund policy, return policy... the list is endless. How do you comply with all these laws?
The information provided below is meant as general knowledge and should NOT be taken as legal advice. Always confirm with local authorities the exact legal obligations of your business online.
Online sales can be a legal nightmare
The list of policies one could write is endless but in this article, we'll try to address the most common ones.
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and yet, almost three years later, many businesses still don't understand it.
The law is simple:
If you store or process personal data in any way, you need a lawful basis for doing so. Consent is the most common basis, but it is not the only one.
A very common misbelief is that everyone needs that annoying popup asking visitors to consent to data collection. In reality that is NOT true. If your website doesn't collect any personally identifying information, GDPR doesn't apply to you. Be careful with that assessment, though: IP addresses in server logs and the identifiers set by analytics tools count as personal data.
GDPR also provides (paraphrasing Article 6, which lists the lawful bases for processing):
"If you have a legal obligation to collect the data and the user is told about it, you do NOT need to pro-actively obtain consent."
Another common misbelief is that you need to obtain consent merely to use third-party software on your website. What matters is not who wrote the software but whether it processes your visitors' personal data, for what purpose, and on what lawful basis. Where a third party processes that data on your behalf, GDPR requires a data processing agreement with them; where it sets tracking cookies, the cookie consent rules apply regardless of who set them.
One last misbelief is that you need a separate, active consent step to collect information such as an email address. Consent is indeed required, but it doesn't have to take the form of a popup or a checkbox: any clear affirmative action by a user who has been told what the data will be used for counts (pre-ticked boxes and silence do not). For an email capture form it is enough to state how the address is going to be used; by submitting the form the user is actively giving consent.
"By signing up through this form, you are consenting to receive marketing material from XYZ ltd."
What is mandatory?
Whether you need to acquire consent or not, there are still some things you need to adhere to if you want to be GDPR compliant.
- The right to be forgotten - You need to be able to completely delete a user's information, or anonymize it, unless you are legally obliged to keep some of it (accounting records, for example).
- The right to update - You need to be able to correct or update a user's information when they ask.
- The right to access - You need to be able to present all the information you hold about a given user when they request it, including what it is used for and whom it has been shared with.
- Data Protection Officer - A DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data. Every business, however, has to publish contact details for privacy requests, and if you do appoint a DPO their contact information has to be public.
An example of this can be found on the Lifeboat's website: https://lifeboat.app/privacy
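The right to be forgotten is the one of these rights that usually needs real engineering, because "delete everything" collides with the obligation to keep invoices. The following is an added example, not Lifeboat's code or anything taken from the privacy page linked above. It assumes a simple customer and order model, a retention window of ten whole calendar years for invoices (the real figure depends on your country's accounting rules), and that an invoice must keep its number, date and amount but not the delivery address. The export function covers the right to access with the same data.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, asdict, replace
from datetime import date

# Assumed for this example: invoices must be kept for this many whole
# calendar years after the year they were issued. Check your own jurisdiction.
RETENTION_YEARS = 10


@dataclass(frozen=True)
class Customer:
    id: int
    email: str
    name: str
    phone: str
    marketing_consent: bool
    erased: bool = False


@dataclass(frozen=True)
class Order:
    id: int
    customer_id: int
    placed_on: date
    total_cents: int
    invoice_no: str
    shipping_address: str


def anonymize_customer(customer: Customer) -> Customer:
    """Irreversibly strip personal data while keeping the row (orders still point at it).

    A random token is used instead of a hash of the e-mail: e-mail addresses have
    little entropy, so a hash could be reversed by guessing and would only make
    the record pseudonymous, not anonymous.
    """
    token = secrets.token_hex(8)
    return replace(
        customer,
        email=f"erased-{token}@invalid",  # keeps NOT NULL / UNIQUE constraints satisfied
        name="",
        phone="",
        marketing_consent=False,
        erased=True,
    )


def within_retention(order: Order, today: date) -> bool:
    """True while the (assumed) accounting rules still oblige us to keep the invoice."""
    return today.year - order.placed_on.year <= RETENTION_YEARS


def process_erasure_request(
    customer: Customer, orders: list[Order], today: date
) -> tuple[Customer, list[Order]]:
    """Apply a right-to-erasure request.

    Returns the anonymized customer and the orders that survive. Orders of this
    customer outside the retention window are deleted outright; orders inside it
    are kept for the legal obligation but stripped of the personal data the
    invoice itself does not need (assumed here: the shipping address).
    Other customers' orders are untouched.
    """
    kept: list[Order] = []
    for order in orders:
        if order.customer_id != customer.id:
            kept.append(order)
        elif within_retention(order, today):
            kept.append(replace(order, shipping_address=""))
    return anonymize_customer(customer), kept


def subject_access_export(customer: Customer, orders: list[Order]) -> dict:
    """Everything held about one customer, as a plain dict ready to serialise."""
    return {
        "customer": asdict(customer),
        "orders": [asdict(o) for o in orders if o.customer_id == customer.id],
    }
```

Keeping the customer row (with its personal fields blanked) rather than deleting it means foreign keys from retained invoices stay valid, and a repeated request for the same person is idempotent. If you also need to make sure the person is never emailed again, that is a separate suppression list with its own legal basis, not a reason to keep the email address on the customer record.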
Refunds and Returns
Another common policy found on e-commerce websites is Refunds & Returns. Even though it is not obligatory in every country, we still recommend having one on your website.
This policy needs to outline how you handle requests for refunds and returns.
"We accept returns if they are returned in their original packaging within 7 days of order delivery date."
Cookie Policy
This is a relatively old policy, which varies slightly from country to country; the basics, however, remain the same:
- How are they used?
"We do not store or process any personal information in cookies."
Do you sell tobacco? Alcohol? Gambling-related items? Adult items? Guns or ammunition? This applies to you.
Even though online sales of these categories are permitted in some countries, they come with additional obligations. The most common one is that you neither market nor sell these items to people below a specified age.
The most common approach is a popup that blocks access to the website until the visitor's age is verified.
Such popups are easily circumvented: the check runs in the visitor's browser and the result is usually remembered in a cookie, both of which the visitor controls, so they offer no reliable way to confirm a visitor's age or location. For such merchandise, we recommend verifying age on the server during the checkout process, before the order is accepted, and recording with the order how it was verified. We also recommend having a clear policy on your website explaining why under-age visitors cannot purchase from your store and how you prevent such sales.
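To make the difference concrete, here is an added example (not Lifeboat's code) of the two checks side by side. The first is what the popup approach boils down to once the browser has set its own cookie; the second is a server-side checkout gate that computes age from a date of birth and never consults that cookie. The minimum ages, the category names and the cart format are assumptions for the example; the real figures depend on the product and the jurisdiction you ship to.

```python
from __future__ import annotations

from datetime import date

# Assumed minimum ages per restricted category; not legal figures for any country.
MIN_AGE = {"tobacco": 18, "alcohol": 18, "gambling": 18, "adult": 18, "ammunition": 21}


def client_gate_allows(cookies: dict[str, str]) -> bool:
    """The popup check, reduced to what the server actually sees.

    The browser sends back a cookie that the visitor's own browser set (or that
    the visitor typed into the developer tools). Anything derived from it is
    attacker-controlled, so it can decide what to display, never whether to sell.
    """
    return cookies.get("age_verified") == "1"


def age_on(dob: date, on: date) -> int:
    """Whole years of age on a given date.

    A 29 February birthday counts as completed on 1 March in non-leap years,
    so the leap-day edge case cannot make someone a year older too early.
    """
    years = on.year - dob.year
    try:
        birthday = dob.replace(year=on.year)
    except ValueError:  # 29 Feb in a non-leap year
        birthday = date(on.year, 3, 1)
    if on < birthday:
        years -= 1
    return years


def checkout_blockers(cart: list[dict], dob: date | None, on: date) -> list[str]:
    """Server-side decision taken when the order is submitted.

    Returns the restricted categories in the cart that the buyer is not old
    enough for; an empty list means the order may proceed. Without a date of
    birth every restricted item blocks. The cookie is deliberately not an input.
    """
    blockers: set[str] = set()
    for item in cart:
        category = item.get("category")
        if category not in MIN_AGE:
            continue
        if dob is None or age_on(dob, on) < MIN_AGE[category]:
            blockers.add(category)
    return sorted(blockers)


if __name__ == "__main__":
    # Constructed sample cart for the example.
    cart = [
        {"sku": "WINE-01", "category": "alcohol"},
        {"sku": "AMMO-9MM", "category": "ammunition"},
        {"sku": "BOOK-42", "category": "books"},
    ]
    print("popup says:", client_gate_allows({"age_verified": "1"}))
    print("checkout blocks:", checkout_blockers(cart, date(2005, 1, 1), date(2025, 1, 1)))
```

Where the date of birth comes from is the remaining weakness: a self-declared value is only marginally better than the popup, so for the categories above it should come from an identity document or an external verification service, called server to server, with the method and result stored on the order so you can show later how the sale was checked.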
Take privacy seriously
Even though we debunked quite a few common misbeliefs in this article, privacy should still be treated as an important pillar of your online sales.
Data leaks, unnecessary data collection and similar missteps can quickly turn into a legal and PR nightmare, so don't take risks: collect only the data you need, because data you never stored cannot leak.
How does Lifeboat protect me?
Unlike other platforms, Lifeboat takes data privacy and security extremely seriously.
Data Leak Mitigation
- We isolate each online shop in software and hardware, so if one shop is compromised the others using Lifeboat are not affected.
- Each shop comes with its own dedicated database, which is not reachable from outside its network.
- Each shop's database is secured with multiple layers of firewalls and rotating passwords, and is constantly monitored for abnormal activity.
- Regular penetration testing is performed on all systems
- Access to the data is limited
- All communications are encrypted
- Cardholder information is not stored within our system
We hope this article was helpful; if it was (or wasn't), let us know in the comments below.