I consent to … or data protection in e-commerce
26 November 2024 / Articles
📌 Running an online shop without processing customers’ personal data is impossible. Or rather, not only impossible, but also devoid of much sense. What you simply need to know is that such processing is regulated by the EU Data Protection Regulation (RODO) and involves, among other things,collecting, recording, storing, amending, sharing and deleting your customers’ data. You’ve certainly heard of RODO – since it’s in force (2018), information clauses can literally jump out even from the fridge.
So, wanting to be legally compliant, you need to remember to include in your e-commerce:
- an information clause/privacy policy,
- and, in some situations, consent clauses for data processing.
As a trader, you must inform your customers that you are processing their data at the latest at the time you collect the data, or in due time if you obtain the data through a third party. In practice, you can do this at the stage of creating an account, placing an order, sending an enquiry via a contact form or subscribing to a newsletter, among other things.
📌 You have various options for implementing the information obligation, you can, for example:
- include all (complete) information at each data collection point, or
- place short references in the aforementioned places redirecting you to the privacy policy, which will describe in detail the data processing processes within your shop.
👉 In practice, the second solution is most often chosen. It is simpler and definitely reduces the amount of text placed in each place where a customer can share their data with you.
Remember that taking consent for data processing is not always necessary or justified, and sometimesit is a mistake. In e-commerce shops, it is common to see consent checkboxes for processing personal data, e.g. to process an order placed. However, such an action is not correct. The regulations provide for various grounds for data processing – one of them being the necessity for the performance of the contract, i.e. precisely the delivery of the goods ordered by the customer. In this case, taking additional consent for the same will generate more problems than good for you.
For what purposes can you use customer data? 💻
Customer data is usually processed for account creation, order processing or statistics and marketing activities. In doing so, the regulations are quiteflexibleand do not define specific possible processing purposes.
📲 However, you should remember that your customers’ data:
- are not collected ‘for back-up’, but only for explicit and legitimate purposes that you define at the time of collection;
- are only collected to the extent necessary to fulfil the purposes, i.e. do not collect more data than you actually need;
- kept no longer than necessary;
- were secure – most high fines (yes, there are fines for breaches of RODO and they can be very high) are due to security breaches, which in addition can be fatal to your image and customer trust. Of course, the customer should be aware of the purposes for which you are processing their data. Inform him or her by placing a so-called information clause at the point where data collection starts.
📌 How to ‘slim down’ the purchase path to sell more effectively
Creating a user-friendly purchase path and eliminating excessive content is your goal. Keep consents as short as possible and shorten the required information obligations. This will help customers stay on your shop page longer and fill up the virtual shopping cart.
Regulations require a lot of different content to be included in the purchase path. However, you can simplify them by avoiding complicated legal language. Your customer will appreciate simple and understandable messages.
Example
The regulation requires you to collect consent for ‘the use of telecommunications terminal equipment for direct marketing purposes, in the form of text messages sent to the mobile phone number I have provided below, in accordance with the Telecommunications Law of 16 July 2004 (Journal of Laws No. 171, item 1800)’.
You can simplify the content to, for example, ‘I agree to receive newsletters in the form of SMS to the telephone number provided’.
Do you see the difference? 🧐
You have more options like this, if only when communicating the information clause required by RODO. You can include only brief references/hyperlinks at the data collection points linking to the comprehensive information provided, for example, in the privacy policy tab. Don’t let the data processing information take over the purchase path!
New sales channels, same consents and customer accounts
Yes, yes it is possible, however you must verify the documents you have and make sure they cover the planned activities. However, if the agreement you have concluded with the customer only concerns the maintenance of an account within a service available at a specific address, the launch of an account on a mobile app will require an adaptation of the consent and therefore an amendment to the terms and conditions. Once the consent has been extended accordingly, the customer will be able to use the account on the mobile appwithout having to register again.
The second document to review, besides the terms and conditions, is the information clause provided to the customer previously under the RODO. Make sure that the information in it was universal enough to also cover this channel. If not then it should be supplemented.
👉 Data collected in e-commerce versus stationary business
You may be wondering whether you can also use the data collected in your e-commerce shop for your stationary shop activities. The answer is yes. For example, you have launched a loyalty programme that entitles you to discounts, promotions or rewards received in the stationary shop, you can also include purchases made in the online shop. You want to carry out other marketing activities in stationary shops based on consents collected in the online shop, this is also possible. The current regulations favour such solutions.
👉 Usually, the consents obtained in e-commerce for data processing for marketing purposes are sufficient to be able to organise marketing campaigns also in the stationary shop.
The same is true for newsletter consent. You have consent for a newsletter concerning your online shop then you can include information about your stationary business in it. The idea is to obtain consent for a ‘general’ newsletter promoting your goods or services. Make sure that the information provided to the customer is asuniversalas possible – do not include provisions that limit the planned activities only to the online shop. This is important because the customer needs to know that his or her data collected in the online shop is also processed for stationary business purposes.
Too many consents, data and clauses? Not a problem, contact LBKP, the experts in new technology law who have prepared the legal section of our guide. They will be happy to answer your questions.
Need help with this topic?
Write to our expert
Articles in this category
Cyber Monday – how not to get ripped off? Cyber security for e-commerce customers
Cyber Monday – how not to get ripped off? Cyber security for e-commerce customers🛒 Mr buy, Mrs buy – consumer rights vs. B2B sales
🛒 Mr buy, Mrs buy – consumer rights vs. B2B salesThe internet has no borders – or the legal issues of selling services and products abroad
The internet has no borders – or the legal issues of selling services and products abroadDr Wojciech Lamik nominated in the Rising Stars 2024 competition
Dr Wojciech Lamik nominated in the Rising Stars 2024 competition