I Hereby Consent to … Personal Data Protection in E-commerce

5 September 2024   /  e-commerce

📌 Running an online store without processing customers’ personal data isn’t just impossible; it’s also impractical. What you need to know is that processing this data is regulated by the EU’s General Data Protection Regulation (GDPR). This includes collecting, recording, storing, modifying, sharing and deleting your customers’ personal data. You’ve likely heard of GDPR—since it came into effect in 2018, those information clauses seem to pop up everywhere, even from your fridge. 

To comply with the law, you must include the following in your e-commerce platform: 

  • an information clause or privacy policy, and 
  • in certain situations, consent clauses for data processing. 

As a business owner, you need to inform customers that you’re processing their data no later than when you collect it, or within a reasonable timeframe if you obtain it through a third party. In practice, you can do this during account creation, when placing an order, submitting an inquiry via a contact form or signing up for a newsletter. 

📌  You have a few options for meeting the information obligation. You can: 

  • provide all the necessary details at each data collection point, or 
  • include brief references at these points that direct customers to your privacy policy, which outlines the data processing procedures for your store in detail. 

👉 In practice, the second option is the one most commonly chosen. It’s simpler and significantly reduces the amount of text at each point where customers may provide their data. 

Remember that obtaining consent for data processing isn’t always necessary or appropriate, and sometimes it can be a mistake. In e-commerce stores, you often see checkboxes for consent to process personal data, such as for order fulfillment. However, this approach isn’t correct. The provisions allow for different bases for data processing, one of which is the necessity to fulfill a contract, like delivering the goods a customer has ordered. In such cases, asking for additional consent for the same purpose can create more issues than benefits. 

For What Purposes Can You Use Customer Data? 💻

Customer data is typically processed for creating accounts, fulfilling orders and conducting statistical and marketing activities. Provisions are quite flexible and do not define specific purposes for data processing. 

 📲 However, you should keep in mind that customer data should: 

  • Not be collected “just in case”, but only for clear and specific purposes that you define at the time of collection. 
  • Be collected only to the extent necessary to achieve those purposes—avoid gathering more data than you actually need. 
  • Be stored only for as long as necessary. 
  • Be kept secure—most significant fines (yes, GDPR violations can result in hefty penalties) come from security breaches, which can also severely damage your reputation and erode customer trust. Furthermore, customers should be aware of how their data will be used. Ensure they are informed by including an information clause at the point of data collection. 

📌 How to Increase Sales by Streamlining the Path to Purchase 

Aim to create a user-friendly path to purchase by minimising unnecessary content. Collect the shortest consents possible and reduce the required information obligations. This will help keep customers on your site longer and encourage them to complete their purchases. 

Although the provisions require various pieces of information along the path to purchase, you can simplify this by avoiding complex legal language. Clear and straightforward messages will be more appreciated by your customers. 

Example 

A provision might require consent for “the use of telecommunications equipment for direct marketing purposes, in the form of text messages sent to the mobile phone number provided below, in accordance with the Telecommunications Law Act of 16 July 2004 (Journal of Laws No. 171, item 1800).” 

You can simplify this to: “I hereby consent to receive SMS newsletters at the phone number provided.” 

Do you see the difference? 😊 

You have similar opportunities for simplification, such as with the GDPR-required information clause. Instead of crowding the path to purchase with lengthy details, you can use brief references or hyperlinks that direct customers to more comprehensive information in your privacy policy. Don’t let data processing information overwhelm the path to purchase experience! 

👉 New Sales Channels, Same Consents and Customer Accounts 

Yes, it’s possible, but you need to check your existing documents to make sure they cover your new activities. If your agreement with the customer only covers an account on a specific website, setting up an account in a mobile app will require updating the consent, which means you’ll need to revise the terms of service. Once the consent is updated, the customer can use their account in the mobile app without having to re-register. 

In addition to the terms of service, review the GDPR-required information clause provided to the customer. Ensure that it’s broad enough to cover the new channel. If not, it will need to be updated. 

👉 Data Collected Online and In-Store Operations 

You might wonder if data collected from your online store can also be used for your stationary stores. The answer is yes. For instance, if you’ve implemented a loyalty program offering discounts, promotions or rewards redeemable in your stationary stores, you can include online purchases in this program. Similarly, if you want to carry out marketing activities in your stationary stores based on consents collected online, that’s also allowed. Applicable provisions support these practices. 

Typically, consents obtained for data processing in e-commerce for marketing purposes are also sufficient for running marketing campaigns in your stationary store. 

The same applies to newsletter consents. If you have consent for a newsletter related to your online store, you can also include information about your stationary business. The goal is to obtain consent for a “general” newsletter that promotes your products or services. Ensure that the information you provide is broad and not limited to just the online store. This is important because customers need to be aware that their data collected through the online store will also be used for purposes related to your stationary business. 

Overwhelmed by consents, data and clauses? No worries. Reach out to LBKP, the new technologies law experts who crafted the legal section of our guide. They’ll be happy to help with any questions you have. 

Need help with this topic?

Write to our expert

Mateusz Borkiewicz

Managing Partner, Attorney at law
