Now that we’ve looked at advertising in Part 1, it’s time to consider the situations in which you may be directly contacting your customers to advertise or market your products, and collecting their information to do so.
Collecting customer information will be done in different ways online and offline, and has a number of different legal and privacy issues tied up in it that you need to consider. Let’s take a look.
Privacy issues when collecting customer information
Most countries around the world have some kind of privacy legislation in place that governs how you should collect personal information, store it, and protect it. These laws also usually set out what you need to tell your customers when you are collecting their information, such as the fact that you are collecting information, what you are collecting, and what you will do with that information.
Let’s examine a couple of pieces of legislation, from the U.S. and from the U.K.
So, what is the law?
The U.S. doesn’t have an overarching privacy law like many other countries, but they do have specific privacy legislation that applies to areas such as health information privacy (HIPAA) and protecting the private information of children (COPPA).
However, another piece of legislation, the California Online Privacy Protection Act of 2003, requires that your privacy policy on your website must outline:
- The types of data gathered,
- How the data may be shared with other parties,
- The process your customer can follow to review and make changes to the data you have on them, and
- The policy’s effective date and a description of any changes since then.
If you run an online store and are based in the U.S., it is highly likely that you have Californian customers over the internet, so it pays to comply with the Californian state law. If you have international users, you may also need to comply with E.U. and U.K. law, as well as the laws in other countries where you anticipate you may have customers.
The U.K. follows what is called the EU Data Protection Directive 1995, which sets out seven principles of data collection:
- Notice: Users should be given notice when their data is being collected
- Purpose: Data should only be used for what you say you will use it for
- Consent: User data should not be shared without your users’ consent
- Security: Collected data should be kept secure
- Disclosure: Users should be informed about who is collecting their data
- Access: Users should be allowed to access their data and make corrections to any inaccurate data
- Accountability: Users should have a method available to them to hold data collectors accountable for not following the above principles
Now, let’s look at how to comply with these laws in practice, both offline and online.
Offline data collection
In store, one of the main ways in which you might collect data is by asking your customers to sign up for a membership club or loyalty program.
Some of the information you might usually collect through a loyalty program could be customer name, mailing address, email address, cellphone number, or even their date of birth. This is all “personal information” for the purposes of most privacy legislation around the world.
To make sure that you comply with the privacy legislation in the U.K., make sure that you have a privacy policy for your business that your customers can access. In the U.S., while there is no privacy legislation that covers this kind of collection, it gives your customers confidence if you have policies in place to protect their personal information.
A privacy policy is a legal statement that explains how customer or user data is collected, used, managed, and disclosed. The privacy policy also explains to the customer how their privacy and personal information will be protected.
Your privacy policy should outline:
- What information you are collecting;
- Why you are collecting it;
- What you will use the information for;
- How you will keep the information secure;
- When you might release the information, and to whom;
- How your customers can amend or correct the information you hold on them; and
- What dispute resolution procedures are in place if there is a disagreement.
Online data collection
One of the most important legal steps you need to take when you set up a branch of your business online is to include a privacy policy on your website.
Your privacy policy on your website, like your offline policy, needs to contain the types of information listed above. As well as that information, some of the unique types of information that you may collect online (that you wouldn’t collect offline) are:
- customer’s internet domain;
- IP address;
- when your website was accessed;
- type of browser and operating system used;
- pages visited; and
- what site the customer came from.
Web forms will also be collecting user data, and if you use something like Google Analytics, even more data will be gathered behind the scenes.
You need to make sure that your privacy policy, whether online or offline, covers every type of information listed above, and is updated whenever anything changes.
Gaining customer agreement to your privacy policy
Both online and offline there are two ways of gaining agreement to your privacy policy: express agreement and implied agreement. Online, these are known as clickwrap (express agreement) and browsewrap (implied agreement).
Implied agreement in a physical store is gained by displaying your policies in prominent places, such as on the counter or on the door of your shop. This is usually sufficient for a legal agreement to be made between you and your customers, as long as you make sure that the policies are displayed in places where they will be brought to your customers’ attention and they will have plenty of opportunities to read them.
Express agreement is a stronger method of agreement, as it would be where your customer has explicitly signed or ticked a box saying “I agree to the privacy policy.” To implement this in practice, ask your customers to fill out a membership or loyalty form when they sign up with your store, rather than just taking their information. On the form you can ask them to tick a box or sign to say that they agree to your privacy policy.
Online, a browsewrap (implied agreement) method is commonly used by most websites. You have probably seen many websites displaying small links at the bottom of their pages to their Terms and their Privacy Policy. Here’s a visual example of what I mean:
You can see in the Art.com footer that Privacy Policy and Terms of Use are in small writing that is very difficult to see.
Unlike the implied agreement in your physical store, browsewrap methods like this are usually not enough online.
For a browsewrap method to be legally binding online, you need to display your policies prominently and frequently, which means that you can’t just put small links down the bottom. For this method to be effective, you could put the link at the top of the page and highlight it in bold, or with red text to draw your customer’s attention to it. It should also be displayed on every page that the customer visits.
For greater legal protection online, make sure that you use a clickwrap method. A clickwrap method is where you use a tick box (at the end of a web form or when the customer makes a user account), or have a statement above any user account Submit button saying “By clicking Submit you agree to our Privacy Policy and store Terms and Conditions.”
Here’s an example from YouTube of what I mean by using a tick box:
Here’s another example where you can see the clickwrap method is being used with a submit button:
Conclusion
In Part 1, we looked at advertising and how to ensure that you don’t inadvertently mislead your customers. Now, we’ve covered how to get their consent for gathering their information, and how to make sure that you comply with privacy laws and get agreement to your privacy policy.
At TermsFeed, we’ve set up free PDF templates that you can use to get started with a privacy policy agreement if you need to.
Next, Part 3 of this article looks at contacting your customers by email or post.
Does your website use the browsewrap or the clickwrap method?