BigCommerce is an eCommerce software company that produces shopping cart software - a program that you can integrate into your website to allow visitors to make purchases.
By turning browsers into buyers, shopping cart software carries out a crucially important function on your website and also handles personal data on your customers' behalf.
Because you'll be working with payment information, using shopping cart software such as BigCommerce on your website is a big responsibility. It means you'll need to take some extra steps to ensure you are being transparent with your customers about how you and BigCommerce keep information safe.
- 1. BigCommerce Users Need a Privacy Policy
- 2. What's a Privacy Policy?
- 3. A Privacy Policy is Required by Law
- 3.1. California
- 3.2. The European Union (EU)
- 3.3. Canada
- 4. A Privacy Policy is Required by BigCommerce
- 5. How to Make Your Privacy Policy Comply with BigCommerce's Terms
- 5.1. Security of Payment Details
- 5.2. Privacy Shield
- 5.3. Security of Browser Information
- 5.4. "Do Not Track" (DNT) Signals
- 5.5. Abandoned Shopping Cart Feature
- 6. Details About Consent
- 6.1. All BigCommerce Users
- 6.2. BigCommerce Users Who Process Sensitive Data
- 7. Your Privacy Policy as a BigCommerce User
BigCommerce Users Need a Privacy Policy
If your company handles personal data in any way - for example by taking customer payments online - you need a Privacy Policy. In many places, a Privacy Policy is mandatory for any commercial business - you are legally required to have one.
What's a Privacy Policy?
A Privacy Policy is your company's opportunity to tell your customers:
- What sorts of personally identifiable information (also called personal data) you collect from them.
- How this data is collected, stored and used.
- Which other organizations or types of organizations you might be sharing this data with.
- How they can request to access or change this data.
A Privacy Policy is Required by Law
Here are some examples of legal jurisdictions that require companies who are processing personal data (anything that can be used to identify an individual) to have a Privacy Policy:
California
The California Online Privacy Protection Act 2003 (CalOPPA) requires companies operating a commercial website to have an easily accessible Privacy Policy. This Privacy Policy must, among other things:
- Explain what sorts of personal information the website collects.
- Explain how users can ask for their personal data to be changed.
- Let users know how changes to the Policy will be communicated.
The European Union (EU)
Privacy law in the EU is highly developed, and the personal privacy of EU residents is strongly protected. The EU's General Data Protection Regulation (GDPR) has applied since 25 May 2018. Companies breaching the GDPR (no matter where they're based) can receive very large fines (up to €20 million or 4 percent of global annual turnover, whichever is higher).
Art. 12(1) of the GDPR states:
"The controller shall take appropriate measures to provide any information [...] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
Canada
The main privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada states that under PIPEDA,
"information about an organization's privacy policies and practices must be readily available to individuals upon request."
A Privacy Policy is Required by BigCommerce
BigCommerce has a Terms of Service agreement, which also incorporates various other policies and agreements. All users of its shopping cart software must agree to these terms.
Let's take a look at BigCommerce's Acceptable Use Policy Section 1.1:
This means that you can only use BigCommerce's software if you obey the laws of whichever country your website is operating in.
Aside from the general legal requirement to display a Privacy Policy, BigCommerce's Privacy Policy (also incorporated into its Terms of Service) states:
So if you want to use a BigCommerce service on your company's website, you need a legally compliant Privacy Policy.
- Click on the "Start the Privacy Policy Generator" button.
- At Step 1, select the Website option and click "Next step":
- Answer the questions about your website and click "Next step" when finished:
- Answer the questions about your business practices and click "Next step" when finished:
- Enter your email address where you'd like your policy sent, select translation versions and click "Generate My Privacy Policy." You'll be able to instantly access and download your new Privacy Policy:
How to Make Your Privacy Policy Comply with BigCommerce's Terms
As we've seen, having a Privacy Policy is essential to comply with many privacy laws. It's also a great way for you to ensure that:
- Your company can be sure that it's keeping its customers' data safe.
- Your company has systems in place so it can fulfil any data access or modification requests.
- Your company appears professional and transparent.
Different privacy laws have different requirements about what a Privacy Policy should cover. Broadly speaking, the GDPR is among the most stringent privacy laws in the world. Therefore, if you want to ensure that your company has an exemplary Privacy Policy, you can aim toward GDPR compliance.
The guidance below covers things that your company should include in its Privacy Policy if it's a BigCommerce merchant (i.e. it uses a BigCommerce store on its website). You may also need to include other information depending on the nature of your company.
Security of Payment Details
BigCommerce's Terms of Service states:
This is important. If your website uses a BigCommerce store then your customers will be handing over their credit card details to BigCommerce.
You'll need to communicate this to your customers to comply with privacy laws.
For example, California's "Shine the Light" law (Cal. Civil Code §§ 1798.83-1798.84) requires companies to disclose, on request, the categories of personal information they have shared with third parties for those third parties' direct marketing purposes, and the identities of those third parties.
Your company must let your customers know that their personal data (for example their credit card information) is being sent to a third party - BigCommerce - who will process it on your company's behalf.
Let's take a look at how toy retailer and BigCommerce merchant ToyWiz handles this in its Privacy Policy:
This is a very transparent approach, which goes above and beyond what is technically required. ToyWiz specifically names BigCommerce and goes to some lengths to reassure its customers about BigCommerce's compliance with data protection regulations.
Hush Puppies, which also uses a BigCommerce store platform, takes a different approach:
Hush Puppies is also very transparent here and lists every type of organization with which it may share customers' data. However, it doesn't name BigCommerce specifically. This is perfectly acceptable, so long as the company is willing to give this information on request.
Privacy Shield
BigCommerce participates in the EU-US Privacy Shield program. In July 2016, the European Commission formally decided that this program was a suitable way of transferring data from the EU to the US. You may wish to mention this in your Privacy Policy if you are serving customers based in the EU. Note, however, that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (the "Schrems II" judgment, Case C-311/18), so it can no longer be relied on by itself as a lawful transfer mechanism; check which mechanism (for example Standard Contractual Clauses) BigCommerce currently relies on before describing it in your policy.
Here's how BigCommerce user Brock's Performance addresses this in its Privacy Policy:
Security of Browser Information
Privacy laws have implications for your use of your customers' browser information via tools such as cookies. Recital 30 of the GDPR explains why:
"Natural persons may be associated with online identifiers provided by their devices, [...] such as internet protocol addresses, cookie identifiers or other identifiers [...]. This may leave traces [...] may be used to create profiles of the natural persons and identify them."
This means that because cookies carry identifiers (session IDs, analytics and advertising IDs) that persist across requests and can be tied to browsing habits and logged-in accounts, they could be used to single out and identify your customers. Therefore, cookies and other browser information can constitute personal data, and thus fall within the ambit of privacy laws like the GDPR.
Let's see what BigCommerce has to say about how it treats your customers' (who BigCommerce calls "Shoppers") browser information. This information is presented in BigCommerce's Privacy Policy.
BigCommerce is clear that they do process browser information via their shopping cart software. This means that if you have a BigCommerce store on your website, your Privacy Policy must mention that your customers' browser information will be processed.
Ford UK uses the BigCommerce platform. While BigCommerce is not specifically mentioned in its Privacy Policy, Ford UK has an extremely comprehensive approach to communicating information about its use of cookies. It provides its own Cookie Policy:
Ford UK's Cookies Policy helpfully explains how customers can disable cookies:
Here's how BigCommerce merchant Andie Swim explains its use of cookies in its Privacy Policy:
Here's another example from BigCommerce merchant CharliChair:
"Do Not Track" (DNT) Signals
Some browsers contain a setting known as Do Not Track (DNT) which, when enabled, signals the user's preference not to be tracked via cookies and similar mechanisms. The signal is sent as the HTTP request header "DNT: 1" and is also exposed to page scripts. No general law in the US or the EU currently requires websites to honor DNT signals.
CalOPPA, however, requires that companies:
"Disclose how the operator responds to Web browser "do not track" signals [...]"
BigCommerce complies with this requirement in Section 10 of its own Privacy Policy:
Because BigCommerce states (earlier in this section) that their non-acknowledgement of DNT signals applies both to their website and their services, you'll need to include reference to this in your Privacy Policy if you need to ensure compliance with CalOPPA.
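Whatever you state in your policy must match what your storefront actually does. The following is an added example, not code from the original article or from BigCommerce, showing how a merchant's own page scripts and server code can read the DNT signal and gate optional tracking on it. It assumes a hypothetical `trackingDecision` helper that you call before loading your own analytics or advertising tags; it cannot change how BigCommerce's platform scripts behave, which is why the page above says you must still disclose BigCommerce's non-acknowledgement of DNT.

```javascript
// Added example (not BigCommerce code): honour the browser's Do Not Track
// signal for a merchant's own optional tracking scripts.
//
// Browsers expose the DNT preference inconsistently:
//   navigator.doNotTrack   -> "1", "0", "unspecified" or null (Chrome, Firefox, Edge)
//   window.doNotTrack      -> "1" / "0"                      (Safari 7.1.3+, IE 11)
//   navigator.msDoNotTrack -> "1" / "0"                      (IE 9-10)
// Older Firefox versions reported "yes" / "no" on navigator.doNotTrack.
//
// `env` is an object with `navigator` and `window` properties, passed in
// explicitly so the function can be exercised outside a browser; in a page
// you would call dntEnabled({ navigator, window }).
function dntEnabled(env) {
  const nav = (env && env.navigator) || {};
  const win = (env && env.window) || {};
  const candidates = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack];
  // Any explicit "1" / "yes" means the user has asked not to be tracked.
  // null and "unspecified" mean no preference was expressed.
  return candidates.some((v) => v === "1" || v === "yes");
}

// Server side: the same preference arrives on every request as the DNT
// header. Node's http module lower-cases header names; a constructed header
// object is accepted here so the function runs stand-alone.
function dntHeaderEnabled(headers) {
  const h = headers || {};
  const value = h.dnt !== undefined ? h.dnt : h.DNT;
  return String(value).trim() === "1";
}

// Hypothetical gate: "skip-optional-tracking" when either signal is set,
// otherwise "load-optional-tracking". Essential cookies (session, cart) are
// unaffected; only optional analytics / advertising tags should be gated.
function trackingDecision(env, headers) {
  const optOut = dntEnabled(env) || dntHeaderEnabled(headers);
  return optOut ? "skip-optional-tracking" : "load-optional-tracking";
}

// Constructed sample inputs, as a browser or server would see them.
const sampleBrowser = { navigator: { doNotTrack: "1" }, window: {} };
const sampleRequestHeaders = { host: "shop.example", dnt: "1" };
console.log(trackingDecision(sampleBrowser, {}));          // skip-optional-tracking
console.log(trackingDecision({}, sampleRequestHeaders));   // skip-optional-tracking
console.log(trackingDecision({ navigator: { doNotTrack: "0" } }, {})); // load-optional-tracking
```

If you adopt this, your Privacy Policy can truthfully say that your own tags respect DNT while the BigCommerce platform does not; if you do not, say so plainly, as CalOPPA requires only that the response be disclosed, not that the signal be honored.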
Abandoned Shopping Cart Feature
Imagine the following scenario: a customer is shopping on your company's website. He creates an account, finds a product he's interested in and clicks "Add to Cart." Then his phone rings, or his baby starts crying, or his boss looks over his shoulder, and he abandons the purchase.
BigCommerce has a helpful service where it will email a customer who has abandoned a shopping cart to remind them to complete the purchase. You might be wondering if this complies with the GDPR and other data laws, which have been interpreted as requiring a strong opt-in for receipt of direct marketing emails.
BigCommerce addresses this in its GDPR information and FAQs:
Here's how BigCommerce merchant Mineheart explains this in its Privacy Policy:
Details About Consent
Privacy laws require companies who are processing certain types of personal data to seek consent from their customers. The GDPR is well-known for being strict about how and when companies must gain the consent of their customers. You should comply with a high standard of privacy even if you don't have customers in the EU.
All BigCommerce Users
BigCommerce requires all of its merchants to seek consent to process the personal data of their customers, under Section 3.1.b of its Privacy Policy:
The UK's data protection authority, the Information Commissioner's Office (ICO), publishes guidance about what UK companies should include in a GDPR-compliant Privacy Policy.
They offer this advice:
This is how BigCommerce merchant Stamp'n'Storage displays the information about consent in its Privacy Policy:
BigCommerce Users Who Process Sensitive Data
Certain types of personal data are known as sensitive personal data or special category data. There is no fixed definition of what constitutes Sensitive Personal Data under US law, but it is clearly defined in Article 9 of the GDPR:
"racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation [,...]"
BigCommerce explicitly mentions merchants that collect sensitive personal data and requires them to obtain affirmative, explicit and informed consent, as well as allow shoppers to revoke their consent:
Here's how Carlsberg explains its policy on processing sensitive personal data:
You will need to provide contact details via which your customers can revoke (withdraw) their consent, or make other requests regarding their data. This can be your Data Protection Officer (DPO) if you have one, or just your general contact details if you don't.
Your Privacy Policy as a BigCommerce User
To use a BigCommerce store on your company's website, you'll need to display a Privacy Policy which:
- Is compliant with the privacy law of whichever countries or jurisdictions you're operating in.
- Lets your customers know that their personal data will be shared with a third party.
- You don't need to specify that this third party is BigCommerce, but there's no reason not to.
- Explains the way that BigCommerce uses their browser information such as cookies.
- You should mention how your store handles Do Not Track signals, especially if you serve California residents.
- You should mention that your customers can opt out of the Abandoned Shopping Cart feature, especially if you serve EU citizens.
- You should seek consent from your customers to process their personal data, and explain this in your Privacy Policy.
- If your company processes sensitive personal data, you should explain your basis for doing this.
- You should explain that it is possible for your customers to withdraw their consent, and provide your company's contact details in case they wish to do this.