Surely you have visited many websites and remember a pop-up that asks you about cookies, or more specifically asks for your consent (or not) to the installation of cookies. If you have looked in more detail, you have probably also seen, at the bottom of the page, a link to the privacy and cookie policy and, in some cases, another to the terms and conditions.
And now you may be wondering what you really have to do with all these issues… Or do you already have your website for your online store and have not yet thought about the legal issues due to fear or technical limitations? Perhaps you simply want to understand if what you have done so far is enough.
Either way, you’ve come to the right place.
In this article, we will explain in a detailed and accessible way (I promise, without legal jargon!) the 3 key steps for a website or E-commerce to comply with data protection laws.
And, of course, we will give you some tips that you should not miss!
First, a bit of context. With the entry into force of the General Data Protection Regulation (GDPR), the effects of sanctions by the Spanish Data Protection Agency have increased and, according to GDPR Enforcement Tracker, a monitor of fines and sanctions that data protection authorities have imposed under the EU GDPR, Spain has been, by total number of fines, the number one country with the most sanctions imposed.
Hence the need to pay close attention and take care of your business and interests, making sure you have a website with all these matters in order.
1) A brief overview of the GDPR
The GDPR, or General Data Protection Regulation, which came into force on May 25, 2018, is one of the laws with the most impact in this sector, accompanied by the ePrivacy Directive. In summary, it sets out the principles that must be respected to process personal data lawfully (including its collection, use and protection).
The objective of the GDPR is to reinforce the data protection of all the people whose personal data is within its scope of application, in order to give them back control over it. In force since 2002, the ePrivacy Directive (or Cookie Law) complements the GDPR and is still applicable today. It was designed to implement specific guidelines regarding the processing of data by electronic means, including email marketing and the use of cookies.
1.1. Does GDPR affect you?
This is the first thing to know.
The GDPR generally affects organizations, companies, individuals, public authorities and other entities that:
- are established in the European Union,
- offer goods or services (even free) to people in the EU,
- track the behavior of people in the EU, either directly or through a third party.
Therefore, the GDPR applies to a large number of businesses and professionals that meet the requirements listed above, which means that the GDPR is likely to apply to your business even when you are not established in the EU (even if you manage a small website and not a large company, you must respect all these requirements).
1.2. Do you process personal data?
Most likely, yes. Why? Because under the GDPR, personal data means any data relating to an identified or identifiable living person.
Therefore, this data includes information that, when collected in the aggregate, can identify an individual. For example:
- surname and first name,
- personal email address and IP address,
- location.
1.3. What should I do then?
You must inform your users that you are collecting their data.
Otherwise, you run the risk of incurring economic and/or legal sanctions, not to mention that the credibility of your brand may also be affected.
To do this, you need a privacy policy that contains the following information:
- Who owns the website or app?
- What data is collected? How is it collected?
- On what legal basis is the collection based (for example, consent, necessity for the provision of the service, a legal obligation, etc.)? What are the specific purposes (for example, analysis, marketing, etc.) of the data collection?
- What third parties will have access to the information (for example, through social media widgets)?
- What are the rights of users (access, deletion, blocking of data)?
Remember that the policy must be written in simple language, presented clearly and easily accessible from any page of the website.
In short, a series of legal and technical limitations… What if you need to modify the document (which is normally drawn up by lawyers) later? Please note that a privacy policy is a living document that must be updated as necessary to comply with the law. → You must always be up to date!
TIP: look for online tools that allow you to customize the clauses according to your business in a simple and intuitive way. The laws are constantly changing, and you cannot afford to be unable to update your documents or to pay again each time they need updating.
2) Cookies: what should I do?
You must have a cookie policy and a cookie banner or notice.
Why? Websites often use cookies that can have many purposes, such as providing statistics for analysis purposes, social media buttons or remarketing services, and therefore you must show all this information to your users.
In general, this means that you must have a cookie policy and a cookie management solution.
This means that if you use cookies and have users in the EU, you must:
- inform your users about the use of cookies on your website or app (or by any third-party service used by your website or app);
- explain, clearly and comprehensively, how cookies work and what they are used for;
- obtain informed user consent before installing certain categories of cookies on their device.
You will need to display a cookie banner on a user’s first visit, implement a cookie policy, and allow the user to provide consent. You must not install any cookies (except exempt cookies) until you have obtained the user’s consent.
But what exactly are cookies?
A cookie is a small piece of data that is sent from a website or an application and is often stored on a user’s computer through their web browser. The ePrivacy Directive or Cookie Law requires the informed consent of users before storing certain categories (or types) of cookies on a user’s device and/or tracking it. This typically involves informing the user via a cookie notice, blocking scripts from running before consent is collected, and linking to a full cookie policy.
2.1. How does this affect me?
If you are subject to the ePrivacy Directive or Cookie Law (which is probably the case), you must have a cookie banner that is shown on your website or application on the user's first visit. The banner informs users about the cookies on your website and their rights in this regard, requests their consent, and blocks cookies until that consent has been obtained. In addition, this allows you to create and keep updated a record of the consents collected. Without these records, the collected consents are not considered valid. Additionally, the GDPR requires that you keep a record of each user's consent, which must include when and how it was obtained, the information provided to the user at that time, and the legal conditions applicable at the time consent was acquired.
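The prior blocking and consent record described above, shown as an added example (not code from the original article or from any consent platform). The category names, the record fields, the `subjectId` value and the policy version string are assumptions made for illustration.

```javascript
// Added example: hold back non-exempt cookie scripts until consent, and log each consent.
const EXEMPT = "necessary";                              // assumed name for exempt cookies
const POLICY_VERSION = "cookie-policy-v1 (constructed)"; // assumed version label

function createConsentGate(now = () => new Date().toISOString()) {
  let pending = [];                 // loaders blocked until their category is accepted
  const log = [];                   // append-only consent records
  let granted = new Set([EXEMPT]);  // only exempt cookies are allowed before consent

  // Register a script or cookie setter; it runs only if its category is allowed.
  function register(category, loader) {
    if (granted.has(category)) loader();
    else pending.push({ category, loader });
  }

  // Store when and how consent was given and what the user was told,
  // then release only the loaders in the accepted categories.
  function recordChoice(subjectId, accepted, method, noticeText) {
    granted = new Set([EXEMPT, ...accepted]);
    const record = Object.freeze({
      subjectId, accepted: [...accepted], timestamp: now(),
      method, noticeText, policyVersion: POLICY_VERSION,
    });
    log.push(record);
    const ready = pending.filter((p) => granted.has(p.category));
    pending = pending.filter((p) => !granted.has(p.category));
    ready.forEach((p) => p.loader());
    return record;
  }

  return { register, recordChoice, log, pendingCount: () => pending.length };
}

// Constructed scenario: three scripts, the visitor accepts analytics only.
function demo() {
  const fired = [];
  const gate = createConsentGate(() => "2024-01-01T00:00:00.000Z"); // fixed clock
  gate.register("necessary", () => fired.push("session"));
  gate.register("analytics", () => fired.push("analytics"));
  gate.register("marketing", () => fired.push("remarketing"));
  const beforeConsent = [...fired];
  const record = gate.recordChoice("visitor-123", ["analytics"],
    "banner: accept selected", "Constructed notice text shown to the visitor");
  return { beforeConsent, fired, record, stillBlocked: gate.pendingCount(), log: gate.log };
}

console.log(demo());
```

In a browser, each loader would inject the corresponding script tag, and the log would be persisted server-side rather than kept in memory.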
3) And in the specific case of E-commerce?
A terms and conditions document is highly recommended for the owners of an E-commerce, because it helps you to handle the problems that may arise in relation to the users and, more importantly, it helps you to prevent conflicts by establishing a legally binding agreement between you and your customers. The terms and conditions include mandatory information on consumer rights, return, withdrawal or cancellation policies, conditions of sale and methods of payment, shipping, delivery, etc. (as required by consumer protection laws).
When you use the terms and conditions, be sure to include things like:
- Company identification (seller contact details)
- Disclaimers and Limitation of Liability
- Description of the service provided by your website or app
- Shipping, Processing, and Return Policies
- Warranty information (if applicable)
- Indicate the existence of the right of withdrawal (if applicable)
- The delivery conditions of the product/service
- Information regarding payment methods
Remember that a terms and conditions document helps you establish and make clear the conditions of your business and, therefore, helps you protect your interests. The recommendation is to add it to the footer of your website and make it always visible.
4) Conclusions
There are many ways to comply with all these legal matters. At one end are lawyers who draft clauses and documents, which is not a very practical option and is generally more expensive. At the other are platforms with legal teams behind them that let you configure clauses according to your business model and needs. These are the most cost-effective option, since they are based on self-management: you configure the documents yourself from pre-designed clauses that adapt to all types of businesses. They also have the advantage of supporting several languages (remember that legal documents must be available in the languages in which you have your website).
5) Recommendations
- Evaluate and identify data processing points on your website and in your business.
- Practice transparency.
- Make relevant disclosures, keep them up to date, and clearly identify yourself.
- Minimize data usage (only process what you need).
- Have a consent management platform on your website.
- Obtain consent from users in the European Union.
- Keep the legally required records and receipts.