Read on to learn about privacy policies for dropshipping websites, how to make one, where to place it, and the various privacy laws that affect dropshipping.
What Is Dropshipping?
To begin, let’s talk about what dropshipping is.
Dropshipping is an eCommerce business model where the seller pays a third party, such as a wholesaler or manufacturer, to deliver products directly to the customers.
Here’s how the dropshipping process works:
- Your customer places an order through your eCommerce store.
- Your store automatically sends the order to your dropshipping partner.
- Your dropshipping partner prepares your customer’s order.
- Your dropshipping partner ships the order directly to your customer.
Dropshipping is particularly popular in international commerce. For instance, a supplier located in North America can pay wholesalers and manufacturers located in East Asia to ship products directly to customers, saving time and money.
Traditionally, suppliers had to spend a lot of time and money choosing, purchasing, and shipping inventory. However, with the dropshipping model, you don’t have to buy anything unless the customer has already paid you.
This business model also has many other benefits, including:
- Accessibility: Anyone can start dropshipping as long as they have access to wholesalers and manufacturers willing to dropship.
- Easier to test business models: Dropshipping requires less commitment since you don’t hold the stock yourself. As such, you can speed through different business ideas with limited downsides, which can teach you what your audience wants and how to market and choose in-demand products.
- Flexible location: You can run your dropshipping business from anywhere as long as you have an internet connection.
These privacy laws (covered in the next section) define personal information as any data used to identify, contact, or locate an individual, such as:
- Biometric data
- Credit card numbers
- Mobile numbers
- IP addresses
- Screen names
- Date of birth
- Sexual orientation
- Physical address
- Political affiliations
- Religious affiliations
- Passport numbers
- Full names
Which Privacy Laws Affect Dropshipping?
Many privacy laws around the world affect dropshipping. Some of the most important ones include:
General Data Protection Regulation (GDPR)
The European Union (EU)’s GDPR applies to any company that processes the personal data of EU residents. That means that if you offer goods or services to anyone who lives in the EU, UK, or Switzerland, you need to comply with the GDPR whether you have offices in those countries or not.
California Consumer Privacy Act (CCPA)
The CCPA requires some companies that do business with and collect the information of residents of California to have privacy policies. Specifically, it applies to big businesses that reach one or more of these thresholds:
- Have annual gross revenues of more than $25 million
- Make more than half of their revenue from selling Californian residents’ personal data
- Buy or sell personal data of more than 50,000 Californian residents per year
While some businesses may not be affected by the CCPA, you should always try to comply. Following the CCPA is always the right thing to do because your users deserve to have their privacy rights safeguarded.
The CCPA requires you to tell consumers:
- What data you have about them
- How you use this data
- How consumers can opt out of you selling their data
California Online Privacy Protection Act (CalOPPA)
Stop Hacks and Improve Electronic Data Security Act (SHIELD)
This New York law applies if you process the data of a New York resident, regardless of your location. It requires you to:
- Use reasonable technical, administrative, and physical safeguards to protect personal data
- Notify relevant state agencies and affected individuals of data breaches
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is Canada’s privacy law. It requires private sector organizations and non-profit organizations that use and collect personal information to post privacy policies on their website when carrying out commercial activities.
Private sector organizations are partnerships, trade unions, associations, or corporations owned by a private individual rather than the government.
PIPEDA, unlike the GDPR, CCPA, and CalOPPA, has a much narrower scope. According to the Office of the Privacy Commissioner of Canada, it only applies to non-Canadian businesses with a “real and substantial connection” to Canada.
Personal Information Protection Law (PIPL)
China’s PIPL came into effect on November 1, 2021, and is one of the strictest privacy regimes in the world.
Personal Data Protection Acts in Other Countries
Step 2: Answer a few simple prompts and questions, and go through all of the steps until you reach “Final Details.”
A template also saves time since you don’t have to write anything from scratch if you like what’s already on the template. Furthermore, you’re free to change as little or as much of the template as needed.
Here are some tips if you want to go ahead with writing your own:
- Last updated date, introduction, and contact details
- Why you’re requesting personal information from consumers
- What types of personal information you collect
- The rights consumers have over their data
- How you process this information
- Who you’re sharing the information with
- How customers can contact you to opt out of data collection or for further information
You should cover these requirements in the following clauses:
Last Effective Date
Here’s an example from Modalyst, a dropshipping service:
Your Contact Details
An email address should do the trick in most cases, although larger companies with physical stores may also include postal addresses and telephone numbers.
Personal Data Collected
Talk about what kind of data you collect and for what reasons. Be as specific as possible when listing the types and categories of data you collect from consumers.
For example, if your dropshipping store collects email addresses, names, credit card numbers, and mobile phone numbers every time someone makes a purchase, you need to tell customers that you do so.
Here’s how Modalyst lists the kind of information it collects from customers:
How and When You Collect Personal Data
It’s not enough to just list what kinds of information you collect. Most privacy laws require you to explain how and when you collect personal data.
If you only use a few simple ways to collect data, this section doesn’t have to be very long. Like Modalyst, you can just write a sentence or two explaining when and how you gather information from customers:
As you can see, you need to be as thorough as possible. If you gather data whenever users subscribe to your newsletter and submit forms, for instance, you need to mention that.
If you have many ways of collecting data, particularly complex methods of gathering and processing data, you may need to disclose how and when you acquire this information.
How You Use Personal Data
Although you should be as detailed as possible, don’t overwhelm the reader. Instead, sort different data types into categories so customers will have an easier time processing this section.
As an example, check out what Modalyst did for their “How We Use Your Personal Information” section:
Consumer Privacy Rights
Next, list out the rights that customers have. Don’t be overly broad, though: be specific about what rights consumers have and what they can do to exercise these rights.
The specific rights depend on what laws apply, but since anyone can buy products from your dropshipping store, you should consider as many jurisdictions as possible.
So, for example, if you have customers from the EU, you should list out EU citizens’ consumer privacy rights in this section even if you’re located in the US.
Similarly, if you have customers from California, you must inform Californian consumers that they have the right to opt out of data collection.
That’s what Modalyst did in theirs:
As you can see, Modalyst has listed out EU citizens’ rights to amend, delete, or access their personal data at any time, which are consumer rights granted to them by the GDPR.
Information You Disclose or Share
Finally, you need to outline who you share your customers’ data with.
Some companies may share customers’ personal data with third parties and their affiliated partners. For example, some dropshipping businesses may share customers’ data with payment processing providers such as PayPal to process payments.
List out what information is sold or shared and under what circumstances. You should also be clear about the identities and natures of the third parties and partners with whom you share information.
Here’s how Levi Strauss & Co did it:
- Be clear and concise. Keep things simple and easy to understand. If you have a lot of information, consider using charts.
Once you’ve created your policy, you need to put it in a prominent area of your site or app. It must be easy to find so users can agree to its terms before sharing personal data with you.
In Other Policies
You should also put a link in other key documents, such as your shipping policy, acceptable use policy, and Terms of Service. This will enable customers to move quickly between policies to find the information they need without having to search through your site.
Points of Data Collection
Finally, you need to include a link to your policy at points of data collection to ensure that customers know what they’re consenting to before agreeing to share their personal information with you.
- Before a consumer completes a transaction
- When a customer creates an account
- When a consumer signs up to receive communications, newsletters, and marketing from you
Whenever you’re confused about what you should include, look at the laws that apply to your store and customers and go from there.