How to Create a Privacy Policy for GDPR

Even if you haven’t heard of GDPR you have seen it’s effect via the bombardment of emails from vendors stating they have updated their privacy policy or the banners/pop-ups you need to click on before you visit a site indicating you accept cookies and their privacy policy!  I’m not going to review what GDPR is — here’s a good article about it — but I am going to tell you how to craft a privacy policy for your ShopSite store.


First, you should review ShopSite’s Privacy Policy for our shopping cart software.  The Policy will cover more features than a typical merchant will use in their store.  For example, a number of payment gateways are listed but a typical store will usually only have one payment gateway such as Authorize.Net and a payment method or two such as PayPal or Amazon Pay.  Similarly, if you use a tax service it will only be one provider and not two.  You will want to list only the 3rd-parties that are used in your store.

So let’s use a fictional bike store in our example — Tim’s Tandem Bicycles (TTB).  This store uses the following services:

  • Authorize.Net and PayPal for payments
  • USPS for shipping
  • Avalara for Tax
  • Google Analytics for website traffic analysis
  • Constant Contact for newsletters
  • ShopSite’s Customer Registration
  • and shoppers can sign-up to follow on Facebook and Twitter

In addition, the store does not store credit cards.  Any credit card data is held by the payment processors.  Order data is retained for 1 year.

Ok, so our privacy policy could look like this:

Tim’s Tandem Bicycles (TTB) Privacy Policy

Protecting your privacy when using our website is important to us.  Please note how your data will be used.

Data for Payment

TTB collects the following  information for payment processing:

  • Name
  • Email
  • Address (billing and shipping)
  • IP

The information is collected so that payment can be processed and shipping can occur. The payment data will be shared with a payment processor as well as the order total and possibly order details such as the products ordered. Payment processors include:

  • PayPal

Data for Shipping

In order to ship a physical good, a shipping address is needed as well as product weight, box sizes, and order totals. This information will be shared with USPS.

Data for Tax

Your shipping address and product details will be shared Avalara so that an accurate tax calculation can be made.

Data for Analytics

Pages browsed will be tracked by Google Analytics and will be logged by the Web Server. The information tracked and logged will include your IP.

Data collected when browsing the store

Your IP and cookie data will be shared with Facebook and Twitter should you click on their links.  If you sign up for our newsletter your email and contact information will be shared with Constant Contact.  If you fill out our Contact Us form we will collect your e-mail addresses so that we can reply to you.

Data Collected when Registering

Should you register at checkout your Billing, Shipping, and Order Details will be stored to enable easy check out the next time you order.


Cookies are small files stored by your browser on your device. They are used to remember preferences and improve the browsing and checkout experience.  Our shopping cart uses the following cookies:

  • Shopping Basket Cookie – sets a basket ID to correlate to your temporary shopping cart file.
  • Shopper Cookie – saves email, billing address and shipping address so that the next time you check out your address information is already populated. This cookie is created when you submit an order.
  • Customer Registration Cookie – contains your name and whether or not you are logged in.
  • Mini Cart Cookie – contains a list of products you have added to your cart. Used for displaying your shopping basket while you browse store pages.

Data Retention

Orders– When an order is completed the order information (including email, name, address, products, shipping method, etc.) is stored in a  database. That information remains for up to one year.

Customer Registration – The data remains until you delete the orders or addresses.

Cookies –

  • Shopping Basket and Mini Cart Cookies – remain for up to  7 days.
  • Shopper Cookie – is kept for 1 year.
  • Customer Registration Cookie – it will expire when you complete your order. If an order is not completed, the cookie will expire when the login time expires in 30 minutes.

Data Removal

Orders– contact us to remove order data.

Customer Registration – Contact us to remove your account.

Cookies – can be cleared by you. The method used depends on the browser and device. See wikiHow for more information.

Fulfilling Data Requests

Contact us if you need a copy of your Orders or Customer Registration data.


The above privacy policy has been modified to only include the services that TTB uses.  Where some information is not collected by TTB (e.g. credit cards) it has been removed.  In addition, some information has been added such as the collection of email addresses should the shopper fill out a form to contact the merchant.  The Mobile cookie is not mentioned since the merchant is using a ShopSite Responsive Theme.  Because TTB knows what kind of ShopSite store they are using (e.g. Pro, Manager, etc.) they know how long cookies are kept and can state so in the Privacy Statement.

TTB should now create a page (in or outside of ShopSite) and prominently link to their policy from their website.  Of course, if there are other 3rd-party services that TTB uses that may collect user data (such as WordPress plugins) they should also note that in their policy.

The above privacy policy is an example and ShopSite makes no claim that it would completely satisfy your store’s GDPR requirements.  You should, of course, review the GDPR and decide for yourself (or involve an attorney) regarding what you need to have in your privacy policy.

Top 5 eCommerce Posts for April

Getting Reacquainted with LinkedIn Ads – Practical Ecommerce
To be sure, LinkedIn should not account for your entire ad budget. But it’s worth getting reacquainted.

5 Reasons People Shop at Your Small Business – Constant Contact
It’s time to celebrate your success and remember some of the most common reasons people choose do business with you

Understanding Local SEO – Pair Networks
A subset of search engine optimization (SEO), local SEO focuses on attracting and converting local audiences online.

Sales tax showdown: FAQ on the Supreme Court case that could shape the future of online shopping -GeekWire
The U.S. Supreme Court is set to hear its first state sales tax case in more than 25 years this week and the verdict could have sweeping implications for e-commerce companies

How Are Shoppers and Merchants affected by TLS? – Nethosting
Most of us understand to look for a secure URL (e.g. https://) on a web page before we enter sensitive information like a password or credit card number

What is TLS and How Does It Affect My Customers?

PayPal, like many payment vendors, is “updating its services to require TLS 1.2 for all HTTPS connections.” Even non-payment vendors such as UPS are making the switchover. What is TLS, does it affect me and my customers,  and who/what is driving this change?



What is TLS?
Most of us understand to look for a secure URL (e.g. https://) on a web page before we enter sensitive information like a password or credit card number. Having the ‘s’ indicates that the page will receive your data securely via an encrypted communication between your browser and the server hosting that page. The more techie folks may know that the secure communication protocol originally used was called SSL (Secure Sockets Layer) and more recently TLS (Transport Layer Security.) Most of us may not realize that behind the scenes the protocols used for encrypting have been steadily updated to be even more secure. The latest and greatest update is for TLS version 1.2.

We all want the best security possible so, yay! — browsers, web servers, payment gateways, let’s all use TLS 1.2!  Yes, that is a good idea and that is what is currently in process to happen.  However, every piece of software involved in your web surfing experience needs to be updated to support the latest protocol.  For a few years now the newest versions of your web browser as well as many web servers have supported TLS 1.2 (as well as earlier versions of TLS and even SSL.)

Am I Affected?
As a web surfer, there is nothing you need to do as long as you have updated your web browser in the past few years (it is always good to keep your browser updated!) Likewise, most hosting providers are running a web server that supports TLS 1.2. The sticky point for end-to-end TLS support has been the payment gateways. It is a lot of work to upgrade their payment software and to ensure all 3rd-parties that communicate with their software support TLS 1.2. This includes Shopping Cart vendors and others. You don’t want to turn off support for protocols earlier than TLS 1.2 and have shoppers and merchants running older software mad that they cannot make online payments! Fortunately, this transition has been expected for several years now. In fact, PayPal originally announced the switchover for June of 2016, now it is scheduled for June of 2018.

Why TLS by June 2018?
What is special about this June for the switchover date? June 2018 is the deadline mandated by the Payment Card Industry (PCI) Security Council. The PCI council is sponsored by Visa and the other credit card companies and sets the standards that payment vendors like PayPal must adhere to. Not only does what they say carry a lot of weight, but payment vendors could face fines if they do not follow the recommendations.

Will Online Shopping be Disrupted?
What can we expect to happen after June 2018? A few shoppers will probably encounter online shops running older software and therefore not be able to complete an order. This was the experience at some shops using payment vendors that have already made the switchover. While all your big sites like Amazon, Wal*Mart, and others will not have a problem, there will be smaller merchants that have not kept their Shopping Cart software up to date. Luckily, most merchants are already running up to date software. For example, our Shopping Cart software — ShopSite version 12 sp2 r4 — has supported TLS 1.2 for nearly 2 years. Plenty of time for a merchant to plan and complete an upgrade. Of course, as soon as any merchant realizes their orders have stopped they will quickly update their site, so most of us will not see any problems at all!

Unless you, as a user, are running a really old web browser there is nothing that you need to do. As a merchant, you should check with your shopping cart vendor to ensure that you are running a version that will support TLS 1.2.

ShopSite Online Shopping Cart Software On YouTubeShopSite Online Shopping Cart Software BlogShopSite Online Shopping Cart Software on Google+ShopSite Online Shopping Cart Software On TwitterShopSite Online Shopping Cart Software On FacebookQuestions?888-373-4347E-commerce Blog ShopSite's E-commerce Blog Author