E-Commerce Privacy Policy and Information Security Best Practices
The more confident visitors are in the way your website handles their personal information, the more likely they are to become customers. To avoid misunderstandings and to assure consumers that you are protecting the personal information they provide, your privacy policy and information security procedures should incorporate the best practices listed below.
- Privacy Policy
- Devise a clear, concise statement of your privacy policy. This practice, as well as the following one, may be subject to legal requirements, and you need to ensure that you are in compliance. Even where no legal requirements apply, you still need to address consumer concerns about providing personal information. To do that, your privacy policy should answer the following questions:
- What customer information is collected.
- How that information is used.
- With whom the information is shared.
- How customers can opt out.
- Make your privacy statement easy to find through links on your website. Your customers should be able to locate it quickly; placing a link in your website’s header or footer will, in most cases, make it accessible from every page.
- Register with a privacy organization and post its “seal of approval” on your website. Many new visitors will want to check your customer service record, which typically means searching for customer reviews online and checking your profile with the Better Business Bureau. Make that due diligence easier by displaying a seal from a major privacy program; it signals that you take the protection of personal information seriously and have taken the necessary measures to do so. In addition to the Better Business Bureau’s BBBOnLine Privacy program, you can look at programs such as TRUSTe.
- Information Security
- Detail your website’s information security practices and controls on a separate page of your website and make it available to everyone. Describe the controls themselves (how data is protected and who can access it) rather than implementation details such as software versions or internal network layout, which help an attacker more than they reassure a customer. In particular:
- Explain how card information is protected:
- During transmission
- While stored on your servers, and
- At your physical site
- Place a link to your information security page in the header or footer of your website.
- Provide visitors to your website with information on how they can protect themselves when shopping online. For example, you can create a list of “7 tips for safe online shopping” (which you can also use in your information security disclosure) that includes the following suggestions:
- Secure your PC by keeping your operating system and browser updated and by running reputable, up-to-date security software.
- Do not click on links in promotional emails; type the merchant’s address into your browser instead.
- Get to know the merchant before you make a purchase. Look for customer reviews and seller ratings on websites such as Epinions.com.
- Pay by credit card to get the additional fraud protection that most credit cards provide. U.S. federal law limits cardholder liability for unauthorized use of a credit card to $50, and many card issuers waive even that amount.
- Make sure you know what the actual price of your purchase is, including cost of the item, shipping, handling, and sales tax.
- Read the privacy policy to understand what information the merchant is gathering, how it is using it, and whether you can opt out of it.
- Understand the return and refund policies. These policies can vary significantly from merchant to merchant. Some stores have adopted a “no questions asked” approach, while others make it more difficult for consumers to return products.
- If you are using Verified by Visa or MasterCard SecureCode, you should display their logos on your home page, security information pages, order and checkout pages.
- Do not use email for transactions, and advise customers against it. Email is in most cases transmitted and stored unencrypted, so it is not a secure way to send card numbers, passwords or other sensitive information. Strongly recommend to your customers that they never send sensitive information to you by email, and repeat that warning both in automated responses to customer inquiries and in regular email exchanges.
Image credit: Petaasiapacific.com.