BigCommerce is an eCommerce software company that produces shopping cart software - a program that you can integrate into your website to allow visitors to make purchases.
By turning browsers into buyers, shopping cart software carries out a crucially important function on your website and also handles personal data on your customers' behalf.
Because you'll be working with payment information, using shopping cart software such as BigCommerce on your website is a big responsibility. It means you'll need to take some extra steps to ensure you are being transparent with your customers about how you and BigCommerce keep information safe.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. BigCommerce Users Need a Privacy Policy
- 2. What's a Privacy Policy?
- 3. A Privacy Policy is Required by Law
- 3.1. California
- 3.2. The European Union (EU)
- 3.3. Canada
- 4. A Privacy Policy is Required by BigCommerce
- 5. How to Make Your Privacy Policy Comply with BigCommerce's Terms
- 5.1. Security of Payment Details
- 5.2. EU-U.S. Data Privacy Framework
- 5.3. Security of Browser Information
- 5.4. "Do Not Track" (DNT) Signals
- 5.5. Abandoned Shopping Cart Feature
- 6. Details About Consent
- 6.1. All BigCommerce Users
- 6.2. BigCommerce Users Who Process Sensitive Data
- 7. Your Privacy Policy as a BigCommerce User
- 8. How to Add a Privacy Policy on BigCommerce
- 9. How to Link to a Privacy Policy on BigCommerce
BigCommerce Users Need a Privacy Policy
If your company handles personal data in any way - for example by taking customer payments online - you need a Privacy Policy. In many places, a Privacy Policy is mandatory for any commercial business - you are legally required to have one.
What's a Privacy Policy?
A Privacy Policy is your company's opportunity to tell your customers:
- What sorts of personally identifiable information (also called personal data) you collect from them.
- How this data is collected, stored and used.
- Which other organizations or types of organizations you might be sharing this data with.
- How they can request to access or change this data.
A Privacy Policy is Required by Law
Here are some examples of legal jurisdictions that require companies who are processing personal data (anything that can be used to identify an individual) to have a Privacy Policy:
California
The California Online Privacy Protection Act 2003 (CalOPPA) requires companies operating a commercial website to have an easily accessible Privacy Policy. This Privacy Policy must, among other things:
- Explain what sorts of personal information the website collects.
- Explain how users can ask for their personal data to be changed.
- Let users know how changes to the Policy will be communicated.
The European Union (EU)
Privacy law in the EU is very highly developed, and the personal privacy of EU citizens is highly protected. The EU recently introduced the General Data Protection Regulation (GDPR). Companies breaching the GDPR (no matter where they're based) can receive huge fines (up to €20 million or 4 percent of global turnover).
Art. 12(1) of the GDPR states:
"The controller shall take appropriate measures to provide any information [...] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
Canada
The main privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada states that under PIPEDA,
"information about an organization's privacy policies and practices must be readily available to individuals upon request."
A Privacy Policy is Required by BigCommerce
BigCommerce has a Terms of Service agreement, which also incorporates various other policies and agreements. All users of its shopping cart software must agree to these terms.
Let's take a look at BigCommerce's Acceptable Use Policy Section 1.1:
This means that you can only use BigCommerce's software if you obey the laws of whichever country your website is operating in.
Aside from the general legal requirement to display a Privacy Policy, BigCommerce's Privacy Policy (also incorporated into its Terms of Service) states:
So if you want to use a BigCommerce service on your company's website, you need a legally compliant Privacy Policy.
How to Make Your Privacy Policy Comply with BigCommerce's Terms
As we've seen, having a Privacy Policy is essential to comply with many privacy laws. It's also a great way for you to ensure that:
- Your company can be sure that it's keeping its customers' data safe.
- Your company has systems in place so it can fulfil any data access or modification requests.
- Your company appears professional and transparent.
Different privacy laws have different requirements about what a Privacy Policy should cover. Broadly speaking, the GDPR is the most stringent privacy law in the world. Therefore, if you want to ensure that your company has an exemplary Privacy Policy, you can aim toward GDPR-compliance.
The guidance below covers things that your company should include in its Privacy Policy if it's a BigCommerce merchant (i.e. it uses a BigCommerce store on its website). You may also need to include other information depending on the nature of your company.
Security of Payment Details
BigCommerce's Terms of Service states:
This is important. If your website uses a BigCommerce store then your customers will be handing over their credit card details to BigCommerce.
You'll need to communicate this to your customers to comply with privacy laws.
For example, California's "Shine the Light" law (Cal. Civil Code §§ 1798.83-1798.84) requires companies to disclose on request the details of any third parties with whom they share California residents' data.
Your company must let your customers know that their personal data (for example their credit card information) is being sent to a third party - BigCommerce - who will process it on your company's behalf.
Let's take a look at how toy retailer and BigCommerce merchant ToyWiz handles this in its Privacy Policy:
This is a very transparent approach, which goes above and beyond what is technically required. ToyWiz specifically names BigCommerce and goes to some lengths to reassure its customers about BigCommerce's compliance with data protection regulations.
Here's a different approach:
This is also a very transparent method, as it lists every type of organization with whom the company may share customers' data. However, it doesn't name BigCommerce specifically. This is perfectly acceptable, so long as the company is willing to give this information on request.
EU-U.S. Data Privacy Framework
BigCommerce participated in the EU-U.S. Privacy Shield Framework, which used to be an acceptable method for transfers of data. However, it has since been invalidated and replaced by the EU-U.S. Data Privacy Framework.
Security of Browser Information
Privacy laws have implications for your use of your customers' browser information via tools such as cookies. Recital 30 of the GDPR explains why:
"Natural persons may be associated with online identifiers provided by their devices, [...] such as internet protocol addresses, cookie identifiers or other identifiers [...]. This may leave traces [...] may be used to create profiles of the natural persons and identify them."
This means that because cookies track browsing habits and collect login details, they could potentially be used to identify your customers. Therefore, cookies and other browser information can constitute personal data, and thus fall within the ambit of privacy laws like the GDPR.
Let's see what BigCommerce has to say about how it treats the browser information of your customers (whom BigCommerce calls "Shoppers"). This information is presented in BigCommerce's Privacy Policy.
BigCommerce is clear that they do process browser information via their shopping cart software. This means that if you have a BigCommerce store on your website, your Privacy Policy must mention that your customers' browser information will be processed.
Ford UK uses the BigCommerce platform. While BigCommerce is not specifically mentioned in its Privacy Policy, Ford UK has an extremely comprehensive approach to communicating information about its use of cookies. It provides its own Cookie Policy:
Ford UK's Cookies Policy helpfully explains how customers can disable cookies:
Here's how BigCommerce merchant Andie Swim explains its use of cookies in its Privacy Policy:
Here's another example:
"Do Not Track" (DNT) Signals
Some browsers contain a setting known as Do Not Track (DNT) which, when enabled, signals users' preference not to be tracked via cookies and other such mechanisms. There is no legal requirement for websites to obey DNT signals.
CalOPPA, however, requires that companies:
"Disclose how the operator responds to Web browser "do not track" signals [...]"
BigCommerce complies with this requirement in its own Privacy Policy:
Because BigCommerce states (earlier in this section) that their non-acknowledgement of DNT signals applies both to their website and their services, you'll need to include reference to this in your Privacy Policy if you need to ensure compliance with CalOPPA.
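As an added illustration of the DNT mechanism described above (example code written for this article, not BigCommerce's or TermsFeed's), here is a client-side check that normalises the browser's DNT signal and uses it, together with the shopper's recorded consent, to decide whether a non-essential cookie may be set. The `nav` and `win` parameters stand in for `navigator` and `window` so the logic can be exercised with constructed objects.

```javascript
// Browsers have exposed the Do Not Track preference inconsistently over the years:
// navigator.doNotTrack, window.doNotTrack and the legacy navigator.msDoNotTrack,
// with values such as "1", "yes", "0", "unspecified" or null. This helper folds all
// of them into one of three states so the cookie logic only has to handle those.
function dntPreference(nav, win) {
  const raw = [
    nav && nav.doNotTrack,
    win && win.doNotTrack,
    nav && nav.msDoNotTrack,
  ].find((v) => v !== undefined && v !== null);
  if (raw === undefined) return "unspecified";      // browser sent no signal at all
  const v = String(raw).toLowerCase();
  if (v === "1" || v === "yes") return "opt-out";   // shopper asked not to be tracked
  if (v === "0" || v === "no") return "allow";      // shopper explicitly allows tracking
  return "unspecified";                             // "unspecified" or an unknown value
}

// Decide whether a cookie of the given category may be stored.
// `consent` is a Set of cookie categories the shopper has opted into (the consent
// record your Privacy Policy describes). Strictly necessary cookies such as the
// session or cart cookie are never blocked by DNT; everything else is blocked when
// the browser signals opt-out or when no consent has been recorded for it.
function cookieDecision(category, nav, win, consent) {
  if (category === "necessary") return "set";
  if (dntPreference(nav, win) === "opt-out") return "blocked-by-dnt";
  if (!consent.has(category)) return "blocked-no-consent";
  return "set";
}

// Constructed sample: a browser with DNT enabled, a shopper who consented to analytics.
const sampleNav = { doNotTrack: "1" };
const sampleWin = {};
const sampleConsent = new Set(["analytics"]);
console.log(cookieDecision("necessary", sampleNav, sampleWin, sampleConsent)); // set
console.log(cookieDecision("analytics", sampleNav, sampleWin, sampleConsent)); // blocked-by-dnt
```

Whichever branch your store takes (honouring DNT as above, or ignoring it as BigCommerce's own policy states), the behaviour the code implements is what CalOPPA requires you to disclose.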
Abandoned Shopping Cart Feature
Imagine the following scenario: a customer is shopping on your company's website. He creates an account, finds a product he's interested in and clicks "Add to Cart." Then his phone rings, or his baby starts crying, or his boss looks over his shoulder, and he abandons the purchase.
BigCommerce has a helpful service where it will email a customer who has abandoned a shopping cart to remind them to complete the purchase. You might be wondering if this complies with the GDPR and other data laws, which have been interpreted as requiring a strong opt-in for receipt of direct marketing emails.
BigCommerce addresses this in its GDPR information and FAQs:
Here's how you can explain this in a Privacy Policy:
Details About Consent
Privacy laws require companies who are processing certain types of personal data to seek consent from their customers. The GDPR is well-known for being strict about how and when companies must gain the consent of their customers. You should comply with a high standard of privacy even if you don't have customers in the EU.
All BigCommerce Users
BigCommerce requires all of its merchants to seek consent to process the personal data of their customers, under Section 2.1 of its Privacy Policy.
The UK's data protection authority, the Information Commissioner's Office (ICO), publishes guidance about what UK companies should include in a GDPR-compliant Privacy Policy.
They offer this advice:
This is how you can display information about consent in a Privacy Policy:
BigCommerce Users Who Process Sensitive Data
Certain types of personal data are known as sensitive personal data or special category data. There is no fixed definition of what constitutes Sensitive Personal Data under US law, but it is clearly defined in Article 9 of the GDPR:
"racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation [,...]"
BigCommerce explicitly mentions merchants that collect sensitive personal data and requires them to obtain affirmative, explicit and informed consent, as well as allow shoppers to revoke their consent:
Here's an example of how to explain this:
You will need to provide contact details via which your customers can revoke (withdraw) their consent, or make other requests regarding their data. This can be your Data Protection Officer (DPO) if you have one, or just your general contact details if you don't.
Your Privacy Policy as a BigCommerce User
To use a BigCommerce store on your company's website, you'll need to display a Privacy Policy which:
- Is compliant with the privacy law of whichever countries or jurisdictions you're operating in.
- Lets your customers know that their personal data will be shared with a third party.
- You don't need to specify that this third party is BigCommerce, but there's no reason not to.
- Explains the way that BigCommerce uses their browser information such as cookies.
- You should mention how your store handles Do Not Track signals, especially if you serve California residents.
- You should mention that your customers can opt out of the Abandoned Shopping Cart feature, especially if you serve EU citizens.
- You should seek consent from your customers to process their personal data, and explain this in your Privacy Policy.
- If your company processes sensitive personal data, you should explain your basis for doing this.
- You should explain that it is possible for your customers to withdraw their consent, and provide your company's contact details in case they wish to do this.
How to Add a Privacy Policy on BigCommerce
Here are the steps to add a Privacy Policy page on BigCommerce:
- Log in to BigCommerce.
- From the BigCommerce Dashboard, go to the Storefront:
- Select Web Pages:
- Click the Create a Web Page button:
- Under Page Type, leave the default: Contain content created using the WYSIWYG editor below:
- Type "Privacy Policy" as the Page Name under Web Page Details:
- In the Page Content editor, select the HTML:
- The HTML Source Editor will open. Add your Privacy Policy text.
  If you do not have a Privacy Policy, you can use our Privacy Policy Generator and create one within minutes.
  On the download page, scroll to the Copy your Privacy Policy section and click on the Copy this to clipboard button:
- Paste the HTML of your Privacy Policy in the HTML Source Editor:
- Click Update:
- When done, click the Save & Exit button at the bottom of the page:
- Your newly created Privacy Policy page will show up on the View Web Page list as Normal Page:
- Use the View Store option to preview changes:
- The Privacy Policy page is added in the header navigation:
- It's also added in the footer navigation:
How to Link to a Privacy Policy on BigCommerce
Here are the steps to add a Privacy Policy URL on BigCommerce:
- Log in to BigCommerce.
- From the BigCommerce Dashboard, go to the Storefront:
- Select Web Pages:
- Click the Create a Web Page button:
- Under Page Type, select the Link to another website or document option:
- Type "Privacy Policy" as the Page Name under Web Page Details:
- Add the link to your Privacy Policy next to the Link field.
  To get the Privacy Policy URL, go to the TermsFeed Privacy Policy Generator to create a Privacy Policy and get the hosted Privacy Policy URL.
  Once you have a Privacy Policy created by TermsFeed, click Copy from the Link to your Privacy Policy section to copy the URL:
- Paste your Privacy Policy link:
- When done, click the Save & Exit button at the bottom of the page:
- Your newly created Privacy Policy page will show up on the View Web Page list as a "Web Site Link" page:
- Use the View Store option to preview changes:
- The Privacy Policy page is added in the header navigation:
- It's also added in the footer navigation: