Are you opening a Facebook or Instagram store? If so, you need a Privacy Policy.
To comply with privacy law and with Facebook's terms, you'll need a clear and comprehensive Privacy Policy explaining what personal information you collect, how you use it, and how you share it with Facebook.
In this article, we'll explain everything you need to include in your Privacy Policy so you can hit the ground running with your Facebook and Instagram store.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Do I Really Need a Privacy Policy for This?
- 1.1. Your Store and Privacy Law
- 1.2. Facebook's Terms for Business Users
- 2. How to Create a Privacy Policy for Your Facebook or Instagram Store
- 2.1. Contact Details for Your Business
- 2.2. Personal Information that You Collect
- 2.3. Your Purposes for Collecting Personal Information
- 2.4. Your Use of Facebook Business Tools
- 3. How You Share Personal Information
- 4. If You're Serving EU or UK Customers
- 4.1. Your Legal Basis for Processing
- 4.2. Identity of the Data Controller
- 4.3. Data Subject Rights
- 4.4. Right to Make a Complaint
- 5. Summary
Do I Really Need a Privacy Policy for This?
Perhaps you're a micro-sized business owner, or you just want to sell craft products you make at home. You don't have a legal department. You're not planning to do anything complicated with your customers' personal information.
Do you really need a Privacy Policy for your Facebook and/or Instagram store?
Yes, you do. Facebook's terms require it, and so do privacy laws around the world.
Any sort of online commerce carries risks to customers' personal information. Plus, remember that you're working with Facebook: a company not well-known for its discretion with people's data.
Your Store and Privacy Law
When you sell products via your Facebook or Instagram store, you're collecting and processing your customers' personal information. In fact, you're processing the personal information of anyone who visits your store.
Some activities considered "processing personal information" include:
- Taking payments, whether via Checkout on Facebook or Instagram, or a third-party payment processor
- Collecting your customers' names and mailing addresses
- Using Facebook's Business Tools for advertising or analytics
This brings your business activities within the scope of privacy laws around the world.
Because of the nature of the internet, national privacy laws aren't confined within national borders. If you have or you would like to have customers in any of the following regions, you'll need to comply with the relevant privacy laws:
- United States: There's no federal privacy law in the U.S., but state laws in California and elsewhere apply all over the country.
- European Union: The EU's General Data Protection Regulation (GDPR) requires any business offering goods or services in the EU to create a Privacy Policy (and much more).
- United Kingdom: Although the U.K. has now left the EU, it has its own version of the GDPR, plus other relevant laws like the Data Protection Act 2018.
- Canada: Under the Personal Information Protection and Electronic Documents Act (PIPEDA), practically all private sector companies operating in Canada must create a Privacy Policy.
There are many more regions with general privacy laws requiring businesses to create a Privacy Policy.
Facebook's Terms for Business Users
Before you sign up to create a Facebook Page as a business, Facebook requires you to agree to its terms. These terms require that you notify your customers of how you collect and use their personal information.
Facebook has many terms for business users. Facebook and Instagram stores are both examples of "Facebook Commerce surfaces," covered by policies including Facebook's Terms of Service, the Commerce Product Seller Agreement, the Facebook Business Tools Terms, and many, many more.
You'll find several clauses that require you to create a Privacy Policy throughout these myriad terms. For example, there's this section of Facebook's Pages, Groups and Events Policy:
And here's a section of the Facebook Business Tools Terms:
Here you're required to tell people how Facebook collects and uses their personal information for analytics and advertising purposes.
The message is clear: You need a Privacy Policy to operate on Facebook's platform. But don't panic: creating a Privacy Policy isn't as complicated as it might seem.
How to Create a Privacy Policy for Your Facebook or Instagram Store
All Facebook or Instagram stores are unique. But there's some information every Privacy Policy needs to cover to ensure it complies with the law and with Facebook's terms.
Here's the information you need to provide to ensure your Privacy Policy meets the required standards.
Contact Details for Your Business
First of all, you need to let people know who you are, where you are based, and how they can get in touch with you.
Here's an example from Cake Owls:
If you're offering your products in the EU or the U.K., you'll need to add that you're the "controller" of your customers' personal information. Requirements for businesses operating in the EU and the U.K. are more extensive, as we'll see below.
Personal Information that You Collect
You need to provide a list of all the personal information you collect. Think as broadly as possible. If you have a website, in addition to your Facebook or Instagram store, include details of any personal information you collect on your website, as well.
Personal information means names, addresses, and contact details. But it also means technical data collected from people's devices, like IP addresses, user IDs, and cookie data. For more information, see our article What is Personal Information Under Privacy Laws?
Here's how AerWorx lists all the types of personal information it collects:
If you have a website that uses third-party cookies, you may want to consider creating a separate Cookies Policy.
Your Purposes for Collecting Personal Information
As well as explaining what personal information you collect, you must explain how you use personal information.
For example, you collect credit card information to process payments for your products. You collect shipping addresses, so you know where to send people's purchases.
But you have more complicated purposes for collecting personal information, too. For example, your Facebook Page collects technical data from people's devices. You use this to gain insights into their behaviors in your store and elsewhere on the web. We'll look at how to explain this below.
Here's an example from Collusion, setting out how and why the company uses people's contact details:
Remember: You shouldn't be collecting any personal information unless you have a clear business purpose for doing so.
Your Use of Facebook Business Tools
Your Facebook or Instagram store uses Facebook Business Tools. Under the terms of use for these products, you need to explain how they work in your Privacy Policy.
Here's how Alarmy does this, regarding its use of analytics data provided by Facebook Insights:
If you're serving customers in the EU or the U.K., running a Facebook Page makes you a "joint controller" with Facebook. We'll look at this in more detail below.
How You Share Personal Information
When people submit their personal information to your Facebook or Instagram store, it's shared with Facebook. You probably share personal information with other third parties, too.
Your Privacy Policy should set out how and why you share personal information with third parties.
Here's an example from Atlassian:
You don't necessarily need to identify the specific third parties with whom you share personal information. It may be enough to list the types of third parties with whom you share personal information.
If You're Serving EU or UK Customers
The Privacy Policy requirements we've set out above are the bare minimum and should be sufficient if you only serve customers in the United States. If you're based in or have customers in the EU, you'll need to comply with the GDPR's more extensive Privacy Policy requirements.
When you visit a company's Facebook Page from a country in which the GDPR applies, you'll notice this "Information about Page Insights data" link in the corner:
This link explains how Facebook and the Page admin process personal information as "joint controllers."
In the EU or U.K., if you have a Facebook or Instagram store, you're a Facebook Page admin and your relationship with Facebook is governed by the Page Insights Controller Addendum. This agreement splits the GDPR's responsibilities between you, the Page admin, and Facebook.
Here are some additional sections you should include in your Privacy Policy to comply with your side of this agreement.
Your Legal Basis for Processing
Before processing personal information under the GDPR, you must determine your legal basis for processing.
We won't go into detail regarding the GDPR's six legal bases for processing in this article. We also can't advise on which legal basis is suitable for your processing of Page Insights data. Here are some resources to help you learn more about the GDPR's legal bases.
- Lawful Basis for Processing Under the GDPR
- Three Part Test for Legitimate Interests Under the GDPR
- Cookie Consent: GDPR & EU Cookies Directive
Here's how Daimler identifies its lawful basis for processing Page Insights data:
Identity of the Data Controller
Facebook requires that you specify the "responsible data controller." This means your business.
Here's how Cake Owls does this:
Data Subject Rights
You must inform people of their rights under the GDPR (known as the "data subject rights"). Facebook doesn't explicitly require this, but it is a legal requirement.
The GDPR gives people the right to access and maintain control over the personal information you hold about them. As the data controller, it's your duty to fulfill these rights requests.
Here are the GDPR data subject rights. You must list these in your Privacy Policy, along with a brief explanation of each, even if you don't believe they are relevant to your business:
- The right to be informed: You must provide people with information about your processing of their personal information.
- The right of access: You must provide a person with access to their personal information on request.
- The right to rectification: You must correct any inaccurate or out-of-date personal information on request.
- The right to erasure: You must erase the personal information you hold about a person on request.
- The right to restrict processing: You must restrict your processing of a person's personal information on request.
- The right to data portability: You must provide a person with a portable, machine-readable copy of their personal information on request.
- The right to object: You must stop processing a person's personal information on request.
- Rights in relation to automated decision making and profiling: People have the right not to be subject to automated processing with legal or similarly significant effects.
None of these rights is absolute: there are exceptions to each of them, and not all will apply in your situation.
For more information, see our article 8 User Rights Under the GDPR.
You must let people know that they can submit a request to exercise their data subject rights to your business. Provide an email address or web form that will enable people to do this.
If you receive a data subject rights request that relates to Facebook Insights data, you must forward this request to Facebook under the Page Insights Controller Addendum.
Right to Make a Complaint
Finally, you must inform people that they have the right to make a complaint to a Data Protection Authority regarding the way you have handled their information.
Here's how Securys does this:
Your Data Protection Authority will vary depending on where you are based, or where you conduct the majority of your business. See our article about Data Protection Authorities for more information.
Summary
Your Facebook or Instagram store needs a Privacy Policy to help your customers understand how you process their personal information. You also need a Privacy Policy to comply with Facebook's terms and the law.
Your Privacy Policy must explain:
- Who you are (contact details for your business)
- What personal information you collect
- Your purposes for collecting personal information
- How you use Facebook Business Tools
If you have customers in the EU or U.K., you must also explain:
- Your legal basis for processing personal information
- The identity of the responsible data controller
- Your customers' data subject rights
- The right to make a complaint to a Data Protection Authority