1. Set Clear Ownership
    First, identify who is responsible for your privacy policy. It could be an individual or a team. They advocate for visitors' privacy within your business. That includes understanding the many regulatory requirements that apply to you, working with product and marketing teams as they roll out new capabilities that touch personal data, and being the clear point of contact when issues arise.
  2. Review Other Ecommerce Privacy Policies
    This is the brainstorming phase. See what and how other trusted online businesses communicate in their privacy policy statements. Research which systems and software collect personal data along a visitor’s journey on ecommerce sites. Understand procedures for how data is commonly used or with whom data is shared.

The key is to use what others do to build your baseline of knowledge. Don't simply copy another company's privacy statement; that shortcut puts you at risk, because what you actually do on your site is unlikely to match what they do. Your statements must describe what you are actually collecting and how you use it.

  3. Audit Your Privacy Practices
    Now that you have a baseline, dig into your own systems and procedures. Identify what types of data you collect from visitors as they browse your site and from customers when they purchase. For example, it is common for online stores to capture:

Personally identifiable information like name, email, shipping address;
Payments and financial data;
Account credentials (usernames and passwords);
Site analytics and behavioral tracking, using cookies.

Then map where each type of data is stored, which systems and vendors hold it, and how long it is kept. Sometimes personal information only passes through your site and is never stored on your systems, as with credit card numbers that are handled by your payment gateway. You still need to know that, and to say so in the policy.

Finally, document how each type of data is used and with whom it is shared. Email addresses, for example, are used in many different ways. Which system sends the transactional messages triggered by a purchase? How is that different from the system that sends your newsletter or promotions? Each of those is a separate use, often through a separate vendor, and each belongs in the policy.

  4. Write Your Privacy Policy Statement
    Writing your privacy policy statement is the next step. You can certainly start from another website's disclosure statement or from one of the many policy generators found online, and you may want to engage your lawyer. However, you must customize the result to your own practices as documented in your audit. Again, don't just copy someone else.

You should also keep your audience in mind. Something as complex and technical as privacy practices can quickly turn your statement into pages of legal jargon. Instead, organize your information clearly into brief, well-formatted sections that link to further details. Write in straightforward language that makes your policy easy to understand. Making your statement easy to read helps build trust.

Additionally, include phone and email contact information for privacy requests. Preferably that is a dedicated contact (such as the privacy owner from step 1, above), not the general support line. Most readers will never use it, but their trust in you goes up significantly when they see that a named contact is responsible for privacy.

  5. Post and Communicate
    Make your visitors aware of your privacy policy. Most websites link to their privacy policy statement in the footer. That is usually enough to meet your disclosure obligations, but visitors easily miss that link, which wastes an opportunity to build trust.

Demonstrate that you collect shopper data responsibly right at the point where you ask for personal information. For example, include a privacy reminder when you ask for an email address on your newsletter opt-in form — see the “Privacy Policy” link in the example below, from Gap, the apparel retailer. Additionally, you can regularly reinforce their trust after they have shared personal information. Make sure to link to your privacy policy with each email that you send.