Seller Handbook

Advice and inspiration for successfully running your Etsy shop

Seller Handbook

How to Write On-Point Privacy Policies

Get tips on crafting your own GDPR-compliant privacy policy.

By Niamh O'Connor 23 Apr, 2018

When running a creative business, it’s important to respect your buyers’ privacy rights and follow data protection laws. As a business owner, you receive certain personal information about customers when they place an order or contact you about a potential order, such as name, postal address, email address, and phone number. The European General Data Protection Regulation (GDPR) and other local data protection laws guard how this kind of personal information is collected and used, and protect the privacy rights of online shoppers. Under these laws, buyers are entitled to certain information, including when, why, how, by whom, and for what purpose personal information is collected, used, and shared.

If you’re a seller based in the European Union or you offer your listings to buyers there, the GDPR applies to you, which means you’re required to have a privacy policy for your shop. Many other countries have also adopted data protection laws similar to the GDPR, so whether or not you sell to Europe, we recommend that all sellers create a privacy policy. Data protection laws are complex, and local legal requirements may vary, so if you’re uncertain whether the GDPR or any other data protection laws currently apply to you, or would like advice on your specific obligations, consult with an attorney about local laws and how they apply to your shop.

Read on to learn more about leading practices for sending marketing messages and creating a privacy policy for your Etsy shop — plus an example of what the privacy policy of a typical Etsy seller might look like.

Leading Practices for Marketing Messages

There are a few things you should know before using email addresses to contact your buyers, such as sending a newsletter or advertising new products. Under the laws of many countries, including those in Europe, you often need prior “express consent” from your buyers to send them marketing or promotional messages. Express consent means that you can only send marketing messages to a buyer if they have indicated their consent for you to do so through a clear affirmative action, such as a buyer agreeing in an Etsy Convo or email to receive marketing messages from you. Even if you get a buyer’s email address through Etsy to help fulfill the transaction, you’re required to get the buyer’s express consent before sending them marketing messages. Remember that even once you have express consent to send marketing messages, you must respect requests to opt out of receiving further marketing messages from you, as consent can be revoked at any time.

Keep in mind that sending unsolicited advertising or promotions through Etsy Convos is not allowed under Etsy's policies. It is also a criminal offense in some countries. Before using buyers’ personal information for any purpose other than fulfilling orders, providing customer service, and sending marketing messages where you have obtained the buyer’s express consent, you should seek legal advice.

Creating a Privacy Policy for Your Shop

Giving your buyers information about how and why you’re going to use their personal information is the heart of a privacy policy. For instance, Etsy has a privacy policy which details what information Etsy collects and receives as well as how and why that information is used and shared. Soon, we’ll provide an additional field in your Etsy shop policies where you can create a privacy policy that will be visible to buyers. We'll let you know as soon as that field is available.

Below is a sample privacy policy you might find in a seller’s shop. It’s designed to help guide you as you create a privacy policy for your Etsy shop. Throughout, we’ll point out which parts of the policy address requirements of the GDPR. The specific needs and practices of each Etsy shop are different, so you should customise this sample policy to reflect the needs and practices of your shop.

Etsy Seller: Nathan Martin, Paris Nathan's Privacy Policy

Nathan Martin is based in France and has been selling jewellery on Etsy since 2014. He sells mainly to buyers in France, Germany, and Italy, but offers his items for sale world-wide. In the past six months, Nathan’s business has started to take off, and he recently started using a third-party shipping provider to help fulfill his orders. He uses Google Cloud to host some of his buyers’ personal information.

The GDPR requires that Nathan provide certain information to his buyers in his privacy policy, including:

  • the personal information he collects;
  • the legal bases he relies on to collect, use, and share personal information;
  • the third parties with whom he shares personal information;
  • the length of time he keeps personal information;
  • if he’s transferring personal information outside of Europe (for example, if he moves his business to the United States and continues to sell to buyers in Europe, or uses a third party provider located outside of Europe, or uses Google Cloud to host some of his buyers’ information), how the transfer will be handled;
  • his buyers’ rights regarding his use of their personal information; and
  • how his buyers can contact him with privacy-related requests.

Visit this EU GDPR help site and read Articles 13 and 14 for more details on the information that must be included in your privacy policy to comply with the GDPR.

Based on GDPR requirements, here’s how Nathan might introduce his privacy policy to his buyers:

This Privacy Policy describes how and when I collect, use, and share information when you purchase an item from me, contact me, or otherwise use my services through Etsy.com or its related sites and services.

This Privacy Policy does not apply to the practices of third parties that I do not own or control, including Etsy or any third party services you access through Etsy. You can reference the Etsy Privacy Policy to learn more about its privacy practices. Nathan should then go on to include information on the following:

1. Personal information he collects

Nathan should go on to explain what information he collects from buyers, why he needs the information, how he uses it to fulfill orders, the third parties with whom he shares the information, and the length of time he keeps the information. Here's an example:

Information I Collect

To fulfil your order, you must provide me with certain information (which you authorised Etsy to provide to me), such as your name, email address, postal address, payment information, and the details of the product that you’re ordering. You may also choose to provide me with additional personal information (for a custom order of jewellery, for example), if you contact me directly.

2. The legal bases he relies on to collect, use, and share personal information

The GDPR requires that you explain the legal bases you rely on to collect, use, and share personal information. The legal bases may include a buyer’s affirmative consent to receive marketing messages, compliance with legal obligations, and a seller’s use of the personal information in their legitimate interests (improving their services, for example). Throughout his privacy policy, Nathan should be as clear as possible about where and why he's relying on these different legal bases. For example:

Why I Need Your Information and How I Use It

I rely on a number of legal bases to collect, use, and share your information, including:

  • as needed to provide my services, such as when I use your information to fulfil your order, to settle disputes, or to provide customer support;
  • when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for my mailing list;
  • if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law; and
  • as necessary for the purpose of my legitimate interests, if those legitimate interests are not overridden by your rights or interests, such as 1) providing and improving my services. I use your information to provide the services you requested and in my legitimate interest to improve my services; and 2) Compliance with the Etsy Seller Policy and Terms of Use. I use your information as necessary to comply with my obligations under the Etsy Seller Policy and Terms of Use.

3. The third parties with whom he shares personal information

The GDPR requires that you disclose the details of any personal information you share with third parties. Nathan should explain to his buyers why, when, and with whom he may share buyers’ personal information. For example:

Information Sharing and Disclosure

Information about my customers is important to my business. I share your personal information for very limited reasons and in limited circumstances, as follows:

  • Etsy. I share information with Etsy as necessary to provide you my services and comply with my obligations under both the Etsy Seller Policy and Etsy Terms of Use.
  • Service providers. I engage certain trusted third parties to perform functions and provide services to my shop, such as delivery companies. I will share your personal information with these third parties, but only to the extent necessary to perform these services.
  • Business transfers. If I sell or merge my business, I may disclose your information as part of that transaction, only to the extent permitted by law.
  • Compliance with laws. I may collect, use, retain, and share your information if I have a good faith belief that it is reasonably necessary to: (a) respond to legal process or to government requests; (b) enforce my agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of my customers, or others.

4. The length of time he keeps personal information

The GDPR requires you to disclose the period of time during which you will store personal information. Nathan should consider how long he needs to retain information for business purposes and to comply with any legal or tax obligations, and keep in mind that data shouldn't be kept for any longer than necessary. For example:

Data Retention

I retain your personal information only for as long as necessary to provide you with my services and as described in my Privacy Policy. However, I may also be required to retain this information to comply with my legal and regulatory obligations, to resolve disputes, and to enforce my agreements. I generally keep your data for the following time period: 4 years.

5. If transferring personal information outside of Europe, how the transfer will be handled

GDPR requires you to disclose if you transfer personal information outside of the EU and the legal bases you rely on to do so, such as consent and contractual necessity. Nathan uses Google Cloud, which is Privacy Shield certified, so he should explain to his buyers that he relies on Privacy Shield as the legal basis for the transfer of his buyers’ personal information outside of the EU. For example:

Transfers of Personal Information Outside the EU

I may store and process your information through third-party hosting services in the US and other jurisdictions. As a result, I may transfer your personal information to a jurisdiction with different data protection and government surveillance laws than your jurisdiction. If I am deemed to transfer information about you outside of the EU, I rely on Privacy Shield as the legal basis for the transfer, as Google Cloud is Privacy Shield certified.

6. His buyers’ rights regarding his use of their personal information and his contact details

Based on GDPR requirements, Nathan should finish by explaining to his buyers their rights regarding the information they provide to him on Etsy. Nathan should also provide his contact details and explain to his buyers that he is the data controller of their personal information. For example:

Your Rights

If you reside in certain territories, including the EU, you have a number of rights in relation to your personal information. While some of these rights apply generally, certain rights apply only in certain limited cases. I describe these rights below:

  • Access. You may have the right to access and receive a copy of the personal information I hold about you by contacting me using the contact information below.
  • Change, restrict, delete. You may also have rights to change, restrict my use of, or delete your personal information. Absent exceptional circumstances (like where I am required to store data for legal reasons) I will generally delete your personal information upon request.
  • Object. You can object to (i) my processing of some of your information based on my legitimate interests and (ii) receiving marketing messages from me after providing your express consent to receive them. In such cases, I will delete your personal information unless I have compelling and legitimate grounds to continue using that information or if it is needed for legal reasons.
  • Complain. If you reside in the EU and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.

How to Contact Me

For purposes of EU data protection law, I, Nathan Martin, am the data controller of your personal information. If you have any questions or concerns, you may contact me at nmartin@mail.com. Alternately, you may mail me at:

Nathan Martin 32b rue du Faubourg, Paris 75008

*If a customer contacts you to access, correct or delete personal information held by Etsy, you may contact Etsy at Etsy.com/help for assistance, or request that the customer send a request directly to Etsy.

Nathan’s privacy policy is intended to be a guide to the information that should be included in a privacy policy. If you use this policy as a template for your own, you should customise it so it makes sense for your shop. You can replace the details in his policy with yours, including your name, business name, email address, and newsletter settings (if you have an email newsletter). The sections entitled “Why I Need Your Information and How I Use It” and “Transfers of Personal Information Outside the EU” must be customised based on how you operate your shop. Adjust the wording to reflect the voice of your brand and add or remove information to reflect specific facets of your business. For example, if you’re a business owner, you can change the pronouns from “I” and “me” to “we” and “us” to more accurately represent your Etsy shop.

Sticking to these best practices for marketing messages and creating a privacy policy for your business will help you to comply with your obligations under the GDPR, and will signal to buyers that you take privacy seriously and have your customers’ best interests at heart. For more tips on building a positive business perception, read 6 Ways to Build Trust With Buyers.

Friendly disclaimer: This information is for educational and informational purposes only. The content should not be construed as legal advice. It is not intended to create, and receipt of it does not constitute, an lawyer-client relationship. The author and Etsy, Inc. disclaim all responsibility for any and all losses, damages, or causes of action that may arise or be connected with the use of these materials. Please consult a licensed lawyer in your area with specific legal questions or concerns.

Author

Niamh O'Connor

Niamh O'Connor is a member of Etsy’s in-house legal team.

Continue reading in Legal