E-commerce law is evolving as fast as your business opportunities. We know that sometimes it's hard to keep up with everything. This article is a quick guide on how to act legally when running an online store and implementing edrone.
Keep in mind, however, that the regulations in your country regarding e-commerce law may differ from the ones in Poland.
You are the data controller
When you run an online store, you decide for yourself what personal data of your customers you will acquire, how you will acquire it, what you will use it for, and to whom you will transfer the data (e.g. to edrone in connection with our cooperation). These are the elements that make you the Administrator of your customers' personal data.
As a Personal Data Administrator, you should:
take care to process customers' personal data in accordance with the law. Data processing is regulated by the GDPR and, to a limited extent, by the Personal Data Protection Act and other acts, but it is the GDPR that is the legal basis you need to know (REMEMBER - according to the GDPR, all operations on personal data are "processing", e.g. when you acquire a customer's personal data for the purpose of sending a newsletter, or send a message to a customer related to the purchasing process, you are processing their data);
fulfill your information obligation to your customers - that is, inform them who will process their data, on what basis, for what purpose, whether the data will be transferred to other entities (e.g. edrone), whether it will be transferred to third countries, etc. (here we are only signaling this problem - the information obligation is regulated by Article 13 of the GDPR);
take care of data security (you are the one who implements appropriate solutions to keep your customers' data safe, you are the one who keeps the required documentation, and if something happens to your customers' data - you may be responsible for it);
Where to start?
As the owner of an online store, you will process customers' personal data in activities such as:
collecting newsletter signups;
collecting sign-ups for loyalty clubs, etc.;
selling your products;
contacting customers through forms;
the ability for customers to add product reviews;
activities related to website traffic analytics, cookies, and other tracking files (we have prepared a separate article on cookies for you).
Marketing Consents (GDPR and other regulations)
As the GDPR is directly applicable throughout the European Union, what you read in the previous section of this article is the same in your country. However, e-commerce law is governed not only by the GDPR, which is the same throughout the European Union, but also by other national regulations.
Therefore, when reading this part of the article on marketing consents, remember that it is an example based on the regulations in force in Poland. Different regulations will apply in your country (they will probably be similar in substance, but you should check).
It is impossible to imagine running an online store without effective marketing activities. Most of them (e.g., sending newsletters) will involve the processing of personal data, i.e., WE WILL OPERATE UNDER GDPR. But not only GDPR, because the need to obtain consent for most marketing activities in Poland stems from the Telecommunications Law and the Law on the provision of electronic services.
According to GDPR, any processing of personal data requires an appropriate legal basis (Article 6 (1) of GDPR). Simply put, whatever we do with our customers' personal data, we must base our operations on the premises listed in the above-mentioned provision of GDPR. The most well-known premise is the consent to process the data subject's data, but there are others, such as the legitimate interest of the Controller, or the performance of a contract.
Remember! Before you start processing your customers' personal data, check in Art. 6 GDPR which premise listed there corresponds to your actions - without this, you cannot legally process your customers' data.
It would seem logical that the appropriate basis for processing data for direct marketing is the consent of the data subject (Article 6(1)(a) GDPR) - but that would be a mistake!
This we already know. Now we need to remember that, in addition to GDPR, regulations under the Telecommunications Law and the Law on Provision of Electronic Services are relevant in the context of direct marketing.
What does this mean for us? Simply put, if we want to send information of a marketing nature, in most cases we will need the customer's consent.
What conditions should marketing consent meet?
For a customer's consent to receive marketing content from us to be legal, it must be:
VOLUNTARY - the customer must be able to refuse to receive marketing content;
CONCRETE - the customer must know what marketing activities they are agreeing to and the scope of those activities (we don't collect blanket consents that are confusing for the customer);
CONSCIOUS - the customer must know what they are actually consenting to;
UNIVERSAL - a clear affirmative action by the customer (checkboxes can no longer be checked by default, thus leaving no opportunity for self-checking);
EXPRESSED IN THE FORM OF A DECLARATION OR EXPRESS AFFIRMATIVE ACTION - when running a store, you have to show that the customer really did consent to marketing (in case of an audit, you will be the one who will have to show that the consents were properly collected).
In short, we cannot have any doubt that the customer wants to receive marketing content from us.
Tips for marketing consent
formulate consents in the simplest possible language;
add information to the consent clause that it can be withdrawn at any time;
use the Double Opt-In model when obtaining consent (you will learn about its advantages later in this article);
Examples of marketing consent clauses
Below is an example of a marketing consent clause that can be used when setting up a store account:
⬜ I declare that I am at least 16 years old (*16 is the minimum age of a person,
⬜ I agree to the processing of my personal data for marketing purposes and to receive commercial information from [store_name] using telecommunication terminal equipment (e.g., telephone) and electronic communication means that I have voluntarily entered (e.g., SMS or e-mail). ("optional field")
On the basis of this consent, we will be able to contact you via e.g. phone, SMS or e-mail (depending on what data you give us at registration) for the purpose of promoting [store_name]'s services or goods, including but not limited to presenting information about current promotions or marketing actions. At any time you can opt out of receiving commercial information from [store_name] by withdrawing your consent.
Example of marketing consent for newsletter subscription
Marketing activities are very often conducted through the Newsletter. Below is an example of a marketing consent for subscribing to the Newsletter:
⬜ I agree to receive free commercial information
Single opt-in, double opt-in - which model to choose when building a recipient base?
When building your Newsletter recipient base, you can use the following subscription models:
DOUBLE OPT-IN - the customer will receive a message with a link activating the Newsletter subscription, the so-called "registration confirmation message";
SINGLE OPT-IN - the customer will be immediately added to the Newsletter base without the need to confirm the subscription in the activation message.
We recommend choosing the Double Opt-in model. In this model, after a given email address is entered in the Newsletter subscription form, an automatically generated message with an activation link is sent to the user. Only after clicking on the received link is the user added to your subscriber base.
What should the registration confirmation email look like?
We present an example of the content of the email (in the double opt-in model) - Registration confirmation message:
Great! You're almost signed up for our exclusive newsletter. Before you click on the activation link, please read this information:
You can always correct or rectify your data, revoke your consent at any time, or even request data transfer or deletion. The list of entities to whom we entrust your data is here. We do this in order to provide our services to the best of our ability. Your data will be kept for as long as necessary to secure your rights (e.g. the warranty period or statute of limitations when you buy a product). If you have any questions or concerns, please email us at email@example.com. Your safety and trust are most important to us!
P.S. Remember that you can always file a complaint with the President of the Office for Personal Data Protection, based in Warsaw, Poland.
Build your customer base legally
Can I combine email and text message consents?
No, we recommend separating consents. This practice is indicated as recommended in Polish and European jurisprudence.
Still need help?
If you still have any questions about processing your customers' personal data, marketing consents, or other e-commerce law issues, go ahead and write to us at firstname.lastname@example.org