E-commerce and privacy: How private is 'private'?

The British public remains sceptical about the protection of their online data, presenting a challenge for online business owners, argues Carl Parslow

To the uninitiated, law can often seem like a different language – and nowhere is this truer than with online data protection. For the average internet user, it’s easy to feel as if there is some barely concealed conspiracy going on, with Facebook, Google, and Amazon all selling their personal data to the highest bidder for nefarious purposes.

If you’re someone who knows how online data protection works, you may scoff at this notion – and you might be right to. Still, scoffing does nothing to ease the fears of the 79 per cent of the British public who believe their online data is under threat and want more personal control over it.

There is genuine cause for concern when it comes to some of the big names. Facebook, in particular, has essentially privatised a lot of its users’ private information, at least according to a law professor from Columbia University. And, away from the big companies, there is also a reason to worry about the law surrounding e-commerce. Being a relatively new industry, there are a lot of legal grey areas.

Just to give you an idea of how recent this legal issue is, the two laws that all e-commerce sites should follow were both written less than 20 years ago: the Data Protection Act 1998 (which was updated on 1 December 2016) and the Electronic Commerce (EC Directive) Regulations 2002.

As a result, more important than explaining to customers that their data is safe is making sure that their data actually is safe. Recognising this gulf between the law as it currently stands and the very legitimate concerns of customers is the first step.

Defining e-commerce

The way e-commerce is defined is intentionally vague and there is a good reason for this. After all, the definition of e-commerce was created in 2002, way before the days of, say, Uber, and yet it is still very much applicable to the online taxi service. In short, any exchange of money for a service that happens online counts as e-commerce. As such, any company engaging in these activities is bound by the EC directive to protect their customers’ information according to their privacy policy.

What’s worth noting here is that the law applies to the privacy policy that an e-commerce company creates and that its customers agree to. In other words, though people may criticise Facebook for doing what it does with its users’ information, it does make a lot of this abundantly clear in its privacy policy: ‘We collect the content and other information you provide when you use our services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our services, such as the types of content you view or engage with or the frequency and duration of your activities.’

Facebook goes on to outline precisely what it does with its users’ information and, in doing so, it is obeying the law.

However, people accept Facebook’s extremely lax privacy policy for one very simple reason: the service is free. For e-commerce businesses, privacy policies should be – and, indeed, often are – a lot stricter.

Yes, you could get your customers to agree to a privacy policy which allows you to sell a lot of the information they give you. Yes, you would have the law on your side. However, you wouldn’t have your customers on your side, you wouldn’t have the 79 per cent of the public who worry about their private information on your side and, as a result, it would likely be extremely bad for your business.

So, while there’s no law stopping a business like Facebook from doing what it does, there are expectations from customers and the rest of the business world about what should be included in a privacy policy. These include things like a clear cookie policy and a clear policy on collected information usage. Also, unlike Facebook, e-commerce sites are bargaining with customers – they are trying to sell them a service and, as such, they should be willing to negotiate with customers on their privacy policy.

The key thing to remember here is the difference between what is legal and what is moral, between what customers expect and what e-commerce sites can get away with. It’s also important to remember that a privacy policy is a contract which differs from site to site. This means that if you disagree with your customer about what ‘privacy’ means, then you need to respect that. Otherwise, they can (and probably will) go elsewhere.

Carl Parslow is a partner and head of property and personal law at Parslows

@ParslowsJersey www.parslowsjersey.com