Why Ecommerce Stores Have More Data Obligations
Online retailers collect more personal information than most businesses. A typical ecommerce transaction involves not just contact details, but sensitive payment and shipping information. Under the Privacy Act 1988, ecommerce stores must carefully disclose how this data is collected, stored, and used.
Data types ecommerce platforms collect:
- Purchase history: Product names, quantities, order dates, amounts paid
- Payment information: Credit card details, billing addresses, transaction IDs (though processors handle this)
- Shipping addresses: Full residential addresses, phone numbers for delivery
- Account data: Names, emails, password hashes, login history
- Behavioural data: Browsing history, items viewed, abandoned cart contents
- Email address for marketing: Newsletter signups and promotional preferences
- IP addresses and cookies: Tracked via analytics and retargeting pixels
Each of these requires specific disclosure in your Privacy Policy under the Privacy Act.
Payment Data: The PCI DSS Compliance Note
If you accept credit cards on your website, you're subject to PCI DSS (Payment Card Industry Data Security Standard), a global security standard for payment data. This is separate from privacy law but often confused with it.
Important clarification: Even if you use Stripe, Shopify Payments, or PayPal, you are responsible for PCI compliance. These processors handle the actual card data, but you're still liable for how you store and transmit customer information.
Your Privacy Policy must state:
- Which payment processor you use (Stripe, PayPal, Square, etc.)
- How payment data is stored: "We do not store credit card details. Payment processing is handled by [Processor Name]."
- Security measures: SSL encryption, PCI DSS compliance, secure transmission
- Data retention: How long transaction records are kept for reconciliation and tax purposes
Retargeting Pixels & Abandoned Cart Tracking
Most ecommerce stores use retargeting pixels from Meta (Facebook Pixel), Google Ads, or similar platforms to show ads to customers who abandoned their carts or browsed products. Under Australian privacy law, you must disclose this practice.
What pixels collect:
- Meta Pixel: Tracks page views, products viewed, items added to cart, purchases
- Google Ads conversion tag: Tracks completed purchases and transaction value
- Pinterest Tag: Tracks ecommerce behaviour for retargeting
Your Privacy Policy must include a section like: "We use Meta Pixel to track visitor behaviour for retargeting. This allows us to show you ads on Facebook and Instagram for products you've viewed. For more information, visit [Meta's Privacy Policy link]."
Email Marketing & The Spam Act 2003
If you send marketing emails to customers, you must comply with the Spam Act 2003. This is separate from privacy law but often regulated together:
- Consent is required: Before sending marketing emails, you must have explicit consent from the customer
- Unsubscribe must be easy: Every marketing email must have an unsubscribe link
- Contact details required: Your email must include your business name and contact address
In your Privacy Policy, explain how you collect email addresses for marketing (e.g., "You can opt in to our newsletter at checkout or in your account settings") and how to unsubscribe.
Returns, Refunds & Account Deletion Rights
Ecommerce businesses often struggle with data retention after customer returns or refunds. Your Privacy Policy must address:
- Returns process: When a customer returns a product, what data do you keep? Their address, order history, etc.
- Refund data: How long you keep transaction records for refund tracking and chargeback protection (typically 3-6 months for chargebacks)
- Account deletion: What happens when a customer requests their account be deleted? Do you delete: order history, contact information, payment records?
- Tax and accounting retention: You may legally be required to keep customer data for 5 years for tax purposes under Australian tax law
Example Privacy Policy text: "We retain customer order history for 5 years for tax and compliance purposes. You can request deletion of your personal account, but transaction records for chargebacks and tax purposes are kept for 12 months after purchase."
Loyalty Programs & Data Retention
If you run a loyalty or rewards program, this affects privacy obligations:
- Extra data collection: Loyalty programs typically collect more personal data: birthdate, purchase frequency, preferences, phone number
- Extended retention: You'll need to keep loyalty member data longer than regular customers (often for the life of their membership)
- Third-party sharing: If you use a loyalty platform (e.g., Loyalty Lion, LoyaltyLion), you're sharing data with them — must be disclosed
Your Privacy Policy should include a section: "Our loyalty program collects additional data including [specify]. This data is retained for [period] or until program membership ends."
Cookies & Cookie Disclosure
Australia doesn't have a mandatory cookie law like GDPR, but good practice is to disclose your cookie use in your Privacy Policy:
- Essential cookies: For cart, checkout, authentication (required for site function)
- Analytics cookies: Google Analytics, Hotjar (track user behaviour)
- Marketing cookies: Meta Pixel, Google Ads (enable retargeting)
- Third-party cookies: From social media widgets, embedded content
Link to your cookie policy from your Privacy Policy if you have a separate one.
Information to Prepare Before Generating
- Your business name and ABN
- Physical business address
- Primary contact email for privacy inquiries
- Payment processors you use (Stripe, Shopify Payments, PayPal, etc.)
- Retargeting platforms (Meta Pixel, Google Ads, etc.)
- Email marketing platform (Mailchimp, Klaviyo, etc.) if applicable
- Analytics tools (Google Analytics, Hotjar, etc.)
- Loyalty program details (if applicable)
- Data retention policies: How long you keep customer data after refunds, returns, account deletion
- Countries where data is stored (e.g., "Stripe in US, Google Analytics globally")