Privacy Policy for Dropshipping Websites and Stores

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: March 16, 2022


If you have a dropshipping store, you need a robust dropshipping privacy policy to comply with data processing laws. A well-written privacy policy for your dropshipping store will also inform customers about their rights and help you gain credibility.

Read on to learn about privacy policies for dropshipping websites, how to make one, where to place it, and the various privacy laws that affect dropshipping.

Table of Contents
  1. What Is Dropshipping?
  2. Does Your Dropshipping Business Need a Privacy Policy?
  3. Which Privacy Laws Affect Dropshipping?
  4. How to Create a Dropshipping Privacy Policy
  5. What To Include in Your Dropshipping Privacy Policy
  6. Tips for Making a Good Dropshipping Privacy Policy
  7. Where To Put Your Dropshipping Privacy Policy
  8. Summary

What Is Dropshipping?

To begin, let’s talk about what dropshipping is.

Dropshipping is an eCommerce business model in which the seller does not hold inventory. Instead, the seller forwards each order to a third party, such as a wholesaler or manufacturer, and pays that party to deliver the product directly to the customer.

Here’s how the dropshipping process works:

  1. Your customer places an order through your eCommerce store.
  2. Your store automatically sends the order to your dropshipping partner.
  3. Your dropshipping partner prepares your customer’s order.
  4. Your dropshipping partner ships the order directly to your customer.

Dropshipping is particularly common in international commerce. For instance, a retailer in North America can have wholesalers and manufacturers in East Asia ship products directly to its customers, saving on inventory cost and shipping time.

Traditionally, retailers had to spend a lot of time and money choosing, purchasing, storing, and shipping inventory. With the dropshipping model, you don’t buy anything until the customer has already paid you.

This business model also has many other benefits, including:

  • Accessibility: Anyone can start dropshipping as long as they have access to wholesalers and manufacturers willing to dropship.
  • Easier to test business ideas: Dropshipping requires less commitment because you don’t hold stock. You can try different product lines with limited downside, which teaches you what your audience wants and how to market and choose in-demand products.
  • Flexible location: You can run your dropshipping business from anywhere as long as you have an internet connection.

Does Your Dropshipping Business Need a Privacy Policy?

Yes, your dropshipping business needs a privacy policy. The law requires it and it’s the ethical thing to do.

A comprehensive dropshipping privacy policy is a legal requirement in most markets and, because you collect customers’ personally identifiable information, a first line of defence against regulatory complaints. A policy on its own does not shield you from liability, though: the practices it describes have to match what your store and your suppliers actually do.

Whenever someone buys a product from your shop, they give you personal information that identifies them. Privacy laws worldwide now require you to publish an easily accessible privacy policy on your site explaining how you handle that information.

These privacy laws (covered in the next section) define personal information as any data that identifies, or can be used to identify, contact, or locate, an individual, such as:

  • Biometric data
  • Credit card numbers
  • Mobile numbers
  • IP addresses
  • Screen names
  • Date of birth
  • Sexual orientation
  • Physical address
  • Political affiliations
  • Religious affiliations
  • Passport numbers
  • Full names

Which Privacy Laws Affect Dropshipping?

Many privacy laws around the world affect dropshipping. Some of the most important ones include:

General Data Protection Regulation (GDPR)

The European Union (EU)’s GDPR applies to any company that processes the personal data of people in the EU and the wider European Economic Area (Norway, Iceland, and Liechtenstein). If you offer goods or services to people in those countries, or monitor their behaviour, you need to comply with the GDPR whether or not you have an office there. The United Kingdom applies a near-identical UK GDPR after Brexit, and Switzerland has its own Federal Act on Data Protection, so shipping to customers in those countries brings similar obligations under separate laws.

To comply with the GDPR’s standards, you need a GDPR-compliant privacy policy for your dropshipping business that customers can access at any time. Among other things, it must identify the data controller, state the purposes and legal basis of each processing activity, say how long data is kept, disclose any transfers outside the EU, and explain how to exercise data subject rights.

California Consumer Privacy Act (CCPA)

The CCPA requires for-profit businesses that do business in California and collect Californian residents’ personal information to have a privacy policy if they meet one or more of these thresholds:

  • Annual gross revenues of more than $25 million
  • Half or more of their annual revenue comes from selling Californian residents’ personal information
  • Buy, sell, or share the personal information of 50,000 or more Californian consumers, households, or devices per year (the CPRA amendments raise this threshold to 100,000 consumers or households from January 1, 2023)

Even if your business falls below these thresholds, it is worth following the CCPA’s disclosure requirements: your users deserve to have their privacy rights safeguarded, and your store may grow into the thresholds later.

The CCPA requires you to tell consumers:

  • What data you have about them
  • How you use this data
  • How consumers can opt out of the sale (or sharing) of their data

California Online Privacy Protection Act (CalOPPA)

CalOPPA requires operators of commercial websites and online services that collect personally identifiable information from California consumers, including dropshippers, to post a privacy policy. It requires you to:

  • Inform your customers whenever you update your privacy policy. As such, put the last effective date of your privacy policy at the top of the page, so customers know whether they’re looking at the newest version, and tell customers how they will be notified of changes.
  • Put a link to your privacy policy in a conspicuous area of your site. Section 22577 of CalOPPA defines “conspicuously post” and requires links to your privacy policy to stand out from the surrounding text (e.g., by using a different font, color, or size, or by containing the word “privacy”).

Stop Hacks and Improve Electronic Data Security Act (SHIELD)

This New York law applies to any person or business that owns or licenses computerized data containing the private information of a New York resident, regardless of where the business is located. It requires you to:

  • Use reasonable technical, administrative, and physical safeguards to protect personal data
  • Notify affected individuals and the relevant state agencies (the Attorney General, the Department of State, and the State Police) of data breaches

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is Canada’s federal private-sector privacy law. It requires organizations that collect, use, or disclose personal information in the course of commercial activities to be open about their privacy practices, which in practice means publishing a privacy policy on your website.

Private sector organizations include corporations, partnerships, trade unions, and associations that are not government bodies. Non-profit organizations are covered only for their commercial activities.

PIPEDA’s reach outside Canada is narrower than the GDPR’s. According to the Office of the Privacy Commissioner of Canada, it applies to non-Canadian businesses only where there is a “real and substantial connection” to Canada, such as a store that markets and ships to Canadian customers.

Personal Information Protection Law (PIPL)

China’s PIPL came into effect on November 1, 2021, and is one of the strictest privacy regimes in the world.

Like the GDPR, the PIPL has extraterritorial reach: it covers any site or company that handles the personal information of individuals in China in order to sell them goods or services. It prohibits handling personal information in coercive or misleading ways and requires transparent notice, so you need a clear dropshipping privacy policy to comply with the PIPL. Otherwise, your customers won’t be able to understand how you handle their personal data.

Personal Data Protection Acts in Other Countries

Some Asian countries, such as Singapore, South Korea, and Malaysia, have personal data protection acts (PDPAs) that require companies to have privacy policies.

How to Create a Dropshipping Privacy Policy

Here are three ways to create a privacy policy for a dropshipping website and business:

Managed Solution

A managed solution is the simplest way to create a privacy policy for a dropshipping website. All you have to do is answer a series of questions about your business and how you will process consumers’ data. The app will then use your answers to create a finished policy.

Create a Dropshipping Privacy Policy Using Termly

Here’s how you can use Termly’s generator to create a comprehensive and compliant privacy policy for your dropshipping business.

Step 1: Go to Termly’s privacy policy generator.

Step 2: Answer a few simple prompts and questions, and go through all of the steps until you reach “Final Details.”

[Screenshot: the “Final Details” step of Termly’s privacy policy generator]

Step 3: Once you’ve filled in everything and you are satisfied with the preview, click “Publish.” You will then be prompted to create an account on Termly so you can save and edit your privacy policy further.

Template

A privacy policy template gives you much more leeway than a managed solution since you aren’t limited to answering specific questions. You can add, modify, and remove clauses and language from the template as needed.

A template also saves time since you don’t have to write anything from scratch if you like what’s already on the template. Furthermore, you’re free to change as little or as much of the template as needed.

Do-It-Yourself (DIY)

If you want complete control over the creation process, you can write your own privacy policy. This takes more time than a template or a managed solution and should only be considered if you know what you’re doing.

The sections below cover what such a policy must contain.

What To Include in Your Dropshipping Privacy Policy

Regardless of your jurisdiction, your dropshipping website’s privacy policy needs to include the following at a minimum:

  • Last updated date, introduction, and contact details
  • Why you’re requesting personal information from consumers
  • What types of personal information you collect
  • The rights consumers have over their data
  • How you process this information
  • Who you’re sharing the information with
  • How customers can contact you to exercise their rights (for example, to opt out of the sale of their data) or to ask for further information

You should cover these requirements in the following clauses:

Last Effective Date

Add a short sentence stating when your privacy policy was last updated. Here’s what this section looks like in Spotify’s privacy policy:

[Screenshot: the last-updated line of Spotify’s privacy policy]

Introduction

Begin your dropshipping site’s privacy policy with a brief explanation of how you use, process, and share personal data.

Here’s an example from Modalyst, a dropshipping service:

[Screenshot: the introduction of Modalyst’s privacy policy]

Your Contact Details

Next, you need to list your contact details to make it easy for your customers to contact you if they have any questions or concerns about your dropshipping store’s privacy policy.

An email address is enough in most cases, although larger companies with physical stores may also include postal addresses and telephone numbers. If the GDPR applies to you, the policy must also identify the data controller and, where you have appointed one, give the contact details of your data protection officer.

Put your contact information somewhere prominent, like at the beginning or end of the privacy policy. Modalyst chose to include theirs at the bottom:

[Screenshot: the contact section at the bottom of Modalyst’s privacy policy]

Personal Data Collected

Talk about what kind of data you collect and for what reasons. Be as specific as possible when listing the types and categories of data you collect from consumers.

For example, if your dropshipping store collects email addresses, names, credit card numbers, and mobile phone numbers every time someone makes a purchase — you need to tell customers that you do so.

Here’s how Modalyst lists the kind of information it collects from customers:

[Screenshot: the list of information collected in Modalyst’s privacy policy]

How and When You Collect Personal Data

It’s not enough to just list what kinds of information you collect. Most privacy laws require you to explain how and when you collect personal data.

If you only use a few simple ways to collect data, this section doesn’t have to be very long. Like Modalyst, you can just write a sentence or two explaining when and how you gather information from customers:

[Screenshot: the “when we collect data” sentence in Modalyst’s privacy policy]

Whatever length you choose, be thorough. If you gather data whenever users subscribe to your newsletter or submit forms, for instance, say so.

If you collect data in many ways, or through complex methods such as tracking and analytics, describe each method and when it applies.

How You Use Personal Data

Most data privacy laws require companies to state why they’re using customers’ personal data. As such, you need to explain how you use personal data in your dropshipping website’s privacy policy.

Although you should be as detailed as possible, don’t overwhelm the reader. Instead, sort different data types into categories so customers will have an easier time processing this section.

As an example, check out what Modalyst did for their “How We Use Your Personal Information” section:

[Screenshot: the “How We Use Your Personal Information” section of Modalyst’s privacy policy]

Consumer Privacy Rights

Next, list out the rights that customers have. But, don’t be overly broad — be specific about what rights consumers have and what they can do to exercise these rights.

The specific rights depend on which laws apply, but since anyone can buy from your dropshipping store, you should consider as many jurisdictions as possible.

For example, if you have customers in the EU, list the rights the GDPR grants them in this section even if you’re located in the US.

Similarly, if you have customers from California, you must tell them about their CCPA rights, including the right to know what personal information you have collected, the right to request its deletion, and the right to opt out of its sale.

That’s what Modalyst did in theirs:

[Screenshot: the consumer rights section of Modalyst’s privacy policy]

As you can see, Modalyst lists the rights of people in the EU to access, correct, or erase their personal data at any time, which are rights the GDPR grants them.

Information You Disclose or Share

Finally, outline who you share your customers’ data with.

In a dropshipping store this list is never empty: the supplier who fulfils the order necessarily receives at least the customer’s name and delivery address, so name that category of recipient. Many stores also share data with payment processors such as PayPal, and some share it with affiliated partners.

List what information is sold or shared and under what circumstances. Be clear about the identity and nature of the third parties and partners with whom you share it, and, where the GDPR applies, say whether any recipient is outside the EU and what safeguards cover the transfer.

Here’s how Levi Strauss & Co did it:

[Screenshot: the information-sharing section of Levi Strauss & Co’s privacy policy]

Tips for Making a Good Dropshipping Privacy Policy

Making a good privacy policy from scratch for your dropshipping business can be challenging — particularly if you’ve never done it before. So keep these tips in mind as you draft your dropshipping privacy policy:

  • Be clear and concise. Keep things simple and easy to understand. If you have a lot of information, consider using charts.
  • Tailor it to your business. As tempting as it may be simply to use an unedited template or, worse, copy and paste from someone, you need to have a privacy policy specific to your dropshipping business.
  • Update regularly. Ensure your privacy policy reflects your current privacy management practices. If your privacy management practices change, you need to update your policy immediately. Let people know when the information is updated by sending out emails and stating when the last update or review is at the top of your privacy policy for dropshipping.

Where To Put Your Dropshipping Privacy Policy

Once you’ve created your policy, put it in a prominent area of your site or app. It must be easy to find so users can read it before sharing personal data with you.

Here are three places you should put your privacy policy on your dropshipping website:

Website Footer

Your website or app footer is one of the best places to put a link to your privacy policy. It’s easily accessible and visible on every page. Place it next to your other key policies so customers can find it quickly.

Partake Foods, for instance, places its privacy policy link under “Terms” and above “Shipping and Returns.”

[Screenshot: the privacy policy link in Partake Foods’ website footer]

In Other Policies

You should also put a link in other key documents, such as your shipping policy, acceptable use policy, and Terms of Service. This will enable customers to move quickly between policies to find the information they need without having to search through your site.

A good example is Shopify’s Terms of Service. It contains links to their Privacy Policy, Acceptable Use Policy, Supplementary Terms of Service, and more.

[Screenshot: policy links within Shopify’s Terms of Service]

Points of Data Collection

Finally, you need to include a link to your policy at points of data collection to ensure that customers know what they’re consenting to before agreeing to share their personal information with you.

You should place links to your privacy policy at the following points of data collection:

  • Before a consumer completes a transaction
  • When a customer creates an account
  • When a consumer signs up to receive communications, newsletters, and marketing from you

Summary

If you run a dropshipping business, you must create a clear and concise privacy policy. It is required by various laws around the world, including the EU’s GDPR, California’s CCPA and CalOPPA, Canada’s PIPEDA, and more.

After you’ve created your privacy policy for your dropshipping store, post links to it in your site’s footer, within other policies, and at points of data collection so customers can read it before doing business with you.

Whenever you’re unsure what to include, look at the laws that apply to your store and customers and go from there.

For instance, if you have customers in the EU, you need to comply with the GDPR. So read through the GDPR and incorporate its required disclosures into your privacy policy. Make sure you’ve covered everything that needs to be covered in an easily digestible format, so your customers know how to exercise their rights.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
