Privacy policy for Ecommerce website

POPI has set very specific guidelines on the requirements for your privacy policy's. We take all of these into account when creating documentation in our store.

Placeholder Image

Many eCommerce shop owners don’t regard themselves as needing a Privacy Policy. This is based on a number of reasons, but some include that they believe their shops are too small to warrant a Privacy Policy, as Privacy Policies are for big businesses only. No matter the size of your business, as long as you collect and process personal data from entities, you will need a Privacy Policy. It is required by law. 

When do you need a Privacy Policy?

You need a privacy policy for as long as your website collects personal information of users. 

Personal information comprises any information which allows for you to identify a user, such as e-mail addresses, physical addresses, names and the like.

In order to run an eCommerce store, you will always be required by law to have a Privacy Policy. 

What should be included in a Privacy Policy?

What Personal information you collect

You are required to disclose the various types of personal information that you collect from users, and where such personal information is collected. For example, if you collect customers names, email addresses and credit card details when they buy something from your website, you must record this in the Privacy Policy.

The Budweiser Privacy Policy above clearly outlines which personal information the company collects and where they collect the information. 

Why you need to collect Personal Information 

Privacy laws require you to collect only the personal data that you need, and to explain why you need it. As such, your Privacy Policy must clearly record this.

This is probably one of the most important clauses in your Privacy Policy. As such, it should be clear, simple to understand and accurate in order to ensure compliance with the law and that customers are comfortable that their Personal Information will only be used for the purposes stated in the Privacy Policy.

A great example of this is Nestle (below):

Nestle provides a step by step account of why they need the Personal Information they collect.

Airbnb is another great example of a webshop that clearly defines what reasons the collection of Personal Information is needed for.

Who such Personal Information is shared with

Most websites use one or more third party tools to enhance site performance and user experience. Examples might include Google Analytics to understand your website visitors, or AdSense for personalized advertising.

Further, in order to fulfil the delivery of items ordered from your online store, you might have to appoint external couriers. In doing so, you will have to share at least the physical address of the user with the courier.

The categories of all third parties to which personal data is shared with must be recorded in your Privacy Policy.

Here’s how Instagram does this:

How to Opt Out of Data Collection

Your users are allowed to request a change, correction or deletion of their Personal Information. Your Privacy Policy should include guidelines for the opting out of ongoing data collection, correcting or deleting Personal Information, as well as for obtaining a copy of any personal data already collected. 

Nike clearly provides this information in its Privacy Policy:


Although not a requirement in terms of South African law, the European GDPR requires that a Privacy Policy (of a separate cookie policy) state whether or not cookies will be used and require users to consent to such use prior to any cookie processing. 

In this disclosure, you must identify the cookies or data trackers, explain their purposes and detail the type of data retrieved from the cookies or data trackers. 

You should also list all sites, companies and organizations that will collect or receive data retrieved from cookies or data trackers.


Your Privacy Policy should address data-security concerns of shop users. The policy should include language that expresses your stores’ commitment to safeguarding personal data and explain the steps used to ensure that it is safeguarded at all times.

Orders from outside South Africa

What happens if your eCommerce website takes international orders with you having to collect Personal Information from customers outside South Africa? You could be required to ensure that you draft a Privacy Policy that complies with the privacy regulations in the countries in which your customers reside. 

For example, if your shop collects any Personal Information from any European Union (EU) resident, your Privacy Policy needs to comply with the General Data Protection Regulation (GDPR). The General Data Protection Regulation is a regulation in terms EU law pertaining to data protection and privacy. 

Non- compliance 

Ensuring that your business protects the personal information entrusted to it is very important and there are severe consequences put in place to ensure that businesses comply with POPI.  Non-compliance with the requirements of the POPI Act may lead to the imposition of an administrative fine or even imprisonment. It is therefore essential that you ensure that your Privacy Policy is POPI compliant.

How can you ensure that your Privacy Policy is GDPR compliant?

The GDPR requires you to give at least one legal basis for processing personal data of customers. There are 6 legal bases, which are as follows:

  • The data subject has given consent to the processing

  • Processing is necessary for performance of a contract between the two parties

  • Processing is necessary for compliance with a legal obligation

  • Processing is necessary to protect the data subject’s vital interests

  • Processing is necessary in order to protect a public interest or exercise official authority

  • Processing is necessary for the purpose of legitimate interests, so long as fundamental rights and freedoms aren’t infringed

How long you’re going to store the data

The GDPR obliges you to inform your customers about “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”.

Who Your Data Controller is and Contact Information

If you control the personal information of your customers or you process it for some other company, inform your customers about it. Tell them who you are and what your role is when it comes to their data. If it is not you who processes the data, your policy should clearly state the name and details of the company that will be controlling and processing the personal data. 

Whether You Use Data to Make Automated Decisions

If you use automated decision making (for example for credit scoring or for profiling users) to provide services/products to your users, disclose this.

Inform Users of the 8 Rights They Have Under the GDPR

The GDPR requires you to tell your users about their 8 rights under the GDPR, which are:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights related to automated decision making and profiling

  • You can comply with this requirement by merely stating the rights of your customers as above or you can provide details about the rights afforded to them. 

Whether You Transfer Data Internationally

If you transfer personal data internationally, you will have to mention it in your Privacy Policy. It is important to state why and to whom the data will be transferred to. Your policy should also mention how you will secure the information of the customers.