The EU-based Etsy sellers or merchants who offer their listings to shoppers in the territory are required to have a GDPR policy for their Etsy shop. However, merchants embarking on such a mission may wonder where to start. Here is a guide for sellers aiming to create a GDPR policy for an Etsy shop:
Understanding the GDPR
The General Data Protection Regulation (GDPR) guards how personal information is collected and used by businesses and protects the privacy rights of online shoppers. It grants buyers entitlement to certain information, including when, why, how, by whom, and for what purpose personal information is collected, used, and shared.
Creating a GDPR policy for Etsy shop
Giving buyers information about how and why a seller is going to use their personal data is the heart of a privacy policy.
Sellers should first ask for ‘express consent’ from their buyers. Express consent means that merchants can send them marketing or promotional messages, if a buyer has indicated their consent for sellers to do so through an explicit affirmative action, such as a buyer agreeing in an Etsy Convo or email to receive marketing messages from merchants. Otherwise, merchants can run a risk of breaching an Etsy policy and face a criminal offence in some countries.
Merchants should also note that even once they have express consent to send marketing messages, they must respect buyers’ requests to opt out of receiving further marketing messages, as consent can be revoked at any time.
The GDPR requires a seller to provide certain information to their buyers in their privacy policy, including:
- the personal information a seller collects.
- the legal bases a merchant relies on to collect, use, and share personal information.
- how they will use it to fulfil orders.
- the third parties with whom a seller shares personal information.
- the length of time a seller keeps personal information.
- if their transferring personal information outside of Europe (for example, if a merchant moves their business to the United States and continues to sell to buyers in Europe, or uses a third-party provider located outside of Europe, or uses Google Cloud to host some of their buyers’ information), how the transfer will be handled.
- a buyers’ rights regarding the use of their personal information.
- how a buyer can contact a seller with privacy-related requests.
How to introduce a privacy policy to buyers?
Etsy say that sellers can use this template to introduce the GDPR policy to their buyers:
“This Privacy Policy describes how and when I collect, use, and share information when you purchase an item from me, contact me, or otherwise use my services through Etsy.com or its related sites and services.
This Privacy Policy does not apply to the practices of third parties that I do not own or control, including Etsy or any third party services you access through Etsy.”
Sellers can reference the Etsy Privacy Policy so buyers can learn more about Etsy’s privacy practices.
Sticking to this how-to guide for marketing messages and creating a privacy policy for sellers’ businesses will help them to comply with their obligations under the GDPR. It will also signal to buyers that merchants take privacy seriously and have their customers’ best interests at heart.
However, Etsy says that this information is for educational and informational purposes only. The content should not be construed as legal advice. It is not intended to create, and receipt of it does not constitute a lawyer-client relationship.
Sellers are advised to visit this EU GDPR help site and read Articles 13 and 14 for more details on the information that must be included in sellers’ privacy policy to comply with the GDPR.
