Dropshipping often appeals to people new to online businesses but it carries some significant data privacy implications. The way you handle customer data means you may be covered by several data processing laws.
- How Does Dropshipping Work?
- Which Laws Could Affect Dropshipping?
- General Data Protection Regulation (GDPR)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Stop Hacks and Improve Electronic Data Security Act (SHIELD)
- Children's Online Privacy Protection Act (COPPA)
- California Consumer Privacy Act
- Consumer Data Protection Act (CDPA)
- Lei Geral de Proteção de Dados (LGPD)
- Your Identity and Contact Details
- What Data You Collect
- How You Use the Data
- Whether You Share Data
- Data Access Rights
- International Data Transfers
- Summary
How Does Dropshipping Work?
Dropshipping is a business model where the seller does not hold stock or deliver products themselves. Instead, they take an order from a customer and then pay a third party (such as a manufacturer or wholesaler) to provide the product and deliver it directly to the customer.
Most commonly, dropshipping works where the manufacturer or wholesaler either doesn't or can't market itself to potential customers. This could involve a specialist audience that's hard to identify and reach, creating an opportunity for the dropshipper. Another common situation is a dropshipper in one country finding local customers for a product manufactured in another country.
The key is that the customer is willing to pay a higher price for the product than the manufacturer or wholesaler is willing to accept to sell and deliver it. This leaves a profit margin for the dropshipper that effectively acts as a reward for finding the customer.
Although profits for the dropshipper may be lower than from more traditional business models, the main advantage is not having to cover the costs or logistics of handling stock. It also means not having to take risks on purchasing or ordering stock that might not sell.
Dropshipping can have drawbacks, particularly where manufacturers and wholesalers are unreliable or have poor quality products, so you should always investigate any opportunities carefully.
Which Laws Could Affect Dropshipping?
General Data Protection Regulation (GDPR)
The GDPR applies if:
- You are established in a European Union country (it then covers all of your processing, wherever the data is physically handled)
- You are outside the EU but offer goods or services to people who are in the EU, which a dropshipper shipping to EU customers does
- You are outside the EU but monitor the behaviour of people in the EU, for example through tracking cookies or profiling
Using an EU-based supplier or data center does not by itself bring you within scope, although that supplier will be subject to the GDPR for its own processing.
At the time of writing, the GDPR's measures also applied in the United Kingdom under domestic law (the "UK GDPR").
The key requirement of the GDPR is to only process personal data under one of its lawful bases. For a dropshipping order, the usual basis is that the processing is necessary to perform your contract with the customer (taking payment and shipping the goods). Consent is needed for uses that go beyond that, such as marketing emails; it must be obtained in advance, be specific to the purpose, and be as easy to withdraw as it was to give.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies if you are in Canada and use personal information for commercial purposes. The main exemption is if a provincial law deemed substantially similar to PIPEDA applies (as in Quebec, British Columbia and Alberta) and you only handle data within that province.
Stop Hacks and Improve Electronic Data Security Act (SHIELD)
This New York state law applies if you hold private information about a New York resident in computerized form, regardless of where your business is located.
The key requirements of the SHIELD Act are to use reasonable administrative, technical and physical safeguards to protect personal data, and to notify affected individuals and relevant state agencies of any data breach.
Children's Online Privacy Protection Act (COPPA)
COPPA is a U.S. federal regulation that applies if your website is aimed at people under 13 or you know that people aged under 13 are using it. (Remember that dropshipping goods to children could cause problems in some jurisdictions as your contract with them may be unenforceable.)
If COPPA applies, you must get the consent of a parent or guardian to collect and use personal data about the child. You must verify the identity of the parent or guardian.
California Consumer Privacy Act
The CCPA is a state law that is unlikely to affect a new dropshipping business, but is worth bearing in mind if you plan to grow. It applies if your business has annual gross revenues of more than $25 million, if you buy, sell or share the personal data of a large number of California residents a year (50,000 under the original law; the CPRA amendments raised this to 100,000 from 2023), or if you make more than half your revenue from selling or sharing personal data about California residents.
The key requirements are to tell people what data you have about them and how you use it, to let them opt out of you selling (or, since the CPRA amendments, sharing) their data, to delete their data on request, and not to treat them worse for exercising these rights.
Consumer Data Protection Act (CDPA)
The CDPA is a Virginia state law that's similar in concept to California's CCPA. It applies if you control or process the personal data of at least 100,000 Virginia residents a year, or of at least 25,000 residents while making more than half of your gross revenue from selling personal data.
The key requirements are to tell people what data you have about them and how you use it, and to let them opt out of you selling their data, using sensitive data, or using data for targeted advertising and profiling.
Lei Geral de Proteção de Dados (LGPD)
The LGPD is a Brazilian national law that applies in four cases:
- You process data about somebody living in Brazil
- You process data in Brazil
- You collect data in Brazil
- You process data to offer or provide goods or services to people in Brazil
It doesn't matter whether you are in Brazil yourself.
The key requirements of the LGPD are similar to those of the GDPR: you may only process personal data under one of its legal bases, for a specific, stated purpose. Consent is one such basis; performing a contract with the customer (taking and fulfilling an order) is another.
Your Identity and Contact Details
Most data protection laws require that you tell people who you are and how to contact you. Ideally you should let people contact you regarding data protection in the same way that they can contact you for other enquiries. Don't create special conditions for data protection contact (for example, making it physical mail only) as this may breach the spirit or letter of data privacy laws.
Whether you must appoint a data protection officer depends on the law and the scale of your processing; the GDPR, for example, only requires one in specific cases such as large-scale, regular monitoring of individuals. Where one is required and you run a dropshipping business with no staff, this can be yourself, though you should make sure you have a good understanding of the applicable laws and regulations.
The Open University, for example, provides a range of contact methods in its privacy notice.
What Data You Collect
Azets, for example, gives a clear yet extensive breakdown of the types of data it collects.
How You Use the Data
Most data protection laws say people have a right to know how and why you will use their personal data. Whatever basis you have for using the data, whether informing people or getting their consent, is usually limited to the specific purpose you stated ("purpose limitation"). Using a customer's order details to send marketing, for example, is a separate purpose from fulfilling the order and needs its own basis.
Aim for a sensible balance between giving enough detail about the different ways you use data to be useful and informative, but not giving so many examples that you overwhelm the reader. Again, the customer should be able to reasonably work out whether or not you use their data in a particular way.
Belmond, for example, covers both specific examples and general principles for using data.
Whether You Share Data
Many data protection laws say you must tell people whether you pass on their data to third parties. Depending on the law, this could simply cover selling the data or also include sharing it without a fee.
This is particularly likely to be relevant to dropshipping as you inherently need to give your customer's delivery address and other contact details to your supplier.
With some data protection laws, the fact a customer has ordered a particular product is also classed as personal data as, for example, it could build up a profile of their tastes and interests.
Different laws have different requirements on whether you must tell people the precise identity of who you share data with, or if you can give a broad outline such as "with suppliers."
Forbes, for example, gives extensive details on when, how and why it shares personal data.
Data Access Rights
Depending on which data protection laws apply, customers may have rights including the following:
- Knowing what data you have about them
- Correcting any mistakes in the data
- Asking you to delete any outdated or irrelevant data
- Getting a copy of the data in a form that's easy to transfer to another business ("data portability")
Your Privacy Policy should:
- List the applicable rights
- Give contact details and other information needed to exercise these rights
- Give guidelines for how long you'll take to respond (the GDPR, for example, generally requires a response within one month, extendable for complex requests)
- Explain what happens if you can't or won't do what the customer has asked
Happn, for example, gives specific instructions for exercising specific rights.
International Data Transfers
Some data protection laws, most notably the GDPR, restrict transferring personal data to countries outside the jurisdiction where it was collected (for the GDPR, outside the European Economic Area). The main principle of those rules is that the data must continue to enjoy essentially the same level of protection as it does in the customer's country.
In some cases this is covered by a set of rules. For example, the GDPR's "adequacy decisions" mean it's fine to send the data to specific countries that the European Commission has judged to have a level of protection for personal data equivalent to that of the European Union.
In other cases, you may have to include enforceable contract terms in your arrangements with suppliers to make sure they protect the data to the appropriate standards; under the GDPR the usual mechanism is the European Commission's Standard Contractual Clauses. This matters for dropshipping because your supplier is frequently in another country and inherently receives each customer's name and delivery address.
Stripe, for example, explains that it does transfer data internationally and how it protects the data.
You should also link directly to the policy from any point in the ordering process when the customer is about to provide personal data, for example when creating an account or placing an order.
If your policy is particularly long, consider using drop down sections where users can click on a heading to see the relevant text.
Let's recap what you need to know about dropshipping and Privacy Policies:
- Dropshipping involves finding customers and taking orders but having a third party provide and ship the products.
- Several data protection laws could apply, depending on where you and your customers are, including:
- GDPR (business or customers in the European Union, or in the UK under the UK GDPR)
- PIPEDA (business in Canada handling personal information commercially)
- SHIELD (customers in New York state)
- COPPA (customers aged under 13)
- CCPA (large customer base in California)
- CDPA (large customer base in Virginia)
- LGPD (customers in Brazil)
- Your Privacy Policy should cover:
- Your contact details
- What data you collect
- How you use the data
- Whether you share data
- What data rights the customer has and how to exercise them
- Whether you transfer data to other countries and, if so, how you protect it
- Use clear language and break your policy down into clear sections.