Privacy Policy for Dropshipping

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 March 2023.

Dropshipping often appeals to people new to online businesses but it carries some significant data privacy implications. The way you handle customer data means you may be covered by several data processing laws.

A clear Privacy Policy will help you follow these laws while keeping customers informed and building your credibility.

Let's take a look at what's required for your dropshipping Privacy Policy and how to create your own compliant agreement.


How Does Dropshipping Work?

Dropshipping is a business model where the seller does not hold stock or deliver products themselves. Instead, they take an order from a customer and then pay a third party (such as a manufacturer or wholesaler) to provide the product and deliver it directly to the customer.

Most commonly, dropshipping works where the manufacturer or wholesaler either doesn't or can't market itself to potential customers. This could involve a specialist audience that's hard to identify and reach, creating an opportunity for the dropshipper. Another common situation is a dropshipper in one country finding local customers for a product manufactured in another country.

The key is that the customer is willing to pay a higher price for the product than the manufacturer or retailer is willing to accept to sell and deliver it. This leaves a profit margin for the dropshipper that effectively acts as a reward for finding the customer.

Although profits for the dropshipper may be lower than from more traditional business models, the main advantage is not having to cover the costs or logistics of handling stock. It also means not having to take risks on purchasing or ordering stock that might not sell.

Dropshipping can have drawbacks, particularly where manufacturers and wholesalers are unreliable or have poor quality products, so you should always investigate any opportunities carefully.

Why Does Dropshipping Require a Privacy Policy?

Having a Privacy Policy for your dropshipping business can be both a legal requirement and a sensible idea.

Publishing a Privacy Policy builds trust with customers. It shows that you treat them with respect and are not out to scam them. This can be particularly important if you are selling goods cheaply or selling goods which aren't readily available in stores in a particular market.

If you use any online services for dropshipping such as a website builder or online payment facility, the service's Terms and Conditions agreement may require a Privacy Policy.

The nature of a dropshipping business means several elements of your activity may come under laws that require a Privacy Policy and related actions. Not only do you collect and process data about customers, but you inherently share it with third parties (suppliers, wholesalers or manufacturers). These third parties will often be in a different country from you, from the customer, or from both.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

Which Laws Could Affect Dropshipping?

The following are just some of the laws that may require a Privacy Policy. Remember that you need to take into account the locations of your business, your customers, the business supplying and shipping the goods, and any data centers you use.

General Data Protection Regulation (GDPR)

The GDPR applies in any of three circumstances:

  • You are in a European Union country
  • Your customer is in a European Union country
  • Data processing takes place in a European Union country (for example, in a data center or by a supplier)

The key requirement of the GDPR is to only process personal data under specific lawful conditions, most commonly that you have obtained the person's consent in advance.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA applies if you are in Canada and use personal information for commercial purposes. The main exemption is where a similar provincial or territorial law applies and you only handle data within that province or territory.

The key requirement of PIPEDA is to follow 10 fair information principles, including getting consent and publishing a Privacy Policy.

Stop Hacks and Improve Electronic Data Security Act (SHIELD)

This New York state law applies if you handle computer data about a New York resident, regardless of your location.

The key requirements of the SHIELD Act are to use reasonable administrative, technical and physical safeguards to protect personal data, and to notify affected individuals and relevant state agencies of any data breach.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal regulation that applies if your website is aimed at people under 13 or you know that people aged under 13 are using it. (Remember that dropshipping goods to children could cause problems in some jurisdictions as your contract with them may be unenforceable.)

If COPPA applies, you must get the consent of a parent or guardian to collect and use personal data about the child. You must verify the identity of the parent or guardian.

California Consumer Privacy Act (CCPA/CPRA)

The CCPA is a state law that is unlikely to affect a new dropshipping business, but is worth bearing in mind if you plan to grow. It applies if your business has annual gross revenues of more than $25 million, if you buy or sell personal data of more than 100,000 California residents a year, or if you make more than half your revenue from sharing or selling personal data about California residents.

The key requirements are to tell people what data you have about them and how you use it, and to let them opt out of you selling their data.

Note that the CCPA was amended by the California Privacy Rights Act (CPRA).

Consumer Data Protection Act (CDPA)

The CDPA is a Virginia state law that's similar in concept to California's CCPA. It applies if you use the personal data of more than 100,000 Virginia residents or make at least half of your revenue from selling personal data.

The key requirements are to tell people what data you have about them and how you use it, and to let them opt out of you selling their data, using sensitive data, or using data for targeted advertising and profiling.

Lei Geral de Proteção de Dados (LGPD)

The LGPD is a Brazilian national law that applies in four cases:

  • You process data about somebody living in Brazil
  • You process data in Brazil
  • You collect data in Brazil
  • You process data to offer or provide goods or services in Brazil

It doesn't matter whether you are in Brazil yourself.

The key requirements of the LGPD are similar to those of the GDPR. You must get consent to process data for a specific, stated purpose.

What to Include in Your Dropshipping Privacy Policy

Different laws (and Terms and Conditions from online platforms) have different requirements for your Privacy Policy. The simplest approach is to use all of the following, even if a specific law does not require it. This will make your life easier if you expand your dropshipping business to deal with customers or suppliers in new jurisdictions.

Your Identity and Contact Details

Most data protection laws require that you tell people who you are and how to contact you. Ideally you should let people contact you regarding data protection in the same way that they can contact you for other enquiries. Don't create special conditions for data protection contact (for example, making it physical mail only) as this may breach the spirit or letter of data privacy laws.

Some laws say you must have a dedicated data protection officer. If you run a dropshipping business and have no staff, this can be yourself, though you should make sure you have a good understanding of the applicable laws and regulations.

The Open University provides a range of contact methods:

Open University Privacy Policy: Contact clause

What Data You Collect

In most cases your Privacy Policy can give a broad outline of the types of data that you collect or use, including using categories rather than precise details. You can then tell customers individually if you collect any data in their case that goes beyond what's in your Privacy Policy.

Aim to follow the principle that a customer who reads your Privacy Policy and any individual communications should be able to reasonably work out whether or not you collect a particular piece of data. This principle is at the heart of most data protection laws, even if they don't require advance consent to use data.

Azets gives a clear yet extensive breakdown of the types of data it collects:

Azets Privacy Statement: Personal data that we process about you clause excerpt

How You Use the Data

Most data protection laws say people have a right to know how and why you will use their personal data. Often any right you get to use the data by informing people or getting their consent will be limited to using that data for a specific purpose.

Aim for a sensible balance between giving enough detail about the different ways you use data to be useful and informative, but not giving so many examples that you overwhelm the reader. Again, the customer should be able to reasonably work out whether or not you use their data in a particular way.

Belmond covers both specific examples and general principles for using data:

Belmond Privacy Policy: Use of Personal Data clause

Whether You Share Data

Many data protection laws say you must tell people whether you pass on their data to third parties. Depending on the law, this could simply cover selling the data or also include sharing it without a fee.

This is particularly likely to be relevant to dropshipping as you inherently need to give your customer's delivery address and other contact details to your supplier.

With some data protection laws, the fact a customer has ordered a particular product is also classed as personal data as, for example, it could build up a profile of their tastes and interests.

As with collecting data, in most cases your Privacy Policy can give a broad outline of the types of data that you share, including using categories rather than precise details. You can then tell customers individually if you share any of their data in a way beyond what's in your Privacy Policy.

Different laws have different requirements on whether you must tell people the precise identity of who you share data with, or if you can give a broad outline such as "with suppliers."

Forbes gives extensive details on when, how and why it shares personal data:

Forbes Privacy Policy: Sharing of Information clause

Data Access Rights

Depending on which data protection laws apply, customers may have rights including the following:

  • Knowing what data you have about them
  • Correcting any mistakes in the data
  • Asking you to delete any outdated or irrelevant data
  • Getting a copy of the data in a form that's easy to transfer to another business ("data portability")

Your Privacy Policy should do the following:

  • List the applicable rights
  • Give contact details and other information needed to exercise these rights
  • Give guidelines for how long you'll take to respond
  • Explain what happens if you can't or won't do what the customer has asked

Happn gives specific instructions for exercising specific rights:

Happn Exercise Your Rights page: Access, modification, rectification and deletion of data clauses

International Data Transfers

Some data protection laws, most notably the GDPR, limit the way you transfer data to countries other than those where you or the customer are based. The main principle of those rules is that you must make sure the data enjoys the same level of protection as it does in the customer's country.

In some cases this is covered by a set of rules. For example, the GDPR's "data adequacy" program means it's fine to send the data to specific countries that have been judged as having equivalent levels of protection for personal data to European Union countries.

In other cases, you may have to include an enforceable contract term in your arrangements with suppliers to make sure they protect the data to the appropriate standards.

If any international data transfer laws apply, you should mention them in your Privacy Policy and explain how you meet the laws.

Stripe explains that it does transfer data internationally and how it protects the data:

Stripe Privacy Policy: International Data Transfers clause

Now that you have an idea of what sections to add to your dropshipping Privacy Policy, let's take a look at the best ways to display it to your customers.

Displaying Your Dropshipping Privacy Policy

For most data protection laws, publishing your Privacy Policy on your website is the most appropriate way to make sure customers can access it. You should prominently highlight the policy, for example by including it in site navigation menus and in your website footer.

You should also link directly to the policy from any point in the ordering process when the customer is about to provide personal data, for example when creating an account or placing an order.

Several data protection laws explicitly state that your Privacy Policy must use clear and understandable language. To aid comprehension, break your policy up into relevant sections with clear subheadings.

If your policy is particularly long, consider using drop-down sections where users can click on a heading to see the relevant text.

Nestle uses a summary Privacy Policy with links to more detailed information on specific topics:

Nestle Privacy Policy: excerpt with More Information links highlighted

Summary

Let's recap what you need to know about dropshipping and Privacy Policies:

  • Dropshipping involves finding customers and taking orders but having a third party provide and ship the products.
  • Having a Privacy Policy builds trust with customers. It's also useful or necessary to comply with various privacy laws including the following:

    • GDPR (customers or data processing in the European Union)
    • PIPEDA (business and customers both in Canada)
    • SHIELD (customers in New York state)
    • COPPA (customers aged under 13)
    • CCPA (CPRA) (large customer base in California)
    • CDPA (large customer base in Virginia)
    • LGPD (customers in Brazil)
  • Your Privacy Policy should include the following:

    • Your contact details
    • What data you collect
    • How you use the data
    • Whether you share data
    • What data rights the customer has and how to exercise them
    • Whether you transfer data to other countries and, if so, how you protect it
  • You should display your privacy policy on your website, highlight it, and link to it from any point where you collect data.
  • Use clear language and break your policy down into clear sections.