How to make sure your Singapore e-commerce business complies with privacy laws

Singapore’s economic development boom and the increasing penetration of mobile and internet services in the region has increased the need for cyber law reform in the area. Singapore has led the charge on a number of fronts, including privacy law, cloud computing law, and electronic transactions. With these changes in place, it’s important that new e-commerce businesses in Singapore and those who have customers in Singapore are aware of the laws in place that they must comply with.

What is the law?

In Singapore, the primary governing act is called the Personal Data Protection Act 2012 (PDPA). The PDPA provides for the rights of consumers to have their personal data protected, as well as the rights of companies such as your e-commerce business to collect that data for legitimate and reasonable purposes.

The purpose of the PDPA is to regulate the flow of personal data, and satisfy the concerns of individuals about how their data is used. In this way, the PDPA hopes to strengthen Singapore’s role as a trusted, competitive hub for businesses to be based.

The PDPA has three main concepts that make it up:

1. Consent;
2. Purpose; and
3. Reasonableness.

This means that your e-commerce business should only collect, use, or disclose personal data with your customers’ consent, and make sure that you only use that data in an appropriate way (considering the circumstances). You must inform your customers of the purposes for which you will use their data.

The “reasonableness” concept means that you can only use your customers’ data for uses that are considered appropriate or reasonable in the circumstances.

For example, for your e-commerce business, it would be reasonable to collect customer data so that you can target new markets, send out special deals, or order more of a popular product.  Here’s an example from Adafruit asking me for my credit card and shipping details so that I can buy a Raspberry Pi:

Given that I am trying to purchase an item from their e-commerce store, it is completely reasonable that they need to collect this information.

On the other hand, it wouldn’t be reasonable to collect customer data through a store to sell to a recruitment company so that they can find more potential employees to market to their clients.

Your privacy policy and how to comply

A Privacy Policy is a legal document that describes how one party collects, uses, manages and discloses customer or user data. Its purpose is explain to the customer how their privacy and personal information will be protected. The contents of any given Privacy Policy will depend on what country the person or company collecting the information is in, what country the users are in, what information is being collected, and what that information is used for.

TermsFeed can help you to generate a Privacy Policy.

Contents of your privacy policy

To make sure that your Privacy Policy complies with the law, you should first consider your customer base. Are your customers only from Singapore, or are they international?

If they are international, you should make sure that not only do you comply with the PDPA, but also the privacy laws of other major jurisdictions, such as the US, Canada, the UK, and the EU. Luckily, the PDPA was heavily influenced by the law in the EU (the EU Data Protection Directive), so many of the principles are the same.

The main principles that are enshrined by privacy laws around the world are:

• Give notice that you are collecting the data;
• Obtain consent from your customers and users;
• Collect the data for a reasonable and legitimate purpose;
• Keep the data safe and secure;
• Tell the user when you will disclose the data (if ever);
• Be accountable to your users and customers; and
• Provide access to the data and allow changes to be made.

Singapore law includes the “reasonableness” principle, which isn’t normally covered in UK, EU, or US law.

As a result, to comply with the law both in Singapore and overseas, your Privacy Policy should contain clauses covering the following:

• What data you will collect;
• How you will protect and store data;
• What you will do with the data;
• In what circumstances will you release the data;
• How your users can see what data you hold on them, and change or update it;
• Dispute resolution;
• Effective date; and
• Changes to the policy and where notices should be sent.

You should also carefully think through what things you will use the data for, and decide whether those uses are reasonable given the circumstances in which you collect the data, and your relationship with your customers.

Placement of Your Privacy Policy

For your Privacy Policy to be enforceable, your customers need to have agreed to it. This means that the placement of your Privacy Policy on your e-commerce store is very important.

How can your customers agree to your Privacy Policy if they can’t see it? There are two main ways of obtaining agreement to your Privacy Policy in an e-commerce store, called (1) browsewrap and (2) clickwrap.

Browsewrap

Browsewrap is a method of having your customers agree to your Privacy Policy by browsing your website to find it. Most American Courts have found that browsewrap agreements are not enforceable, unless the terms have been displayed frequently and prominently enough so that your customer has “actual or constructive knowledge” of the terms.

Most websites use a browsewrap method to display their Privacy Policy, with a link at the bottom of the page. Here’s an example from Box.com:

You can see the link to their Privacy Policy at the very bottom of the page. The link is not distinguishable from other links, and it is not displayed very prominently. It is unlikely that a US court would find that this Privacy Policy had been seen and agreed to by a customer.

Clickwrap

Clickwrap on the other hand is a method that has been found by American courts to be enforceable; this method requires the customer to actually click a tickbox saying “I Agree”, or includes a statement at the end of a web form along the lines of “By clicking submit you agree to our Privacy Policy”.

Here’s an example of a clickwrap “I Agree” tickbox from HostGator:

One of the problems with approaching this question in Singapore is that there is no current Singapore case law on this point.

However, general contract law in Singapore is largely based on the contract law in England. This means that the basic elements of contract formation are generally what is required both online and offline to form any contract. These elements are:

• Offer;
• Acceptance;
• Certain and clear terms;
• Consideration (something in exchange for a promise, e.g. “I will sell you my goods if you promise to follow these rules of using my website); and
• Intention to create legal relations (in a commercial setting, this is usually presumed).

This means that, like in the UK and the US, it is likely that clickwrap style agreement will be held to be enforceable in Singapore, even though there is no current case law on this matter.

In Singapore, the Electronic Transactions Act 1999 allows offer and acceptance to be made electronically, but for a customer to accept a Privacy Policy or set of Terms of Use, they need to be able to find the policy and read its terms.

Browsewrap methods may be sufficient if the Privacy Policy is made easily accessible and visible to the customer, but clickwrap methods are significantly stronger.

Conclusion

Be sure to comply with Singapore’s PDPA as well as other legislation around the world, by reflecting relevant privacy principles in your Privacy Policy.

Display your Privacy Policy in a clickwrap-style method, or use a browsewrap method but be sure to display your documents prominently and frequently.