With the migration of business from the traditional ‘brick and mortar’ store to online platforms or online market as a result of technological growth and advancement, business operations now have a wide online presence where transactions are made by consumers filling various information to finalize their transactions. The nature of online transactions is very different from when businesses only had physical outlets where business transactions were made, and the transactions ended with customers paying cash in exchange for goods.
Data has been described as the oil of the digital era.1 Data “means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device”.2 Data are pieces of information gathered from various sources or observations.
Personal Data means information such as name, address, photo, email address, bank details, posts on social networking websites, medical information, cultural or social identity, etc. belonging to an individual.
- what constitutes the data subject’s consent;
- description of collectable personal information;
- purpose of collection of personal data;
- technical methods used to collect and store personal information, cookies, JWT, web tokens etc.;
- access (if any) of third parties to Personal Data and purpose of access;
- the time frame for remedy; and
- provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in this Regulation.
The General Data Protection Regulation (GDPR) is a European Union (EU) law that came into effect in 2018 with an aim to regulate how companies obtain and process the personal information of EU citizens as well as protect customer’s data by giving individuals more control over how their data are collected, used and protected online. While the GDPR is made for EU citizens, it extends to any website or online service provider outside the EU but with an EU reach.
- Information of who the data controller is and their contact
- Identity of the company/website’s Data Protection Officer and contact information
- Whether the data collected is used to make automated decisions
- Provide information to users of their 8 rights (which are right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights related to automated decision making and profiling),
- whether you transfer data internationally,
- you must give a legal basis for processing data
- Details of the types of personal information collected
- Affiliates or third parties with whom the personal data collected will be shared
- Information on how users can change personal data
- How a “Do Not Track” request is handled
The Children’s Online Privacy Protection Act (COPPA) 1988 is another data protection law in the United States which protects the privacy of children under 13 years of age, where their personal information will be taken. This includes businesses in the United States or businesses outside the United States but with a US reach. The website or online service provider must display a notice of what information it collects from the children and how the information is used. In addition, parental consent of the child or children must be obtained as the parent can refuse the use of the personal information collected after review.
- What constitutes the user’s consent
- Description of the personal information collected
- Purpose of collection of the personal information
- Technical methods used to collect and store personal information
- Whether any third party has access to the personal information and reason why they have access
1 Economist (2017, May 6). Data Is Giving Rise to a New Economy. The Economist.
2 Analysis of the Privacy Policies of Nigerian Online Shops
3 Section 2.5 of the Nigeria Data Protection Regulation 2019
4 Art 2.5 Nigeria Data Protection Regulation 2019
5 Section 1.3 of the Nigerian Data Protection Regulation 2019