
GDPR and Shopify – A Guide for Shopify Store Owners

By Vsourz - 11 February 2022
On May 25, 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Directive 1995 and became law in all 28 member states of the European Union (EU). It protects consumer privacy rights by regulating how companies collect and store data of customers located within the EU. It affords individuals rights over their data and requires companies to explain how they collect and use personal information.

This was the most significant development for data protection regulation in 20 years and affects all online businesses. It’s the reason why Shopify store owners as well as Shopify developers must understand these regulations.

How Does GDPR Affect Shopify?

GDPR compliance requirements have changed some of the ways that Shopify operates. As a company, the eCommerce platform has made significant changes to its privacy policy and security processes. As part of the compliance process, Shopify has reorganised its privacy team and updated its contractual agreements with external partners. The Shopify privacy policy was updated to include more information about what data is collected and why. The platform also added sections explaining how users can export their data, delete their accounts, or opt out of targeted emails.

Moreover, there are additional restrictions on the personal data that merchants can access in Shopify. An additional layer of authorisation is now required before a merchant can access a customer's billing address, tax information, email address, or phone number.

Although Shopify has worked hard to ensure the platform protects the rights of European customers and enables merchants to do the same, Shopify store owners must still ensure that their stores abide by the GDPR and Shopify guidelines.

Who does GDPR Apply to & How? 

Under GDPR, if you collect or process any personal data of individuals located within the European Economic Area (EEA), you must be compliant with these regulations. This still applies even if your store is located outside of the EEA.

Merchants & Partners
The penalties for not complying with GDPR are significant. The maximum penalty is up to 4% of your worldwide annual turnover, or €20 Million. That’s why it’s important that store owners understand the GDPR and Shopify regulations and follow the policies being enforced.

While Shopify has made changes to its internal processes to ensure its own GDPR compliance, individual store owners still have responsibilities of their own. These include reviewing and revising privacy policies, cookie use, and email subscriber opt-in processes, among other things. Even though Shopify will do everything it can to help its store owners, GDPR compliance is ultimately the responsibility of each individual Shopify store owner.

Customers
GDPR provides certain rights to customers or identified persons resident in the EEA. As Shopify merchants, you need to ensure you have the right processes in place so that you comply with the rights granted under GDPR. They include the following rights.

The Right to Access Information
You must give users the right to access all personal data that is stored on them. This may include an export of their data in a portable format. You must be able to respond quickly with access or proof of why it cannot be provided whenever a customer makes a data access request.

The Right to be Forgotten
Under GDPR, users have the right to be forgotten. This means that if a user wishes for all personal information held on them to be erased, then you must delete it.

The Right to Rectify Information
Your customers also have the right to update, rectify, or make changes to their personal information stored in your Shopify store. This includes processing a change in a person’s name, address, contact number, and so on.

How to Make Your Shopify Store GDPR Compliant

GDPR protects consumer privacy rights by regulating how companies collect and store data of customers located within the European Union. It affords individuals rights over their data and requires companies to be transparent about how they collect customer data and what they use it for.

Privacy Notices
Every Shopify merchant must provide privacy notices to all their European customers which are concise, transparent, intelligible, and easily accessible. Your privacy policy must include the following information:

  • How you process an individual’s personal data
  • The kind of information you collect from customers
  • How your store uses cookies and similar tracking technology
  • Who has access to the information you collect and for what purposes
  • How long data is retained for

Data Protection Officer
If you sell goods or services to individuals in Europe and track large amounts of customer data, you will likely need to appoint a Data Protection Officer. The contact information for this person must be included in your privacy policy.

Data Processing Agreements
If you share personal data with third-party partners, GDPR requires you to have a written agreement in place that specifies what the third party is allowed to do with the information and under what circumstances it can be transferred to another party. This is called a Data Processing Addendum.

Customer Consent
Under new data protection requirements, the moment data is collected, customers must be informed and you must provide a legitimate reason for why you are collecting that data. This means you need to specify it upfront for personal information such as names, addresses, and phone numbers.

To make sure you are complying, consider the following:

  • Obtain consent before sending marketing emails or messages
  • You need a legal basis for processing customer information
  • You must provide enough information to inform them about how their data will be used
  • Your consent boxes must be unchecked by default, so that consent is given by an explicit action

Parental Consent
You need to make sure you have parental consent for the use of any data on persons under the age of 16. You may need to prohibit access to your site for people under the age of 16 using an age-gating app or ask customers to confirm their age before granting access.

Automated Decision Making
Under GDPR, customers must be informed when their data is being used in automated decision-making such as targeted marketing or special offers. This also includes third-party apps, so you need to check with each one to ensure that it is also complying.

In cases where the automated decision making may have significant legal ramifications for the customer and it is fully automated (with no human involvement), then you also need to obtain consent.

The only exception to this is in cases where Shopify uses automated processes to mitigate fraud and risk, but even in these cases, customers must still be notified of this possibility.

Third-Party Apps Compliance

Shopify now requires all third-party apps to make their data collection policies public. As a Shopify store owner or a Shopify developer, you must examine individual policies to ensure that they are compliant and that you’re comfortable using their app for your store.

Any payment gateways you use within your store must also comply with GDPR if you are serving European customers. This means you must ensure their own policies are transparent and they have measures in place to keep your customer data safe.

Data Breach Notifications
If your store experiences any form of data breach, then your customers must be notified. A data breach may involve the exposure of:

  • Customer passwords
  • Names, addresses, contact details
  • Payment details
  • Personal or embarrassing information

You must provide notice within 72 hours and consult with a lawyer to consider legal ramifications.

Ensure Your Online Store is GDPR and Shopify Compliant

This guide has covered some of the most important aspects for you to consider if you’re trying to ensure your Shopify store remains GDPR-compliant. Anyone handling large-scale quantities of personal data must be aware of the broad new responsibilities that GDPR places on them. Shopify store owners may want to consult Shopify experts or use GDPR compliance services to ensure that they are not in breach of any regulations.
