GDPR and Shopify – A Guide for Shopify Store Owners
The GDPR, which came into force on 25 May 2018, was the most significant development in data protection regulation in 20 years and affects all online businesses that serve people in Europe. That is why Shopify store owners as well as Shopify developers must understand these regulations.
Moreover, Shopify has added restrictions on the personal data that merchants and their apps can access. Access to customers' billing addresses, tax information, email addresses, and phone numbers now requires an additional layer of authorisation rather than being available to every staff account or app by default.
Although Shopify has worked hard to ensure the platform protects the rights of European customers and enables merchants to do the same, Shopify store owners must still ensure that their stores abide by the GDPR and Shopify guidelines.
Under GDPR, if you collect or process any personal data of individuals located within the European Economic Area (EEA), you must be compliant with these regulations. This still applies even if your store is located outside of the EEA.
Merchants & Partners
The penalties for not complying with GDPR are significant. The maximum fine is up to 4% of your worldwide annual turnover or €20 million, whichever is higher. That’s why it’s important that store owners understand the GDPR and Shopify regulations and follow the policies being enforced.
While Shopify has made changes to its internal processes to ensure its GDPR compliance, individual store owners still have responsibilities of their own. This includes reviewing and revising privacy policies, cookie use, email subscriber opt-in processes, among other things. Even though Shopify will do everything they can to help their store owners, GDPR policies are ultimately the responsibility of individual Shopify store owners.
GDPR provides certain rights to customers or identified persons resident in the EEA. As Shopify merchants, you need to ensure you have the right processes in place so that you comply with the rights granted under GDPR. They include the following rights.
The Right to Access Information
You must give users the right to access all personal data that you hold on them. This may include an export of their data in a portable, machine-readable format. You must respond to a data access request without undue delay and in any case within one month (extendable in complex cases), either providing the data or explaining why it cannot be provided.
The Right to be Forgotten
Under GDPR, users have the right to be forgotten (the right to erasure). This means that if a user asks for the personal information you hold on them to be erased, you must delete it, including copies held by the third-party apps and services you have shared it with. The right is not absolute: data you are legally required to keep, such as invoice and tax records for completed orders, can be retained for as long as that obligation lasts, and you should tell the customer what you are keeping and why.
The Right to Rectify Information
Your customers also have the right to update, rectify, or make changes to their personal information stored in your Shopify store. This includes processing a change in a person’s name, address, contact number, and so on.
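Shopify operationalises the access and erasure rights above for app developers through its mandatory compliance webhooks (`customers/data_request`, `customers/redact`, `shop/redact`), each signed with a base64 HMAC-SHA256 over the raw request body in the `X-Shopify-Hmac-Sha256` header. The following is an added example written for this guide, not code from the page or from Shopify: a stdlib-only Python handler that verifies the signature before acting, then exports or deletes what it holds. The app secret, the in-memory `STORE`, and the exact payload field names (`shop_domain`, `customer.id`, `orders_to_redact`, `data_request.id`) are assumptions for the demo; check them against Shopify's current webhook documentation before relying on them.

```python
"""Handler for Shopify's GDPR compliance webhooks (illustrative, added example).

Assumptions: the app secret below is hypothetical, STORE stands in for the
app's real database, and the payload field names are those the author
expects Shopify to send; verify against the live documentation.
"""
import base64
import hashlib
import hmac
import json

APP_SECRET = "hypothetical-app-secret"  # assumption: your app's API secret key

# Constructed sample data: personal data an app might hold, keyed by shop domain.
STORE = {
    "example-store.myshopify.com": {
        "customers": {
            1001: {"email": "alice@example.com", "phone": "+33100000000"},
            1002: {"email": "bob@example.com", "phone": None},
        },
        "orders": {500: {"customer_id": 1001, "total": "42.00"}},
    }
}


def shopify_hmac(raw_body: bytes, secret: str) -> str:
    """Base64(HMAC-SHA256(secret, raw body)), the value Shopify sends in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, header_hmac: str, secret: str) -> bool:
    """Constant-time check on the raw bytes, before any JSON parsing or side effects."""
    return hmac.compare_digest(shopify_hmac(raw_body, secret), header_hmac or "")


def build_signed_request(topic: str, payload: dict, secret: str):
    """Produce (headers, raw_body) the way Shopify would; used here to construct test input."""
    raw_body = json.dumps(payload).encode("utf-8")
    headers = {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": shopify_hmac(raw_body, secret)}
    return headers, raw_body


def handle_compliance_webhook(headers: dict, raw_body: bytes, secret: str, store: dict = STORE):
    """Return (status_code, response). An unsigned or tampered request gets 401 and
    changes nothing, so a forged 'redact' cannot delete data and a forged
    'data_request' cannot leak an export."""
    if not verify_webhook(raw_body, headers.get("X-Shopify-Hmac-Sha256", ""), secret):
        return 401, {"error": "invalid hmac"}

    topic = headers.get("X-Shopify-Topic")
    payload = json.loads(raw_body)
    shop_domain = payload.get("shop_domain")
    shop = store.get(shop_domain, {"customers": {}, "orders": {}})

    if topic == "customers/data_request":
        # Right of access: collect everything held on this customer for the merchant to return.
        cid = payload["customer"]["id"]
        export = {
            "customer": shop["customers"].get(cid),
            "orders": {oid: o for oid, o in shop["orders"].items() if o["customer_id"] == cid},
        }
        return 200, {"data_request_id": payload.get("data_request", {}).get("id"), "export": export}

    if topic == "customers/redact":
        # Right to erasure: drop the customer record and the orders Shopify lists for them.
        cid = payload["customer"]["id"]
        shop["customers"].pop(cid, None)
        for oid in payload.get("orders_to_redact", []):
            shop["orders"].pop(oid, None)
        return 200, {"redacted_customer": cid}

    if topic == "shop/redact":
        # Sent after a merchant uninstalls the app: erase everything held for that shop.
        store.pop(shop_domain, None)
        return 200, {"redacted_shop": shop_domain}

    return 400, {"error": f"unexpected topic {topic!r}"}
```

The important design point is the order of operations: the HMAC is checked on the raw body with a constant-time comparison before the JSON is parsed or any record is touched, so these endpoints cannot be used by an unauthenticated caller to delete a competitor's customers or to pull an export. Log each request's `data_request.id` and the outcome so you can evidence that the request was fulfilled within the statutory deadline.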
GDPR protects consumer privacy rights by regulating how companies collect and store the data of customers located within the EEA. It affords individuals rights over their data and requires companies to be transparent about how they collect customer data and what they use it for. Your privacy policy must therefore explain:
- How you process an individual’s personal data
- The kind of information you collect from customers
- Who has access to the information you collect and for what purposes
- How long data is retained for
Data Protection Officer
Data Processing Agreements
If you share personal data with third-party partners, GDPR requires you to have a written agreement in place that specifies what the third party is allowed to do with the information and under what circumstances it can be transferred to another party. This is called a Data Processing Agreement (DPA); Shopify's own version, which it offers to merchants, is called a Data Processing Addendum.
At the moment data is collected, customers must be informed, and you must have a lawful basis for collecting it (for example, performance of the contract for order and shipping details, or consent for marketing). This means you need to specify the purpose up front for personal information such as names, addresses, and phone numbers.
To make sure you are complying, consider the following:
- Obtain consent before sending marketing emails or messages
- You need a legal basis for processing customer information
- You must provide enough information to inform them about how their data will be used
- Consent boxes must not be pre-ticked; the customer has to opt in actively
You need parental consent for the use of any data on persons under the age of 16 (the GDPR default; individual member states may lower this to as young as 13). You may need to prohibit access to your site for people under the relevant age using an age-gating app, or ask customers to confirm their age before granting access.
Automated Decision Making
Under GDPR, customers must be informed when their data is being used for profiling or automated decision-making, such as targeted marketing or personalised special offers. This also covers third-party apps that do this on your behalf, so you need to check with each one to ensure that it is complying too.
Where a decision is fully automated (with no human involvement) and has legal or similarly significant effects on the customer, you also need their explicit consent unless the processing is necessary for the contract or is authorised by law, and the customer must be able to request human review of the decision.
Fraud and risk analysis, such as the automated checks Shopify runs on orders, can fall under these exceptions, but even then customers must still be informed that such processing may take place.
Third-Party Apps Compliance
Shopify now requires all third-party apps to make their data collection policies public. As a Shopify store owner or a Shopify developer, you must examine individual policies to ensure that they are compliant and that you’re comfortable using their app for your store.
Any payment gateways you use within your store must also comply with GDPR if you are serving European customers. This means you must ensure their own policies are transparent and they have measures in place to keep your customer data safe.
Data Breach Notifications
If your store experiences any form of personal data breach, you have notification duties. The personal data involved might include:
- Customer passwords
- Names, addresses, contact details
- Payment details
- Personal or embarrassing information
You must notify the relevant supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to pose a risk to individuals, and you must notify the affected customers themselves without undue delay when the breach is likely to result in a high risk to them. Record what happened, what data was affected, and what you did about it, and consult a lawyer to consider the legal ramifications.
This guide has covered some of the most important aspects for you to consider if you’re trying to ensure your Shopify store remains GDPR-compliant. Anyone handling large-scale quantities of personal data must be aware of the broad new responsibilities that GDPR places on them. Shopify store owners may want to consult Shopify experts or use GDPR compliance services to ensure that they are not in breach of any regulations.