General Data Protection Regulation for Shopify sites
If you are reading this guide then you may be looking to brush up on your GDPR compliance on your Shopify or Shopify Plus Store. We always recommend seeking expert advice with this as GDPR can be complex.
Contact us today to see if we can assist you with GDPR compliance on your Shopify site.
GDPR doesn’t just affect large businesses. Any website that holds personally identifiable information about clients, suppliers, partners or employees must be GDPR compliant. However, it does not apply to non-personal or purely commercial data.
Most Shopify stores do not comply.
What is GDPR?
GDPR stands for General Data Protection Regulation, which came into force on May 25th 2018. The European Union’s GDPR imposes obligations on controllers and processors of data. Although GDPR is a European regulation, it may apply to your business if your products or services are available in Europe, even when you or your business are not located in Europe. Read more about GDPR here.
GDPR and the Shopify platform
As a Shopify merchant, you are in control of your customers’ data, including how it is collected and how it is handled. The Shopify platform is a processor of your customers’ data, and Shopify states that it is committed to protecting your customers’ and your own personal data. On top of that, any app that feeds customer data out of Shopify (e.g. accountancy software, a CRM or an email marketing app) is also a processor of your data.
Shopify has supported this by building GDPR-compliant features into the platform, including giving your customers transparency and control over their personal data, and technical measures to protect customer data as it crosses borders. Whilst Shopify helps merchants with GDPR, there are still steps you must take yourself. GDPR compliance is ultimately the responsibility of each individual merchant.
Shopify is required by GDPR to make the following changes to its platform and internal privacy program:
-Organize its privacy team, and document and store records of privacy-related decisions made by Shopify so that it can be accountable for all of its privacy practices
-Honor the rights of European merchants and customers over their personal data, and ensure that merchants can easily do the same when using Shopify’s services
-Provide contractual commitments to merchants and obtain contractual commitments when Shopify uses third parties to provide services
Ultimately, however, your storefront and the apps you install are not controlled by Shopify. The onus is on the Shopify merchant (you) to make sure you are compliant.
What do I need to do for GDPR?
Although Shopify helps put merchants on the right path to GDPR compliance, it is up to each merchant to set up the store so that it complies with the law. Please note, the below is not legal advice. GDPR can be a complicated regulation, as it applies differently to each merchant, and we recommend you seek an expert audit. We typically manage this for our clients with the guidance and experience of a legal expert who specialises in GDPR and data protection.
Overall, when looking at how your website collects data, there are several areas that need attention to make sure you are GDPR compliant:
-Contact form design
-Collecting personal data
-Processing data of under-18s
-Marketing ‘opt-in’ forms design
-Privacy notices / privacy policies
-Data breaches and your obligations
GDPR protects individuals within the European Union with regard to the processing of their personal data. Personal data can include:
-Social media account
-Digital identifiers such as an IP address or cookie ID, although whether these count as personal data is at times questionable depending on the legal jurisdiction
Shopify has some settings for GDPR, but these alone will not make you compliant. To achieve that you will need a full audit of your Shopify site and any integrations.
Collecting personal data
There are some things to consider when collecting personal data. For example, if your sites are available to residents of Europe, you will fall under GDPR. Also, if you use third-party apps, themes or payment gateways, you will need to check that they collect and process data in compliance with GDPR.
Article 30 of the GDPR requires you to maintain a current map of your data; this includes listing all the types of data you collect from your customers and all the ways in which you use it.
At present, there are six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest.
Articles 12 and 14 of the GDPR in particular require merchants to provide specific information to the customers whose data they process, which normally comes in the form of a privacy notice or policy.
At a minimum, this should include how customers can contact your business with privacy questions, and how customers can exercise their rights over their data.
The GDPR also requires merchants to disclose when businesses, including their service providers, use personal information in connection with automated decision-making. An example of Shopify using automated decision-making is blocking possibly fraudulent transactions based on customers’ personal information.
Appointing a Data Protection Officer for your Shopify store
A Data Protection Officer (DPO) supervises how your business collects and processes customers’ data. The GDPR requires a DPO to carry out specific tasks, such as conducting data protection impact assessments.
A Data Protection Officer can be someone within your business who has expertise in GDPR compliance, or you can choose to work with an external expert or consultancy firm. If you are not legally required to appoint someone but your presence in Europe is large enough, it may be best to appoint a DPO voluntarily to make sure the personal data you hold is protected.
We always recommend speaking with a lawyer or legal expert.
Data processing agreements
Under Article 28 of the GDPR, a merchant acting as data controller must ensure that any data processor, such as Shopify, is bound by strict contractual requirements on how it may use and process that data. This is normally done through a Data Processing Addendum (DPA), which Shopify has automatically incorporated into its terms of service.
If you are a Shopify Plus merchant, your negotiated contracts will govern the relationship with Shopify. You can reach out to Shopify Plus support where they can provide you with their template DPA to sign to address your needs.
If you don’t sign Shopify’s Data Processing Addendum you will be governed by Shopify’s online Data Processing Addendum.
If you use third-party apps or payment gateways outside of Shopify, it is also worth checking that they abide by the GDPR’s data processing requirements.
An important factor under the GDPR is obtaining consent to process your customers’ personal data. This is needed if you send customers marketing messages, and even when you use online advertising or retargeting apps.
The GDPR requires consent to be freely and voluntarily given; it must be specific, with the uses clearly explained, and the customer must be clearly informed of how their data will be used. An example of this is a customer ticking an empty box to sign up for a newsletter. This box cannot be pre-ticked, as that would breach the GDPR. The GDPR also requires that customers have a way to withdraw consent at any time. This is usually done via unsubscribe functionality.
Consent is one of several legal bases under the GDPR that can justify processing personal data. Your business may also process personal data to fulfil contractual requirements, or you may be required by law to process data.
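The newsletter sign-up described above, shown as an added example that is not code from the original article or from Shopify: the first form is the pattern that fails the consent test (pre-ticked box, several purposes bundled into one tick), the second is the same form rewritten so that the tick is an unambiguous, specific, informed and withdrawable act. The form action, field names and the privacy notice path are assumptions for illustration.

```html
<!-- Added example (not from the original article or from Shopify). The action URL,
     field names and privacy notice path are hypothetical. -->

<!-- Pattern that does NOT meet the GDPR consent requirements: the box is pre-ticked,
     and one tick bundles newsletter marketing with sharing data with third parties. -->
<form action="/newsletter/signup" method="post">
  <label>Email <input type="email" name="email" required></label>
  <label>
    <input type="checkbox" name="marketing_consent" value="yes" checked>
    Sign me up and share my details with partners
  </label>
  <button type="submit">Subscribe</button>
</form>

<!-- Corrected pattern: no box is ticked by default, each purpose has its own box,
     the wording says exactly what the tick allows, the privacy notice is linked,
     and the customer is told how to withdraw consent before they act. -->
<form action="/newsletter/signup" method="post">
  <label>Email <input type="email" name="email" required></label>

  <label>
    <input type="checkbox" name="consent_newsletter" value="yes">
    Yes, email me the weekly newsletter with new products and offers.
  </label>

  <label>
    <input type="checkbox" name="consent_partner_sharing" value="yes">
    Yes, you may share my email address with the partners named in the privacy notice.
  </label>

  <p>
    We use your email address only for the purposes you tick above. Read our
    <a href="/policies/privacy-policy">privacy notice</a>. You can withdraw consent at
    any time using the unsubscribe link in every email or by contacting us.
  </p>

  <button type="submit">Subscribe</button>
</form>
```

Neither box is required, because a sign-up that cannot be completed without ticking a marketing box is not freely given consent. Whatever handles the form submission on the server side should store a consent record (which boxes were ticked, when, and which version of the wording was shown), since the controller must be able to show later that consent was actually given and for what.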
A few things worth noting:
We recommend always keeping up to date on GDPR, as some forms of consent may no longer be allowed. An example is relying on consent given through the purchase of goods or services, whereby by purchasing goods customers are taken to agree that the merchant may use their personal information.
If you rely on consent to send marketing communications, it is worth recording where you store that personal data and the different ways in which you use or process it.
Some EU regulators have suggested that if a merchant asks for consent and the customer later withdraws it, the merchant can no longer rely on any other legal basis to process that personal data. This is worth noting, as merchants should only rely on consent where they do not need to rely on any other legal basis for the processing.
Always speak to a lawyer about the requirements of your store. Even if GDPR does not apply, local laws may still require consent for marketing communications.
GDPR compliance requires merchants to follow parental-consent requirements when processing the data of users under 16 years of age, or whatever age each country treats as the age of a minor.
Some merchants may want to change how they process under-16s’ data, or stop processing it altogether. For example, this could be done by preventing under-16s from accessing the site using an age-gating app from Shopify’s App Store. An alternative is to ask visitors to confirm that they are over the age of 16.
GDPR compliance also requires merchants to notify customers when their personal information is used in any automated decision-making. Such processing can be used to decide whether a customer is eligible for certain services and offers, what prices they should be charged, or which goods or services to show them based on their browsing and purchase history.
If you use any process that involves fully automated decision-making and has a legal impact on the customer, then the customer’s consent is always needed.
Another thing to consider for automated decision-making is the use of third-party apps. Remember to also review, notify customers about, or gather consent for any relevant third-party risk or fraud services you use in connection with your storefront.
Data breach notification
If you experience a data breach and are governed by GDPR, you will need to notify the affected individuals and/or the relevant regulator. This is especially important when the breach poses a high risk to individuals’ rights and freedoms, in which case notification under the GDPR is mandatory. This can include the following breached information:
-Any payment details
-Anything that can be used to access embarrassing or personal information
-Anything that can be used to access an individual’s accounts
Where applicable, you are required to give notice within 72 hours of becoming aware of the breach. To be prepared for incidents, it is recommended to have a data breach response plan and to speak with a lawyer to determine what information you might be required to provide if an incident happens.
The GDPR applies to any company, including third-party vendors and service providers, that processes the personal data of its users. It is important to review the privacy practices of the vendors you use, including Shopify, to make sure they protect your customers’ personal data.
Third-party Shopify apps
As stated above, the GDPR requires you as a merchant to take actionable steps regarding your third-party service providers’ collection and use of customers’ data, including Shopify and the Shopify apps connected to your store.
Shopify has helped here by making it easier to understand what personal data each app has access to. In the Shopify admin, go to Apps and click View details on an individual app to review its permissions. You should always review an app’s permissions on the install screen before you install it, as ultimately it is down to you, the merchant, to ensure third-party apps comply with GDPR. If you are still unsure, we recommend speaking to a legal expert or having our team audit your site.
International data transfers
GDPR does not allow EU personal data to be exported outside Europe unless it is adequately protected. Shopify states that it protects personal data transferred to and processed in the US and Canada in accordance with the requirements of GDPR.
Although Shopify follows GDPR, merchants must ensure that third parties transfer data internationally in a way that complies. Again, this can be checked in the privacy policies of the apps, to see whether they protect EU data.
Need help with Shopify GDPR compliance?
At Liquify we have worked with large listed companies and small brands to help them be GDPR compliant. We can’t promise that the experience will be interesting (sorry) but will try to make it as painless as possible. Usually it’s a simple case of: audit by external legal expert (we know a great one), suggestion of revisions, discussion around these things and eventual implementation of the changes.
Talk to us today for help with GDPR compliance on Shopify.