Shopify GDPR Compliance - A Quick Start Guide in 2022

Introduction

The General Data Protection Regulation (GDPR) affects any Shopify merchants who are based in Europe or who serve European customers. While Shopify is working hard to make sure that it complies, and allows its merchants to comply with the GDPR as of May 25, 2018, it is important to note that the GDPR will also require you to take action independently from the Shopify platform and this can be done by using a GDPR application.

‍

Shopify cannot handle GDPR compliance for merchants

The GDPR imposes different obligations on controllers and processors of data. As a processor of data, Shopify fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider.

Shopify provides merchants with a platform that can be configured to be GDPR compliant, but you must consider how you would like to run your business.

While Shopify does what it can to set you up for success, there are also steps you will need to take on your own, and ultimately, compliance with the GDPR is the responsibility of each individual merchant. If you have legal questions specific to your obligations under the GDPR, consult with a local lawyer who is familiar with data protection laws.

Merchants can add external scripts, additional apps and in general add more features and services that will change the data that are tracked and the way that is used. So they need to use an app that can help them do this work easier and provide them with compliance under the law.

‍

The importance of data privacy laws

As a Shopify store owner, you’re likely collecting some type of information about your customers. It could be their email address, phone number, cookies, or other trackers that are on your website.

A lot of this information is essential to a successful store because you need to ensure you’re targeting the correct customers and capitalizing on website visitors. However, customers and lawmakers are becoming more aware of the value of data, how it’s collected, what it’s being used for, and who has access to it.

To help combat these issues, many countries around the world have put some kind of data privacy laws into place. They typically include:

• how data and customer information is collected
• how customers are informed about your website’s data collection practices
• what control a customer has over their data once it’s collected

‍

You’ll want to make sure you’re compliant with the laws and regulations applicable to you to avoid any legal trouble, but you’ll also build trust with your customers by being transparent about your data collection practices.

Here are a few recent examples (Source: Tessian) of companies that failed to comply with data privacy laws:

• Google – Fined $56.6 million
• Marriott – Fined $23.8 million
• Iliad Italia – Fined $976,000

‍

Where it is applied

While the European Union has some of the most extensive data privacy laws (we’ll dive more into this later on), there are still a bunch of places around the world that have very similar laws and regulations.

If you have users in a country with data privacy laws, your Shopify store must comply with those policies. Here’s a list of some countries that already have data privacy laws as of June 2021:

• United States
• UK
• Canada
• Australia
• New Zealand
• Japan
• South Korea
• China
• Thailand
• India
• Chile
• Brazil
• South Africa
• Most European countries in and out of the EU

‍

Making your Shopify store GDPR compliant

When it comes to your Shopify store, you will need to put in place a number of systems and tools, though.

‍

Here they are:

1. First, make sure you complete a thorough audit of all the data you are collecting on citizens of the EU. This includes any analytics and tracking systems you use on your store, but also all of the third-party apps and themes you have deployed.
2. Second, Article 30 of the GDPR requires you to maintain a current map of your data practices. This means that you should be aware of how you are processing the data you collect, and how these are being used.
3. The GDPR, and specifically Articles 12 to 14, requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy. Shopify provides a privacy policy generator that can help you with this, and it can be found here.
4. If your business’s core activities include large-scale online tracking, the GDPR requires that you also appoint a Data Protection Officer (DPO). There is detailed guidance on how to do that, provided by the ICO, here.
5. Article 28 of the GDPR requires that when you engage a data processor (like Shopify) to process your customers’ data, you impose strict contractual requirements on how they may use and process that data. Shopify has automatically incorporated a Data Processing Agreement into its terms of service, which is designed to address the requirements of Article 28.
6. Finally, be aware that the concept of “consent” in the GDPR is a complex one. Under the GDPR, you need to explicitly define a legal basis for doing so, and ensure that every user has access to this information. You can find Shopify’s own guide to collecting personal data here.

These processes and tools may only cover a small portion of those you need to be aware of, depending on how you use Shopify.

‍

The bottom line

As you can understand, becoming GDPR compliant is a complex task. But there are apps such as GDPR Compliance Center that can deal with most of the hard tasks in order for you to focus on your business. If we could summarise the basic tasks to become GDPR compliant we could conclude the following:

• Prepare a Privacy Policy page that covers all the tracking & data storage details of your store. Furthermore, it is good to have a page for Terms and Conditions and a Disclaimer page (if applicable to your store).
• Install a Cookie Consent Banner that is compatible with GDPR standards and with Shopify’s Customer Privacy API.
• Provide a Personal Data Management mechanism, which is done in the form of requests (called Data Subject Requests), that allows users to view, download and delete their data from your store.

‍

If you are looking for a complete GDPR solution and seek the help of professionals, visit Pandectes the company behind the GDPR Compliance Center app, a leading GDPR  platform that helps thousands of merchants worldwide.