Is Your Shopify Ecommerce Business GDPR Ready?

The EU’s General Data Protection Regulation (GDPR) (or "Die Datenschutz-Grundverordnung" - DSGVO - in German) comes into effect on 25 May 2018. But what does this mean for your Shopify e-commerce business?

What is the GDPR?
The GDPR will force any company in the European Union, and those who do business inside the EU, to comply with strict new rules regarding the collection, storage and use of customer data.

The GDPR gives equal weight to all forms of customer data: photos, social media posts, IP addresses, bank details and any identifying numbers such as NI numbers or SSNs. All customer data, regardless of origin, should be opt-in only, stored securely and used only with the customer's permission.

However, the GDPR rules are not set in stone. The rules ask for a “reasonable” level of security to be provided, leaving a grey area as to whether social media data should be treated the same as bank credentials. One thing is clear: users must give clear opt-in consent for their data to be stored and used in any way. Pre-filled consent checkboxes and consent hidden in long T&Cs will be a thing of the past.

What has Shopify already done to prepare for the GDPR?

- They have updated their Terms of Service (TOS) for all merchants to automatically include a Data Processing Addendum governing how Shopify processes the personal data of European customers. More info here

- They have updated their Privacy Policy to make sure they provide information around the rights individuals have under the GDPR and to include more details around their processing of personal data. More info here

- They have updated their privacy policy generator to include some of the information that merchants may be required to provide under the GDPR. Click here to access the FREE Policy Generator. 

- They have updated their marketing opt-in to allow merchants to set it up as unchecked for their store, and also allowed merchants to tie abandoned cart notifications to whether the customer has opted into marketing. More info here.  

- They've prepared a white paper to explain how they are approaching certain legal requirements under the GDPR. Download their PDF info here

- They’ve updated their Cookie Policy to include specific information about the categories of cookies that they place through a storefront. More info here

Shopify has also rolled out a feature that allows you to request that individual customer records be deleted. Additionally, you can request all of the information Shopify has collected about a certain customer. You can find both features on each customer's profile in Shopify (see screenshot below). When you request that individual customer records be deleted, Shopify will also propagate these requests to the relevant apps you have installed on your store.

GDPR - Shopify customer privacy

Last but not least, we also recommend you manually update your Privacy Policy. The easiest way to do this is to go to "Settings" > "Checkout" > "Refund, privacy, and TOS statements". In most cases, the templates provided by Shopify are sufficient. However, it never hurts to speak to a lawyer to make sure you're fully covered. 


If you have further questions or if you need help on your Shopify journey, just send us an email or leave a comment below.
