How does GDPR affect my Shopify store?


GDPR is upon us. On May 25th 2018, the General Data Protection Regulation (GDPR) will take effect.

The GDPR is the European Union’s new data privacy law. It impacts how all companies, big and small, collect and handle personal data about their customers. Shopify has been working to fully comply with the GDPR rules from the moment they take effect, so merchants will be able to use the platform in a way that complies with the GDPR from the outset.

What has Shopify already done to prepare for GDPR?

The Shopify team has been hard at work preparing for the GDPR for a while. So far:

  • They’ve updated Terms of Service for all merchants to automatically include a Data Processing Addendum governing how they process the personal data of European customers.
  • They’ve updated their Privacy Policy to make sure they provide information around the rights individuals have under the GDPR and to include more details around processing of personal data.
  • They’ve updated Shopify’s privacy policy generator to include some of the information that merchants may be required to provide under GDPR.
  • They’ve updated marketing opt-in to allow merchants to set it up as unchecked for their store, and also allowed merchants to tie abandoned cart notifications to whether the customer has opted into marketing.
  • They’ve prepared a whitepaper to explain how they’re approaching certain legal requirements under GDPR.
  • They’ve updated their Cookie Policy to include specific information about the categories of cookies that are placed through a storefront.

And what’s new for developers building on Shopify?

By May 25th, for developers, Shopify will have:

  • Updated the Shopify App Store interface to allow you to link to a privacy policy, so that merchants can understand the full extent of personal data that your app collects, and how your app uses that personal data.
  • Provided a template for Privacy Policies that includes some of the information merchants will need to know to ensure that usage of your app complies with GDPR.
  • Updated app permissions and listing screens so merchants can see exactly what personal data the apps they have installed (or want to install) request access to, with the option to click through to a more detailed privacy policy.
  • Updated the platform to allow merchants to request access to all of the personal information that they hold about a particular customer.
  • Updated the platform to allow merchants to request that Shopify and all installed apps delete specific customer records upon request, and/or upon uninstall of an app.
  • Planned the release of two mandatory webhooks for all apps, through which Shopify will notify installed apps when a merchant requests personal data deletion. Apps will need to connect to these webhooks to delete information as required by merchants.

If you have any additional questions or concerns around how GDPR affects your business specifically, it’s important to remember it’s a legal framework, not a technical or creative one - so we’d always recommend seeking legal advice.