GDPR FAQ

Learn about frequently asked questions related to GDPR. These explanations are for informational purposes only, and do not constitute professional legal advice. Please consult independent legal advice for information specific to your country and circumstances.

Why does Shopify not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?

Shopify has thought about the GDPR very carefully and we have designed our platform to provide our merchants with a best-in-class commerce experience that can comply with privacy and data protection laws like the GDPR.

Obtaining explicit, affirmative consent from customers to process their data can, when implemented properly, be a helpful way to provide transparency to and gain the trust of the customer. But when not implemented appropriately checkboxes can be confusing to the customer, can create mismatched expectations, and can even create legal issues for merchants under the GDPR. We have chosen not to modify our checkout workflow to include an "Agree to Terms and Conditions and Privacy Policy" checkbox during checkout because of these concerns.

In particular, the GDPR makes clear that merchants can collect and process customer personal data for many reasons, including if the customer has provided their informed consent. But the GDPR recognizes that there may be many circumstances in which personal data might need to be processed separate and apart from the customer's consent, such as:

Merchants are likely to rely on many of these legal grounds with respect to the different ways that they might process their customers' data. For example, a merchant might need to use a customer's shipping address to actually fulfill the order and satisfy the merchant's contract with the customer. Similarly, a merchant may be legally required to process personal data to respond to a subpoena or in the context of a tax audit. And a merchant may process personal data for any number of other legitimate interests.

At the same time, European regulators have made clear that consent is the most important of these different justifications. In particular, regulators have suggested that, once a merchant asks for consent to process data for a particular purpose, they may no longer be able to rely on the legal grounds above (such as contracts or legitimate interests). Additionally, regulators have cautioned that consent cannot be made a condition to receiving goods or services.

Why does all of this matter? Let's think about what would happen if a merchant did add an "Agree to Terms and Conditions and Privacy Policy" checkbox at checkout. If the customer does not choose to consent (or if the customer consents and then withdraws their consent, which is a right provided to individuals under the GDPR), then a merchant may no longer be able to rely on the other justifications listed above. So the merchant may be in a position where, under the GDPR, the merchant cannot legally process the customer's personal data to process or fulfill an order. At the same time, if the merchant modifies checkout so that this checkbox is mandatory to complete the transaction, consent would be a precondition to receiving the goods or services and so may not be valid under the GDPR in the first place.

This complexity has led a number of regulators to caution against asking for or relying on consent where it may not be appropriate. For example, the UK Information Commissioner's Office has advised:

"Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.

If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.

Public authorities, employers and other organizations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given."

We want to do our best to support our merchants and help them avoid problematic legal consequences. But at the same time, we understand that merchants ultimately need to feel comfortable that they have the trust of their customers. As a result, we have made sure that merchants can add an 'Accepts Terms and Conditions' checkbox to the Cart page (not the Checkout page). For more information on how to do this, please see our help docs.

Why can't I sign a Data Processing Agreement (DPA) with Shopify?

The GDPR requires that data processors be bound by a contract in writing (which includes contracts in electronic formats) to each data controller in order to process personal data. These contracts should specify what personal data is being processed, and the obligations and rights of the processor and controller. These contracts are often called Data Processing Agreements (DPA). In essence, a DPA is an agreement that Shopify will only process the personal data given to it in the manner that the merchant specifies, because the merchant is the controller of the data.

To fulfill this requirement, Shopify has added a Data Processing Addendum to our Terms of Service. (It is called an 'Addendum' and not an 'Agreement' because it is added on to the Terms of Service, and isn't an agreement on its own.)

As a merchant, you agree to the Terms of Service and, by extension, the Data Processing Addendum, when you sign up for Shopify's services, and you agree to any updates to the Terms of Service (for example, our update which added the Data Processing Addendum) by continuing to use the services.

It is important to note that the Terms of Service are governed by Ontario law, and not the law of the jurisdiction in which you reside. So while other regional laws, like the GDPR, may certainly cover your business and how you process data, and may require you to have a binding contract with your service providers (like Shopify), those other regional laws do not necessarily dictate whether a contract is binding or not. In the case of your contract with us, the question of whether the DPA is a binding contract is determined by reference to Ontario law.

As a result, even if your jurisdiction requires that a contract (like the DPA) be signed, that may not matter with respect to your DPA. Under Ontario law, we believe that by continuing to use our service once our terms are updated, both Shopify and you are bound by the new, modified Terms of Service. When you continue to use Shopify, we believe you have entered into a binding contract with us that includes our Data Processing Addendum, as required by the GDPR.

What do I do if I have more questions about the GDPR or my local privacy laws?

Contact a local lawyer who specializes in privacy or data protection law.

Who can I contact for more information on Shopify's practices?

Contact privacy@shopify.com for more information on Shopify's practices.

If I use Shopify to host my store, does my business comply with GDPR?

Not automatically. While Shopify's operations will comply with the GDPR, and Shopify will provide tools to help its merchants comply, it is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates.

Using Shopify's platform alone does not guarantee that a company complies with the GDPR.

Will Shopify sign Standard Contractual Clauses?

No. As described in the Data transfers section of our whitepaper, Shopify has structured its data flows so that merchants transfer data to Shopify's Irish affiliate within Europe. For that reason, Standard Contractual Clauses are not appropriate, as they are approved for transfers between a European party and a non-European party.

In addition, regarding transfers directly to Shopify Inc., Shopify would rely in such cases on the European Commission's adequacy decision regarding Canada's privacy law, which extends to Shopify Inc. as a Canadian corporation.
