How does the GDPR affect Shopify?

The General Data Protection Regulation (GDPR) requires Shopify to make the following changes to its platform and internal privacy program:

  • Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by Shopify so that Shopify is accountable for its privacy practices.

  • Make sure that Shopify is able to honor the rights of European merchants and customers over their personal data, and that when using Shopify's services, merchants are able to do the same.

  • Make certain contractual commitments to merchants and get certain contractual commitments when Shopify uses a third-party subprocessor to provide services.

What has Shopify done to prepare for the GDPR?

Shopify has been preparing for the GDPR in the following ways:

Policies and documentation

  • Updated Shopify's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Shopify processes personal data, as required by Articles 13 and 14 of the GDPR.
  • Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.
  • Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.

Product features

  • Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.
  • Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.
  • Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.

App store

  • Updated Shopify App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.
  • Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.

Corporate governance

  • Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.
  • Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
  • Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
  • Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
  • Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.
  • Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.

What else is Shopify doing to comply with GDPR?

In addition to the preparations listed above, Shopify is rolling out the following features:

  • Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.
  • Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
  • More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
  • More robust Cookie Policy that includes specific information about the categories of cookies that Shopify places, not just on its own online properties but also through Shopify storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Shopify to place the cookies necessary to provide service.
  • More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
  • More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.

Will Shopify enter into Data Processing Agreements with its merchants?

For merchants who use Shopify's services subject to the online terms of service, Shopify has revised its terms to incorporate a data processing addendum.

You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Shopify services. This fulfills the requirement of Article 28(3) of the GDPR. Shopify is not able to sign an individual agreement with each merchant.

For Shopify Plus merchants, Shopify has a data processing agreement to cover its processing of personal data. Contact Shopify Plus Support for more details.

Ready to start selling with Shopify?

Try it free