How does the GDPR affect you?

The General Data Protection Regulation (GDPR) affects any Shopify merchants who are based in Europe or who serve European customers. While Shopify is working hard to make sure that it complies, and allows its merchants to comply with the GDPR immediately on May 25, 2018, it is important to note that the GDPR will also require you to take action independently from the Shopify platform.

Shopify wants to help place merchants in the best possible position to comply with the law. This article includes questions you should consider to help you assess your obligations to make sure that you have set up your store in a way that complies with the law.

That said, this is not legal advice. The GDPR is a complicated regulation, and it will apply differently to different merchants. You should consult with a lawyer to figure out what you specifically need to do.

For information about processing data requests, see Processing GDPR data requests.

Why can't Shopify handle GDPR compliance for merchants?

The GDPR imposes different obligations on controllers and processors of data. As a processor of data, Shopify fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider.

Shopify provides merchants with a platform that can be configured to be GDPR compliant, but you must consider yourself how you would like to run your business.

For further guidance, the following regulators within the European Union have provided specific guidance on the GDPR:

Collecting personal data

The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data.

Examples of personal data include:

  • Name
  • Address
  • Email address
  • Social media account
  • Digital identifier such as an IP address or a cookie ID.

Think about the following questions:

  • Are you collecting personal data from customers in Europe? Most websites can be reached from Europe, and if you offer goods or services to, or monitor the behavior of, individuals in the European Union, you will fall under the GDPR.
  • If your store uses third-party apps or themes, then do they collect and process data in accordance with the GDPR? To simplify this process, Shopify is requiring all apps to post a privacy policy detailing their data handling practices, so that you can assess whether you are comfortable with that app’s data practices. Shopify-developed apps fall under the Data Processing Addendum, and Shopify is responsible for their compliance.
  • Do the channels or payment gateways you use collect and process data in accordance with the GDPR? You should follow up with them to make sure.
  • Do you have a list of all of the types of personal data that you collect from your customers, and all of the ways in which you use this data? Article 30 of the GDPR requires you to maintain a current record of your processing activities, which in practice is a map of your data practices.

Privacy notice

The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.

You can use Shopify's privacy policy generator to get you started. You can find it in your settings under Checkout or online.

Think about the following question:

  • Do you have a privacy policy on your site that includes all of the information that you are required to provide under the regulation? At minimum, does it include how customers can get in contact with you about privacy questions and how customers can exercise their rights, for example the rights to erasure (deletion) or rectification (modification or correction) of their data and the right to access it?
  • Does your privacy policy include how Shopify may use your customers' personal data for automated risk and fraud scoring? The GDPR requires you to disclose when you (or your service providers) use their information in connection with automated decision-making. Shopify uses your customers’ personal information to block certain transactions that appear to be fraudulent through automated decision-making. Shopify's Privacy Policy Generator includes this information. For more information about this system, see Automated decision-making.

Appointing a Data Protection Officer

A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy.

The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with a consultant or firm to serve as an external DPO.

Think about the following questions:

  • How many people are affected by tracking technologies on your storefront? These can include behavioral advertising apps, or even retargeting apps. Whether or not the number of people affected is “large scale” is a legal decision, and you should consult with a lawyer depending on your circumstances.
  • Should you voluntarily appoint a DPO? Even if you are not legally required to appoint a DPO, if your presence in Europe is large enough, you may wish to do so voluntarily to make sure that you adequately protect your customers’ data.

Data processing agreements

If you are a data controller under the GDPR, Article 28 requires that when you engage a data processor (like Shopify) to process your customers’ data, you impose strict contractual requirements on how they may use and process that data. This is typically done through a Data Processing Addendum, or DPA.

Shopify has automatically incorporated a Data Processing Agreement (https://www.shopify.com/legal/dpa) into its terms of service, which is designed to address the requirements of Article 28.

For Shopify Plus merchants, their negotiated contracts will govern their relationship with Shopify. Plus merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants who do not sign a Data Processing Addendum will be governed by Shopify’s online Data Processing Addendum.

Think about the following questions:

  • Are other data processors that you work with outside of Shopify contractually committed to protecting your customers’ data? Many third-party apps, channels, payment gateways, or other data processors will also automatically incorporate a Data Processing Agreement into their terms. Have you consulted with each of these third-parties?

  • Are you a Plus merchant with a negotiated contract? If you want to sign a Data Processing Addendum, then reach out to your Merchant Success Manager. They can provide you with Shopify's template DPA to sign.

Consent

Under the GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent.

For example, you might need to obtain consent from your customers if you are sending your customers marketing messages, or if you are using online advertising or retargeting apps.

Where you need to obtain consent, the GDPR says that it must be:

  • Freely given: it must be entirely voluntary, and should not be bundled with other goods or services.
  • Specific: it must be tied to clearly explained use cases.
  • Informed: it can only be given if the data subject is provided enough information about the personal data that will be collected and used.
  • Unambiguous: it must be demonstrated by a clear affirmative act by the customer (the data subject), not simply by their continuing to use the services.

This means that the customer needs to be given detailed information about the particular use case, and some affirmative action needs to be taken by the consumer to show consent.

Finally, if you offer your customers the opportunity to provide consent, the GDPR also requires that your customers have a way to withdraw consent. This can often be accomplished through an unsubscribe functionality. If you have questions about when and how you should obtain consent for collection of personal data, or the extent to which your customers should be allowed to withdraw their consent, then you should speak with a lawyer familiar with data protection laws.

However, consent is only one of many legal bases in the GDPR that can justify processing of personal data. You might also process personal data to fulfill contractual requirements, or if you are required by law to process data.

Some European regulators have suggested that if you at first ask for consent and your customer declines or agrees but then withdraws their consent, then you may no longer be able to rely on any other legal basis to process personal data. As a result, you should only rely on consent where you do not intend to (or need to) rely on another legal basis to process personal data.

Think about the following questions:

  • For each different way that you use or process your customers’ data, what is the legal basis for doing so? Are you processing based on their consent? Are you processing to fulfill a contractual obligation to the customer? Are you processing to further your legitimate business interests? You should record the legal basis as part of your map of your data practices, described in Collecting personal data.
  • Where you are relying on consent, is the consent you are getting bundled with the goods or services you are offering? For example, statements like “by purchasing these goods, you agree to our use of your personal information” may no longer be allowed under the GDPR.
  • Are you providing enough details about how you will be using the personal data at issue to make sure that the customer’s consent is informed?
  • Is the customer’s consent recorded and stored somewhere?
  • Do you require consent to send marketing communications to your customers? Even if you do not need consent under the GDPR, local laws may or may not require you to obtain consent to send marketing communications to your customers. Speak with a lawyer about the specific requirements that might apply to your store.
  • If you believe you require consent to send marketing communications, then is the marketing consent checkbox for your store unchecked by default? Consider setting your storefront up so that the marketing consent checkbox presented to customers is not pre-checked by default to ensure that your customers have to act affirmatively to provide consent.

The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (although this age can be lower in certain countries).

Think about the following question:

  • Do you need to change how you process customer data to either stop processing the data of those users under the age of 16, or to get parental consent? You might do this by prohibiting users under the age of 16 from accessing your site using an age-gating app from Shopify's App Store, or by asking visitors to confirm that they are over the age of majority.

Automated decision-making

The GDPR requires you to notify your customers if you are using their personal information to engage in any automated decision-making.

Automated decision-making means using automatic algorithms to make a decision about whether an individual is eligible for certain services or offers, should be charged a particular price, or is likely interested in certain types of goods or services.

If you are using any processes that include fully automated decision-making (that is, without any human intervention) that will have a legal or similarly significant effect on the customer, then you generally need the customer’s explicit consent. Article 22 of the GDPR also allows such processing where it is necessary to enter into or perform a contract with the customer, or where it is authorized by law, but you should confirm with a lawyer before relying on either exception.

Process                                                          Requirement
---------------------------------------------------------------  ------------
Automated decision making                                        Notification
Fully automated decision making with significant legal effect    Consent

In general, Shopify does not engage in fully automated decision-making with your customers’ personal data.

The one exception is Shopify's risk and fraud screening, where Shopify might automatically block a payment card number or IP address after a certain number of unsuccessful payment attempts. Shopify does not believe this has a significant legal effect on customers because the automated blocking lasts only for a short period of time.

Think about the following questions:

  • Have you included in your privacy policy that Shopify's risk and fraud screening might use customers' personal information for automated decision-making? You can read more about Shopify's automated decision-making practices in Section 13 of the Privacy Policy. You should also confirm with a lawyer based on your particular circumstances that this service doesn't have a significant legal effect on your customers.
  • Are you using any third-party apps that might be engaged in automated decision-making? You should pay particular attention to reviewing any third-party risk or fraud services you are using in connection with your storefront, or any types of marketing or advertising apps that might build profiles or that target segments of your customers.
  • If you use third-party apps engaged in automated decision-making, then do you need to notify your customers or gather consent to use these apps?

Data breach notification

If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies.

In particular, the GDPR requires you to notify the relevant supervisory authority unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, and to notify the affected individuals themselves where the breach is likely to result in a high risk to those rights and freedoms.

This is likely to be the case if the breached information:

  • Includes payment details.
  • Could be used to reveal embarrassing or personal information.
  • Could be used to access an individual’s accounts or services.

Where notification to the supervisory authority is required, you must provide it without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Affected individuals must also be notified without undue delay.

Think about the following questions:

  • Have you spoken with a lawyer to determine what information you collect and process might require you to provide notice if you experience a data breach?
  • Do you have a data breach response plan for your business so you are prepared for such an incident?

Third-party apps

The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Shopify, but also any third-party apps that you might use in connection with your Shopify store.

Shopify has taken steps to make it easier for you to understand what personal data the apps you install have access to.

To review the personal data your apps have access to, complete the following steps:

  1. From your Shopify admin, click Apps.

  2. Click View details on the app you want to review permissions for.

You can also review app permissions before you install an app on the install screen in the app store.

Additionally, there is a section of the app store for each app to link to a privacy policy that explains in more detail exactly what data app developers are collecting and how they are using it.

While Shopify wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR.

Think about the following question:

  • Based on your location, your customers' locations, your app developers' locations, and your implementation of each app, are you using third-party apps in a way that complies with the GDPR? Consult with a lawyer if you have questions about whether a particular app’s data practices may require additional consideration or work on your part to ensure compliance with the GDPR.

International data transfers

The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected.

Shopify protects personal data according to the requirements of the GDPR as it is transferred to and processed in the United States and Canada.

Shopify has set up its data flows to take care of these requirements for merchants. As described in Section 12 of Shopify's Privacy Policy, all European personal data is initially received from merchants and processed in Ireland by Shopify's Irish affiliate Shopify International Ltd. Shopify then transfers that data onward in compliance with the GDPR:

(Diagram: GDPR international data transfers)

For more information about how personal data from the European Economic Area (EEA) is received and processed by Shopify according to GDPR standards and information security best practices, see Shopify’s GDPR whitepaper.

Think about the following question:

  • Have you ensured that other parties you transfer data to will transfer that data across international borders in a way that complies with the GDPR? You can do this by looking at the privacy policies of your third-party apps, channels, payment gateways, or other vendors, and seeing if they explain how they protect European data.

Download Shopify's GDPR whitepaper

For more information about how Shopify is working to make sure that it will comply with the GDPR when it takes effect on May 25, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document.
