Shopify & GDPR: How to Make Sure Your Site is Compliant

Being compliant with privacy laws will help you earn trust with customers and keep the business out of hot water.


If your store accepts payments online and collects, processes or stores visitor information (which all Shopify websites do), then you need to make sure that your website complies with the privacy regulations of your customers’ countries. The most stringent of these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA).

What are GDPR & CCPA

GDPR and CCPA are regulations that give customers access to, transparency about, and control over their personal data. They apply to any business, regardless of where the business is located, that processes the data of residents of the regulated country or state. Failing to comply can result in large fines depending on the severity and type of violation, so it is in a business’s best interest to comply in order to build customer trust and protect the brand.

How to be GDPR & CCPA Compliant on Shopify

The below is not legal advice and we do recommend seeking the advice of a legal expert who specializes in GDPR and data protection.

To comply with these regulations, you’ll need to make sure you’re doing a few things:

  • Show a cookie consent bar on your website, which blocks tracking technologies until users manage their privacy preferences.

  • Provide a privacy policy page and cookie policy pages.

  • Provide a way to collect and manage customer data and data requests.

To get started on this, there are some necessary elements to implement in a store:

1. Cookie Consent Bar

You must get explicit consent from customers before using cookies to collect their data. You cannot assume that they have consented simply because they have not objected. A cookie bar or pop-up tells visitors which cookies you use and what they are used for. It appears on the customer’s first visit, and they usually have to either accept all cookies or manage their preferences to select which types of data the website can collect (some cookies are necessary for the site to function and cannot be declined).

[Screenshot: Shopify Privacy cookie bar]

You’ll need to install a cookie consent app, which will quickly and easily add a cookie banner to your site. Our personal favorite is Consentmo GDPR, which is very robust and offers compliance tools for various privacy regulations, as seen below:

[Screenshot: Consentmo GDPR Shopify app]

It also offers a lot of customization options within the app to style it and configure content to your needs. There is a free plan to start with, and depending on usage, you may need to upgrade to a paid tier.

Shopify has its own cookie bar app, Shopify Privacy & Compliance. This app integrates well with any Shopify store, but like most apps made by Shopify, its customization options are more basic. Once you’ve set it up, you’re ready to test it.

Cookie Bar Testing

You’ll only be able to see the cookie bar in the regions where you’ve set it to show. For example, if you’re in Toronto, you won’t see the notice that is set up for customers in California. Visibility depends on your IP address, so in order to see how it looks on your site, you’ll need to use a VPN and select the location you’d like to test.

Once your VPN is set to the correct location, open your store in an Incognito browser window. Without clicking on the cookie banner, open the browser dev tools: right click > Inspect > select the Application tab at the top > under the Storage section, select Cookies > select your store’s URL. This opens a list of the site’s active cookies. You should only see the cookies that are strictly required. See here for a list of Shopify’s necessary cookies for the functioning of the site. If you are seeing other cookies, such as ones from Google Analytics or Facebook, then the cookies are not being correctly blocked and you need to do some troubleshooting. Click “Decline” on the cookie bar and confirm that no new cookies are added. Repeat the process, but this time click “Preferences” on the cookie bar, grant some cookie categories, and confirm that the corresponding cookies become active on the site.
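As an added example (not code from the original post or from Shopify), here is a small helper that automates the check above: it parses a cookie snapshot in the format `document.cookie` returns, flags anything not on a strictly-necessary allowlist, and compares a pre-consent snapshot with a post-“Decline” snapshot. The allowlist names and the sample snapshots are assumptions constructed for illustration; replace the allowlist with Shopify’s published list of necessary cookies for your store.

```javascript
// Added example for the cookie-bar test; not part of the original post.
// ASSUMPTION: placeholder allowlist, replace with Shopify's published list
// of strictly necessary cookies for your store.
const NECESSARY_COOKIES = ["_shopify_y", "_shopify_s", "cart", "secure_customer_sig"];

// Parse "a=1; b=2" into a Map of name -> value (values may contain '=').
function parseCookieString(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf("=");
    cookies.set(eq === -1 ? item : item.slice(0, eq), eq === -1 ? "" : item.slice(eq + 1));
  }
  return cookies;
}

// Cookie names present in the snapshot but not on the allowlist.
function unexpectedCookies(cookieString, allowlist = NECESSARY_COOKIES) {
  const allowed = new Set(allowlist);
  return [...parseCookieString(cookieString).keys()].filter((name) => !allowed.has(name));
}

// Cookie names that appear in `after` but not in `before` (e.g. after clicking "Decline").
function newlyAddedCookies(before, after) {
  const seen = parseCookieString(before);
  return [...parseCookieString(after).keys()].filter((name) => !seen.has(name));
}

// One verdict for the two snapshots: nothing non-essential before consent,
// nothing new after declining.
function consentCheck(beforeConsent, afterDecline, allowlist = NECESSARY_COOKIES) {
  const leaked = unexpectedCookies(beforeConsent, allowlist);
  const added = newlyAddedCookies(beforeConsent, afterDecline);
  return { leakedBeforeConsent: leaked, addedAfterDecline: added, pass: leaked.length === 0 && added.length === 0 };
}

// Constructed sample snapshots (not captured from a real store): an analytics
// and a Facebook cookie are set before consent and another after "Decline",
// so this store fails the check.
const SAMPLE_BEFORE_CONSENT = "_shopify_y=abc; cart=xyz; _ga=GA1.2.111; _fbp=fb.1.222";
const SAMPLE_AFTER_DECLINE = SAMPLE_BEFORE_CONSENT + "; _gid=GA1.2.333";

// Note: document.cookie does not show HttpOnly cookies; the dev tools
// Application tab does, so use it for the authoritative list.
console.log(consentCheck(SAMPLE_BEFORE_CONSENT, SAMPLE_AFTER_DECLINE));
```

In the browser console, save `const before = document.cookie;` before touching the banner, click “Decline”, then run `consentCheck(before, document.cookie)`; a non-empty `leakedBeforeConsent` or `addedAfterDecline` is the troubleshooting signal described above.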

Continued consent

Although the cookie bar shows only on the first visit, if you change how you collect or store data, then you need to request consent again, which these apps make easy to do.

2. Adjust your store Customer Privacy Settings

From the Shopify Admin, go to Online Store > Preferences > Customer Privacy. Here you can adjust how data is collected from customers in different locations. Be sure to select that data should be “collected after consent” to block cookies from functioning before the user gives consent.

[Screenshot: Shopify Customer Privacy settings]

In the same section, you’re also able to make adjustments that refer specifically to US laws. Activating this does require the Shopify Privacy & Compliance app.

[Screenshot: Shopify Customer Privacy settings, US privacy laws]

3. Add a Privacy Policy

Every store should have a privacy policy. This privacy policy should be linked in the cookie banner, as well as in your website footer.

Make sure that it includes:

  • A list of the cookies your website sets (defining which are necessary and which are optional)
  • What personal data you collect from customers, and how it is stored and accessed
  • How customers’ personal data is processed by third-party services
  • A description of the rights of individuals under the different privacy regulations
  • A description of how you will respond in the event of a data breach
  • Information regarding requests for parental consent (when applicable)
  • More details depending on your products

We recommend this Terms & Conditions + Privacy Policy, which is specifically created for e-commerce stores and is GDPR and CCPA compliant. It even comes with a GDPR checklist written by a lawyer to help you make sure you’ve covered all your bases. Or, you can use Shopify’s template, which is added from your store’s Policies section.

Some regulations may also require you to have cookie policy pages. The Consentmo GDPR app also has a feature to automatically add these pages to your store:

[Screenshot: Consentmo GDPR Shopify app, cookie policy pages]

4. Manage customer personal data requests

You must provide customers with a way to make requests about their personal data. They have the right to know what data you have collected from them, why you have collected it and how you are using it. At a minimum, your privacy policy can explain how customers can contact you to make a request and what the process is. However, some US state laws require a specific data collection opt-out page, otherwise called a “do not sell or share my personal information” page.

Visitors have the right to have their data deleted, and when they request it you are required to delete it from your store and from any third-party applications that you use. Third-party applications include anything that receives customer data from Shopify, such as an email marketing app, CRM or accounting software.

For example, when deleting a profile from Klaviyo, it will ask you if you’d like to “Delete profile in compliance with data privacy request”. Make sure to select the checkbox if this is the case.

[Screenshot: Klaviyo GDPR delete profile dialog]

You must respond to customer requests in a timely manner. GDPR requires you to respond to a customer request within 30 days.

Hopefully this has given you a good start on making your website GDPR & CCPA compliant. Please note that we’re not experts on this matter. Privacy laws can be complex, and we recommend consulting a lawyer who is familiar with data protection laws if you have specific questions.

Shopify Data Protection FAQ

Do I need GDPR on Shopify sites?

Any company that makes its website or services available to EU residents must be GDPR compliant, even if the company has no physical presence in the EU. By this definition, all Shopify websites need to be GDPR compliant. Compliance includes not collecting EU customer data without explicit consent, and handling personal data according to the regulation. Shopify makes it easy to comply by allowing store owners to adjust their store privacy settings.

Do Shopify stores need a privacy policy?

Every Shopify store needs a privacy policy to let customers know how their personal information is being used. Shopify provides a template that can be generated with one click for store owners to customize for their website. In addition to basic customization of the template, merchants must list in the policy any third-party applications that will be collecting data.

Does Shopify collect personal data?

Shopify stores collect the data necessary to provide customers with a seamless and personalized experience. For example, contact information and payment information must be collected in order to complete a purchase. Depending on where you live, you may have rights to manage your personal data.

How do I find my privacy policy on Shopify?

To edit your privacy policy, go to Settings > Policies from the Shopify dashboard, scroll down to Privacy Policy and make your edits. You may also replace the content with a template. To display your privacy policy in your website footer, add it to the footer menu under Online Store > Navigation > Menus.
