GDPR for Shopify: What you need to know now

The General Data Protection Regulation is a new set of rules and regulations put in place to control the way that the personal data of EU citizens can be collected and used by businesses.

This has been in the works for a while. Though it might seem like a response to recent privacy concerns surrounding Amazon, Facebook, and Google, the law was adopted in early 2016, and replaces an older data protection law from 1995.

The GDPR defines personal data as “any information relating to an identified or identifiable natural person ('data subject').” That covers names, IP addresses, physical addresses, email addresses, purchase history, and a lot more. The definition is quite broad, and many data-driven marketing methods will be affected in one way or another.

Remember that this concerns only users and customers in the EU. This kind of policy may be adopted by the United States or other nations and blocs in the coming years, but here we are specifically talking about an EU/UK law.


We aren’t lawyers

We’d just like to say one thing before we dive into this… we aren’t lawyers. We are designers, developers, writers, and marketers. We are great at helping Shopify merchants grow their business. But we don’t know the difference between mens rea and malfeasance.

If you want or need legal help, contact a good lawyer, because nothing here is even close to legal advice.


But we are Shopify specialists and app creators

So we created an app to help Shopify Merchants deal with GDPR information requests from customers. It will let you:

  • Receive and respond to customer personal data access requests.
  • Make it easy for customers to request their personal data from their customer account page.
  • Export customer data simply and securely in a common, interoperable format.


Get the GDPR Access app now


Why is GDPR a big deal?

You might think that this would only apply to businesses based inside the EU. Not so much. GDPR applies to all companies that collect data on EU users or customers at all.

Details of exactly how strict enforcement will be and how potential violations will be reported and handled are fuzzy so far. What we do know is that the fines faced by those who are found guilty can be huge. Facebook and Google potentially face fines reaching into the billions of euros in the first days of GDPR.

This wouldn’t be bureaucracy without a few complicated terms. Let’s start off by defining some of those terms.

Personally Identifiable Data- This is what the EU is regulating the collection and use of.
  • Email addresses
  • Physical addresses
  • Postal codes
  • IP addresses
  • Names
  • Purchase history connected to a user
  • Analytics user IDs
  • Virtually anything else remotely related to a human being


[Infographic: what qualifies as personal data under GDPR. Source: MarketingProfs]

Sensitive personal data- An even more tightly controlled subset of personal data. This should not affect most of our readers, if any at all.

  • Racial or ethnic information
  • Political opinions and affiliations
  • Religious or philosophical beliefs
  • Union membership
  • Genetic or biometric data
  • Health data
  • Data concerning sexual activity, preferences, or health

Data Subject- A person whose data you may process or store. This can be customers, clients, or employees. If you are using analytics, personalization technology, email marketing, etc., you are processing data that applies.

Data Controller- Any private or public entity that collects user data. This includes anyone collecting and processing orders or collecting marketing data through cookies, analytics, marketing automation, etc.

Data Processors- These are service providers that handle data processing on behalf of a data controller.

  • Email service providers
  • eCommerce platforms such as Shopify
  • Analytics platforms such as Hotjar or Google Analytics
  • Apps that receive and use data from your customers

Data Protection Officer- Someone either within a company or acting in a consultant role, whose job is to ensure that data is collected and protected within the terms of GDPR.

Not every business will have to have a DPO. This depends on the size and scope of your data collection and use. Another factor is whether you actively pursue business activity inside the EU or are focused elsewhere.

Accountability- The ability to show what measures you have taken to be GDPR compliant.

Processing- Manual or automatic operations performed with personal data, including:

  • Creation
  • Collection
  • Storage
  • Viewing
  • Transport
  • Use
  • Modification
  • Transfer
  • Deletion

Consent- GDPR states that consent must be “freely given, specific, informed and unambiguous”.

  • This means that consent for collecting and using personal data can no longer be obtained by assumption or as a condition of using our websites and services. We cannot make opt-in the default, or even use pre-checked forms that assume users will wish to opt in.
  • We must tell people exactly what data we collect and what we do with it in plain, forthright language. Then we must give them the ability to opt in to that collection and use, separate from use of a site or purchase of a product.
  • Consent will have to be given freely for specific activities such as email or text message marketing. Consent for one type of activity, such as email marketing, does not give automatic consent for other types, such as SMS marketing.

How does GDPR affect Shopify stores?

GDPR is concerned with the collection of data. As eCommerce merchants, we collect data. We collect analytics data. We collect email addresses. We use automation tools to collect data on customer trends and preferences.

Any of these things by themselves could be used to learn a lot about a person. When used all together, we could actually put together a pretty comprehensive picture of who our customers are.

That is a lot of power. As merchants, we are supposed to serve our customers, but we should also safeguard their privacy. Customers entrust us with not only their payment information, but insight into what matters to them.

If that is not a big enough motivation, there are the fines.

Whether you are a tiny Shopify store or a Facebook-sized monolith, you are subject to these rules now.

Example of how GDPR applies to Shopify owners

To put this into perspective for readers who own or manage an online store, here’s an example.

Lydia runs a Shopify store. Customers come to her site to buy widgets. In the course of marketing her widgets, Lydia takes advantage of several modern marketing tools and tactics.

  • Shopify processes orders and payments
  • Facebook provides a tracking pixel that allows FB ad targeting
  • Google Analytics tracks on-site user behavior
  • Klaviyo provides email marketing services
  • Bold Brain and Product Upsell track purchase behavior
  • A fulfillment service picks, packs, and ships orders
  • An agency handles marketing and conversion rate optimization

In this scenario, there is a fair amount going on, and a lot of touchpoints to consider for GDPR:

  • The people visiting the site, joining the email list, or buying widgets are data subjects.
  • Lydia is the one responsible for the site existing and collecting this data to begin with, so she is the data controller.
  • Shopify, Google Analytics, Facebook, Klaviyo, Bold, the fulfillment provider, and the marketing agency are data processors in the case of Lydia’s store.

So Lydia is collecting data and processing it through these various means. What is her burden of responsibility for GDPR compliance?

Responsibility #1- Consent

Lydia should obtain consent to collect, store, and use any data that could potentially identify her users and customers. That means she must inform them of what information she is collecting and how she is using it. Users (data subjects) must then give explicit consent to these uses of their data.

Consent to store user information concerning their purchases is required as part of buying from the site. But that can no longer be used as blanket permission to sign a customer up for marketing emails, text messages, etc. That consent must be obtained separately and can’t be made a prerequisite of service.

There is one contentious part of the consent puzzle that many GDPR experts seem to disagree on: the use of small pieces of data, called cookies, that your site stores in the visitor’s browser. Cookies that are simply a part of the most basic functionality of your website are allowed without issue. Cookies that can tie users directly to identifiable information such as name, social media accounts, email addresses or phone numbers now require direct, explicit consent, and you cannot simply deny use of your website if users do not consent.

The contentious area is that of tools such as Google Analytics. While you can take steps to anonymize data collected there, there are still pseudonymous user IDs. These can be linked to specific users and their actions on site. It seems that as long as the data linked to these user IDs is anonymized, explicit consent for their use is not necessary.

Responsibility #2- Verification of third parties

Lydia should verify that all of the tools she is using to capture, process, and store user data are GDPR compliant and are securely storing data. If Lydia were to be reported and audited, she could be held responsible for lack of compliance by her third-party tools and partners.

Responsibility #3- Security of data

Lydia is also responsible for any data breaches that reveal her users’ and customers’ personal data. In this case, that includes Shopify and her other third-party partners that may store or use her user data. If they are compliant, Lydia should be as well.

If Lydia or her partners have a data breach of any sort, she has 72 hours to notify those who may have been affected.

Responsibility #4- Viewing, editing, and deleting data

Lydia must have a way to allow any EU resident user who requests it to view, change, or erase any personal data that she has collected on them. This is a huge part of GDPR. Merchants must be able to show users the data collected on them, and allow them to change or delete that data.

Using out-of-the-box solutions such as Shopify or Klaviyo puts Lydia in a much stronger position here. Instead of needing a custom solution, you can use their built-in systems to make these difficult functions easier.

When a request is made, merchants have 72 hours to acknowledge the request, and 30 days to comply. When you hand over that information, it must be in a format that is portable, which means that the data can be easily viewed and used by anyone. CSV is the preferred format as it is universal and can be accessed by virtually any spreadsheet software.

Responsibility #5- Documentation

Now that Lydia has done all of this, she needs to document the fact that she has done it. The goal here is to show that she has resources and processes in place that move her toward compliance.

Even if Lydia is not completely compliant or is still working towards compliance, this documentation showing an honest effort towards becoming compliant could make a huge difference if she runs into any trouble.

This documentation involves:

  • What kind of data you collect
  • What purposes you use it for
  • How long you keep records
  • Who you keep data on
  • Your plan for securing data

A detailed guide to compliance documentation can be found here.

If you want help to ease the burden of delivering on Shopify customer data requests, check out the UWP Access app.


Get the GDPR Access app now


[Infographic: GDPR. Source: Varonis security]


Good and bad

GDPR seems like a bad thing to those who have to work to comply. Some companies will simply stop doing any business with EU citizens. Many companies have spent millions to make sure they can continue to serve those inside the EU.

In some ways, GDPR is bad. It has complicated and disrupted the way we do business online. It will likely lead to other nations and blocs passing similar laws, so there is no escaping this work and expense if you want to keep doing business online.

That doesn’t mean everything is bad. GDPR actually does protect the rights of our users and customers. If we care about those people and the safety of their personal data (and our own, since we are also consumers), this is a step in the right direction.

We need to create an environment where people are not afraid that their personal information can be easily stolen or used against them. Recent issues with Facebook and a disastrous American election are growing pains that highlight the need for this kind of law.

The good news is that increased trust is good for business. If you are ahead of the curve and enthusiastic about creating a safer, more trusting environment, you will win the hearts of your customers and beat out your competitors who are unwilling to put customers first.

Getting your store up to GDPR compliance

If you have even one user or customer that lives in the EU, you are subject to GDPR law. What that means varies based on your activities and the types of data you collect and process.

We’re going to outline some of the basics for online merchants and their most common activities and give you more resources to help get your store up to compliance standards. Please note that we are absolutely NOT lawyers. If you need further advice, you should get in touch with a lawyer or a GDPR expert to make sure that you are covered.

Audit your data collection, storage, and use

Sit down and think about how and why you collect personal data within your business.

  • What data am I capturing?
  • What am I doing with that data?
    • Do I have a legitimate reason for collecting the data?
    • Do I actually use it?
  • What third-party processors or capture points do I have? Are they secure and GDPR compliant?
    • Apps
    • Analytics
    • Fulfillment services
    • Marketing platforms
    • Personalization- Behavior, location, etc.
  • Is my data storage secure?
    • Are any tools you use to store data GDPR compliant?
    • Do you ever access data in a way that it touches your own computer or email servers?


Make sure you are getting consent

  • Opt-in, not opt-out
  • Separate from providing services or selling products whenever possible
    • Example: You cannot assume that purchasing a product means you have permission to add the buyer to a marketing email list.
  • Are you explaining in clear, plain language as a part of your privacy policy?
    • What data you are collecting
    • What you are doing with it (apps, service providers)
    • Who has access to it (your staff, third parties, consultants)
    • How users can deny access or view and edit their personal data
  • Are you tracking consent?
    • When it was given
    • How it was given
    • What the user consented to
  • Do you have a way for users to easily withdraw consent?
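Here is an added example, written for this article and not taken from the UWP Access app or from Shopify, of what a consent record that answers the checklist above could look like in a merchant’s own system: nothing is consented to by default, consent is granted per purpose (email does not imply SMS), withdrawals are recorded rather than deleted, and each entry keeps when, how and what the person agreed to. The purpose names, method names and customer IDs are made up for the example.

```python
"""Per-purpose consent ledger (added example, not code from the UWP app or Shopify)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed purpose names; a real store would use its own list.
PURPOSES = {"email_marketing", "sms_marketing", "analytics"}


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    purpose: str
    granted: bool        # True = opt-in, False = withdrawal
    given_at: datetime   # when it was given
    method: str          # how it was given, e.g. "checkout_checkbox", "account_page"
    text_shown: str      # what the person was told they were consenting to


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, customer_id, purpose, granted, method, text_shown, when=None):
        """Append one grant or withdrawal; the record is never rewritten in place."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if method == "pre_checked_box":
            # A pre-ticked box is not freely given consent, so it is not accepted as a grant.
            raise ValueError("pre-checked consent is not valid consent")
        ev = ConsentEvent(customer_id, purpose, granted,
                          when or datetime.now(timezone.utc), method, text_shown)
        self.events.append(ev)
        return ev

    def has_consent(self, customer_id, purpose) -> bool:
        """Opt-in only: the latest event for this purpose decides; no event means no consent."""
        latest: Optional[ConsentEvent] = None
        for ev in self.events:
            if ev.customer_id == customer_id and ev.purpose == purpose:
                if latest is None or ev.given_at >= latest.given_at:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, customer_id):
        """Rows (purpose, granted, when, how, what) for a data request or for documentation."""
        return [(ev.purpose, ev.granted, ev.given_at.isoformat(), ev.method, ev.text_shown)
                for ev in self.events if ev.customer_id == customer_id]
```

Because the current state is derived from the full event history, the same ledger serves both the “are you tracking consent?” questions and the withdrawal question.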

Allow users to view, edit, and delete their data

  • Do you have an easy way for users to request their data?
    • Acknowledge the request within 72 hours
    • Comply within 30 days
  • Do you have a process to gather users’ data and allow them to view it?
    • It must be in a “portable” format- one that can be easily accessed by the user or by others. CSV format is recommended.
    • Do you have a way to do this without storing the data on your own email servers or computers?
  • Do you have a way to allow users to edit or erase their data presence from your business?

In the coming months, you will see many new options and tools to help automate the process and make compliance easier. UWP’s Access app is one of those new tools. We’re making it easy for you to receive and comply with customer data requests. You can automate your required 72-hour confirmation, and easily send all Shopify data to your customers.

Document what you do

Tracking your efforts to comply is important. You must be able to show the steps you have taken to be GDPR compliant and to limit the risk to your data subjects.

Here is an in-depth guide to documenting your compliance efforts, including spreadsheet templates provided by the UK’s Information Commissioner’s Office.

Your documentation will be needed in the event that any complaint of non-compliance is filed against you. Even if you missed something and have gaps in your plan, showing that you made serious efforts and were not willfully non-compliant could keep you safe from killer fines.


Get the GDPR Access app now


More GDPR fun for Shopify merchants

If you can’t get enough of the thrilling world that is GDPR, here are some more resources you shouldn’t be without.

We’ve arrived

Whether you are ready or not, and whether you want it or not, the era of dealing with GDPR and data safety is here. The more you get on board and get ahead of the pack, the better chance you have to turn this into a serious advantage over your competition, who will have to be brought on board kicking and screaming.