Understanding GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to any business processing personal data of EU residents. The UK has its own version (UK GDPR) that applies post-Brexit and is nearly identical.
If your Shopify store sells to customers in the EU or UK, GDPR applies to you regardless of where your business is located. Non-compliance can result in fines up to 4% of annual global turnover or €20 million, whichever is higher.
Key GDPR Principles
- Lawfulness: You must have a legal basis for processing personal data
- Transparency: Customers must know what data you collect and why
- Purpose limitation: Only use data for stated purposes
- Data minimisation: Only collect what you actually need
- Accuracy: Keep personal data accurate and up to date
- Storage limitation: Do not keep data longer than necessary
- Security: Protect data from unauthorised access or loss
GDPR is not just about ticking boxes. It is about respecting customer privacy and handling their data responsibly. Done well, compliance builds trust.
Data Collection Audit
The first step to GDPR compliance is understanding exactly what personal data you collect, where it comes from, and where it goes. This is called a data audit or data mapping exercise.
What Counts as Personal Data
Personal data is any information that can identify a person, directly or indirectly. In ecommerce, this includes:
- Names and email addresses
- Postal addresses and phone numbers
- Payment card details (last 4 digits)
- IP addresses
- Cookie identifiers
- Order history
- Browsing behaviour on your store
Conducting Your Audit
1. List all data collection points
   Checkout, account creation, newsletter signup, contact forms, reviews, etc.
2. Document what data is collected at each point
   Be specific. List every field and data type.
3. Identify the legal basis for each
   Contract (order fulfilment), consent (marketing), legitimate interest (fraud prevention).
4. Map data flows
   Where does data go? Shopify, email provider, analytics, shipping apps, etc.
5. Define retention periods
   How long do you keep each type of data? Each period should be justified.
Pro Tip
Create a spreadsheet documenting your data audit. You will need this for your privacy policy, for responding to data requests, and potentially for demonstrating compliance to regulators.
Privacy Policy
Your privacy policy is a legal requirement under GDPR. It must clearly explain what data you collect, why, and how it is used. It should be written in plain language that customers can understand.
Required Elements
- Identity and contact details: Your business name, address, and contact information
- Types of data collected: List all categories of personal data
- Purposes of processing: Why you collect and use each type of data
- Legal basis: The lawful basis for each processing activity
- Data sharing: Who you share data with (Shopify, apps, shipping providers)
- International transfers: If data is transferred outside the UK/EU
- Retention periods: How long you keep each type of data
- Customer rights: Access, rectification, erasure, etc.
- How to contact you: For privacy queries or complaints
- Right to complain: To the Information Commissioner's Office (ICO)
Adding Your Privacy Policy
1. Go to Settings → Legal
   Shopify provides a template you can customise.
2. Customise for your business
   The template is a starting point. Add details specific to your data practices.
3. Link from footer and checkout
   Make sure customers can find it easily.
4. Review regularly
   Update whenever you change your data practices, add apps, or change processors.
Avoid These Mistakes
- Using a generic template without customisation
- Overly complex legal language that customers cannot understand
- Failing to mention third-party apps and their data access
- Not updating when you change your practices
Customer Consent
Consent under GDPR must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or bundled consent are not valid. Customers must actively opt in.
When You Need Consent
- Marketing emails: Always require explicit consent
- Non-essential cookies: Analytics, advertising, social media tracking
- Remarketing: Using customer data for targeted advertising
- Sharing with third parties for their marketing: Rarely done, always needs consent
When Consent is Not Needed
- Processing orders: Legal basis is contract performance
- Order confirmations and shipping updates: Transactional, not marketing
- Fraud prevention: Legal basis is legitimate interest
- Tax records: Legal basis is legal obligation
Implementing Consent in Shopify
Newsletter Signup
Use unchecked opt-in boxes. Do not pre-select marketing consent. Clearly state what customers are signing up for, for example: "Receive marketing emails about new products and offers."
Checkout Marketing Opt-in
In Settings → Checkout, ensure the marketing opt-in checkbox is not pre-selected. Customers must actively choose to receive marketing.
Cookie Consent
See our separate guide on cookie consent. You need a proper consent mechanism that blocks non-essential cookies until consent is given.
Pro Tip
Keep records of consent. Shopify stores when customers opted in to marketing, but ensure you can demonstrate consent if questioned. This includes the date, time, and what they were told when consenting.
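The consent record described above, as an added example (not Shopify's code or any app's API): an append-only ledger that stores, for every opt-in or opt-out, the address, the signup point, the exact wording the customer was shown, and a UTC timestamp, and refuses to log a pre-ticked box as consent. Each entry is hash-chained to the previous one so that a later edit to the log is detectable. The field names, the in-memory storage and the sample customer are assumptions made for the example.

```python
"""Append-only marketing consent ledger (added example, not Shopify code)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    action: str        # "opt_in" or "opt_out"
    source: str        # where consent was given, e.g. "newsletter_form", "checkout"
    wording: str       # exact text shown next to the checkbox at the time
    timestamp: str     # ISO 8601, UTC
    prev_hash: str     # hash of the previous record; chains the log together
    record_hash: str = ""


def _hash(payload: dict) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []   # assumed in-memory store

    def _append(self, email, action, source, wording, ts=None) -> ConsentRecord:
        stamp = (ts or datetime.now(timezone.utc)).isoformat()
        prev = self._records[-1].record_hash if self._records else "0" * 64
        body = {"email": email.lower(), "action": action, "source": source,
                "wording": wording, "timestamp": stamp, "prev_hash": prev}
        rec = ConsentRecord(**body, record_hash=_hash(body))
        self._records.append(rec)
        return rec

    def record_opt_in(self, email, source, wording, checkbox_prechecked=False, ts=None):
        # A pre-selected box is not valid consent: refuse to record it as an opt-in.
        if checkbox_prechecked:
            raise ValueError("pre-selected checkbox does not constitute consent")
        if not wording.strip():
            raise ValueError("the wording shown to the customer must be recorded")
        return self._append(email, "opt_in", source, wording, ts)

    def record_opt_out(self, email, source, ts=None):
        return self._append(email, "opt_out", source, "unsubscribe", ts)

    def current_status(self, email) -> str:
        """Latest recorded action for this address, or 'none'."""
        for rec in reversed(self._records):
            if rec.email == email.lower():
                return rec.action
        return "none"

    def evidence(self, email) -> list[dict]:
        """Every record for this address: what you would produce if questioned."""
        return [asdict(r) for r in self._records if r.email == email.lower()]

    def verify_chain(self) -> bool:
        """True if no record has been altered or removed since it was written."""
        prev = "0" * 64
        for rec in self._records:
            body = {k: v for k, v in asdict(rec).items() if k != "record_hash"}
            if rec.prev_hash != prev or _hash(body) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True


def demo() -> dict:
    """Constructed sample: one opt-in at the newsletter form, one later unsubscribe."""
    ledger = ConsentLedger()
    wording = "Receive marketing emails about new products and offers."
    ledger.record_opt_in("Ana@example.com", "newsletter_form", wording,
                         ts=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc))
    ledger.record_opt_out("ana@example.com", "email_footer_link",
                          ts=datetime(2024, 4, 2, 9, 30, tzinfo=timezone.utc))
    return {"status": ledger.current_status("ana@example.com"),
            "records": len(ledger.evidence("ana@example.com")),
            "chain_ok": ledger.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The ledger answers the two questions a regulator or complainant will ask: is this address currently opted in, and what exactly was the person told when they opted in. Because records are never updated in place, an unsubscribe is a new record rather than a deletion, so the history of both events survives.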
Data Subject Rights
GDPR gives individuals rights over their personal data. You must be able to respond to these requests within one month.
The Eight Rights
1. Right to Be Informed
Customers must know how you use their data. Your privacy policy fulfils this.
2. Right of Access
Customers can request a copy of all data you hold about them. In Shopify: Customers → select customer → Request customer data.
3. Right to Rectification
Customers can ask you to correct inaccurate data. Update their record in Shopify when requested.
4. Right to Erasure (Right to Be Forgotten)
Customers can request deletion of their data. In Shopify: Customers → select customer → Erase personal data. Note: You can retain data needed for legal obligations (tax records).
5. Right to Restrict Processing
Customers can ask you to limit how you use their data while disputes are resolved.
6. Right to Data Portability
Customers can request their data in a machine-readable format to transfer to another service.
7. Right to Object
Customers can object to processing based on legitimate interests. For marketing, they can unsubscribe at any time.
8. Rights Related to Automated Decision Making
Customers have rights regarding automated decisions that significantly affect them. Rarely applies to standard ecommerce.
Handling Requests
1. Verify identity
   Ensure the request is from the actual customer. Ask for verification if unsure.
2. Acknowledge receipt
   Confirm you received the request and will respond within one month.
3. Process the request
   Use Shopify's built-in tools for data access and erasure requests.
4. Notify third parties
   If you have shared data with apps or services, notify them of erasure requests.
5. Respond to the customer
   Confirm what action you have taken within the one-month deadline.
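The five-step request procedure above as a small request log, added here as an example (not Shopify's tooling): each request gets a deadline from its receipt date, cannot be acted on until identity is verified, and an erasure request cannot be closed until processors have been notified, so the log itself enforces the order of the steps. It assumes that "one month" means the same calendar day of the following month, clamped to that month's last day; check your regulator's guidance for how the period is actually counted. Request types, field names and the sample requests are constructed for the example.

```python
"""Data subject request log with deadline tracking (added example, not Shopify code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

REQUEST_TYPES = {"access", "rectification", "erasure", "restriction",
                 "portability", "objection"}


def one_month_after(d: date) -> date:
    """Assumed deadline rule: same day next month, clamped to month end
    (31 Jan -> 28/29 Feb)."""
    year = d.year + d.month // 12
    month = d.month % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Request:
    request_id: int
    email: str
    kind: str
    received: date
    identity_verified: bool = False
    processed: bool = False
    processors_notified: bool = False
    closed_on: date | None = None
    history: list[str] = field(default_factory=list)   # audit trail of the steps taken

    @property
    def deadline(self) -> date:
        return one_month_after(self.received)


class RequestLog:
    def __init__(self) -> None:
        self._requests: dict[int, Request] = {}
        self._next_id = 1

    def open(self, email: str, kind: str, received: date) -> Request:
        if kind not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {kind}")
        req = Request(self._next_id, email.lower(), kind, received)
        self._next_id += 1
        req.history.append(f"{received}: received and acknowledged; deadline {req.deadline}")
        self._requests[req.request_id] = req
        return req

    def verify_identity(self, rid: int, on: date) -> None:
        req = self._requests[rid]
        req.identity_verified = True
        req.history.append(f"{on}: identity verified")

    def process(self, rid: int, on: date) -> None:
        req = self._requests[rid]
        # Never act on a request whose sender has not been verified.
        if not req.identity_verified:
            raise PermissionError("verify identity before processing the request")
        req.processed = True
        req.history.append(f"{on}: {req.kind} request processed")

    def notify_processors(self, rid: int, processors: list[str], on: date) -> None:
        req = self._requests[rid]
        req.processors_notified = True
        req.history.append(f"{on}: notified {', '.join(processors)}")

    def close(self, rid: int, on: date) -> Request:
        req = self._requests[rid]
        if not req.processed:
            raise ValueError("process the request before responding")
        if req.kind == "erasure" and not req.processors_notified:
            raise ValueError("notify processors of erasure before responding")
        req.closed_on = on
        req.history.append(f"{on}: customer notified of outcome"
                           + (" (late)" if on > req.deadline else ""))
        return req

    def overdue(self, today: date) -> list[int]:
        """IDs of open requests whose deadline has passed."""
        return sorted(r.request_id for r in self._requests.values()
                      if r.closed_on is None and today > r.deadline)


def demo() -> dict:
    """Constructed sample: an erasure request received on 31 January 2024."""
    log = RequestLog()
    req = log.open("Ana@example.com", "erasure", date(2024, 1, 31))
    log.verify_identity(req.request_id, date(2024, 2, 2))
    log.process(req.request_id, date(2024, 2, 5))
    log.notify_processors(req.request_id, ["email platform", "reviews app"], date(2024, 2, 5))
    log.close(req.request_id, date(2024, 2, 6))
    return {"deadline": req.deadline.isoformat(), "steps": len(req.history),
            "overdue_on_1_mar": log.overdue(date(2024, 3, 1))}


if __name__ == "__main__":
    print(demo())
```

The `overdue` check is what you would run daily: anything it returns has missed the deadline and needs an immediate response. Recording each step with a date gives you the log the Documentation section below asks for.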
Third-Party Processors
When you use apps, email services, or other tools that handle customer data, you remain responsible for that data. You must ensure your processors are GDPR compliant.
Shopify as a Processor
Shopify acts as a data processor on your behalf. They have a Data Processing Addendum (DPA) that covers GDPR requirements. You can find this in your Shopify admin under Settings → Legal.
App Compliance
- Review app privacy policies: Check what data they collect and how they use it
- Check for DPAs: Legitimate apps should have Data Processing Addendums available
- Understand data transfers: Where does the app store data? If outside the EU/UK, what safeguards exist?
- Limit app permissions: Only grant the access apps actually need
Common Third-Party Services
- Email marketing: Klaviyo, Mailchimp, Omnisend (all have GDPR compliance features)
- Analytics: Google Analytics (configure for GDPR, enable IP anonymisation)
- Reviews: Judge.me, Loox, Yotpo (check their GDPR documentation)
- Shipping: Your shipping provider also processes customer data
Documentation
GDPR requires you to demonstrate compliance. This means keeping records of your data processing activities, consent, and any data requests handled.
What to Document
- Data audit: What data you collect, why, and where it goes
- Legal bases: Your justification for each processing activity
- Consent records: When and how consent was obtained
- Data subject requests: Log of all requests received and how you responded
- Processor agreements: Copies of DPAs with apps and services
- Privacy policy versions: Keep dated copies when you update
Pro Tip
Create a simple compliance folder with your data audit spreadsheet, current privacy policy, list of processors with their DPAs, and a log for data requests. Review and update quarterly.
Next Steps
Implement GDPR compliance in this order:
1. Conduct your data audit
   You cannot be compliant without knowing what data you process.
2. Update your privacy policy
   Make it comprehensive and easy to understand.
3. Implement cookie consent
   See our dedicated cookie consent guide for implementation details.
4. Review marketing consent
   Ensure all opt-ins are explicit and unchecked by default.