Articles

Create a Shopify data privacy plan for GDPR & CCPA

Written by Osano Staff | April 26, 2022

More than 2 billion people purchased goods and services online in 2021, entrusting their data to the e-commerce platforms that process the data. With over one million businesses using the e-commerce company, Shopify data privacy has never been more critical. 

Data privacy laws vary by state and country, and businesses are responsible for their compliance in each destination. This post will dive into everything you need to know about privacy in e-commerce and how to stay compliant. 

Why you need a Shopify data privacy plan

Shopify is a global platform that makes it easy to sell products worldwide. With the ease of business comes the not-so-easy task of implementing an e-commerce data privacy plan. 

To deliver goods or services to a customer, you will need to collect personal information. This information can include: 

  • Name.
  • Email address.
  • Mailing address.
  • Social media handles.
  • IP address.

 

Protecting a customer’s data isn’t just an excellent way to build trust with your customers — it’s the law in many places. No matter where your business is located, you’re responsible for complying with the data privacy laws in each customer’s location. 


As a data processor, Shopify is subject to a specific set of laws under GDPR. Shopify fulfills the obligations required of them. However, GDPR imposes additional requirements on data collectors. Businesses can configure their Shopify platforms to be GDPR compliant and must actively choose adherence. 

How to protect your Shopify store

Running an e-commerce business is challenging. There are many moving parts, and staying on top of branding, digital marketing, SEO, and social media can feel like a full-time job. Before launching any of those strategies, build a store with GDPR, CCPA, and CPRA in mind.

To comply with e-commerce data privacy regulations around the world, include the following on your Shopify website:

 

Shopify & GDPR: Protect the privacy of customers in the EU

The GDPR guarantees the following rights to residents of the EU: 

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights concerning automated decision-making and profiling.


While Shopify allows businesses to configure their shop to protect these rights, it’s not the default. Complying with GDPR on Shopify is a business’s responsibility.

If you collect personal data from European residents, the GDPR applies to you. To avoid penalties, you must: 

  • Request permission from each visitor to your site if you collect any data from their visit, including analytic data when it comes to a visitor from the EU.
  • Declare in the privacy policy why you gather data and how you will use it.
  • Provide a way for users to request their data and allow its removal if asked.
  • Ensure the GDPR compliance of any third party that will receive the data you collect.
  • Maintain a current map of your data practices.
  • Respond to data subject access requests (DSARs) within one month.  

I’m compliant with GDPR. What do I need to know about Shopify, CCPA, and CPRA?

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are laws designed to protect the privacy of California residents. The CCPA was voted into law in 2018. In 2020, Californians voted for CPRA to add even more privacy protections.

If your shop is available to Californians, you’re responsible for CPRA compliance on Shopify if your business: 

  • Has a gross annual revenue of over $25 million.
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households in California.
  • Earns more than 50% of its annual revenue by selling or sharing the personal information of California residents.

GDPR compliance does not guarantee compliance with CCPA or CPRA. The CCPA focuses heavily on restricting the sale of personal data. If you sell or share the personal data of California residents, you must: 
  • Include a “Do Not Sell My Personal Information” link on every page of your storefront so customers can opt-out of the sale of their personal information. 
  • Upon request, provide a list of companies, or categories of companies, you sold their information to in the past year.  
  • Include a description of their rights and an opt-out link in your privacy policy. 
  • Train your team members on the rights of Californians under the CCPA and CPRA. 

How to craft a privacy policy for a Shopify site

Shopify does not use the data you provide for independent purposes. Can all other vendors and apps you use promise the same? Before crafting your disclosures, take the time to fully understand how the third parties you work with protect customer data.

Privacy legislation around the world calls for privacy policies, and so does Shopify. To gain the trust of new customers and to avoid penalties by the supervisory authorities, your privacy policy should include: 

  • How you collect personal information.
  • What you do with personal information.
  • How Shopify collects and processes personal data for you.
  • Third parties that will receive their information.

A privacy policy checklist can help. 

Guarantee compliance when you use Osano with Shopify

Complying with GDPR, CCPA, and CRPA legislation isn’t easy. Just ask the team at Reshoevn8r. They used to spend up to 8 hours on every data request. Now, they save up to 6 hours with Osano’s Consent Management and Data Discovery tools. You can, too. 

With just one line of code, you can stay compliant on Shopify and with more than 100 other apps and vendors. Request a demo to find out how Osano integrates with your Shopify page, or try Osano for free for 30 days.