Pandectes

A practical guide to a GDPR-compliant Shopify Store

Introduction

The GDPR, which has influenced and is still influencing current legislation, is undoubtedly the most well-known and significant worldwide privacy law to date. However, it is not the first worldwide privacy law. For instance, the PIPEDA in Canada and the POPIA in South Africa were both passed in 2000. In the German state of Hesse, the first data protection law in history was passed in 1970.

Below we provide a practical guide to staying compliant with the GDPR, and then we answer questions based on our experience with many Shopify merchants. We know that many merchants are affected by it, so we try to make the process simpler.

Action Items for a Shopify Store to be GDPR Compliant

Under the General Data Protection Regulation, you as a business will need to:

  1. Show a cookie consent bar on the user’s first visit which blocks tracking technologies (e.g. cookies) from firing before the user gives consent

  2. Provide a privacy policy page on your Shopify store

  3. Provide a cookie policy page or details about cookies inside the banner

  4. Provide a way to collect and manage customer (data subject) data requests

Practical Guide

Step 1: Ensure you can access your store from a European Union IP address

If you are located in the European Union, you are ready to start testing. Otherwise, use any VPN software and select a European country so that you can access your Shopify store address as an EU visitor.

Step 2: Show a cookie consent bar

You will need to have a GDPR application installed on your store that can provide such a banner. The Pandectes GDPR Compliance Center application is a great solution and provides multiple banners. The banner must:

  • inform customers that your store (or any third-party service used by your store) uses cookies;

  • clearly state which action will signify consent;

  • be sufficiently conspicuous so as to make it noticeable;

  • link to a cookie/privacy policy or make details of the cookies’ purposes, usage, and related third-party activities available to the user;

  • be visible to all visitors on all devices;

  • provide your customers with an option to change their consent preferences or even withdraw consent;

  • collect explicit consent, not implicit consent.

Step 3: Check Shopify Store Customer Privacy Setting

Navigate to your store admin under Sales Channels > Online Store > Preferences. There, select the third option, “Collected after consent”. With this option, data is not collected until a customer gives consent.

Step 4: Access your Store and open Dev Tools on your browser

In this step you need to:

  1. Visit your store in a clean environment (it is better to use incognito mode to be sure that this is the first time you access the page)

  2. Do not interact with the GDPR banner

  3. Open the dev tools (use Chrome to follow the next substeps) and select the Application tab

  4. On the left, in the Storage section, select Cookies and under it select your store URL

  5. On the right side, you should see only the strictly required cookies, plus those set by your GDPR application

  6. If you see only these cookies (for example, payment gateway cookies are strictly required), then in the main browser window click the banner’s decline button and move to the next step

  7. Otherwise, if you see cookies from services like Facebook, Google Analytics, Google Adwords and other Google services, TikTok, Twitter, or even from third-party apps, then you have a problem: you will need to check your GDPR app, or any other service that manages your scripts, and configure it properly

Step 5: Check consent to all modes

Make the same check as in step 4, but now accept all cookies on the banner and verify that all cookies are firing. For example, check in the dev tools that common services like Google and Facebook are loading.
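The checks in steps 4 and 5 can be scripted from the browser console instead of reading the cookie table by hand. The helper below is an added example, not code from this guide or from the GDPR Compliance Center app; the vendor cookie-name patterns and the list of strictly-necessary Shopify cookies are assumptions based on commonly documented names and must be extended for the services your store actually uses.

```javascript
// Added example (not part of the original guide): classify the cookies present
// on the store and report consent violations for the Step 4 / Step 5 checks.
// Vendor patterns below are assumptions; extend them for your own services.
const TRACKER_PATTERNS = [
  { vendor: "Google Analytics", re: /^_ga(_|$)|^_gid$|^_gat/ },
  { vendor: "Google Ads",       re: /^_gcl_/ },
  { vendor: "Facebook",         re: /^_fb[pc]$/ },
  { vendor: "TikTok",           re: /^_ttp$|^_tt_enable_cookie$/ },
];

// Assumed strictly-necessary cookies: Shopify session/cart cookies and the
// consent banner's own state cookie. Replace with what your store really sets.
const ESSENTIAL_PATTERNS = [/^_shopify_/, /^cart/, /^secure_customer_sig$/, /^localization$/, /^_tracking_consent$/];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((c) => c.split("=")[0].trim()).filter(Boolean);
}

function classify(name) {
  const hit = TRACKER_PATTERNS.find((p) => p.re.test(name));
  if (hit) return { name, kind: "tracker", vendor: hit.vendor };
  if (ESSENTIAL_PATTERNS.some((re) => re.test(name))) return { name, kind: "essential" };
  return { name, kind: "unknown" }; // e.g. payment gateways: review manually
}

// consentGiven=false models Step 4 (banner untouched): any tracker is a violation.
// consentGiven=true models Step 5 ("accept all"): every vendor in expectedVendors
// should now have set its cookies, otherwise the consent signal is not reaching it.
function auditCookies(cookieString, consentGiven, expectedVendors = []) {
  const entries = cookieNames(cookieString).map(classify);
  const trackers = entries.filter((e) => e.kind === "tracker");
  const unknown = entries.filter((e) => e.kind === "unknown").map((e) => e.name);
  const violations = [];
  if (!consentGiven) {
    for (const t of trackers) violations.push(`${t.vendor} cookie "${t.name}" set before consent`);
  } else {
    const loaded = new Set(trackers.map((t) => t.vendor));
    for (const v of expectedVendors) if (!loaded.has(v)) violations.push(`${v} did not load after consent`);
  }
  return { trackers, unknown, violations, pass: violations.length === 0 };
}

// Constructed sample of document.cookie on a misconfigured store before consent:
// a Google Analytics cookie has already fired.
const SAMPLE_BEFORE_CONSENT = "_shopify_y=abc; cart=xyz; _tracking_consent=%7B%7D; _ga=GA1.1.1; localization=DE";

// In the browser console, run against the live store:
if (typeof document !== "undefined") console.log(auditCookies(document.cookie, false));
```

Run it once before touching the banner (`consentGiven=false`) and once after "accept all" with the vendors you expect; the `unknown` list is for cookies you need to check by hand.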

Step 6: Implementing a privacy policy

  1. If you already have a privacy policy page, then you need to:

    1. verify that it properly describes the data processors or third-party services that you use in your store and how they handle your customers’ personal data;

    2. describe what personal data you hold about your customers, where it is stored, and who has access to it;

    3. analyze and mitigate any possible data breach scenario;

    4. depending on the products you sell, state that you request parental consent where applicable;

    5. link this page to the banner of your store.

  2. Otherwise, prepare one. Shopify provides a template under Store Settings > Policies.

  3. At this step, you may also consider having a written data processing agreement in place with all your data processors.

Step 7: Implementing a cookie policy

  1. If you already have a cookie policy page, then you need to include the cookie declaration there (if you can show it in your cookie banner, you can skip this page).

  2. Otherwise, prepare one. The GDPR Compliance Center application provides an auto-generated cookie declaration that is updated automatically when new cookies are detected.

Step 8: Collect and manage personal data requests from customers

You will need to prepare a page on which you give your customers a form to make requests about their data. At a minimum, you need a simple form or a text that explains how they can contact you to make the request and that informs them about the process. The GDPR Compliance Center application provides such an option that works as a page block.

Finish!

You are all set! Our partners at Analyzify offer a complete tracking solution service that is GDPR compliant. Pandectes’s GDPR Compliance Center is fully integrated with Analyzify, and together they provide a complete solution for GDPR and data analytics setup.

Next, we answer questions based on our experience with several Shopify merchants. Customers’ personal data, and more generally the ways to process data properly, have been of great interest in the last few years. Using the right tools for these online stores is really important, both for European customers and for Shopify merchants.

What is GDPR compliance?

GDPR compliance means that all businesses operating in European Union countries have to follow specific rules in order to be protected. The reason for the GDPR was a desire to give customers access to their personal data.

Why is GDPR important?

The General Data Protection Regulation (GDPR) offers a uniform, Europe-wide possibility for so-called commissioned data processing, which is the gathering, processing, or use of personal data by a processor in accordance with the instructions of the controller based on a contract.

In digital commerce, the GDPR has a huge impact on the online retail industry because a store processes all of this data, in many details, every day. As we have previously mentioned, a number of customers have complained that data privacy laws are being violated by spammers.

It is important to note that customer data will never be sold without a fair price. The government can punish any hacking of personal data that was intentionally uncovered in an attempt to avoid the hefty charges of the past.

How does GDPR affect Shopify?

GDPR compliance has affected Shopify’s operations. eCommerce platforms have significantly improved their privacy practices and security measures for their customers. Shopify has restructured its privacy team and upgraded its contracts with external partners to meet compliance requirements.

Shopify is updating its security policies so that it can provide more information about the GDPR. A section was added describing data export, unsubscribing from emails, and opting in to email lists. A further new limitation applies to the data collected by Shopify customers.

Why do you need a Shopify cookie banner?

As Shopify stores collect and use customer data, it is necessary for you to keep track of important legislation, such as the Privacy Directive and the GDPR. Even if you do not have any offices within the EU, your company must comply with European privacy laws.

You need to provide people with enough information on the ways in which you use cookies. This can be done with a cookie banner shown on your page when a person visits. It can appear as a pop-up in the center of the page or as a banner at the top or bottom.

How often can consent be collected and the banner re-shown?

The data subject (user) gives the business permission to process their personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw, so businesses need to be careful when using consent as their legal basis. For example, the age of pre-checked consent boxes is coming to an end under the GDPR.

After displaying the cookie banner on a user’s first visit, you do not need to display the banner again on each visit. However, you should consider giving users the option to redisplay the banner in case they need to change their settings. Also, if you change your processes for stored data or the way you collect it, then you need to request new consent from them. A proper GDPR app can do this job easily for your customers.

What is actually a Data Subject Request?

The GDPR is not a law that only requires a banner to collect consent from your visitors. To comply with it, you need to be able to provide your customers with a way to make requests about their rights regarding their data. The GDPR applies to any company or business, regardless of its location, that collects and processes the personal data of customers in the EU.

What does a data processing agreement need to include?

GDPR Article 28, Section 3, explains in detail the eight topics that need to be covered in a DPA. In summary, here’s what you need to include:

  • The processor agrees to process personal data only on written instructions of the controller.

  • Everyone who comes into contact with the data is sworn to confidentiality.

  • All appropriate technical and organizational measures are used to protect the security of the data.

  • The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).

  • The processor will help the controller uphold its obligations under the GDPR, particularly concerning data subjects’ rights.

  • The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).

  • The processor agrees to delete all personal data upon the termination of services or return the data to the controller.

  • The processor must allow the controller to conduct an audit and will provide whatever information necessary to prove compliance.

GDPR fines await those who don’t comply

Since the GDPR came into force, data protection authorities have shown a willingness to impose sanctions, and small businesses are not exempt. GDPR fines can reach up to €20 million, or 4% of the company’s global revenue.

However, there are two levels of fines, depending on the severity and type of violation under the GDPR. Fines for data processor-related violations are generally classified as Tier 1. According to the guidelines, this tier can bring fines of up to 10 million euros or 2% of global earnings.

Conclusion

Technology is constantly evolving and so must data protection laws. The GDPR has been updated several times since it came into effect in 2018, and we expect to see more changes in the future.

Are third-party cookies going away? How do you protect your kids from social apps that collect biometric data? How is AI used and regulated? These are just a few of the issues that need to be addressed by regulators, businesses, and citizens, and ultimately reflected in regulation.
