Shopping Cart

Your cart is currently empty.

Continue browsing here.

Enable cookies to use the shopping cart

Cart Updated
Variant Title has been added to your shopping cart.    View Cart   or   Checkout Now
Variant Title has been removed from your shopping cart.

What Shopify Merchants Need To Know About GDPR

Rebecca Gatesman

On May 25th, the EU’s General Data Protection Regulation, or GDPR, will come into effect. This legislation, which is the most comprehensive data privacy law to date, will have a significant impact on how companies collect, process and store personal data. Shopify merchants who want to start or continue to sell to European customers will need to be in compliance - but what does that mean?

What Is GDPR?

social connections for branding

The General Data Protection Regulation is designed to give data control back to individuals. The document covers fourteen major points, all of which are related to the privacy and safety of online consumers. Much of the GDPR document is aimed at larger organizations that handle a lot of personal information (we’re looking at you, Facebook), but there’s plenty that even the smallest online retailers will need to take into account.  

Plainly put, the GDPR places strict rules around how your company can collect, store, and use customer data. This includes the expected financial details, identifying numbers (such as social security or national insurance numbers), and IP addresses, but also encompasses information that you may not already think of in the same light, such as their email address, social media accounts and posts, photos, location data, and their name. This means that if your site uses cookies, is linked to social media profiles, or logs IP addresses, the data you collect is legislated in the EU.

While being part of a larger cloud service like Shopify does greatly ease your journey to GDPR compliance, it’s important to note that, in GDPR’s terms, you’re considered a Data Controller. That means you’re responsible for the data your store collects (not Shopify).

If Your Store Is Available In Europe, GDPR Applies To You!

GDPR does not necessarily apply to every online store, but we do suggest becoming compliant regardless, as the legislation will likely spread globally sooner rather than later. However, if you’re wondering if you have to hit that May 25th deadline, the answer depends on where you’re based, and whether you ever collect information from EU citizens.

If your store is based in the EU, or if your store is available to EU customers, then you must comply with GDPR. However, if your store isn’t available to EU customers, you don’t technically need to comply with the legislation. That said, there is significant benefit to becoming compliant, even if you don’t have to: according to data from Statista, as of 2016, Europe accounts for almost a quarter of total online revenue, so it’s not a market you want to avoid or ignore!

What Happens If I’m Not Compliant?

The GDPR has a bite as bad as it’s bark: organizations can be fined up to 4% of their annual global turnover, or up to €20 Million, whichever comes first. While there is a tiered approach that considers the severity of the infringement, we suggest becoming compliant - or halting EU activity until you are.

Key Shopify Merchant Activities That May Be Impacted

Shopify merchant bracing for GDPR

Staying compliant with GDPR is important for the continuing success of your store, and you’ll need to be vigilant about vetting the apps that you use; we highly recommend finding ones that are GDPR-compliant, if you aren’t already using them. As a Shopify merchant, you’ll likely put the most effort into staying compliant in a few key areas:


Online marketing is all about social proof, personalization, and sharing, right? Well, guess what - all of those involve your company collecting and storing data about your customers that fall under GDPR. Don’t worry, you can still conduct these types of marketing activities, you’ll just need to make sure you’re doing them the right way.

Get Clear Consent

GDPR is, at its core, about enabling customers to give informed, clear consent about how their data is used. That means you’ll need to explain - in clear and simple terms - how your going to use the data you’re collecting. Yep, this new legislation aims to kill the era of hundred-page-long Terms & Conditions documents, which can actually be a great thing for your brand!

Could GDPR Actually Improve Your Revenue?

Think about it - your marketing wants to appeal to what your customers actually desire to see, right? Instead of thinking of GDPR as a burden, think of it as a prompt to revamp and retarget your data so that you’re spending your precious marketing and advertising budgets on customers who are actually receptive, instead of silently annoyed. Your new and improved informed consent strategies are also a great opportunity to build brand trust and customer relationships.

Data Management

All of the information you collect through your marketing efforts is stored in a repository of some sort - of which you, the owner of the Shopify store, are the Data Controller, legally speaking. It’s important to know what your new responsibilities are regarding that information, both to your customers and to the EU legislative body.

The Right To Be Forgotten

One key element of GDPR that may challenge your company’s data management is The Right To Be Forgotten, or the built in legislation that mandates customers should be able to easily edit their data and remove consent for marketing, delete their account, or even all of their information from your system.

Data Breaches

While we all hope that it will never happen to us, security breaches are a fact of online business. If your store is victim to a hack or other security failure, you’ll need to notify your national supervisory authority within 72 hours. Be prepared to explain to them how you’re going to build up data protection safeguards - and then actually do it.

Only Collect What You Need

The best way to make GDPR compliance as easy as possible is to make sure you’re only collecting the data you actually need. The days of collecting every piece of information your customers make available is over - not only does it clog up your CMS and make your marketing and personalization services lower quality, it’s now illegal for a quarter of the market, so cut it out.

Luckily, You’re A Shopify Merchant!

Happy Shopify merchant

If your store was custom built, or you relied on an in-house server, complying to GDPR would be a massive undertaking involving hiring an audit team and tests. Lucky for you, you’re on Shopify, which means most of that is taken care of, given that Shopify as a business is compliant. That means you don’t need to worry about any Shopify apps you use.

Shopify checkout settings

 Additionally, Shopify makes it a bit easier to be GDPR compliant in the settings. For example, in Checkout, you’ll be able to select exactly what information you need, so you aren’t collecting anything extra.

GDPR For Small Businesses Boils Down To: Don’t Be A Creep

While larger businesses have more regulations to comply to, for smaller businesses - such as the majority of Shopify stores - GDPR is really about demonstrating that you respect your customers’ right to privacy, invest in protecting their data, and let them stay in control of the information they give you. That means talking to your customers as humans, explaining in easy terms how they can modify the information they give you, and resisting the urge to hide the “unsubscribe” button from them.

You can learn more in-depth information by reading Shopify’s whitepaper on GDPR compliance, and referencing the super helpful website, GDPR And You. We still recommend consulting with a legal professional to be sure that you’re in the clear, but the EU isn’t trying to trick you into noncompliance. They want you to succeed in building a healthy, respectful, and productive relationship with your customers that will last for years to come.

Share this

Additional Articles