Hi, and welcome to another ‘1st of the month’ blog post here on AidanBooth.com!
Following last month’s deep dive into GDPR, this month I’m going to concentrate on GDPR for Shopify (pretty much all of this blog post will also apply to non-Shopify eCommerce sites).
First though, the mandatory disclaimer that I have to give:
Please note that this article is for information purposes only and is based on my understanding of GDPR. The tips I’m providing are not intended to be legal advice and in no way represent a comprehensive standard for ensuring GDPR compliance. I recommend you seek your own legal advice.
What Is GDPR & Does It Affect You?
If you don’t have a good grasp of the basics of GDPR, go and read my introductory blog post here:
https://www.aidanbooth.com/gdpr
The short answer: GDPR is a set of new laws that impact how you can collect visitor data, privacy rules, and much more. And yes, regardless of where you are in the world, GDPR almost certainly DOES affect you.
What If Your Shopify Store Doesn’t Target EU Visitors?
If there’s a chance you might get EU visitors, then you need to be compliant (you could lock your entire site down and simply not serve EU visitors at all, but being compliant isn’t that hard, so I recommend you just do it).
Hefty fines of up to €20m or 4% of annual turnover, whichever is greater, could be dished out to offenders.
Will your Shopify store be a target? Probably not… but I’d rather be safe than sorry.
Data Controller Vs. Processor
The GDPR data protection responsibilities are made up of the following roles (there are also ‘sub’ roles, but these won’t affect 99% of people, so I’ve chosen not to dive into them here):
- Data Controllers
- Data Processors
1. Data Controller
In the majority of cases, you as the merchant will be the Controller in your business, as you collect information from the buyer.
Controllers must be able to provide certain information which MUST be made available to the buyer if requested.
2. Data Processor
Generally Shopify will be the Processor with respect to buyers’ personal data.
The Processor needs the Controller’s authorization to process the data.
If you’ve got a subscriber list on your Shopify store, and you’re using a tool like Aweber or MailChimp to manage that, then they’d be the Data Processor.
Before we dive into the 10-step action plan, sign up right now to get access to our GDPR software and checklist:
Once you’ve done that, let’s dive into the 10-step action plan…
10-Step GDPR Compliance Action Plan
To try to cut to the chase here, I’ve prepared a 10-step plan for you to follow… if you follow this from start to finish, you should be pretty solid as far as GDPR compliance goes.
The 10 steps are as follows:
- Update Your Privacy Policy
- Update Your Terms And Conditions
- Understand Your Buyers’ Rights
- Comply With Cookie Regulations
- Review 3rd Party Apps
- Review Software Tools
- Review Email & Marketing Activities
- Check The Data You’re Collecting
- Ensure Total Transparency
- Re-contact All Previous Subscribers & Customers
Let’s now work through each step in more detail:
1. Update Your Privacy Policy
Your privacy policy needs to clearly explain the data you collect from your customers and why.
Shopify provides the relevant information in their own Privacy Policy, but it is down to the merchant (you) to provide your own.
Here’s what I recommend…
- Your Privacy Policy MUST reflect how you collect, use, share and secure your customers’ personal information.
- You MUST document how long you intend to keep your customers’ data for.
- Your privacy policy should also describe your customers’ choices regarding use, access and correction of their personal information.
- Ensure your Privacy Policy is easily accessible, for example, place a link in the footer of your site so your customers can find it easily.
If your Privacy Policy doesn’t contain the above information, you need to update it.
The Shopify Privacy Policy generator is a HUGE help:
https://www.shopify.com/tools/policy-generator
This tool has recently been updated to take GDPR into consideration; it’s free to use, and you don’t even need to be a Shopify user to be able to use it.
2. Update Your Terms And Conditions
The main changes are required to your Privacy Policy as we discussed above, however, bear in mind your Terms and Conditions (aka Terms of Service) may need amending to include the new GDPR terminology.
Furthermore, since you’re updating this anyway, you may as well link back to your Privacy Policy from this page too.
Shopify have come to the party again here, by providing a useful Terms and Conditions generator:
https://www.shopify.com/tools/policy-generator/terms-and-conditions
3. Understand Your Buyers’ Rights
Your buyers (known as data subjects) have many more rights under the GDPR; let’s have a look at those here.
Erasure of their personal data (deletion):
If a buyer asks for their information to be deleted, this must be carried out within one month; however, there are a couple of exceptions to this rule, such as:
- If it is associated with a pending order
- If it is during the chargeback period (usually 180 days)
Rectification of their data (correction):
The buyer has the right, at any time, to correct the data you may hold on them; this may be because the information is incomplete or inaccurate.
If you receive such a request, you must act on it as soon as possible; you can change the customer’s data directly within the Shopify store admin.
Access to their data:
Data subjects (buyers) have every right under the new regulations to have access to their data.
Upon request, as the Data Controller, you have the responsibility of providing this information.
If you cannot sufficiently fulfil this request, you can contact Shopify via their support, or email them at: privacy@shopify.com
Shopify will then take the appropriate action to provide the buyer with the relevant information.
Export of their data in a common portable format:
If requested, the Data Controller must provide this information in a readable and commonly used format.
Some of this data may be exported directly from the store’s admin page using a common format such as Excel or a CSV file.
The following can be downloaded with one click:
- Transaction history
- Payouts
- Product lists
- Customer lists
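To make the erasure exceptions and the portable-export right concrete, here is an added example (my own illustration, not Shopify’s code or the post’s tool) that applies the rules above to a constructed customer record. It assumes each order has an `id`, a `status` of `pending` or `fulfilled`, and a `placedAt` date, and that the chargeback period is counted from `placedAt`.

```javascript
// Added example, not from the post: applying the step-3 rules to constructed data.
// Assumed: orders carry id/status/placedAt; the 180-day chargeback window runs from placedAt.
const CHARGEBACK_DAYS = 180;        // "usually 180 days" per the post
const RESPONSE_DAYS = 30;           // the post's "within one month" deadline
const DAY_MS = 24 * 60 * 60 * 1000;
// Erasure check: returns { erase, reasons }. Any pending order, or any order still
// inside the chargeback window, blocks erasure for now, and the reasons say why.
function assessErasure(orders, requestedAtMs) {
  const reasons = [];
  for (const o of orders) {
    const ageDays = (requestedAtMs - Date.parse(o.placedAt)) / DAY_MS;
    if (o.status === 'pending') {
      reasons.push(`order ${o.id} is still pending`);
    } else if (ageDays < CHARGEBACK_DAYS) {
      reasons.push(`order ${o.id} is within the ${CHARGEBACK_DAYS}-day chargeback period`);
    }
  }
  return { erase: reasons.length === 0, reasons };
}
// Latest date by which an access, rectification or erasure request must be actioned.
function responseDeadline(requestedAtMs) {
  return new Date(requestedAtMs + RESPONSE_DAYS * DAY_MS).toISOString();
}
// Portable export: CSV with a header row; fields containing commas, quotes or
// newlines are quoted so the file opens cleanly in Excel or any CSV reader.
function csvField(v) {
  const s = v == null ? '' : String(v);
  return /[",\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}
function toCsv(rows) {
  if (rows.length === 0) return '';
  const cols = Object.keys(rows[0]);
  const lines = rows.map(r => cols.map(c => csvField(r[c])).join(','));
  return [cols.join(','), ...lines].join('\n');
}
// Access/portability request: everything held on the buyer, in CSV form.
function exportCustomer(customer, orders) {
  return { customer: toCsv([customer]), orders: toCsv(orders) };
}
// Constructed sample data (not real buyers); the request is dated 1 June 2018.
const REQUESTED_AT = Date.parse('2018-06-01T00:00:00Z');
const SAMPLE_ORDERS = [
  { id: '1001', status: 'fulfilled', placedAt: '2017-10-01T00:00:00Z' }, // 243 days old: clear
  { id: '1002', status: 'fulfilled', placedAt: '2018-03-01T00:00:00Z' }, // 92 days old: blocks
  { id: '1003', status: 'pending',   placedAt: '2018-05-30T00:00:00Z' }, // pending: blocks
];
const SAMPLE_CUSTOMER = { name: 'Example Buyer', email: 'buyer@example.com', address: '1 High St, Example Town' };
```

Running `assessErasure(SAMPLE_ORDERS, REQUESTED_AT)` reports two blocking reasons, while the same request with only the October order erases cleanly.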
4. Comply With Cookie Regulations
It’s important to comply with cookie regulations; if you don’t already have this in place, you need to act now!
You may already be familiar with the current EU Cookie Law, but from May 25th this will be replaced by GDPR, which requires that you can show “unambiguous” opt-in consent for cookie and data use.
You may already have a cookie statement that says something like:
“By using this site, you accept cookies”…
This is no longer sufficient; the visitor needs to actively show that they agree, by clicking an acknowledgement button or choosing a preference or setting to confirm consent.
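As an added example of what “unambiguous opt-in” means in code (my own illustration, not the tool linked below and not Shopify’s code), the gate below refuses to run any non-essential cookie category until the visitor has actively clicked accept, and treats a missing, malformed or out-of-date consent record as no consent. The category names, cookie name and element ids are assumptions.

```javascript
// Added example, not the post's tool: explicit opt-in gate for non-essential cookies.
// Nothing non-essential runs until the visitor clicks accept; a record that is absent,
// malformed or from an older consent version counts as "no consent" (no pre-ticked defaults).
const CONSENT_VERSION = 1;
const CATEGORIES = ['analytics', 'marketing'];   // assumed non-essential categories
// Build the record from an explicit action only: unchosen categories are false.
function buildConsent(acceptedCategories, nowMs) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = acceptedCategories.includes(c);
  return { version: CONSENT_VERSION, at: nowMs, choices };
}
// Serialise as a cookie string. Secure + SameSite=Lax keep the record from leaking
// or being forged cross-site; Max-Age is the retention period you document.
function consentCookie(record, maxAgeDays) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}
// Parse a document.cookie-style string; anything not a valid current record is null.
function readConsent(cookieString) {
  const m = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieString || '');
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    return rec && rec.version === CONSENT_VERSION && rec.choices ? rec : null;
  } catch (e) {
    return null;
  }
}
// The gate: true only for an explicit, current "yes" to that category.
function mayUse(category, cookieString) {
  const rec = readConsent(cookieString);
  return !!rec && rec.choices[category] === true;
}
// Show the banner whenever there is no valid record ("by using this site" is not consent).
function needsBanner(cookieString) {
  return readConsent(cookieString) === null;
}
// Browser wiring (skipped under Node); element ids are hypothetical.
if (typeof document !== 'undefined') {
  const banner = document.getElementById('cookie-banner');
  banner.hidden = !needsBanner(document.cookie);
  document.getElementById('cookie-accept').addEventListener('click', () => {
    const chosen = CATEGORIES.filter(c => document.getElementById(`opt-${c}`).checked);
    document.cookie = consentCookie(buildConsent(chosen, Date.now()), 365);
    banner.hidden = true;
    // Tag loaders listen for this and only run for categories the visitor chose.
    document.dispatchEvent(new CustomEvent('consent-granted', { detail: chosen }));
  });
}
```

Any analytics or marketing tag should be loaded only in response to the `consent-granted` event (or after `mayUse` returns true), never on page load.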
The good news here is that we (Steve and I) have developed our very own free tool to make Cookie notification and compliance easy, click here to create an account:
http://www.gdprcompliancechecklist.net
Using our GDPR compliance tool, you’ll be able to create cookie notifications that appear site wide, they look a bit like this:
Furthermore, you can select to only show the notification in certain regions, and customise lots of other settings too:
Here’s a demo video I made to show you how the tool works:
5. Review 3rd Party Apps
As a Shopify site owner, you no doubt use 3rd party apps on your site, and it is therefore essential that you only use 3rd party apps that comply with the GDPR regulations.
Shopify is working closely with developers to ensure they comply; however, ultimately this responsibility lies with you.
If you are unsure if your app complies with the new regulations, reach out to the developer of the app to ensure compliance.
If you can’t be 100% sure the app complies, then our advice would be to remove it.
6. Review Software Tools
We’ve talked about reviewing your 3rd party apps, but what other software tools do you use, and how do you know if they are GDPR compliant?
For example, Google, Facebook, AWeber, GetResponse, Mailchimp etc.
I think it’s safe to say these big players will have certainly done their homework with regards to GDPR compliance, but smaller players might not have.
Think carefully about any lesser-known software you may be using; if you do not know whether they are GDPR compliant, then reach out to them and ask.
If you can’t get a satisfactory response, or if you’re unsure, I would advise removing the software to be on the safe side.
7. Email & Marketing Activities
We broadly refer to the process of collecting email addresses as ‘Email Marketing’.
Email Marketing, when done in a legitimate way, is a form of ‘permission marketing’, because every person who adds their email address to your mailing list has explicitly chosen to add it (you haven’t just acquired their email address somehow, and started blasting spam).
You need to treat email marketing leads (email addresses) with the same rules that you treat buyer email addresses (and other personal information). This means:
- Making it crystal clear what the email subscriber will receive from you (in exchange for giving you their email address)
- Giving your subscriber the right to know what their data is being used for
- The right to request the data you’re holding about them
- The right to update their data
- The right to erase their data
- The right to object (unsubscribe from your mailings)
Also bear in mind that your opt-in forms need to be compliant, and you need to give your subscribers (not only your buyers) the choice of opting in or opting out, i.e., unsubscribing from your mailing list.
Find out more about these ‘rights’ in my first GDPR blog post.
8. Only Collect Data You Need
Ask yourself: what data do you really need from your customers or prospects (visitors who are not yet customers)?
Do you need a date of birth? If not, don’t ask for it.
Do you need a telephone number? Maybe, if you are using SMS marketing.
You MUST only collect vital information, and you need to be really clear about what you are going to use your customers’ data for, and how long you are going to keep it for.
It’s good practice to explain this in your Privacy Policy.
Make sure you understand the process behind your store, specifically at what other stages you collect customer data, for example:
- Sign up pages
- Opt-in forms
- Abandoned carts
- Product reviews
- Etc.
Most likely, the only data you will require from your customer is their name, address, and email address, and the only data you’ll require from non-customers is an email address, and possibly a name.
9. Ensure Total Transparency
Following on from only collecting data you need, you need to be completely transparent with your customer.
We’ve talked about the importance of the Privacy Policy, but there are other things you can do to make sure you’re totally transparent such as:
- Put an ‘unsubscribe’ link next to any ‘subscribe’ link
- Remove pre-ticked boxes on forms you may be using
- Link directly to your Privacy Policy from your sites footer
- Link directly to your Terms and Conditions from your site’s footer
- Ensure ‘unsubscribe’ links are on all your marketing material and make them visible
Also, does any of your customers’ data go via a 3rd party? If so, you need to declare this in your Privacy Policy.
10. Re-contact All Previous Subscribers & Customers
If you already have subscribers and existing customers, you need to contact them and ask them to re-opt-in.
Remember, this ONLY applies to EU citizens (not your full list of subscribers).
For those who don’t re-opt-in, if you want to abide by the letter of the law, then unfortunately you’ll need to delete these users from your subscriber database, which includes not only their email address, but also any other data you hold on that person.
Data Breaches & Security
Last but not least, although we haven’t included this in the 10-step plan, you need to be aware of data breaches and security.
You must protect your customers’ data from the following:
- Unauthorised or unlawful processing
- Accidental loss
- Destruction or damage
The good news is Shopify encrypts data sent to and from merchants and buyers using the HTTPS protocol.
There are other security features that Shopify store owners can set up from the Shopify admin, such as role-based permissions for staff accounts.
Hungry for more GDPR info?!
For further information on Shopify and GDPR, check out the following link:
This covers the following information:
- How does the GDPR affect Shopify?
- What has Shopify already done to prepare for the GDPR?
- What’s next in Shopify’s preparation for the GDPR?
And don’t forget to register for access to our GDPR Tool and Checklist:
Still want more? Shopify’s GDPR Whitepaper
If you’re a sucker for torture (or just love reading about this stuff), then the Shopify Whitepaper on GDPR has some useful info; you can check it out here:
Got A Question?
As I stated at the very beginning, the tips I’m sharing shouldn’t be considered legal advice, and you should seek your own counsel… in saying that, I’ve spent a silly number of hours researching all of this, and would love to be able to help you out.
If you’ve got a question or a comment, use the comment box below, and I’ll reply!
Thanks for reading,
Aidan
I’m still not sure where to install the code in Shopify, please help.
Hi Felipe, contact Shopify, and ask them to install it for you 🙂 Or.. if you want to install it yourself, they can show you where.
Will Shopify apps/widgets that show recent items ordered be compliant with GDPR when they show first name, location and item(s) bought?
My thought is that this information should be changed from «Kurt in Stockholm bought these sneakers 7 hours ago» to «Someone near you recently bought these sneakers».
Hi Maia, best just to ask them I think, I’m sure they’ve thought of this.