The GDPR is a uniform law that took effect in May 2018 across the twenty-seven European states. This data protection law aims to protect the privacy of European citizens in digital infrastructures on a global scale. As a web entrepreneur with a Shopify site, you need to comply with data protection regulations. But how do you comply with the Shopify GDPR? In this article, we’ll help you understand how to get into compliance with the Shopify GDPR. But before that, we will first explain why such a regulation exists.
What is Shopify’s GDPR?
The GDPR (General Data Protection Regulation) is the European law that took effect on May 25, 2018. It introduces a new way of looking at data online: the data belongs to the user, so the user alone must approve any collection and processing of it.
The Shopify GDPR therefore regulates how companies are allowed to process the personal data of European citizens, and Shopify GDPR compliance means respecting users’ privacy and confidentiality. The Shopify GDPR grants individual rights to EU citizens, including the right not to have their personal data collected or processed without their prior consent. The regulation defines personal data as any information that directly or indirectly identifies an individual. It can therefore be a name, an address, a telephone number, an email address, a photo, an IP address, online activity, content posted on the Internet, medical information, etc.
Shopify GDPR: Who does it apply to and what does it take to comply?
The Shopify GDPR is applicable to any Shopify merchant based in Europe or with a European customer base that processes data deemed personal. In other words, if you own a store on Shopify and you have customers in Europe, then you need to comply with the GDPR on Shopify.
What’s important to know about Shopify and the GDPR is that the platform gives merchants the tools to comply with the law as best they can. For this, an update has been made to:
- marketing registration;
In addition, since the purpose of the GDPR in general is to limit the way data is used, there are a number of things your website must have in order to be compliant with the Shopify GDPR.
Shopify GDPR: How to comply?
Here’s a list of things you can do to comply with the Shopify GDPR.
Enable GDPR on Newsletters on Shopify
The Shopify GDPR requires that when collecting data like email address, one must obtain the explicit consent of the customer. To obtain the customer’s consent with regard to the newsletter, you can propose the following wording:
Apart from the first consent text, it is also important to fill in a second Shopify GDPR consent text. You must always tell the user that they can unsubscribe at any time and that their data can be deleted at any time.
“You can update your preferences or unsubscribe using the unsubscribe links.”
Update your terms and conditions
Shopify GDPR: Respecting your customers’ rights
The GDPR gives your customers several rights. Let’s look at them!
Right to erasure (right to be forgotten)
If a customer requests the deletion of their data, this must be done within one month. There are, however, some exceptions to this rule: for example, if the data is associated with an order still in progress, or if it falls within the chargeback period (usually 180 days). A customer may also request the erasure of personal data concerning them when the data in question is no longer used for the purpose for which it was collected. This is also the case when they withdraw their consent to the processing of their personal data.
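The decision rule above, as an added example that is not part of the original article: given a customer’s orders and the date of the erasure request, it reports whether erasure can proceed now, which orders block it (an order still in progress, or one inside the 180-day chargeback period), the date by which you must respond, and the date on which the last chargeback window closes. The order record shape is an assumption, and the orders are constructed sample data.

```javascript
// Added example (not the article's or Shopify's code): apply the erasure
// exceptions the article lists to a customer's order history.
const CHARGEBACK_DAYS = 180; // chargeback period quoted in the article
const RESPONSE_DAYS = 30;    // "within one month"
const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed minimal order shape:
// { id, status: "open" | "completed", completedAt: "YYYY-MM-DD" | null }
function evaluateErasureRequest(orders, requestedAt) {
  const now = new Date(requestedAt);
  const blockers = [];
  let retainUntil = null; // when the last chargeback window closes
  for (const order of orders) {
    if (order.status === "open") {
      // Data tied to an order in progress cannot be erased yet.
      blockers.push(`order ${order.id} is still in progress`);
      continue;
    }
    const completed = new Date(order.completedAt);
    const windowEnd = new Date(completed.getTime() + CHARGEBACK_DAYS * DAY_MS);
    if (windowEnd > now) {
      blockers.push(`order ${order.id} is inside the ${CHARGEBACK_DAYS}-day chargeback period`);
      if (retainUntil === null || windowEnd > retainUntil) retainUntil = windowEnd;
    }
  }
  const respondBy = new Date(now.getTime() + RESPONSE_DAYS * DAY_MS);
  return {
    canEraseNow: blockers.length === 0,
    respondBy: respondBy.toISOString().slice(0, 10),
    retainUntil: retainUntil ? retainUntil.toISOString().slice(0, 10) : null,
    blockers,
  };
}

// Constructed sample data: one old order, one recent order, one open order.
const sampleOrders = [
  { id: 1001, status: "completed", completedAt: "2023-11-01" },
  { id: 1002, status: "completed", completedAt: "2024-03-15" },
  { id: 1003, status: "open", completedAt: null },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateErasureRequest(sampleOrders, "2024-06-01"));
}
```

Once `canEraseNow` is true, erasure must still cover everything held about the person, not just the email address, as the article notes further down.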
Right to rectification (correction)
The customer has the right to rectify, at any time, the data you hold about them, for example because the information is incomplete or inaccurate. If you receive such a request, you must act on it as soon as possible. You can edit customer data directly in the Shopify admin.
Right of access to data
Customers have every right under the new regulations to access their data. Upon request, as the data controller (if you have not appointed someone else), you are responsible for providing this information. Let your customers exercise their right of access directly from their account area on your site.
Right to data portability
Upon request, the data controller must provide this information in a readable and intelligible format. This information may concern:
- personal information;
- transaction or order history;
- the list of products;
It is important to comply with cookie regulations. If you haven’t already done so, it’s time to enable cookie management on your site. From now on, you must give visitors the opportunity to choose for themselves which types of cookies remain active while browsing your site. You may already have a statement that says, for example, “By using this site, you accept cookies…”. That is no longer enough.
The customer must give prior consent and show it by means of a positive action. For this, a banner appears as soon as the visitor arrives on any page of the site. This banner must not disappear until the visitor has chosen one of the proposed options. It includes a legal notice and gives access to the site’s cookie settings. As an example of the banner text, you can propose the following:
In the event that the visitor continues his navigation without making a confirmation, the default maximum privacy setting will be applied throughout the duration of the session. As for cookie management, in the Shopify App store you can download the GDPR + Cookie Management app that allows you to get a GDPR-compliant website and cookie bar. By downloading the GDPR Shopify App, you get a 15-day free trial. Additional charges may apply thereafter.
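The consent logic such a banner needs, as an added example that is not code from the article or from the GDPR + Cookie Management app it mentions. Optional cookie categories stay off until the visitor performs a positive action, simply browsing on never counts as consent, and a missing, malformed or expired stored choice falls back to maximum privacy. Storage is passed in as a plain object so the logic runs outside a browser; the storage key, category names and re-prompt interval are assumptions.

```javascript
// Added example (not the article's or any app's code): DOM-free consent state
// behind a cookie banner. In a browser, `storage` would be localStorage.
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories
const STORAGE_KEY = "cookie_consent";                         // assumed key name
const CONSENT_TTL_DAYS = 180;                                 // assumed re-prompt interval
const DAY_MS = 24 * 60 * 60 * 1000;

function defaultConsent() {
  // Maximum privacy: only strictly necessary cookies, banner still showing.
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

function loadConsent(storage, nowMs) {
  const raw = storage[STORAGE_KEY];
  if (typeof raw !== "string") return defaultConsent();
  let saved;
  try { saved = JSON.parse(raw); } catch (e) { return defaultConsent(); }
  // Missing, malformed or expired records never grant anything.
  if (!saved || typeof saved.expiresAt !== "number" || saved.expiresAt <= nowMs) {
    return defaultConsent();
  }
  const consent = defaultConsent();
  for (const c of CATEGORIES) if (c !== "necessary") consent[c] = saved[c] === true;
  consent.decided = true;
  return consent;
}

// choice is "acceptAll", "rejectAll", or an object such as { analytics: true }.
// "necessary" cannot be switched off, and anything not explicitly true stays off.
function recordChoice(storage, choice, nowMs) {
  const consent = defaultConsent();
  if (choice === "acceptAll") {
    consent.analytics = true;
    consent.marketing = true;
  } else if (choice !== "rejectAll") {
    for (const c of CATEGORIES) if (c !== "necessary" && choice[c] === true) consent[c] = true;
  }
  consent.decided = true; // a positive action was taken, so the banner can close
  storage[STORAGE_KEY] = JSON.stringify({ ...consent, expiresAt: nowMs + CONSENT_TTL_DAYS * DAY_MS });
  return consent;
}

// Gate any script that sets optional cookies on these two helpers.
function isAllowed(consent, category) { return consent[category] === true; }
function bannerVisible(consent) { return !consent.decided; }
```

Scripts that set analytics or marketing cookies should be loaded only after `isAllowed` returns true for their category; on a fresh visit every optional category is denied until `recordChoice` has run.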
Review third-party apps
As a Shopify store owner, you undoubtedly use third-party apps on your site. So it’s important that you only use third-party apps that comply with the GDPR. Shopify works together with developers to make sure they comply with these rules. However, that is ultimately your responsibility.
If you’re not sure if your app is compliant with the new regulations, you can always contact the developer to make sure it’s compliant. If you have any doubts about the full compliance of the application, we advise you to remove it.
Collect only the data you need
Ask yourself what data you really need from your customers or prospects. Do you need a date of birth? No? Then don’t ask for it. Collect only essential information. You also need to be very clear about how you’re going to use your customers’ data and how long you’re going to keep it.
Ensuring full transparency
- Put an unsubscribe link next to any subscription link;
- Remove pre-checked boxes from the forms you use;
- Link directly to your terms and conditions from the footer of your site;
- Make sure that unsubscribe links appear on all your marketing materials and that they are clearly visible.
Recontact all former subscribers and customers
If you already have former subscribers and customers, you should contact them and ask them if they still agree to receive your commercial offers. Remember that this only applies to European citizens and not to your entire subscriber list. For those who do not renew their consent, if you want to comply with the law to the letter, you will unfortunately have to remove these users from your database. This applies not only to their email address, but also to any data you hold about these people.
Prepare your organization
Explain the requirements of the GDPR to the leaders of your organization. Your entire team needs to be trained on this. Organize training for your employees on the procedures to follow in case of data theft. If you employ more than 250 people in your company, you must appoint a data protection officer.
Shopify GDPR: What if your store isn’t targeting visitors from the EU?
Despite the fact that the GDPR is a European law, the aim is to protect the data and personal lives of all EU citizens. As a result, any website serving EU citizens and processing their personal data must comply with the GDPR, even if the site is not hosted in the European Union.
Any non-compliant shop is likely to face heavy penalties. For large companies, the penalty can go up to 20 million euros and 4% of annual turnover. Complying with the Shopify GDPR is not a complex task, and it is better to do it than to be punished. Note that paid Shopify themes like Speedly already include GDPR standards.