How to Prepare Your Shopify Store for GDPR


As a Shopify seller, if you sell to any EU country, you should already be familiar with the GDPR, the General Data Protection Regulation. If not, now is the time to learn about it and prepare your store to comply with it.


What is GDPR?

The most radical change affecting e-commerce businesses in 2018 will be the GDPR (European Union General Data Protection Regulation). This new regulation requires businesses to put much more emphasis on how they use and secure the personal data of EU citizens.

The most significant change in the GDPR is the definition of personal data. According to the GDPR, any information that can identify a person, directly or indirectly, must be treated as personal data.

This far-reaching definition includes:

A person’s name
A person’s photo
A user’s email address
A mailing address
A user’s bank details
Medical information
A user’s IP address
And more.

The GDPR was first adopted on 27th April 2016. It becomes enforceable on 25th May 2018, after a two-year transition period given to businesses to adapt to the changes.

Three main concerns of the GDPR:

i) Get active consent: the user must actively give consent to receive marketing campaigns from you.

ii) Protect the user’s data: you must protect the user’s personal data at any cost.

iii) Option to update or remove the user’s data: on the user’s request you must delete or update any personal data you store. You should also give users a way to request deletion or correction of their data.

Who does the GDPR apply to?

Any entity that handles the personal data of EU citizens or residents.

It doesn’t matter where your business is based. It only matters that you are collecting and using the personal data of EU citizens and residents.

Why should you comply with GDPR?

Any business that does not comply with the GDPR may attract a fine of up to €10 million or up to 2% of its annual worldwide turnover for the previous year, whichever is higher!

However, the GDPR isn’t a threat to your business; it’s actually an opportunity to win over EU customers by being GDPR compliant. It will certainly boost trust in your brand.

Right now, data privacy is one of the most discussed topics, not only in Europe but in the whole world. So if you comply with the GDPR, you should highlight that to EU customers to boost your brand image.

How to prepare your Shopify store for GDPR:

First of all, this article does not constitute legal advice and you should seek professional legal advice where appropriate. The purpose of this guide is to give you some idea of what you can immediately do to comply with GDPR for your Shopify store.

Here are some measures you should take:

1) Take active consent for marketing emails:

As a store owner, you have probably been collecting user emails at different places in your store. At each of those places, you need to take active consent from the users before sending them promotional emails.

To make sure that the consent is actually valid, it must be an active action by the customer. For example, a customer needs to tick an unchecked checkbox to actively give consent. A pre-checked checkbox on a form is not valid consent.

i) On the register/sign-up page:

As mentioned earlier, if you intend to send promotional emails (which you should do) to people who register on your store, you should take their consent first.

Here are some examples of what you can do on your registration page.

On OTTO’s registration page they have a checkbox to opt for promotional emails.

Need help from our theme experts to add this feature to your store? We are here to jump in!

Sainsbury’s goes one step further and asks for the permissions in detail. It certainly helps to boost the customer’s confidence to opt in.

How Sainsbury’s gets consent for promotional emails/SMS on their registration page.

ii) On the checkout page:

On the customer information page, below the input box for the email address, there’s a default checkbox for opting in to newsletters and offers. You should keep it unchecked by default to comply with the active consent requirement of the GDPR.

Keep the consent checkbox unchecked by default.

iii) If you are collecting email addresses at any other place on your store:

If you are collecting email addresses anywhere on your website and send more emails than what the user signed up for, then to comply with the GDPR you need to take consent for the additional emails.

For example, OTTO has an opt-in for the newsletter in its footer. There they clearly state the following:

i) All the emails the user may receive.

ii) From whom (the company name) they will receive it

iii) How the user can revoke the consent.

Now that you’ve updated your forms to comply with GDPR, you’ll be able to collect consent from new contacts. But, you still need your existing contacts to opt-in to your marketing permissions. The best way to do this is to send a campaign to each list affected by the GDPR.

Omnisend has an inbuilt email template like this for getting GDPR consent.

It’s not only about having the option to get the consent, you actually need to respect it. Make sure your list is tagged properly so that you can easily create segments depending upon the consent and send emails accordingly.

Major email service providers like MailChimp and Omnisend have already started adopting the changes and have built their systems in accordance with the GDPR.

2) Cookie consent:

As a Shopify store owner, it’s very likely that you are using cookies on your store. Cookies are mainly used to store user data for different purposes, such as a personalized shopping experience or retargeting users on other channels like Facebook or YouTube.

In May 2011, all EU countries adopted the EU guideline on the use of cookies. This EU Directive gives individuals the right to accept or refuse the use of cookies in their browser to protect their online privacy.

If you are not taking the consent yet, it’s time to set this up.

Compliance with the cookie law comes down to three basic steps:

i) Work out which cookies your site uses with a cookie audit.

ii) Tell your visitors what data you collect with cookies and how you use it to improve their shopping experience. Create a cookie policy and link to it when taking consent from the user. You can include the cookie policy in your privacy policy as well.

Sainsbury’s cookie policy is a good example in which all the necessary details are clearly explained:

iii) Take consent from the EU users for using cookies. There are plenty of Shopify apps like EU Cookie Bar by Booster Apps which you can use to set this up very easily.

3) GDPR compliant privacy policy:

The ultimate purpose of the GDPR is to protect personal data and to give EU citizens more online privacy.

That’s why, to make your business GDPR compliant, your privacy policy will play an important role.

Here’s a GDPR compliant privacy policy generator which you can use to create your new privacy policy.

To conclude:

The whole world, including you and me, is concerned about the privacy of our personal data. With the GDPR, the EU is the first to take the initiative to safeguard its residents’ interests. There’s no doubt that more countries will follow and bring in their own regulations in line with the GDPR.

It’s time to prepare your store for the GDPR now. In the long run it will benefit your business in many ways.

If you have any questions regarding GDPR compliance for your Shopify store, please comment below.
