GDPR – Information and Checklist For Your Shopify Store

Is your Shopify store ready for GDPR (General Data Protection Regulation)?

There are hundreds and hundreds of articles and videos on the internet with information on steps you need to take to make sure your website is GDPR compliant. I hope you’ve had time to read articles about preparing for GDPR and I hope you’ve been able to do your own research into what you need to do to prepare.

I am not an attorney and I don’t claim to have all the answers to the GDPR situation. I’m not sure anyone does at this point, as you can also find hundreds of articles online talking about how no one is really ready for GDPR. With so many questions about “exactly” what you need to do to prepare, I thought I would share with you a list of things I have done for my own shop. Is this a complete list? I’m not sure. But hopefully it will at least give you some things to think about with regard to what you could also be doing for your shop.

PREPARATION CHECKLIST

(I’ve numbered these tasks to make it easier to identify them, but this list is not in any particular order)

  1. Update your Shopify Privacy Policy
    1. Use the canned Privacy Policy provided by Shopify, then edit it as you see fit.
    2. Your Privacy Policy must include information about the third parties you use to process visitor data (Google Analytics, HotJar, Facebook, Pinterest, Instagram, and any other third-party app or sales channel).
    3. Make sure your Privacy Policy covers age of consent. The GDPR requires parental consent to process the personal data of anyone under age 16, and individual EU countries are allowed to lower that threshold to as low as 13, so check the rules for the countries you sell to.
    4. I also recommend making a list of all the personal information you collect about your visitors and your customers, and the information that is collected by your apps, themes, sales channels, payment gateways, etc. This information should be included in your Privacy Policy, and you should have a record of this information in your files.
    5. See Help pages from Shopify regarding what must be included in your Privacy Policy.
  2. Add a cookie notice / opt-in explaining how your website uses cookies, so visitors can choose whether to opt in. Non-essential cookies (analytics, advertising pixels) should not be set until the visitor has agreed.
    1. There are apps in the App Store that you can use for this.
    2. Make sure your Privacy Policy includes a Cookie policy, explaining to visitors what data you collect and how you use that data.
  3. Make sure the email marketing checkbox on your Checkout page is NOT pre-ticked (Shopify’s checkout settings let you choose whether it is pre-selected). The GDPR does not treat a pre-ticked box as consent, so the customer has to actively tick it to opt in.
    1. Make sure the text for this opt-in checkbox clearly explains what a customer is signing up for, and that they can opt out at any time by unsubscribing.
  4. Add an opt-in checkbox on your store’s Create Account page for visitors to opt in to your email marketing (make sure to explain exactly what that email marketing is so visitors have a clear understanding of what they are signing up for).
  5. If you have a newsletter signup box in your store footer, make sure to include text there that lets people know exactly what they are signing up for and that they can revoke their consent at any time by unsubscribing.
    1. If you have a newsletter signup tab on your Facebook Page (or any other place on social media), make sure that signup form includes information about GDPR. (If you are using MailChimp, you can use the GDPR form on their website).
  6. If you currently use an email marketing program, such as MailChimp, to send email marketing to your customers, you will need to send your entire list an email telling them about your new Privacy Policy, that your shop is GDPR compliant (if it is), and give them direction on how to continue to receive email marketing from you. You also need to allow them to be able to opt out if they no longer wish to receive emails from you.
    1. If you use MailChimp, there is an email template there you can use to obtain this reconfirmation from your subscribers.
    2. Include a link to your new Privacy Policy in this email that you send to your subscribers so they can read your policy and accept it.
    3. If your subscribers do not reconfirm their opt in, you need to remove them from your mailing list.
    4. Keep a record of when and how you obtained consent to send email marketing! This is very important! That database of visitors and customers needs to include this information. If you are using MailChimp, you need to create segments in your list to store this information. Here is a link to a video that might help you – GDPR Options for MailChimp
  7. Assess/audit ALL the ways your website or you collect (and store) personal data on your visitors and your customers. Make sure all these methods are in compliance with GDPR. This means contacting any third party vendors to make sure they are also in compliance.
    1. I recommend creating a list of all third-party software providers that you use and, when necessary, getting a copy of their Privacy Policy regarding how they use, handle, and store your visitors’ personal information. Where a provider processes data on your behalf (an email marketing tool, a support desk, an analytics app), the GDPR also expects a written contract covering that processing, so look for a data processing agreement (DPA) or addendum on their site and keep a copy. Save these copies in your records!
    2. If a third party app you are currently using is NOT GDPR compliant, I recommend finding another similar app that is.
    3. I recommend deleting any apps you no longer use.
  8. Make sure all your payment gateways are GDPR compliant. The well-known services such as Shopify Pay and PayPal have published their GDPR positions, but you still want to check for yourself rather than assume.
    1. Get a copy of the Privacy Policies of these payment gateways to add to your records.
  9. Have a plan in place for how you will handle data breaches, if and when they occur. Under the GDPR, a breach of personal data that is likely to put people at risk must be reported to your supervisory authority within 72 hours of you becoming aware of it, and where the risk to the affected people is high, they must also be told without undue delay. Decide now who in your shop is responsible for this and how you will reach your authority, because 72 hours goes by quickly.
    1. Keep VERY accurate records of every data breach, even the ones you decide do not need reporting: what happened, which data was involved, the time of occurrence, the time you discovered it, and the time of each notification sent to the authority and to those who might be affected. You will need these records to show you are in compliance.
  10. Have a plan in place for how you will delete personal data if you are asked to do so.
    1. If an EU visitor or customer contacts you to request that you delete their personal information, act on it quickly (the GDPR expects you to respond within one month) and remove their data from your store and from every app and service that holds a copy of it (your email marketing tool, analytics, support desk, and so on). Some data, such as order and invoice records you are legally required to keep for tax or accounting purposes, can be retained under that legal obligation; tell the person what you kept and why.
    2. Keep records of the steps you took to remove that information.
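Items 6.4 and 10.2 both come down to the same thing: a record you can point to later that says when and how each subscriber gave consent, and what you did when someone asked to be deleted. The following is an added example, not code from the post, from Shopify or from MailChimp: a small append-only consent ledger that sorts a mailing list into who can be kept, who needs the reconfirmation email from item 6, and who has to be removed, and that handles a deletion request by dropping the person’s records while keeping a tombstone of the steps taken. The field names, the sample subscribers and the `ERASURE_HMAC_KEY` secret are all constructed for this example; a real shop would keep the equivalent in its mailing tool’s segments or a spreadsheet.

```python
"""Consent ledger for a small shop's email marketing list (added example).

Assumptions made here, not taken from the post: event names ("opt_in",
"reconfirm", "opt_out", "erasure"), the policy_version field, and the
HMAC secret used to pseudonymise erased subscribers.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed secret. Keep it outside the ledger (password manager / env var) so
# an erasure tombstone cannot be linked back to an email by anyone holding
# only the ledger. Replace before real use.
ERASURE_HMAC_KEY = b"example-secret-replace-me"

POSITIVE = ("opt_in", "reconfirm")   # actions that count as current consent


@dataclass(frozen=True)
class ConsentEvent:
    subject: str         # subscriber email, or HMAC pseudonym after erasure
    action: str          # "opt_in", "reconfirm", "opt_out" or "erasure"
    source: str          # where it happened, e.g. "checkout_checkbox"
    at: datetime         # when it happened (UTC)
    policy_version: str  # privacy policy text the person agreed to, "" if n/a
    note: str = ""       # wording shown, ticket number, steps taken, ...


def utc(iso: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM' as a UTC timestamp."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


class ConsentLedger:
    """Append-only log answering 'when and how did we get consent?' (item 6.4)
    and 'what did we do with the deletion request?' (item 10.2)."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def record(self, subject: str, action: str, source: str, at: datetime,
               policy_version: str = "", note: str = "") -> None:
        self.events.append(ConsentEvent(subject, action, source, at, policy_version, note))

    def latest(self, email: str) -> Optional[ConsentEvent]:
        mine = [e for e in self.events if e.subject == email]
        return max(mine, key=lambda e: e.at) if mine else None

    def has_marketing_consent(self, email: str) -> bool:
        e = self.latest(email)
        return e is not None and e.action in POSITIVE

    def pseudonym(self, email: str) -> str:
        return hmac.new(ERASURE_HMAC_KEY, email.strip().lower().encode(),
                        hashlib.sha256).hexdigest()

    def is_erased(self, email: str) -> bool:
        p = self.pseudonym(email)
        return any(e.subject == p and e.action == "erasure" for e in self.events)

    def triage(self, subscribers: List[str], policy_version: str) -> Dict[str, List[str]]:
        """Split a mailing list for the reconfirmation campaign in item 6.
        'keep': positive consent recorded under the current policy.
        'reconfirm': consent recorded under an older policy, or no record at
        all; these get the reconfirmation email.
        'remove': opted out or already erased. Once the reconfirmation deadline
        has passed, everything still in 'reconfirm' is removed too (item 6.3)."""
        buckets: Dict[str, List[str]] = {"keep": [], "reconfirm": [], "remove": []}
        for email in subscribers:
            e = self.latest(email)
            if e is None:
                buckets["remove" if self.is_erased(email) else "reconfirm"].append(email)
            elif e.action not in POSITIVE:
                buckets["remove"].append(email)
            elif e.policy_version == policy_version:
                buckets["keep"].append(email)
            else:
                buckets["reconfirm"].append(email)
        return buckets

    def erase(self, email: str, steps: List[str], at: Optional[datetime] = None) -> str:
        """Handle a deletion request (item 10): drop every event naming the
        email and keep one tombstone under a keyed hash, so the record of what
        was done survives without the personal data itself. Returns the pseudonym."""
        p = self.pseudonym(email)
        self.events = [e for e in self.events if e.subject != email]
        self.record(p, "erasure", "data_subject_request",
                    at or datetime.now(timezone.utc), "", "; ".join(steps))
        return p


# Constructed sample subscribers, not real people.
MAILING_LIST = ["alice@example.com", "bob@example.com", "carol@example.com",
                "dave@example.com", "erin@example.com"]


def build_sample_ledger() -> ConsentLedger:
    led = ConsentLedger()
    led.record("alice@example.com", "opt_in", "checkout_checkbox", utc("2018-05-01T10:00"),
               "2018-05", "unticked box: 'Email me with news and offers; unsubscribe any time'")
    led.record("bob@example.com", "opt_in", "footer_form", utc("2017-03-10T09:30"), "2017-01")
    led.record("bob@example.com", "reconfirm", "reconfirmation_email", utc("2018-05-20T15:05"), "2018-05")
    led.record("carol@example.com", "opt_in", "footer_form", utc("2017-06-01T12:00"), "2017-01")
    led.record("dave@example.com", "opt_in", "checkout_checkbox", utc("2018-05-02T08:00"), "2018-05")
    led.record("dave@example.com", "opt_out", "unsubscribe_link", utc("2018-05-10T19:45"))
    return led   # erin is on the mailing list but has no recorded consent


if __name__ == "__main__":
    led = build_sample_ledger()
    print(led.triage(MAILING_LIST, "2018-05"))
    led.erase("carol@example.com", ["removed from MailChimp audience", "deleted Shopify customer record"])
    print(led.triage(MAILING_LIST, "2018-05"))
```

Run before the reconfirmation deadline, `triage` gives you the list to email; run it again after the deadline and remove the `reconfirm` bucket along with `remove`. The tombstone deliberately uses a keyed hash rather than a plain SHA-256 of the address, because an unkeyed hash of an email is trivially reversed by hashing candidate addresses.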

ADDITIONAL NOTES

  • Make sure you DO NOT send marketing email to any EU visitor or customer without their consent! (Transactional emails such as order confirmations and shipping notices are a different matter; they are part of fulfilling the order.)
  • Make sure to keep your email marketing lists up to date. Remove subscribers you have had no contact with for a period you are comfortable with, and write that period down so you apply it consistently.
  • If you are using the embedded signup forms available through MailChimp, note that MailChimp does not have the GDPR feature on this type of form. I’ve contacted MailChimp about this to see if it’s something they will be adding, and their reply was that “it’s on our radar”. Let’s hope they implement this soon! I’ll update this note if that happens.

ADDITIONAL INFORMATION

Here is a digital version of the new GDPR requirements and regulations – https://gdpr-info.eu

A GDPR information portal – https://www.eugdpr.org

Shopify’s GDPR information for merchants – https://help.shopify.com/manual/your-account/GDPR/GDPR-merchants

Shopify’s White Paper regarding GDPR – https://help.shopify.com/assets/pdfs/gdpr-whitepaper.pdf


QUESTIONS?

If you have questions about this information, please post them in a comment below and I will do my best to answer them.

4 thoughts on “GDPR – Information and Checklist For Your Shopify Store”

  1. Great article! And thanks for the PRINT button on the side menu. Makes it so easy to print off an article to highlight and take notes.

    1. Thanks for your note Mrs. A. Glad you found the article helpful, and that Print button, too (thanks for suggesting the button). 🙂
