General Data Protection Regulation (GDPR) Privacy Policy for Shopify

GDPR came into effect yesterday (25 May 2018). It does not only affect social media websites; online stores are affected too. If you have a Shopify store, you need a GDPR-compliant privacy policy.

You need to ensure that your Shopify store is GDPR compliant, otherwise you may land in hot water with data protection regulators.

Keep reading to learn what GDPR is, how it affects your online store, and how you can create a GDPR-compliant privacy policy.

What is GDPR and how does it affect Shopify stores?

GDPR is short for General Data Protection Regulation. Adopted in April 2016 and in force since 25 May 2018, it regulates how the personal data of people in the European Union must be handled, covering everything from online activity to financial records to medical history.

GDPR changes what it means to do online business in Europe: it affects how you engage with your customers and users, the tools you use on your website, and how you use those tools.

GDPR is NOT a technical document. In fact, ecommerce is mentioned only once in the GDPR, and that is in a footnote, where it is written as “electronic commerce”. GDPR is less a digital rulebook than a clear statement of fundamental rights: “The processing of personal data should be designed to serve mankind” (Recital 4).

But there is more to it than meets the eye, and plenty for online store owners to be aware of. So let’s get started with understanding GDPR and how you can make your store compliant.

What do you need to do to comply with it?

GDPR runs to 88 pages and more than 50,000 words, and the writing is thoroughly boring, more boring than the Windows Terms & Conditions. If you are not interested in reading the GDPR, we understand.

But the rules in the GDPR apply to every online store selling to customers in Europe. So even if you don’t want to read it, there are some things you should keep in mind about GDPR compliance.

Always Ask for Consent

Don’t assume what your users want. If you want your users to do something (opt in, subscribe, etc.), you need their clear consent for it. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes and inactivity do not count as consent, and users must be able to withdraw consent as easily as they gave it.

Only Collect the Data That You Require

GDPR emphasises data minimisation: personal data must be adequate, relevant and limited to what is necessary for the purpose you collect it for. So keep your hands off data you don’t need, to stay on the safe side.

Make Everything Straightforward and Clear

Regulators enforcing GDPR care about transparency. Be as clear as possible on your website. If you have a subscribe button, make sure there is an equally visible way to unsubscribe.

Don’t be Shady

If you run a small business, GDPR compliance largely comes down to not being shady: be transparent about what data you collect and why, and do what your privacy policy says you do.

Below is a complete tutorial on how to create your own GDPR-compliant privacy policy, along with a ready-made downloadable privacy policy template.

Free GDPR Template

If you want to create your own privacy policy that complies with the GDPR, here is what you need to include.

If you just want a ready-made GDPR privacy policy template for your Shopify store or any other website, you can find the download at the bottom of this post.

Introduction

This is where you put a brief introduction and include:

  • Why privacy matters to you
  • A summary of the information included in the privacy notice
  • What services the privacy notice applies to (e.g. your website, software/application, purchases, subscriptions, etc.)

You should also encourage your users to read the privacy policy carefully and to contact you with any questions about your privacy practices.

Who we are

Include the name and contact details of the data controller. Normally this will be you or your business. Where applicable, also provide the identity and contact details of the controller’s representative and of the data protection officer.

What information do we collect?

Here you need to specify the types of data you collect on your website, e.g. name, address, email, etc. Include specific details on:

  • How you collect the data (e.g. when a user signs up, places an order or uses your services, submits a contact form, opts in to a newsletter, etc.)
  • What specific data you collect through each collection method
  • If you collect data from third-party sources, the categories of data collected and their source
  • Whether you process sensitive personal information or financial data, and how you handle it

You may also want to include relevant definitions of personal data and of special category (sensitive) personal data.

How do we use personal information?

Provide detailed information on all the business purposes for which you will use the user’s data. For example:

  • Personalisation of website content, business information, or improving user experience
  • Account set-up and administration
  • Sending marketing and event communications
  • Polls and surveys
  • Internal R&D purposes
  • Providing goods and services
  • Legal obligations (e.g. fraud prevention)
  • Internal audit requirements

Note that this list is not exhaustive. You must include every additional purpose for which you use personal data.

What legal basis do we have for processing your personal data?

Include the relevant lawful bases for processing set out in Article 6 of the GDPR. There are six:

  • contract
  • consent
  • legal obligation
  • vital interests
  • public task
  • legitimate interests

Tell your users which of these grounds apply to your processing and why. If you rely on consent, explain how they can withdraw and manage it. If you rely on legitimate interests, state clearly what those interests are.

If you process special category personal data (such as health data), you must satisfy one of the six conditions above and, in addition, one of the specific conditions for special category data in Article 9 of the GDPR, such as the individual’s explicit consent.

When do we share personal data?

Explain that you treat all personal data as confidential and describe the circumstances under which you might disclose or share it, e.g. when it is necessary to provide your services or run your business. Also provide details of:

  • how you will share their data
  • what safeguards you have in place to protect it
  • what kinds of third parties you may share their data with, and why

Where do we store and process personal data?

Tell your users if you will store or process their data outside their country of residence. Outline the steps you take to make sure their data is processed in line with your privacy policy and with the data protection laws applicable where the data is stored.

If you transfer data outside the European Economic Area, explain the safeguard you rely on, for example an adequacy decision for the destination country or standard contractual clauses with the recipient, so that the data keeps an adequate level of protection.

How do we secure personal data?

Explain how you keep the data secure and what technical and organisational measures you take to protect personal information. For example, these measures may be intended:

  • to protect data against accidental loss
  • to prevent unauthorised access, use, destruction or disclosure
  • to ensure business continuity and disaster recovery
  • to limit access to personal data to those who need it
  • to carry out data protection impact assessments in line with your business policies and local law
  • to train your staff and contractors on the importance of data security
  • to manage risks associated with third parties through contracts and regular security reviews

Again, this list is not exhaustive. Include all the mechanisms and measures you actually rely on to protect personal information, and do not claim measures you do not have: a policy that promises encryption or access controls you do not actually use is itself a liability.

How long do we keep your personal data for?

Tell your users how long you will keep their information. The GDPR requires you to keep personal data no longer than necessary for the purpose it was collected for. Include specific details of your retention periods.

If you cannot state a specific period, state the criteria you will use to decide how long to retain the data.

You should also mention how you securely dispose of the data once you no longer need it.

Your rights in relation to personal data

Under the GDPR, you have to respect individuals’ rights to control and access their personal data. In your privacy policy, you must clearly state their rights to:

  • access their personal data
  • rectification (correction) and erasure (deletion) of their data
  • withdraw their consent
  • data portability
  • restriction of, and objection to, processing
  • lodge a complaint with a supervisory authority

Also explain clearly how users can exercise these rights and how you will respond to their requests; the GDPR expects a response without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests. State any relevant exemptions that may apply and the identity verification procedures you rely on before acting on a request.

Also explain the circumstances in which a data subject’s rights may be limited, for example if you are asked to delete personal data that you are required by law to keep.

How to contact us

Explain how individuals can get in touch with you if they have questions about your privacy policy or the use of their personal data, or if they want to lodge a complaint. Describe the different ways they can contact you, e.g. online, by email or by post.

Use of cookies and other technologies

State clearly in the privacy policy whether you use cookies, tracking and similar technologies to store user choices, optimise advertising, enable content or otherwise analyse user data. Explain what cookies and technologies you use, why you use them, and how an individual can manage them.

Linking to other websites/third party content

If you link to external sites and resources from your website, be clear about whether this constitutes endorsement and whether you take any responsibility for the content of linked third-party websites.

You may also choose to add other optional clauses to your privacy policy, depending on your business’ circumstances.

If you are looking for a ready-made GDPR-compliant privacy policy template for your website, you can download our sample template.

Just change the required fields in the document and you will have a GDPR-ready privacy policy in minutes. Make sure every clause matches what your store actually does; a template clause you do not follow is worse than no clause at all.

Example emails and policy pages from big stores

Here are some of the best examples of GDPR-compliant privacy policy pages from top Shopify stores, along with GDPR-compliant re-permission emails.

Here is the privacy policy page of Taylor Stitch, one of the top clothing brands. You can see how they have laid everything out clearly and give users all the information they might need.

Another great privacy policy is available at WPStandard; it includes all the information on what data they collect, how they use it, and why.

Check out this email by ASOS asking customers to opt in again, so that customers who still want to receive their emails can opt in manually.

Here is a very confident email by Little Green Sheep asking users for permission.


So, what does GDPR mean for your online business? In short, as long as you are not being sneaky or indulging in shady practices, you are most of the way there.

You have little to worry about as long as you update your privacy policy to reflect GDPR compliance and actually follow the practices it describes.

You don’t even have to write your own privacy policy document from scratch. Use the template provided above or create one using our guidelines, and you are good to go.

Also, let us know what you think about GDPR and data protection laws. Comment below.

Don’t forget to subscribe to our newsletter for weekly ecommerce updates!

Dilawar Hussain

Dilawar Hussain is a professional blogger who loves gaming, technology, and ecommerce. He spends his time testing new strategies, hacks, and tricks to help the ecommerce community.
