GDPR & Privacy Compliance for Shopify Stores
You're probably not GDPR compliant. Most Shopify merchants aren't.
The EU issued 1.2 billion EUR in GDPR fines last year. Shopify stores account for roughly 20% of e-commerce in EU/UK markets. Yet 78% of Shopify merchants say they "don't have time" to implement full GDPR compliance. They're betting the fine never arrives.
It will.
If you sell to anyone in the EU, the GDPR applies to you. Ignorance doesn't exempt you. The maximum fine is 4% of global annual turnover or 20 million EUR, whichever is higher; that ceiling is reserved for the most serious infringements (a breach that exposes unprotected customer data can qualify), and the actual amount is scaled to what went wrong. For most merchants, even a fraction of it ends the business.
This guide shows you exactly what compliance requires, what's already built into Shopify, and where you need custom action.
The GDPR Basics You Actually Need to Know
GDPR regulates any "processing" of personal data belonging to people in the EU (anyone physically there, not only residents). Processing includes: collecting, storing, using, sharing, or deleting data.
Your customer data includes:
- Email address
- Name
- Postal address
- Phone number
- Payment info (card data is handled by Shopify Payments and never reaches you; the order and billing records do, and you control their retention)
- Browsing data (via cookies, analytics, pixels)
- Purchase history
- Location data (IP-based geolocation)
If you collect any of this from EU residents, GDPR applies.
The Seven Core GDPR Principles (Article 5)
| Principle | What It Means | How Shopify Helps | What You Must Do |
|---|---|---|---|
| Lawfulness, fairness and transparency | You need a legal basis for each use of data, and customers must know what you collect and why | Checkout consent checkboxes; privacy policy template | Pick a legal basis per purpose, set up consent management for marketing data, write a clear, granular privacy policy |
| Purpose limitation | You can only use data for the purposes you stated | Shopify's own use of your data is bound by its DPA; it can't control what you or your apps do | Don't repurpose data (no selling customer lists, no using support emails for marketing) |
| Data minimization | Collect only what you need | Checkout asks only for what fulfilment needs | Don't add optional fields or install apps that collect data you won't use |
| Accuracy | Keep data current and correct | Customers can edit their own account details | Set up regular data audits; fix or delete stale records |
| Storage limitation | Keep data only as long as the stated purpose needs it | Erasure tool redacts customer records | Define retention periods and delete on schedule |
| Integrity and confidentiality | Protect data against unauthorized access, loss, or leaks | PCI DSS certified checkout, TLS, staff permissions | Restrict admin access, require 2FA for staff, review app permissions |
| Accountability | You must be able to prove all of the above | Built-in DPA, data request and erasure tools | Document your data flows (record of processing, DPIA where required) |
The operator insight: GDPR isn't a feature you buy. It's a legal obligation you engineer into your business processes.
What Shopify Gives You (For Free)
Shopify has invested heavily in GDPR compliance tools. Most infrastructure is already built in.
1. Consent Management (Partially Provided)
Shopify's checkout settings let you require explicit opt-in for marketing emails and SMS, and Settings > Customer privacy includes a basic cookie banner that gates Shopify's own pixels and apps that honour Shopify's customer privacy consent signal. Here's the catch: the checkout checkboxes only reach people who get as far as checkout, and the built-in banner does not control:
- Analytics or tracking scripts pasted directly into your theme
- Third-party pixels (Facebook, TikTok, Google) that aren't installed through Shopify's pixel manager
- Affiliate cookies
- Chatbot tracking
You need a cookie consent manager for full coverage. Solutions: OneTrust, Termly, CookieBot, or TrustArc. Budget $200–$500/month for enterprise-grade.
2. Privacy Policy Generator
Shopify has a built-in privacy policy generator in Settings > Policies (labelled Legal in older versions of the admin). It auto-generates template language. But it's barebones and doesn't account for custom apps or third-party integrations.
Best practice: Use the Shopify template as a baseline, then customize for:
- Email marketing (Klaviyo, including the consent records it stores)
- Analytics (Google Analytics, Littledata, Heap)
- Chat (Gorgias, Intercom)
- Reviews (Judge.me, Yotpo)
- Retargeting pixels (Facebook, TikTok, Google)
Every third-party app you install is a data processor. You need to document it.
3. Data Deletion
Shopify's admin lets you erase a customer's personal data (open the customer under Customers, then More actions > Erase personal data), and customers can ask for it through a Data Subject Access Request (DSAR) by any channel. Shopify handles the core customer record and, after a short waiting period, redacts the personal data on that customer's orders rather than deleting the orders, because you still need them for tax and fraud purposes.
Shopify also sends its mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact) to installed apps, which App Store apps are required to handle. What that does not cover:
- Order history (kept for tax/fraud purposes, but the customer must be anonymized on it; Shopify does this for its own records, your exports and reports are your problem)
- Analytics records
- Email records (in Klaviyo, etc.) that arrived by CSV upload or in apps that never implemented the webhook
- Pixel data (Facebook, Google), which never went through Shopify at all
Check that each app actually acts on the redact webhook, and delete the rest manually.
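The handoff to apps is worth seeing in code, because the mechanism that makes it work is also an attack surface: an unauthenticated redact endpoint lets anyone on the internet erase your customer records. What follows is an added example for a custom integration, not Shopify's code and not code from this article. The signing secret, the in-memory store and the webhook payloads are constructed; the payload field names are modelled on Shopify's documented shape and should be checked against the current docs before you rely on them.

```python
"""Added example, not Shopify's code: a receiver for Shopify's mandatory
compliance webhooks (customers/data_request, customers/redact, shop/redact)
in a custom integration. The store contents and the payloads are constructed
samples modelled on the documented shape; check them against Shopify's docs."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: placeholder for the secret Shopify signs your webhooks with
# (the app's client secret). Never hard-code the real one.
APP_SECRET = b"example-webhook-secret-replace-me"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the format of X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_shopify_hmac(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Verify over the RAW bytes (re-serialising the JSON changes whitespace and
    breaks the digest) and compare in constant time."""
    return hmac.compare_digest(sign_body(secret, raw_body), header_value)


@dataclass
class IntegrationStore:
    """Constructed stand-in for the data a custom app keeps about customers."""
    customers: dict = field(default_factory=dict)  # customer id -> profile
    orders: dict = field(default_factory=dict)     # order id -> order record
    audit_log: list = field(default_factory=list)


KEEP_ON_ORDERS = ("id", "shop", "total", "currency", "created_at")


def redact_order(order: dict) -> dict:
    """Keep the commercial record (tax), drop anything that identifies the person."""
    kept = {k: v for k, v in order.items() if k in KEEP_ON_ORDERS}
    kept["customer_id"] = None
    return kept


def handle_compliance_webhook(secret: bytes, headers: dict, raw_body: bytes,
                              store: IntegrationStore) -> int:
    """Returns the HTTP status to answer with. Shopify expects 401 on a bad
    signature and retries anything that isn't 2xx. Without the signature check
    this endpoint would let anyone erase your customer data."""
    if not verify_shopify_hmac(secret, raw_body, headers.get("X-Shopify-Hmac-Sha256", "")):
        store.audit_log.append({"event": "rejected", "reason": "bad hmac"})
        return 401
    topic = headers.get("X-Shopify-Topic", "")
    payload = json.loads(raw_body)
    if topic == "customers/data_request":
        cid = payload["customer"]["id"]
        export = {"customer": store.customers.get(cid),
                  "orders": [store.orders[o] for o in payload.get("orders_requested", [])
                             if o in store.orders]}
        # In a real app this export goes to the merchant, who answers the DSAR.
        store.audit_log.append({"event": "data_request", "customer_id": cid, "export": export})
    elif topic == "customers/redact":
        cid = payload["customer"]["id"]
        store.customers.pop(cid, None)
        for oid in payload.get("orders_to_redact", []):
            if oid in store.orders:
                store.orders[oid] = redact_order(store.orders[oid])
        store.audit_log.append({"event": "customer_redact", "customer_id": cid})
    elif topic == "shop/redact":
        shop = payload["shop_domain"]  # merchant uninstalled: drop everything for that shop
        store.customers = {k: v for k, v in store.customers.items() if v.get("shop") != shop}
        store.orders = {k: v for k, v in store.orders.items() if v.get("shop") != shop}
        store.audit_log.append({"event": "shop_redact", "shop": shop})
    else:
        store.audit_log.append({"event": "ignored_topic", "topic": topic})
    return 200


def run_webhook_demo(secret: bytes = APP_SECRET) -> dict:
    """Constructed scenario: a forged redact request (wrong key) then a genuine one."""
    store = IntegrationStore(
        customers={7001: {"email": "anna@example.com", "name": "Anna", "shop": "demo.myshopify.com"}},
        orders={5001: {"id": 5001, "shop": "demo.myshopify.com", "total": "49.90", "currency": "EUR",
                       "created_at": "2024-03-01", "customer_id": 7001,
                       "email": "anna@example.com", "shipping_address": "Example St 1"}},
    )
    body = json.dumps({"shop_domain": "demo.myshopify.com",
                       "customer": {"id": 7001, "email": "anna@example.com"},
                       "orders_to_redact": [5001]}).encode()
    forged = handle_compliance_webhook(
        secret, {"X-Shopify-Topic": "customers/redact",
                 "X-Shopify-Hmac-Sha256": sign_body(b"attacker-guess", body)}, body, store)
    kept_after_forgery = 7001 in store.customers
    genuine = handle_compliance_webhook(
        secret, {"X-Shopify-Topic": "customers/redact",
                 "X-Shopify-Hmac-Sha256": sign_body(secret, body)}, body, store)
    return {"forged_status": forged, "kept_after_forgery": kept_after_forgery,
            "genuine_status": genuine, "customer_after_redact": store.customers.get(7001),
            "order_after_redact": store.orders[5001], "audit_log": store.audit_log}


if __name__ == "__main__":
    print(json.dumps(run_webhook_demo(), indent=2))
```

The forged request is refused with 401 and leaves the customer untouched; the genuine one removes the profile and strips the order down to id, amount, currency and date. Verifying the raw bytes matters: frameworks that parse the JSON before you see it will hand you a re-serialised body that no longer matches the signature.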
4. DPA (Data Processing Agreement)
Shopify's Data Processing Addendum is part of its Terms of Service, so every merchant already has one. Under it Shopify is a "data processor" acting on your behalf and you're the "data controller"; the DPA outlines your respective responsibilities.
You need a DPA with every third-party app as well. Most established apps (Klaviyo, Gorgias, Judge.me) publish a standard one. If an app doesn't have a DPA, don't use it.
Check your apps: in Shopify Admin > Apps and sales channels, list every installed app, find each one's DPA on its App Store listing or the developer's site, and record which data (customers, orders) its access scopes let it read.
The 5 Compliance Action Items You Must Do
1. Write a Compliant Privacy Policy (Not Shopify's Auto-Generated One)
Shopify's auto-generated policy is generic and weak. GDPR requires specific, granular disclosure.
Your privacy policy must explicitly state:
- Legal basis for each type of data collection (consent for marketing, legitimate interest for security, contract for orders)
- Data retention periods (e.g., "customer emails retained for 3 years for tax purposes")
- Third parties who access data (Stripe, Shopify, Klaviyo, etc.)
- Data subject rights (right to access, modify, delete, port)
- Cookie categories (essential, analytics, marketing)
- DPA/processor list (which third parties are data processors)
- Data breach notification (how you'll notify affected customers; GDPR gives you 72 hours to notify the supervisory authority and requires telling customers without undue delay when the risk to them is high)
Tools: PrivacyPolicy.com, Iubenda, or Termly generate compliant policies ($50–$300 one-time). Use them, then customize.
Example statement (good):
"We use customer email addresses for two purposes:
- Order fulfillment and customer support (legal basis: contract)
- Marketing emails (legal basis: consent—customers opt-in at checkout)
Retention: Customer order data retained for 7 years (tax compliance). Email marketing data deleted 12 months after last purchase unless customer re-engages. Customer can delete account anytime via My Account."
2. Implement Granular Consent Management
Consent is required (under GDPR, and under the ePrivacy rules for anything stored on the visitor's device) for:
- Marketing emails
- SMS marketing
- Non-essential cookies and tracking pixels
- Sharing data with third parties for their own purposes (a processor such as Klaviyo acting on your instructions under a DPA needs no separate consent; an ad network using the data for its own targeting does)
Shopify's consent checkboxes at checkout are a start, but insufficient. You need a consent manager that:
- Tracks which customer consented to what
- Allows customers to withdraw consent anytime
- Separates essential cookies (payment, security) from analytics/marketing cookies
- Provides an audit trail (for GDPR compliance proof)
Best-in-class tools: OneTrust ($15K+/year enterprise), TrustArc ($10K+/year), or CookieBot ($500–$3K/year for SMBs).
Budget-conscious option: use Shopify's built-in checkout consent and cookie banner, Google Consent Mode (free) for Google tags, and a manual DSAR tracking spreadsheet. Not perfect: Consent Mode only tells Google's tags what consent was given, it doesn't collect it, and nothing in this setup covers non-Google scripts. But it removes the most common failures (tracking before consent, and having no record of consent at all).
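What "tracks which customer consented to what" and "audit trail" mean in practice is easier to show than describe. The following is an added example, not code from this article, from Shopify, or from any consent-manager vendor: an append-only ledger with point-in-time lookups. The purpose names, event sources and the sample history are constructed.

```python
"""Added example, not Shopify's or any CMP vendor's code: an append-only
consent ledger with point-in-time lookups, which is what 'audit trail' means in
practice. Purpose names, sources and the sample events are constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Strictly necessary processing needs no consent; everything else does.
ESSENTIAL = {"checkout_session", "fraud_prevention"}
CONSENT_PURPOSES = {"email_marketing", "sms_marketing", "analytics_cookies", "marketing_cookies"}


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # customer id, or a pseudonymous visitor id for cookie consent
    purpose: str
    granted: bool         # False records a refusal or a withdrawal
    source: str           # e.g. "checkout_checkbox", "cookie_banner", "unsubscribe_link"
    at: datetime          # timezone-aware timestamp of the customer's action
    policy_version: str   # which privacy policy text they were shown


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list = []

    def record(self, event: ConsentEvent) -> None:
        """Append only. Events are never edited or deleted, so the ledger can
        show what the customer had agreed to on any given date."""
        if event.purpose not in CONSENT_PURPOSES:
            raise ValueError(f"unknown consent purpose: {event.purpose}")
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def withdraw_all(self, subject: str, source: str, at: datetime, policy_version: str) -> None:
        """Withdrawal must be as easy as giving consent: one call refuses every purpose."""
        for purpose in sorted(CONSENT_PURPOSES):
            self.record(ConsentEvent(subject, purpose, False, source, at, policy_version))

    def allowed(self, subject: str, purpose: str, as_of: datetime = None) -> bool:
        """Latest event wins. No record means no consent (silence and pre-ticked
        boxes are not consent). as_of answers 'was this allowed when we sent it?'."""
        if purpose in ESSENTIAL:
            return True
        if purpose not in CONSENT_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        relevant = [e for e in self._events
                    if e.subject == subject and e.purpose == purpose
                    and (as_of is None or e.at <= as_of)]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def evidence(self, subject: str) -> list:
        """Exportable proof of consent for a DSAR or a regulator."""
        return [{**asdict(e), "at": e.at.isoformat()}
                for e in sorted(self._events, key=lambda e: e.at) if e.subject == subject]


def run_consent_demo() -> dict:
    """Constructed history: opts in to email at checkout, declines analytics on the
    banner, unsubscribes from email in June, withdraws everything in September."""
    led = ConsentLedger()
    jan = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)
    jun = datetime(2024, 6, 1, 18, 0, tzinfo=timezone.utc)
    sep = datetime(2024, 9, 3, 12, 0, tzinfo=timezone.utc)
    led.record(ConsentEvent("cust-42", "email_marketing", True, "checkout_checkbox", jan, "pp-2023-11"))
    led.record(ConsentEvent("cust-42", "analytics_cookies", False, "cookie_banner", jan, "pp-2023-11"))
    led.record(ConsentEvent("cust-42", "email_marketing", False, "unsubscribe_link", jun, "pp-2024-03"))
    led.withdraw_all("cust-42", "account_privacy_page", sep, "pp-2024-03")
    try:  # a naive timestamp cannot be placed on a timeline and is refused
        led.record(ConsentEvent("cust-42", "email_marketing", True, "test", datetime(2024, 1, 1), "pp"))
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    march = datetime(2024, 3, 15, tzinfo=timezone.utc)
    return {
        "email_now": led.allowed("cust-42", "email_marketing"),
        "email_in_march": led.allowed("cust-42", "email_marketing", as_of=march),
        "analytics_now": led.allowed("cust-42", "analytics_cookies"),
        "marketing_cookies_in_march": led.allowed("cust-42", "marketing_cookies", as_of=march),
        "sms_now": led.allowed("cust-42", "sms_marketing"),
        "checkout_session": led.allowed("cust-42", "checkout_session"),
        "naive_timestamp_rejected": naive_rejected,
        "evidence_count": len(led.evidence("cust-42")),
    }
```

The point-in-time query is the part a spreadsheet cannot give you: when a customer complains about a March email, the ledger shows consent was valid then and withdrawn later. Whatever you use, the record should carry the policy version and the source of the action, because "they ticked a box once" is not evidence unless you can say which box and which text.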
3. Document Data Flows (Record of Processing, and a DPIA Where Needed)
GDPR (Article 30) requires you to keep a record of:
- What data you collect
- Where it goes (Shopify, Klaviyo, Google, etc.)
- How long you keep it
- Who has access
This is a Record of Processing Activities. A DPIA (Data Protection Impact Assessment, Article 35) is a separate, deeper exercise that is only mandatory for high-risk processing such as large-scale profiling or tracking; for most stores the record is what you need. You don't need a fancy tool; a spreadsheet works:
| Data Type | Source | Processors | Retention | Deletion Process |
|---|---|---|---|---|
| Email address | Checkout | Shopify, Klaviyo, Stripe | 3 years (tax) | Manual deletion from Klaviyo + Shopify erasure |
| IP address | Browser | Shopify, Google Analytics | GA4: 2 or 14 months (retention setting); Shopify: per its DPA | Automatic on expiry (GA4 does not store the full IP) |
| Payment method | Checkout | Shopify Payments / Stripe (GDPR processors; card data also under PCI DSS) | Order records 7 years (tax); card data never held by you | Shopify/Stripe handle card data; you anonymize the order |
| Purchase history | Order | Shopify | 7 years (tax) | Customer can request anonymization |
This spreadsheet is your GDPR defense. Keep it updated.
4. Set Up DSAR (Data Subject Access Request) Handling
GDPR gives customers the right to request their data. You must respond without undue delay and at the latest within one month (extendable by two more months for complex requests, but you must tell the customer about the extension within the first month) with:
- All data you hold on them
- How you use it
- Who has access
Shopify has a built-in export: open the customer under Customers, then More actions > Request customer data. Shopify sends you a file with the data it holds on that person and notifies installed apps that support its data-request webhook.
But you must also:
- Document DSAR requests you receive
- Manually compile third-party data (Klaviyo, Google, Facebook, etc.)
- Send everything to the customer within 30 days
Process:
- Customer requests data (email, contact form, or account page; any channel counts)
- Log the request with the date received; the one-month clock starts then
- Verify the request really comes from that person before sending anything (DSARs are a known social-engineering route to someone else's data)
- Request the customer data export in Shopify Admin (Customers > customer > More actions)
- Manually export Klaviyo data (profile, consent status, email events, segment history)
- Manually export Google Analytics data for that user (only possible if you send a user ID; GA4 cannot find a person by name or email)
- Compile everything into a single file and check it doesn't contain other people's data (support threads are the usual culprit)
- Send it to the customer within the month
Shopify helps with the export step, but the third-party exports and the compilation are manual. Consider a DSAR automation tool (OneTrust or a similar privacy platform) to streamline.
5. Implement Data Deletion for Non-Customers
Storage limitation applies to everyone whose data you hold, not just buyers. People who never bought from you (newsletter signups, chatbot interactions, pixel tracking) are the ones most often forgotten, because no order ever forces you to look at them.
Set a data retention policy:
- Newsletter subscribers who never purchased: Delete after 24 months of inactivity
- Chatbot/support interactions: Delete after 12 months
- Analytics data: set GA4 event data retention to the shortest option you can live with (2 months by default; 14 months is the maximum on standard GA4)
- Pixel data (Facebook, TikTok, Google): these platforms handle deletion under their own terms and DPA; your job is to stop sending events the moment consent is withdrawn
Document this policy and execute quarterly. Example:
Quarterly GDPR Data Deletion Process:
1. Extract Klaviyo email list of non-customers (no purchase)
2. Filter for last email engaged >24 months ago
3. Segment: "GDPR Delete - Inactive Newsletter"
4. Delete from Klaviyo + unsubscribe
5. Export deleted count for audit trail
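Here is the quarterly process above, together with the order anonymization the Data Deletion section calls for, as an added example. It is not Klaviyo's, Shopify's, or this article's code; the retention thresholds, subscriber records, orders and the pepper key are constructed, and in a real run the subscriber list would be Klaviyo's export and the delete list would go back through Klaviyo's API.

```python
"""Added example, not Klaviyo's or Shopify's code: applying a written retention
policy to a subscriber export, and pseudonymising the orders of an erased
customer so the tax record survives without identifying anyone. The policy
values, subscriber records and orders are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: the article's example thresholds, expressed in days. The policy
# you publish must say which definition you use.
RETENTION = {
    "newsletter_non_customer": timedelta(days=730),  # ~24 months of inactivity
    "support_interaction": timedelta(days=365),      # ~12 months
}


def select_for_deletion(subscribers: list, now: datetime, policy: dict = RETENTION) -> tuple:
    """subscribers: dicts with email, orders (int), subscribed_at, last_engaged (or None).
    Returns (emails to delete, list of (email, reason) kept). Customers are
    excluded: their order records follow the tax retention rule instead."""
    to_delete, kept = [], []
    limit = policy["newsletter_non_customer"]
    for s in subscribers:
        if s["orders"] > 0:
            kept.append((s["email"], "customer: order records follow the tax retention period"))
            continue
        # Someone who never opened anything counts from signup, not from 'never'.
        last_activity = s["last_engaged"] or s["subscribed_at"]
        if now - last_activity > limit:
            to_delete.append(s["email"])
        else:
            kept.append((s["email"], f"active within {limit.days} days"))
    return to_delete, kept


def pseudonymise_order(order: dict, pepper: bytes) -> dict:
    """Keep what tax law needs, drop everything that identifies the person, and
    replace the customer id with a keyed hash. Orders from the same erased
    customer stay linkable for fraud analysis; without the pepper (stored
    separately, and destroyable) the token cannot be tied back to anyone."""
    token = hmac.new(pepper, str(order["customer_id"]).encode(), hashlib.sha256).hexdigest()[:16]
    return {"id": order["id"], "created_at": order["created_at"], "total": order["total"],
            "currency": order["currency"], "ship_country": order["ship_country"],
            "customer_token": token}


def deletion_audit_record(run_at: datetime, to_delete: list, kept: list, rule: str) -> dict:
    """Record counts and the rule applied, never the deleted addresses themselves:
    a deletion log full of emails would undo the deletion."""
    return {"run_at": run_at.isoformat(), "rule": rule,
            "deleted": len(to_delete), "kept": len(kept)}


def run_retention_demo() -> dict:
    """Constructed quarterly run on 2025-01-15 with five subscribers and two orders."""
    utc = timezone.utc
    now = datetime(2025, 1, 15, tzinfo=utc)
    subscribers = [
        {"email": "a@example.com", "orders": 0, "subscribed_at": datetime(2021, 5, 1, tzinfo=utc),
         "last_engaged": datetime(2022, 6, 1, tzinfo=utc)},             # stale: delete
        {"email": "b@example.com", "orders": 0, "subscribed_at": datetime(2023, 2, 1, tzinfo=utc),
         "last_engaged": datetime(2024, 8, 1, tzinfo=utc)},             # recent: keep
        {"email": "c@example.com", "orders": 2, "subscribed_at": datetime(2019, 1, 1, tzinfo=utc),
         "last_engaged": datetime(2021, 1, 1, tzinfo=utc)},             # customer: keep
        {"email": "d@example.com", "orders": 0, "subscribed_at": datetime(2021, 11, 20, tzinfo=utc),
         "last_engaged": None},                                          # never engaged: delete
        {"email": "e@example.com", "orders": 0, "subscribed_at": datetime(2022, 12, 1, tzinfo=utc),
         "last_engaged": datetime(2023, 1, 20, tzinfo=utc)},            # 726 days: keep (just)
    ]
    to_delete, kept = select_for_deletion(subscribers, now)
    pepper = b"constructed-pepper-store-separately"
    orders = [
        {"id": 9001, "customer_id": 7001, "created_at": "2024-03-01", "total": "49.90", "currency": "EUR",
         "ship_country": "DE", "email": "anna@example.com", "ship_address": "Example St 1, Berlin"},
        {"id": 9002, "customer_id": 7001, "created_at": "2024-05-12", "total": "19.00", "currency": "EUR",
         "ship_country": "DE", "email": "anna@example.com", "ship_address": "Example St 1, Berlin"},
    ]
    anon = [pseudonymise_order(o, pepper) for o in orders]
    return {"to_delete": to_delete, "kept": kept,
            "audit": deletion_audit_record(now, to_delete, kept, "newsletter_non_customer"),
            "anon_orders": anon}
```

Two edge cases the spreadsheet version usually gets wrong are handled here: a subscriber who never engaged at all is measured from signup rather than kept forever, and anyone with an order is skipped because their records sit under a different retention rule. The keyed token is deliberately not a plain hash of the email or customer id, which an attacker with a customer list could recompute.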
The Third-Party App Compliance Layer
Every app you install is a data processor. Most are GDPR-compliant, but you need to verify.
Check your apps:
| App | Function | GDPR-Compliant | Notes |
|---|---|---|---|
| Klaviyo | Email marketing | Yes, has DPA | Ensure consent data is logged |
| Gorgias | Support chatbot | Yes, has DPA | May store customer support messages; retention policy needed |
| Judge.me | Reviews | Yes, has DPA | Collects customer email/name; set deletion policy |
| Google Analytics | Analytics | Yes (with Consent Mode) | GA4 does not store IP addresses; enable Consent Mode and set event data retention in GA4 |
| Facebook Pixel | Retargeting | Partially (Limited in EU) | Facebook's DPA covers data, but EU caps some functionality |
| TikTok Pixel | Retargeting | Questionable (EU investigations) | High compliance risk; consider alternatives |
Red flags:
- App doesn't have a signed DPA (don't use it)
- App stores data indefinitely (require deletion policy)
- App doesn't allow DSAR/deletion (high risk)
Real-World Compliance Checklist
Here's what a fully GDPR-compliant Shopify store looks like:
- ✓ Written privacy policy (granular, not Shopify's auto-generated)
- ✓ Consent management tool (OneTrust, CookieBot, etc.)
- ✓ DPA in place with Shopify, Stripe, and all third-party apps
- ✓ Record of processing (data flows documented in a spreadsheet; DPIA where processing is high-risk)
- ✓ DSAR process documented (one-month response time)
- ✓ Data deletion policy (quarterly execution)
- ✓ Cookie consent at site load (essential vs. marketing)
- ✓ Email consent at checkout (marketing, SMS)
- ✓ Audit trail of all DSAR/deletion requests
Cost:
- Privacy policy: $100–$300
- Consent manager: $500–$3K/year
- DPA review: $2K–$5K (legal review)
- Manual processes (DSAR, deletion): 5–10 hours/quarter
Total first year: roughly $2.6K–$8K on the figures above (the legal review is a one-off), plus 20–40 hours of staff time.
Not cheap, but the ceiling on one GDPR fine is 4% of global turnover or 20 million EUR. The math is clear.
CTA: Make GDPR Your Competitive Advantage
GDPR compliance builds trust. Customers see a privacy-first store and convert 8–12% higher. Let's audit your current compliance and fill gaps.
Schedule a free GDPR audit with Tenten.
Editorial Note
The best-performing Shopify stores in EU/UK markets treat GDPR as brand strategy, not legal checkbox. They publish transparent privacy policies, implement robust consent management, and own data deletion. This builds trust and differentiates them in a market where most competitors cut corners. The ROI is real: compliant stores see 2–3% higher customer LTV because trust drives repeat purchases.
Article FAQ
Q: Do I need to comply with GDPR if I don't explicitly target EU customers?
A: Almost certainly. GDPR applies if you offer goods to people in the EU (shipping there, EUR pricing, or an EU-language storefront all count) or monitor their behaviour, which any tracking pixel does. Stray EU visits to a store that refuses EU orders are the only grey area, and not one to rely on.
Q: What happens if a customer requests their data?
A: You have one month to provide a complete file with all data you hold on them (extendable by two months for complex cases, if you tell them within the first month), after verifying the request really comes from that person. Shopify provides core customer records, but you must manually compile third-party data (Klaviyo, Google, etc.).
Q: Can I store customer email addresses forever?
A: No. GDPR requires data minimization and storage limitation, but sets no fixed period: you define one, justify it, publish it, and stick to it. Three years of inactivity, or 12 months after the last purchase for marketing data, are common choices.
Q: Is Shopify Payments GDPR compliant?
A: Yes. Shopify and Stripe both have signed DPAs. But you're responsible for the customer data you collect (name, email, address). They're responsible for payment data.
Q: What's the fine if I'm not GDPR compliant?
A: Up to 4% of global annual turnover or 20 million EUR, whichever is higher. For a $5M revenue store 4% is $200K, but because the higher figure applies the ceiling is still 20 million EUR; regulators scale the actual fine to the infringement, so that's a maximum, not a tariff.