How to Prepare Your Shopify Store for GDPR

As a Shopify seller, if you are selling to any EU country, you should already be familiar with the GDPR, the General Data Protection Regulation. If not, it is high time you learned about it and prepared your store to comply with it.

What is GDPR?

One of the most radical changes affecting online businesses in 2018 will be the European Union General Data Protection Regulation (GDPR). This new and unified approach to personal data protection gives EU citizens a lot more control over their personal data.

Perhaps the biggest change in the GDPR is redefining what personal data is and how it should be handled. Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person.

This far-reaching definition includes:

A person’s name
A person’s photo
An email address
A mailing address
Bank details
Medical information
A user’s IP address
And more.

The GDPR was first adopted on 27th April 2016. It becomes enforceable on 25th May 2018, after a two-year transition period given to businesses to adapt to the changes.

The essence of the GDPR concerns the following three areas:

i) Get consent: the user must agree to receive marketing campaigns from you.

ii) Provide adequate protection: you must protect the user’s personal data adequately.

iii) Delete, correct, or restrict when asked: if the user requests that you delete, correct, or restrict the personal data you hold, you must comply.

Who does the GDPR apply to?

Any entity that handles the personal data of EU citizens or residents.

It doesn’t matter where your business is based. It only matters that you are collecting and using the personal data of EU citizens and residents.

Why should you comply with GDPR?

Any business that does not comply with the new GDPR may attract a fine of up to €10 million or up to 2% of its annual worldwide turnover for the previous year, whichever is higher!

However, GDPR isn’t a threat to your business; it’s a huge opportunity. European customers will like you more if you are GDPR compliant. It will certainly boost the trust factor for your brand.

Right now, data privacy is a big deal not only in Europe but in the whole world, and you can see topics related to GDPR compliance pop up all over the web. In fact, if you comply with GDPR you should highlight that to EU customers to boost your brand image.

How to prepare your Shopify store for GDPR:

First of all, this article does not constitute legal advice and you should seek professional legal advice where appropriate. The purpose of this guide is to give you some idea of what you can immediately do to comply with GDPR for your Shopify store.

Here are some measures you should take:

1) Get active consent from the user for sending promotion emails:

As a store owner, you are probably collecting user emails at several places in your store. At each of those places, you need to get active consent from the user before sending promotional emails.

For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.

i) On the register/sign-up page:

As mentioned earlier, if you intend to send promotional emails (which you should do) to anyone who registers on your store, you should get their consent first.

Here are some examples of what you can do on your registration page.

On OTTO’s registration page they have a checkbox to opt for promotional emails.

Need help from our theme experts to add this feature to your store? We are here to jump in!

Sainsbury’s goes one step further and asks for permissions in detail, which certainly helps boost customers’ confidence to opt in.

How Sainsbury’s gets consent for promotional emails/SMS on their registration page.

ii) On the checkout page:

On the customer information page, below the input box for email, there’s a default checkbox for opting in to newsletters and offers. You should keep that unchecked by default to comply with the active consent policy of GDPR.

Keep the consent checkbox unchecked by default.

iii) If you are collecting email addresses at any other place on your store:

If you are collecting email addresses anywhere on your website and send more emails than the user signed up for, then to comply with GDPR you need to get consent for the additional emails.

For example, OTTO has an opt-in for the newsletter in its footer. Here they clearly state the following:

i) All the emails the user may receive.

ii) From whom (the company name) they will receive it.

iii) How the user can revoke the consent.

iv) Get consent from the existing contacts in your list:

Now that you’ve updated your forms to comply with GDPR, you’ll be able to collect consent from new contacts. But you still need your existing contacts to opt in to your marketing permissions. The best way to do this is to send a campaign to each list affected by the GDPR.

Omnisend has a built-in email template like this for getting GDPR consent.

v) Respect the consent:

It’s not only about having the option to get consent; you actually need to respect it. Make sure your list is tagged properly so that you can easily create segments depending on the consent given and send emails accordingly.

Major email service providers like MailChimp and Omnisend have already started adopting the changes and have built their systems in accordance with GDPR.

2) Get consent for storing data using cookies:

As a Shopify store owner, it’s most probable that you are using cookies on your store. Cookies are mainly used to store users’ data for different purposes, such as a personalized shopping experience or retargeting users on other channels like Facebook or YouTube.

The EU directive for using cookies was adopted by all EU countries in May 2011. The Directive gave individuals rights to refuse the use of cookies that reduce their online privacy.

If you are not taking the consent yet, it’s time to set this up.

Compliance with the cookie law comes down to three basic steps:

i) Work out which cookies your site uses with a cookie audit.

ii) Tell your visitors what data you collect with cookies and how you use it to improve their shopping experience. Create a cookie policy and link to it when taking consent from the user. You can include the cookie policy in your privacy policy as well.

Sainsbury’s cookie policy is a good example in which all the necessary details have been clearly explained:

iii) Take consent from the EU users for using cookies. There are plenty of Shopify apps like EU Cookie Bar by Booster Apps which you can use to set this up very easily.
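The active-consent rule from step 1 and the cookie consent from step 2 rest on one idea: nothing is opted in until the user explicitly says so, and declining must be a recorded choice too (the point the comment below raises about the cookie bar). The following added example, which is not Shopify’s code nor that of any app named above, models that as a small consent record and a script gate; the category names and script list are assumed.

```javascript
// Added example (not Shopify's or any app's code): a consent record in which
// nothing optional is assumed, and a gate that only loads tracking scripts after
// an explicit, recorded choice. Category names and the script list are constructed.

const OPTIONAL_CATEGORIES = ["marketing_email", "analytics", "retargeting"];

// Fresh visitor: every optional purpose is off and no decision is recorded,
// which is what an unchecked opt-in box looks like as data.
function defaultConsent() {
  const c = { essential: true, decidedAt: null };
  for (const k of OPTIONAL_CATEGORIES) c[k] = false;
  return c;
}

// Record a decision. Only an explicit `true` counts as consent; anything
// missing, undefined or merely truthy stays false, so a pre-checked box or
// user inaction can never opt someone in. Passing {} records an explicit
// "don't allow" (or a later withdrawal): nothing allowed, but decided.
function recordConsent(choices, now = new Date()) {
  const c = defaultConsent();
  for (const k of OPTIONAL_CATEGORIES) c[k] = choices[k] === true;
  c.decidedAt = now.toISOString();
  return c;
}

// The banner stays until the user has made some decision, accept or decline.
function needsBanner(consent) {
  return consent.decidedAt === null;
}

// Essential cookies (session, cart) are always allowed; anything else needs a
// recorded, explicit yes for exactly that category.
function mayUse(consent, category) {
  if (category === "essential") return true;
  return consent.decidedAt !== null && consent[category] === true;
}

// Given the scripts a theme would inject, return only those allowed to run.
function allowedScripts(consent, scripts) {
  return scripts.filter((s) => mayUse(consent, s.category)).map((s) => s.name);
}

// Constructed script list, as a theme might declare it.
const SCRIPTS = [
  { name: "cart-session", category: "essential" },
  { name: "store-analytics", category: "analytics" },
  { name: "fb-pixel", category: "retargeting" },
];
```

The same record can drive list tagging: segment a mailing list on `marketing_email === true` and a non-null `decidedAt`, and nothing else.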


3) GDPR compliant privacy policy:

The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.

Because of this, your Privacy Policy is going to be an important part of your GDPR compliance plan.

Here’s a GDPR compliant privacy policy generator which you can use to create your new privacy policy.

To conclude:

The whole world, including you and me, is concerned about the privacy of our personal data. With GDPR, the EU is the first to take the initiative to safeguard its residents’ interests. There’s no doubt that more countries will follow this path and bring in their own regulations in line with GDPR.

It’s time for you to prepare your store for GDPR now. In the long run it will benefit your business in many ways.

If you have any question regarding the GDPR compliance for Shopify store, please comment below.



  1. Andre May 28, 2018 at 6:06 pm

    Regarding the consent for using cookies section, the app that you recommended, Cookie Bar by Booster Apps, doesn’t ask for consent, it simply indicates that the website is using cookies. Shouldn’t there be a “No thank you”, “Don’t allow” or “x”?

