Shopify and GDPR Compliance

Eckhard Schneider · Published by Decareto · 4 min read · August 9, 2024
What is Shopify?

Shopify is a cloud-based e-commerce platform that allows merchants to create and operate online stores without any programming knowledge. Shopify takes care of hosting and administration. Shopify stores can be easily expanded with accounting, logistics, marketing or legal security functions via an ecosystem of external “apps” that can be integrated into your own store.

Shopify Inc. is a Canadian company and has its headquarters at 151 O’Connor Street, Ground floor, Ottawa, Ontario, K2P 2L8. Shopify operates online presences for over 2 million merchants, the Shopify App Store contains 13,000 apps.

Is Shopify GDPR compliant?

For an assessment of GDPR compliance it matters, among other things, in which countries Shopify processes personal data; not only the locations of the data centers but also the headquarters of the companies involved must be taken into account.

Shopify is a Canadian company and uses the Google Cloud Platform (USA) as its hosting infrastructure. In addition, the content delivery network of the company Cloudflare (also USA) is used for scaling.

Data processing is generally only permitted in EU countries or in countries for which an adequacy decision exists. This is the case for Canada. For the USA, an adequacy decision exists for companies that are certified under the EU-US Data Privacy Framework (DPF). Cloudflare and Google are both DPF-certified (as of 05.08.2024), so their use is permissible in principle.

However, Shopify stores practically always use additional external services, some of which also process personal data or set cookies and are therefore relevant for the assessment of GDPR compliance.

For GDPR-compliant use, additional obligations must also be fulfilled (see below).

Does Shopify set cookies?

Shopify states that it uses the following cookies:

Cookie              Purpose                                                                                              Duration
_identity_session   Contains the identity session identifier of the user.                                                2 years
checkout            Used in connection with checkout.                                                                    21 days
user                Used in connection with Shop login.                                                                  1 year
_assignment         Shopify analytics.                                                                                   1 year
_landing_page       Captures the landing page of a visitor when they come from other sites.                              2 weeks
_orig_referrer      Allows the merchant to identify where people are visiting them from.                                 2 weeks
_shopify_s          Used to identify a given browser session/shop combination; 30 minute rolling expiry from last use.   30 minutes
_shopify_sa_t       Captures the landing page of a visitor when they come from other sites to support marketing analytics. 30 minutes
_shopify_y          Shopify analytics.                                                                                   1 year

How to check external services and cookies in a Shopify store?

An essential part of the GDPR compliance of a Shopify store is the use of a consent banner so that users can give legally compliant consent. Before this has been given, no services that require consent may be loaded and no cookies may be set that are not necessary for the operation of the store.

If apps are used in the store, connections to the app operator’s web server are often established and the apps may also set cookies. An assessment must be made on a case-by-case basis.

Ideally, the store should not make any network calls to servers that do not belong to Shopify without consent, i.e. to domains other than

  • Your store domain
  • shopify.com
  • shopifycdn.com
  • shopifycloud.com
  • shop.app

Which of Shopify’s cookies can be considered technically necessary is controversial, but of those mentioned above, at most the cookies _identity_session, checkout and user should be set without consent.
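A small pre-consent audit based on the two allowlists above, added here as an example (it is not decareto's or Shopify's code): it takes the hosts a store page contacted and the cookies it set before consent was given, and flags everything outside the Shopify domains and the three cookies that may be set without consent. The store domain `example-store.com` and the request and cookie samples are constructed for illustration.

```python
# Added example: audit hosts contacted and cookies set before consent against
# the allowlists from this article. Sample observations are constructed, not
# captured from a real store.
from urllib.parse import urlsplit

# First-party Shopify domains listed in the article; the store's own domain
# is added per store when auditing.
SHOPIFY_DOMAINS = {"shopify.com", "shopifycdn.com", "shopifycloud.com", "shop.app"}

# Of Shopify's own cookies, at most these three may be set before consent.
NECESSARY_COOKIES = {"_identity_session", "checkout", "user"}


def host_allowed(host: str, store_domain: str) -> bool:
    """True if host is the store domain or a Shopify domain, or a subdomain
    of one. Matching on '.' + domain stops look-alikes such as notshopify.com."""
    host = host.lower().rstrip(".")
    for allowed in SHOPIFY_DOMAINS | {store_domain.lower()}:
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def audit_pre_consent(requests, cookies, store_domain):
    """Return (third-party hosts, non-necessary cookies) observed before consent.
    requests: URLs the page requested before consent; cookies: cookie names set."""
    third_party = set()
    for url in requests:
        host = urlsplit(url).hostname
        if host and not host_allowed(host, store_domain):
            third_party.add(host)
    unexpected = {name for name in cookies if name not in NECESSARY_COOKIES}
    return sorted(third_party), sorted(unexpected)


# Constructed sample observations for an assumed store domain.
STORE_DOMAIN = "example-store.com"
SAMPLE_REQUESTS = [
    "https://example-store.com/",
    "https://cdn.shopify.com/s/files/theme.js",
    "https://cdn.shopifycloud.com/shopify/assets/storefront.js",
    "https://shop.app/pay/sdk.js",
    "https://analytics.example-app-vendor.com/track.js",  # app operator's server
    "https://tracker.example-marketing.net/pixel.gif",    # marketing service
]
SAMPLE_COOKIES = ["_identity_session", "checkout", "_shopify_y", "_landing_page"]

if __name__ == "__main__":
    hosts, cookies = audit_pre_consent(SAMPLE_REQUESTS, SAMPLE_COOKIES, STORE_DOMAIN)
    print("Third-party hosts contacted before consent:", hosts)
    print("Non-necessary cookies set before consent:", cookies)
```

In practice the request and cookie lists come from a browser session recorded before the consent banner is answered; anything the audit flags needs either consent gating or a justification as technically necessary.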

To carry out these checks, we recommend using an automated solution such as decareto Compliance Monitoring, as manual checks are usually difficult to implement. In addition, the use of marketing measures in online stores requires permanent and regular monitoring.

How to use Shopify in compliance with the GDPR?

The legally compliant use of Shopify is not trivial, especially because of the use of apps that may also process personal data. The following points, among others, must be observed:

  • Adaptation of the privacy policy
  • Use of a correctly configured consent banner
  • Conclusion of contracts for commissioned data processing with Shopify and the operators of the apps

We recommend seeking external data protection advice for this.

Please note that this article does not constitute legal advice.
