Blog

Privacy policy for Shopify Stores the Easy Way

We have easy-to-use eCommerce platforms like Shopify to thank for making it possible for small business owners to reach a worldwide audience in just a few clicks!

The beauty of Shopify is in all the possibilities that it offers: from being able to get a store online in a matter of minutes by using an existing theme to using the services of a professional to create a fully custom website, the options are endless.

Whether you are an eCommerce newbie or an experienced online seller, you need to make sure that you remain compliant with all applicable laws, including the ones protecting the privacy of your potential and existing customers.

Expert tip: Take the hassle of writing a privacy policy for your ecommerce store away with our privacy policy generator. It will save you hours of work and possible costly legal mistakes.

Why Do You Need a Privacy Policy For Your Shopify Store?

If you operate a transactional website, such as a Shopify store, you are no doubt processing personal information - whether you realize it or not.

From the moment a potential customer lands on your website and signs up to your email list to receive a promotional offer to when that person finally checks out and provides you with their name, shipping address, and credit card details, you have collected information that could be used to identify them and thus can be considered personal.

Required by Law

Nowadays, most countries have enacted privacy laws that provide guidelines as to how businesses should go about informing, collecting, handling, and processing the personal information of their residents.

While you likely have a target market for your products, chances are that you will get some visitors and potential customers from other countries - even if they don’t purchase right away, they might decide to sign up to your newsletter or create an account to save their favorite items for later.

These are all ways in which you can be involuntarily collecting personal information from international customers, thus the need to have a privacy policy that takes into account global laws that may apply to your business, and not just the laws of the country in which your business is based.

Europe

The General Data Protection Regulation (GDPR) applies to businesses that either operate in the European Economic Area (EEA) or that process the data of people located in the EEA.

Under the GDPR, those businesses have to have a privacy policy that is easily accessible and understandable in order to obtain affirmative and clear consent from users before collecting any personal information. To be GDPR-compliant, a privacy policy must fulfill some basic requirements and contain all the essential elements mentioned in this piece of legislation.

Failure to comply with the GDPR can have some serious implications, notably in the form of monetary penalties. Have a look at our article How to Write a GDPR Compliant Privacy Policy to learn more.

United States

In the United States, while there is to date no privacy legislation at the federal level, the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) should be taken into account.

While the CalOPPA requires that any commercial website that collects personal information from California residents have a conspicuously placed privacy policy that explains how it is collected, used, and shared, the CCPA requires that users be served with a notice at the collection at or before personal information is collected (this notice needs to be linked to a privacy policy that is to be updated on a yearly basis).

To confirm if the CalOPPA and the CCPA apply to your business as well as what your privacy policy should contain, read our article on the subject here.

Australia

If you’re a bigger business with an annual turnover of more than $3 million (or are a smaller organization that buys or sells personal information, provides health services, or is otherwise targeted by this piece of legislation), you will need to comply with Australia’s Privacy Act of 1988 and its Australian Privacy Principles.

This means that you will need to have an updated and clearly expressed privacy policy available free of charge, in an appropriate format and that contains all the information required under the law.

Worldwide

Many other countries other than the ones mentioned above require that businesses take steps to protect the personal information that they collect from their residents and require privacy policies to provide constituents with transparency and control over the data that they share.

Before you start doing business online, stop and take a moment to consider which laws apply to you (i.e. where your customers could potentially be located) and make sure that you have an all-encompassing privacy policy before collecting personal information from your website visitors.

Required by Shopify

Now, if the fact that a privacy policy is required by law isn’t enough for you, Shopify itself requires that you have one in its terms of service, which includes their privacy policy and a section that is applicable to merchants.

Shopify's privacy policy requirement for users to state what information they collect from users

This section specifies that because you, as a Shopify store owner, ultimately decide what information is collected from your customers and how it will be used, you have the responsibility to let them know how both you and Shopify treat their personal information.

It specifically mentions that you should do so by “at a minimum” having a privacy policy on your store. It also states that this privacy policy should address: what information both you (and Shopify on your behalf) collect, how you use the information collected and who you share it with (likely third-party integrations such as payment processing service providers and marketing analytics tools).

Shopify reserves the right to suspend or terminate accounts at any time, without notice, and for any reason; failing to comply with their terms of service by not having a privacy policy on your store could potentially give them a reason to cancel your account and if this is the only eCommerce platform that you use, your business. Don’t risk it!

Shopify's privacy policy on reserving the right to modify or terminate users' accounts on white background

How To Write a Privacy Policy For Your Shopify Store?

First things first, you will want to analyze your website and consider all the ways in which you may be collecting personal information from your website visitors.

This could include collecting their:

  • IP address when someone lands on your homepage
  • Name and email address when they sign up for your email list or create an account
  • Home address and telephone number when they make a purchase and enter their shipping information
  • Credit card details when they proceed to make a payment
  • Usage data, gender, and location if you use marketing analytics tool such as Google Analytics

Additionally, consider all the plug-ins or applications that you have added to your Shopify store. Whether it be a payment processing provider, a currency conversion tool or a shipping tool that integrates with your store, the personal information of your customers is likely being shared with these third parties as it would be necessary for them to be able to provide their services.

Then, you can think about writing a privacy policy that will provide transparency to your future customers, make them trust you, and give them a way to contact you should they have any questions in regards to your data collection practices.

This privacy policy should notably address:

  • What personal information you collect
  • How you collect that personal information
  • How you use that personal information
  • If and why you share that information with third parties (payment processors, shipping providers, etc.)
  • How long you will be holding on to that data and how you will protect it from unauthorized access
  • If you use cookies and other similar tracking technologies
  • Your contact information
  • Any other elements required by the various privacy laws that may be applicable to your business (the lawful basis for processing, rights of the data subjects, contact information for your data protection officer, etc.)

Whether you choose to retain the services of an attorney to draft your privacy policy or use a privacy policy generator, you should be reviewing it regularly to make sure that it remains relevant and compliant with ever-changing privacy laws - our generator provides you with automatic updates so that you can focus your attention on your online store.

Over 100,000 businesses have used our attorney-drafted privacy policy generator to get their ecommerce stores compliant in minutes. Don’t waste time writing legal documents and avoid common mistakes. Create your privacy policy now.

How To Add a Privacy Policy on Shopify?

Adding a privacy policy to your Shopify store couldn’t be easier!

1. Log in to your Shopify account and, from the admin screen, navigate to Settings - click on Legal.

Shopify's settings menu to add privacy policy

2. Copy and paste the privacy policy that you have generated in the box:

Shopify's privacy policy template

3. Hit Save and voilà, you have just added a privacy policy to your Shopify store!

Shopify's unsaved changes on privacy policy

Alternatively, you could choose to manually create a new page in your Shopify admin menu by clicking on Online Store and Pages.

Shopify's Sales Channels of the Online Store and Pages display in a column

Click Add page, enter the title and text of your privacy policy and hit Save.

Shopify's add page to insert privacy policy text
Shopify's Add page for placing Privacy policy

Note: if you have an additional or temporary policy such as for Black Friday, holidays, or a pandemic, manually adding a page could be the way to go.

Where To Display Your Privacy Policy?

You should make your privacy policy easily accessible and hard-to-miss.

By following the steps above, a link to your privacy policy will automatically be added to your checkout page’s footer. However, you will want to add a reference to it in other places - most importantly your website footer.

In addition, it is good practice to make reference to your privacy policy anytime you collect personal information from your customers: at the time of account creation, during the checkout process, when filling out a customer service request, with any pop-up that prompts users to share their email address, etc.

To add your privacy policy to your store’s menus:

1. Go to your Online Store and click on Navigation

Shopify's Sales Channels navigation display in column in dropdown menu

2. Select the menu in which you want to add your privacy policy (such as the Footer menu)

3. Click on Add menu item, type in Privacy Policy

Shopify's menu
Shopify's Add menu item

4. Click on Link and Policies - select your privacy policy from the drop-down or, if you chose to create a new page, add the link to the page that hosts your privacy policy

Shopify's link policies

5. Click on Add and Save menu

Shopify Privacy Policy Examples

Crabtree & Evelyn

Body care and fragrance retailer Crabtree & Evelyn’s website is powered by Shopify.

As soon as new website visitors land on its homepage, they are served with this pop-up offering 15% off their first order in exchange for their email address:

Crabtree & Evelyn's pop up sign-up form with 15% off discount

Notice that the retailer mentions under the sign-up button that “by providing your email address, you agree to our Privacy Policy and Terms of Service”.

Said privacy policy is accessible through the website footer under Terms & Conditions:

Crabtree & Evelyn's website footer with legal policies on black background

There, visitors can see all policies at a glance: the terms of sale, privacy policy, cookie policy, terms of use, and promotions and competitions are all hosted on one page, which makes it easy to navigate.

The privacy policy is fairly straightforward and addresses both the personal information collected by Crabtree & Evelyn as volunteered by the customer under the circumstances below:

Crabtree & Evelyn privacy policy on what information is collected from users

And the one collected automatically by the retailer:

Crabtree & Evelyn's privacy policy on users' information is being collected automatically

Crabtree & Evelyn addresses the measures taken to protect the personal information of their customers:

Crabtree & Evelyn's My personal Information Secure? statement on white background

The retailer mentions that it shares information with service providers, such as shipping, customer service, and fraud detection companies, and specifically mentions its use of Google Analytics, which collects personal data from website visitors.

Crabtree & Evelyn's Google Analytics statement on white background

This is a good reminder, as a Shopify store owner, to check the terms of use of the third-party services that you use; some, such as Google Analytics, require that users have a privacy policy in place in order to be able to use their services.

Bailey Nelson

Eyewear retailer Bailey Nelson sells optical and sunglasses both online and through brick and mortar locations. Like many retailers, Bailey Nelson has chosen Shopify as its eCommerce platform.

Its privacy policy is accessible through its website footer:

Bailey Nelson’s term of use and privacy policy on its website footer

And is also referenced during the checkout process, where shoppers have to confirm having read, understood, and agreed to the terms of use and privacy policy:

Bailey Nelson’s checkout process displays privacy policy and terms and conditions

Bailey Nelson makes it clear to shoppers what types of personal information may be collected about them:

Bailey Nelson's privacy policy on white background

Note that the mention of sensitive information is very specific to this retailer, as it holds deeply personal data about its customers such as prescriptions, medical histories, and medication regimes.

This is the UK version of Bailey Nelson’s privacy policy, thus the reference to its legal basis for processing information - consent and performance of a contract - under the GDPR.

When explaining how it shares information with third parties, Bailey Nelson specifically mentions Shopify:

Bailey Nelson’s Shopify privacy policy

It is common practice to do so and to explain for what purposes, as well as to link to those third parties' respective privacy policies.

Outdoor Voices

US-based activewear retailer Outdoor Voices has a significant online presence and has chosen Shopify to sell direct-to-consumer.

Scrolling down to the footer of the website, one can see that the privacy policy and terms are made accessible, next to the email newsletter sign-up form:

Outdoor Voices' website footer with legal policies on white background

Customers are also reminded of its existence during the checkout process when prompted to give their phone number, which is optional:

Outdoor Voices optional phone for users on white background

The privacy policy itself is easy to navigate as the clickable table of contents allows shoppers to see everything at first glance and read the sections that are of particular interest to them.

Outdoor Voices' Privacy Policy on white background

Outdoor Voices does a good job of explaining what information it collects from website visitors by using plain language and bullet points:

Outdoor Voices' on "Collection of Information", what information the website will collect from users

Being based in the United States, Outdoor Voices likely has a good number of Californian customers. For that reason, its privacy policy includes a section dedicated to the CCPA:

Outdoor Voices' California Privacy Rights and California Consumer Privacy Act

It specifically mentions the right of California residents to request details about how their information is shared with third parties for direct marketing purposes:

Outdoor Voices' right of California residents for direct marketing purposes

As you can see, there is no one-size-fits-all privacy policy. The location of your customer base needs to be taken into account in order to ensure that you are complying with all international privacy laws that may apply to your Shopify store.

Final Words

Whether you have already started selling online or are just in the planning phases of your eCommerce business, it’s never too late to start thinking about your privacy policy or to give it a bit of a refresh.

Note that while you have the option to generate a privacy policy directly in Shopify, you do remain responsible for its content and for ensuring that all elements pertaining to your business, privacy practices, and applicable legislation are included.

And ensuring that’s the case doesn’t have to be complicated. Once you have identified where you operate, where your potential customers could be located, which privacy laws apply to you, and which third-party services and plug-ins you will be using (as well as their respective requirements) give our privacy policy generator a try - it will ask you easy-to-answer questions and generate a custom privacy policy for your Shopify store in a matter of minutes.

For more information, read What is a Privacy Policy: The Definitive Guide.