We have easy-to-use eCommerce platforms like Shopify to thank for making it possible for small business owners to reach a worldwide audience in just a few clicks!
The beauty of Shopify is in all the possibilities that it offers: from being able to get a store online in a matter of minutes by using an existing theme to using the services of a professional to create a fully custom website, the options are endless.
Whether you are an eCommerce newbie or an experienced online seller, you need to make sure that you remain compliant with all applicable laws, including the ones protecting the privacy of your potential and existing customers.
If you operate a transactional website, such as a Shopify store, you are no doubt processing personal information – whether you realize it or not.
From the moment a potential customer lands on your website and signs up to your email list to receive a promotional offer to when that person finally checks out and provides you with their name, shipping address, and credit card details, you have collected information that could be used to identify them and thus can be considered personal.
Required by Law
Nowadays, most countries have enacted privacy laws that provide guidelines as to how businesses should go about informing, collecting, handling, and processing the personal information of their residents.
While you likely have a target market for your products, chances are that you will get some visitors and potential customers from other countries – even if they don’t purchase right away, they might decide to sign up to your newsletter or create an account to save their favorite items for later.
The General Data Protection Regulation (GDPR) applies to businesses that either operate in the European Economic Area (EEA) or that process the data of people located in the EEA.
In the United States, while there is to date no privacy legislation at the federal level, the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) should be taken into account.
If you’re a bigger business with an annual turnover of more than $3 million (or are a smaller organization that buys or sells personal information, provides health services, or is otherwise targeted by this piece of legislation), you will need to comply with Australia’s Privacy Act of 1988 and its Australian Privacy Principles.
Many countries other than the ones mentioned above require businesses to take steps to protect the personal information they collect from residents, and require privacy policies that give those residents transparency and control over the data they share.
Required by Shopify
This section specifies that because you, as a Shopify store owner, ultimately decide what information is collected from your customers and how it will be used, you have the responsibility to let them know how both you and Shopify treat their personal information.
First things first, you will want to analyze your website and consider all the ways in which you may be collecting personal information from your website visitors.
This could include collecting their:
- IP address when someone lands on your homepage
- Name and email address when they sign up for your email list or create an account
- Home address and telephone number when they make a purchase and enter their shipping information
- Credit card details when they proceed to make a payment
- Usage data, gender, and location if you use marketing analytics tools such as Google Analytics
Additionally, consider all the plug-ins or applications that you have added to your Shopify store. Whether it is a payment processing provider, a currency conversion tool, or a shipping tool that integrates with your store, your customers' personal information is likely being shared with these third parties, since they need it in order to provide their services.
- What personal information you collect
- How you collect that personal information
- How you use that personal information
- If and why you share that information with third parties (payment processors, shipping providers, etc.)
- How long you will be holding on to that data and how you will protect it from unauthorized access
- Your contact information
- Any other elements required by the various privacy laws that may be applicable to your business (the lawful basis for processing, rights of the data subjects, contact information for your data protection officer, etc.)
1. Log in to your Shopify account and, from the admin screen, navigate to Settings, then click on Legal.
Alternatively, you could choose to manually create a new page in your Shopify admin menu by clicking on Online Store and Pages.
Note: if you have an additional or temporary policy such as for Black Friday, holidays, or a pandemic, manually adding a page could be the way to go.
1. Go to your Online Store and click on Navigation
5. Click on Add, then Save menu
Crabtree & Evelyn
Body care and fragrance retailer Crabtree & Evelyn’s website is powered by Shopify.
As soon as new website visitors land on its homepage, they are served with this pop-up offering 15% off their first order in exchange for their email address:
And the one collected automatically by the retailer:
Crabtree & Evelyn addresses the measures taken to protect the personal information of their customers:
The retailer mentions that it shares information with service providers, such as shipping, customer service, and fraud detection companies, and specifically mentions its use of Google Analytics, which collects personal data from website visitors.
Eyewear retailer Bailey Nelson sells optical and sunglasses both online and through brick and mortar locations. Like many retailers, Bailey Nelson has chosen Shopify as its eCommerce platform.
Bailey Nelson makes it clear to shoppers what types of personal information may be collected about them:
Note that the mention of sensitive information is very specific to this retailer, as it holds deeply personal data about its customers such as prescriptions, medical histories, and medication regimes.
When explaining how it shares information with third parties, Bailey Nelson specifically mentions Shopify:
It is common practice to do so and to explain for what purposes, as well as to link to those third parties’ respective privacy policies.
US-based activewear retailer Outdoor Voices has a significant online presence and has chosen Shopify to sell direct-to-consumer.
Customers are also reminded of the privacy policy during the checkout process, when they are prompted to give their phone number, which is optional:
Outdoor Voices does a good job of explaining what information it collects from website visitors by using plain language and bullet points:
It specifically mentions the right of California residents to request details about how their information is shared with third parties for direct marketing purposes: