Jun 27, 2018 - Justin Emond

Seven Must-Do Checks to Ensure Your Shopify Plus Site is GDPR Compliant

Instead of being recognized for better data protection, May 25, 2018, will live in infamy as the day when privacy policies were updated and sent out to inboxes everywhere. But concerns for GDPR compliance are far from over.

Remember: Even if your operations are based in the U.S., if you market or sell goods to European Union citizens, you likely will have to comply with the regulations (see our guide on determining your organization’s GDPR risk).

Ignoring the regulations is not an option, as merchants can be fined up to four percent of their annual revenues.

We’ll all see if GDPR enforces what they say long-term but Facebook and Google have already been hit with $8.8 billion in lawsuits on day one of GDPR.

Here are our seven must-do checks to ensure your Shopify site is ready for GDPR:

Check 1: Make sure you have explicit consent checkboxes on all data-gathering forms.

Here is a screenshot of Death Wish Coffee’s email newsletters sign up:

Death Wish Coffee newsletter sign up

This form is not GDPR-compliant because it doesn’t have an explicit checkbox or another form field that explains to the user how their data will be used, nor does it ask for affirmative consent.

To fix a problem like this one, you will need to go into the settings of the form to add clarifying language on intended data use and add a control for affirmative consent. If you are using the popular Shopify App Form Builder, this will be easy to do in the Shopify admin.

Here is a quick refinement to their existing form that would make this newsletter sign up GDPR compliant:

Death Wish Coffee newsletter sign up that has been edited to be gdpr compliant

If you are using MailChimp here is a great article on making a MailChimp newsletter form GDPR compliant.

Check 2: Audit every cookie created by your Shopify site.

GDPR protects all personal data, which can include IP addresses, cookies, and other non-obvious means of associating data with an individual person. IT Compliance puts it best:

“When cookies can identify an individual via their device, it is considered personal data.”

Cookies in your store can originate from three sources: the Shopify platform itself, Shopify apps you install, or custom JavaScript code in the theme. You don’t need to worry about the cookies created by the core Shopify platform.

One of the benefits of Shopify being a cloud solution is that Shopify takes care of GDPR compliance at the platform level.

However, you must pay careful attention to the cookies that may be created by the Shopify apps you installed, and by custom JavaScript code written into the site theme by your developers.

And remember too that not every cookie your site creates is created on every page. You will need to have your engineering team search the theme code for cookie logic and visit a representative sample of pages on your site top carefully document and evaluate every unique cookie you identify for GDPR compliance.

How to make a cookie GDPR compliant?

Once you have compiled an inventory of cookies you next have to determine the GDPR compliance of every cookie. To do this you have to look at what information the service that created the cookie stores in relation to the individual cookie.

Put more simply, if the cookie allows the service to track personal information about individual users (even an IP address) the cookie is not compliant. If no service uses the cookie to track information that isn’t tied to an individual person, you are fine.

GDPR Cookie compliance example


The trick is you often can’t tell if the cookie is an offender by just looking at the cookie, you actually need to look at what data the service collects and if that data is tied to an individual person. Looking at the cookies just provides an easy way to inventory what every offending service might be.

Check 3: Audit every Shopify app.

Every third-party app needs to be audited for GDPR compliance.  Popular apps like Google Analytics are likely to be compliant, but many others may not be. You may have to defer their use until after you fix the second-page load (see check #6), refine the integration configuration, or find another app altogether.

Here is the GDPR compliance status (as of 06/22/2018) for some of most popular Shopify Plus apps:

Shopify Plus App

GDPR Compliant?

Notes about GDPR Compliance:


GDPR Compliance for Ecommerce: What Store Owners Can Do

Google Shopping


Plug in SEO


Shopify Facebook Store


Bulk Discounts


Free Shipping Bar


ALT Text


Digital Downloads


Social Media Stream


MailChimp for Shopify

All newsletter signup forms likely have to be updated

Product Reviews

The standard review form itself should be GDPR compliant out-of-the-box, but you can’t use the information gathered for any marketing purposes. If you want to market to people that leave reviews, make sure you obtain their consent by modifying the review form.


You need to obtain consent before sending email marketing emails like abandoned cart emails using Receiptful.


Given the amount of data collected with Yotpo’s various services you likely will need to make refinements to your integration to be GDPR compliant.

Improved Contact Form

You will need to update the form’s UI to comply with GDPR.

Better Coupon Box

You will need to update the form’s UI to comply with GDPR.


There are unlikely any UI changes needed but you will need to be sure to include the customer information stored in AfterShip in customer deletion requests and data portability requests.


There are unlikely any UI changes needed but you will need to be sure to include the customer information stored in AfterShip in customer deletion requests and data portability requests.


Kit itself is GDPR compliant. However, the tool touches with your email marketing efforts so you need to be sure that you have obtained consent from any emails gathered with Kit.


Create an inventory of every Shopify app your team has installed by going into the Shopify admin and going to the Apps section.

For each app, identify if it has the potential to gather data that might be covered by GDPR, and if it does, contact the app provider to determine their compliance status. You can find the contact information for app developers in the Shopify App Store.

Definitions are crucial in GDPR, but any information that can be used to identify a person is considered protected by the regulations, like:

  • Name

  • Email address

  • Timestamped location information

  • Address

  • Government or other ID number assigned by other entities, public or private

  • Your Customer ID for the person

  • Any kind of database ID you use

  • IDs in a browser cookie

  • Pseudonymisation, that is, information that could be tied back to a person with additional information

Check 4: Make sure you have an easy-to-use deletion request page.

An important part of GDPR compliance is providing a page that visitors can use to request the removal of their data from your systems. (It’s called the “right to be forgotten.”) This process for requesting data removal must be as simple and easy as the form they used to provide consent.

In Shopify, you will want to create a new deletion request page using a Shopify App like the popular Form Builder app that gathers the basic information you need for your customer service team to process the request. You can configure the form to flow the data from the form submission to your customer support system (if you are using Zendesk or Gorgias.io, for example) to ensure no request is missed.

Be sure to put a link to this page somewhere on every page of your site—in the footer, for example. Use Shopify’s Navigation section in the admin to add the link globally.

Check 5: Review the data flow of any referral systems.

If your site experience has any kind of referral system—like a feature to email a coupon to a friend—be sure to audit the data flow of the email address used to send the deal.

If your system sends the email to the friend and then doesn’t store the email address, you don’t need to do anything.

However, if you store that recipient email address, or if you store it and send it along to another system for marketing purposes (like in a drip campaign), you will need to obtain consent from the recipient.

Email forwarding GDPR compliance

Check your Shopify app settings for whatever drip tool you are using (Klaviyo, Bronto, MailChimp, Emma, Rare.io, etc.), to ensure consent is part of the flow.

Check 6: Make sure your implied consent flow does not gather data on the first page load.

Implied consent is when a new visitor comes to your site for the first time and has already accessed the content before accepting the terms and conditions.  Here is a common example:

Common implied consent cookie policy which violates gdpr compliance

But here’s the thing: Before users even click that button, the site has already gathered data.  That’s why it’s called implied consent because just by visiting the URL, a user’s data has been collected.

Sure, they can leave immediately, but your site has already gathered their data. Many of our clients use this approach to comply with existing regulations, and this experience flow is common across mid-market and enterprise US-based organizations.

The problem is that GDPR invalidates implied consent. The new standard under the law is called affirmative consent, which must be given by the user.

Any company using implied consent flow has to make a critical change to be GDPR compliant: Personal data cannot be collected until second-page load. This puts the choice in the hands of the visitor; they can stay and share data, or leave without sharing any at all.

Addressing this issue in Shopify is going to be tricky. You can get your engineers to write code to defer cookies created by the Shopify theme layer until the second-page load easily enough. But the other major source of cookies, Shopify apps, are out of your control. You will likely need to contact each Shopify app creator to see if cookie deferment is supported. If not, you will likely need to use a new Shopify app.

Check 7: See if your data is being properly segmented.

Whether you choose to future-proof your organization or comply today, it is important to ensure you are collecting the data necessary to segment your records for EU and non-EU citizens.

You should consider refining the data gathering form flows, as you have to include a checkbox for citizenship. (To reduce the friction added by GDPR compliance, you can use a progressive form that adapts to the affirmative answer of that question by adding additional fields for GDPR.)

Make sure all of the Shopify apps you use for newsletter sign-ups and customer marketing emails flow into a system that carefully tracks their geography and citizenship status.

Bonus tip: Shopify maintains a great set of information on how the regulations impact merchants and the Shopify platform itself. Be sure to check out these great resources: