GDPR Compliance Checklist for Shopify and BigCommerce

May 19, 2018

If You Are a Shopify or BigCommerce Merchant, Here’s What You Need to Know About GDPR Right Now

You’ve probably seen it all over the news and maybe even received emails warning you about the impending implementation of GDPR. Yes, there are lots of changes and important things for eCommerce merchants to consider. But it’s not big and scary. In reality it’s a new set of laws and regulations that make a lot of sense.

All of the articles and guidance you see online mentions that this is very new law, and that the information provided does not constitute legal advice. We say the same thing about this article. That said, after some basic information, this article provides a basic 9-point GDPR Checklist to help Shopify and BigCommerce merchants get to compliance.

What is GDPR and Why Does it Matter?

“GDPR” stands for “General Data Protection Regulation.” It was adopted a few years ago to expand and supplement previous consumer data protection laws cover the European Union. You are hearing a lot about it in the news now because it goes into full effect on May 25, 2018.

We give a lot of details at the end of this article about specific rules and regs in the GDPR, but everything boils down to this: The GDPR states that each individual person owns their data no matter how individuals and businesses collect it and no matter what clauses exist in their website terms of service.

Does GDPR Apply to Your Shopify or BigCommerce Store?

Legally, GDPR applies to residents of the EU. But the GDPR likely applies to you and your business no matter where you are located. There are two reasons for this. The first is that GDPR is widely viewed as a successful and reasonable set of regulations to protect online shoppers and internet users. Already, governments outside of the EU are drafting legislation of their own using GDPR as the model. We suspect that substantially similar – and even identical – regulations will be in place soon in many countries.

The second reason that GDPR applies to you and your eCommerce store is that the rules don’t apply just inside the EU. There are some questions around enforcement, but the rules apply to all EU residents whether or not the individuals (referred to as “data subjects”) are in the EU at the time they visit your site. And it also doesn’t matter if your site is hosted in the EU. This law – at its core – is about protecting the data rights of individual citizens, and that’s something we can all support, right?

So, because of those two reasons, we say that GDPR applies to every business website … period. And since there are potential financial penalties involved, we all have to pay attention. Fortunately, Shopify and – to some extent – BigCommerce are on-the-ball with their platforms and make it easier for their merchants to comply.

Enhanced Rules for Acquiring eCommerce Data Consent

Under the old rules, a business could put a few clauses in their website terms of service and put a cookies notification on their website and probably be in compliance. The new rules are greatly strengthened. If your website is collecting data about a customer – any customer – there needs to be a clearly visible consent notification and it needs to link to a clearly-written, easy to understand policy that states what specific data is being collected and how it is going to be used.

New Individual User Rights In the GDPR for Data Subjects

As we’ve said above, a “data subject” could be anyone who visits your site. If you use tracking pixels and cookies, this applies even if they never fill out a form or make a purchase. The new rules give data subjects the following rights:

Data Breach Notification – if there is a breach or if your website or third-party apps are hacked, you have to let everyone who might be impacted know within a specific time period of when you discover the breach.
Right of Data Access – all of your site users and customers have the right to see and even get a copy of all the data you collect on them.
Data Portability – customers and visitors can take that data and give it to someone else … even a competitor of yours if they want to. We don’t see this as a huge risk.
Data Erasure … “The Right to Be Forgotten” – this means that if a customer or visitor requests it, you have to delete all of the information that you have about them from your files and systems (except data that you are otherwise required to keep by law such as revenue and taxes collect, etc.).

Remember ... GDPR is built on the concept that the person – the data subject – owns the data about themselves, so they have control of it.

“Privacy by Design” – The Importance of the Platform

One of the big advantages for Shopify and BigCommerce merchants is that they are responsible for maintaining the core architecture and infrastructure. GDPR require privacy and security provisions to be built into the core systems. As a merchant on a managed platform you don’t have to worry about that side of it. But you do have to worry about how you hand data, your privacy policy, and how data might be handled by any third-party apps that your site has installed. The terms that GDPR uses for this difference is “data processors” and “data controllers.” Shopify and BigCommerce are data processors, and you are a data controller because you tell the platforms what to do and when to do it.

Which brings us to our GDPR eCommerce Compliance Checklist.

GDPR Compliance 9-point Checklist for eCommerce Sites on Shopify and BigCommerce

1) Review Your Third-Party Apps #1 – Delete Unused Apps

First things first … since we help so many Shopify and BigCommerce sites with development projects and performance improvements, we have seen hundreds of sites that have lots of unused apps installed. This is perfectly natural. Entrepreneurs like to experiment and try to things to improve. But even if they are not “active,” take this opportunity now to uninstall anything that you are not using and getting value from.

It is a good idea to get rid of unused apps on a regualr basis on a regular basis anyway (improves site performance). The TaskHusky team can help you with app deletion if you need it (start a task).

2) Review Your Third-Party Apps #2 – App Inventory and Documentation

Al the third-party apps and themes that you want to keep will have their own privacy policies. Download copies of them and store them in a safe file on your computer. Make a list of these apps and note their GDPR statements, including what data they keep and how to contact them if you get a data request from one of your site visitors. Shopify is requiring that all apps post a privacy policy, so that helps. And if the theme or app is owned or controlled by Shopify, they are taking the responsibility to make sure that they comply.

If a third-party app of theme does not have a privacy policy or is not GDPR compliant, you might need to replace them to be compliant.

3) Sales Channels

You can bet that if you are using Amazon, eBay, or Facebook as sales channels they are on top of this GDPR change-over. You still need to document them in your privacy policy, but those big guys will likely have their GDPR act together. If you are using other sales channels and affiliate services, you have to verify that they are GDPR compliant.

4) Payment Gateways

Same goes for payment gateways. Shopify Pay is reporting compliance, and so are PayPal and the other big services. But still get their documentation in your files to keep yourself safe. If you are using a smaller payment gateway service, take a hard look at their GDPR policies and statements and – if they don’t have any, you have to act on that.

5) Product Drop Shippers and Logistics Vendors

A lot of Shopify and BigCommerce stores use drop shipping suppliers that ship directly to your customers. They need to be complaint too. Ditto if you are sending your products to a third-party logistics/delivery company

6) Make a List, Check It Twice

Gather a complete list of all the personal information that you collect about your customers and site visitors AND all the kinds of information collected by your apps, themes, sales channels, payment gateways, product drop-shippers, and logistic companies. You will need to include it in your revised privacy policy.

7) Appoint a Data Protection Officer

Even if you are a one-man shop, GDPR needs to have you create a point of contact for regulators and the public. That can be you, or it can be an employee. But this person has to have real authority to ensure compliance with GDPR and – if they are negligent – they can be held accountable. This info needs to be included in your new privacy policy.

8) Revise Your eCommerce Privacy Policy

Now that you have this comprehensive list of the kinds of data collected by your site and all the services running on your site, you have to include this list in your privacy policy telling potential visitors and customers what data you might be collecting if they visit your site or place an order with you. Some of that data will be the same. For example, the customer’s name and shipping address might be collected by you and several of your apps and services (you only have to list it once).

You also need to let people know that they can request a copy of their data and even have their data deleted. And you need to provide them a written, easy-to understand and follow set of instructions on how to get those things done that aligns with your internal process to actually do them. This will include the contact info (usually an email address) of your Data Protection officer if they need help or have a question.

To be clear, unless you are a big company with high volume, we think that these kinds of requests are going to be few and far between. But you need to understand that you are obliged to have these policies and be ready to comply.

If you are on the Shopify eCommerce platform, then the Shopify Privacy Policy Generator can help, and even include the required information from Shopify as far as their data collection practices.

9) Gaining Customer Consent in GDPR

Whenever you are collecting information, the customer must be empowered. This means that in all cases, consent must be:

Freely given – which means not coerced, tricked, or bundled with other things.
Specific – you must clearly identify why that info is being collect and why it’s important.
Informed – you must tell folks how that information will be used.
Clear and Unambiguous – writing things in simple, everyday language that can be easily understood (no “fine print” or “legalese” allowed).

For example, if you are collecting email addresses for your marketing campaigns your opt-in form must state that the email will be used for marketing, promotions, special offers, etc. You can’t just say “get our newsletter” because that’s not super-clear.

More Shopify and BigCommerce Resources for GDPR

Don’t let all of this overwhelm you. It seems like a lot, and sure, it’s going to be work that you may not “want” to do. But it’s important and as time goes on customers are going to want to see businesses comply with GDPR and similar regulation because everyone wants to have data privacy and protection.

There is a lot more information online. You can read Shopify’s guidelines and instructions here, and you can access BigCommerce’s help files on GDPR here. And there are some other, less-common requirements – such as special rules for websites that do business with children – so we have also included a more general listing of links and external resources below if you want to dive deeper into the regulations for all kinds of websites and businesses.

Thanks for reading.