Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Shopify requires that you disclose what information you collect, how you use it and who you share it with:
- Identifies the personal information you collect
- Describes how you collect and use your customers' personal information
- Describes how Shopify collects and processes your customers' personal information on your behalf
- Discloses the third parties with whom you share your customers' personal data
How You Collect Personal Information
- Identifying what personal information you collect
- Explaining how you collect personal information
You can start by considering what personal information your customers (and potential customers) provide voluntarily, for example:
- Email address
- Phone number
- Shipping address
- Payment card details
- Billing address
Here's how Shopify merchant Rebecca Minkoff explains the types of personal information its customers provide voluntarily:
Rebecca Minkoff also identifies the types of personal information it collects from customers who set up an account:
You probably also collect some technical information from visitors to your website automatically, with or without their prior knowledge. For example:
- IP address
- Cookie data
- Browser type
- Device ID
- Referral data (i.e. the website they most recently visited that led them to your store)
You might be surprised to learn that these types of data qualify as "personal information." However, personal information is a very broad concept.
Increasingly, personal information is defined as any information that relates to an identifiable individual. Therefore, you should be as transparent as possible, and disclose all types of data that you collect from your customers and visitors to your website.
Here's how Shopify merchant Uproot Wines identifies the types of personal information it collects automatically from visitors to its website:
Some businesses post a separate Cookies Policy explaining what cookies do, how the business uses them, and how to prevent the website from setting them.
Here's an example of part of a Cookies Policy from Shopify merchant Gymshark. First, Gymshark explains what cookies are and why they are used:
Further down the Policy, Gymshark explains how to block cookies on various web browsers:
How You Use Personal Information
In addition to explaining what personal information you collect, you must explain how you use personal information.
You should have a clear purpose for collecting personal information. It's bad practice to collect personal information unless you need it for a specified purpose. In fact, under EU law, it is unlawful to collect personal information unless you have a "lawful basis."
As an ecommerce retailer, you're likely to use personal information in some of the following ways:
- To confirm a customer's order
- To update a customer on their order's shipping status
- To send marketing emails
Name, payment card details, billing address:
- To process payments
- To ship a customer's order
- To improve website functionality
- For security purposes
- To deliver targeted advertising
Here's an example from Shopify merchant Pixi Beauty UK:
This paragraph describes how Pixi Beauty uses personal information to send transactional emails (such as company announcements, customer service emails, and welcome emails).
How Shopify Collects and Processes Personal Information on Your Behalf
Shopify offers a number of services that involve the collection and processing of your customers' personal information, including:
- Web hosting
- Abandoned cart recovery
- Fraud screening
- Payment processing
Whatever Shopify services you use, you must explain how Shopify collects and uses the personal information of your customers and the visitors to your website.
Craft goods store Leif uses Shopify as a web host. Here's how Leif explains this to its customers:
Third Parties With Whom You Share Personal Information
Shopify requires that you disclose the third parties with whom you share personal information.
As an ecommerce retailer, you'll probably be sharing personal information with quite a lot of other companies in addition to Shopify.
For example, you might share personal data with:
- Website hosts
- Third-party payment processors such as PayPal or Stripe
- Mail carriers
- Marketing companies such as Mailchimp
You should be upfront about any third parties with whom you share or might share personal information.
Here's an example from Shopify merchant Bluebella:
First, Bluebella reassures its customers that sharing personal information doesn't mean selling personal information. Practically every business needs to share some personal information with third parties.
Note that Bluebella names some of the specific third parties with whom it shares personal information, such as Shopify and Amazon Pay. In other cases, it simply identifies the types of third-party companies with whom it shares personal information, such as "marketing agencies" and "social media sites." This is likely to be acceptable in most contexts.
And to make things even more complicated, you have to comply with whatever privacy laws apply wherever your customers live.
U.S. federal privacy law is pretty weak unless your business is aimed at children. Otherwise, if you have customers in the U.S., your main task is to comply with the privacy laws protecting California residents, since these are the strictest laws that affect anyone doing business with residents of this large state.
If your website is accessible in California, you need to comply with the California Online Privacy Protection Act (CalOPPA).
- The categories of personal information you collect
- The categories of third parties you share personal information with
- A description of any system you operate that allows users to access or modify the personal information you hold about them
- Whether your website honors "Do Not Track" signals
- A disclosure of whether you use tracking cookies
European Union and United Kingdom
If you have customers in the EU and/or the UK, you must comply with the EU General Data Protection Regulation (GDPR).
- Contact details for your business
- Information about what categories of personal information you process
- The lawful basis for processing each type of personal information
- Your safeguards for transferring personal information out of the EU (if applicable)
- Your data retention policy
- How users can access, delete, or rectify their personal information
- The relevant Data Protection Authority to whom your customers can make a complaint
If you have customers in Canada, you'll need to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
- Contact details for your Privacy Officer
- Information about exercising "the right of access"
- A list of the types of personal information you hold and your uses for that personal information
- A copy of any relevant company policies
- A disclosure of how you share personal information with third parties and subsidiaries
Check out our article that covers more privacy laws by country.
Log in to your Shopify Store.
Go to Online Store:
Click on Pages, then click the Add page button in the upper right corner:
Go back to the Shopify Store page. Paste the HTML code into the Content editor field and click the Save button:
Log in to your Shopify Store.
Go to Online Store:
Click on Navigation and then on Footer menu:
In Footer Menu under Menu items, click on Add menu item:
Click the Add button at the bottom of the Add menu item editor.
Then click on Save Menu:
- You're done!
How to Add Legal Policies to Shopify Store Checkout Page
Log in to your Shopify Store.
Go to Settings:
Scroll down to and click on the Policies section:
An editor will open with fields where you can add your policies:
Click Save in the upper right corner.
To see how the policies look on your checkout pages, follow these instructions:
Go to checkout:
Under Checkout style, click the Customize checkout button:
Your store policies will appear in the footer of your Checkout page:
- The types of personal information you collect and how you collect it
- How you use personal information
- How Shopify collects and uses personal information on your behalf
- The third parties with whom you share personal data
You must also provide any additional information that is legally required in your customers' countries of residence.