Getting GDPR wrong isn't just a legal risk. It's the kind of liability that has resulted in fines reaching into the tens of millions of euros for companies far bigger than most Shopify stores. Smaller merchants have been caught too. The regulation has been in force since May 2018, and a surprising number of stores are still running with outdated privacy policies, no real cookie consent setup, and no process for handling customer data requests.
We've helped Shopify merchants across the UK and EU audit their stores for ecommerce GDPR compliance, fix their cookie consent setup, and build data handling processes that actually hold up. Let's take a deep dive into what GDPR means for Shopify merchants.
What GDPR Actually Is
The General Data Protection Regulation is EU law that governs how businesses collect, store, and use personal data. It came into force on May 25, 2018, and it's still very much being enforced. In 2024 alone, EU regulators issued over €2.1 billion in fines, many targeting e-commerce businesses.
GDPR defines three roles that matter for Shopify merchants:
Data Subject — your customer. The person whose data you're collecting.
Data Controller — you, the merchant. You decide what data to collect, why, and how it's used.
Data Processor — Shopify. It processes data on your behalf, according to your instructions.
Here's what Shopify does for you and what you need to do.
| Dimension | What Shopify Handles | What You Must Handle |
|---|---|---|
| Platform data security | Yes, fully | Not required |
| Customer data storage | Shopify's servers are GDPR-ready | Your data practices and policies |
| Cookie consent banner | Not included by default | Must be implemented by you |
| Privacy policy | Template provided | Must be customized for your store |
| Data deletion requests | GDPR webhooks available | Must be set up and acted on |
| Third-party app compliance | Not Shopify's responsibility | You must audit each app |
| Data Processing Addendum | Available on request | Merchants must sign and store it |
Shopify is the data processor. You're the data controller. Those are two different roles under the regulation, and the obligations that come with each are different.
Is Shopify GDPR Compliant?
Shopify is GDPR compliant as a platform. It operates as a data processor, meaning it handles your customers' personal data on your behalf and has the technical and organizational measures in place that GDPR requires for processors.
But that doesn't make your store compliant. You're the data controller. You decide why customer data is collected and what it's used for. You're responsible for making sure that processing is lawful, that customers are informed, and that you can respond to data requests.
When a merchant's store violates GDPR, regulators go after the merchant. Not Shopify.
What GDPR Actually Requires From You as a Shopify Merchant
GDPR applies to any business that collects or processes personal data of people in the EU, regardless of where the business is based. If your Shopify store sells to EU customers, GDPR applies to you.
1. Lawful Basis for Data Collection
You need a lawful reason for every type of personal data you collect. For most Shopify stores, there are three that matter.
Contract covers data you need to fulfill an order, like a shipping address. Consent covers email marketing lists where the customer has actively opted in. Legitimate interest covers situations where you have a valid business reason that doesn't override the customer's rights.
Email marketing built from checkout signups needs clear consent. Order data collected to ship a product falls under contract. Getting this mapping right is step one before anything else.
2. Privacy Policy
Your privacy policy needs to clearly explain what data you collect, why you collect it, how it's stored, who it's shared with, and how customers can request access to or deletion of their data.
Shopify provides a privacy policy template through its policy generator. That template is a starting point, not a finished document. A store running five third-party apps that each collect customer data needs a policy that reflects all of that. A store that runs email retargeting campaigns needs to say so.
3. Cookie Consent
Cookies that aren't essential for your store to function require consent from EU visitors before they're set: analytics cookies, marketing pixels, retargeting tags, all of it.
Shopify doesn't include a cookie consent banner by default. You need to add one. And the banner needs to appear before any non-essential cookies are set, not after.
The most common mistake we see: stores with a banner that loads after the page and after the marketing pixels have already fired. That's not consent under GDPR. The cookies have to wait for the visitor's decision. If they load first and ask for permission second, you are already in breach.
4. Shopify GDPR Cookie Consent Implementation
There are two ways to handle this on Shopify.
The first is a third-party app. Consentmo, CookieYes, and GDPR Legal Cookie are the most widely used Shopify GDPR apps. They handle banner display, preference storage, and consent logging. They integrate with most themes without custom code and stay updated as regulations change.
The second is a custom implementation using Shopify's Customer Privacy API. This is the developer route. Cookie consent logic is built directly into the theme, and Shopify's native API manages consent status for Shop Pay and other Shopify features. More control over the experience, but it needs a developer to build and maintain it.
In our work with Shopify merchants, apps solve cookie consent faster for most stores. Custom implementation makes sense when the theme is heavily customized, or when app-based solutions cause conflicts or slow the page down.
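As an added example (not code from the article, from Shopify, or from any of the apps named above), here is the gating logic the custom route needs: non-essential tags are not injected until the visitor has decided, and essentials load regardless. The tag registry, the URLs and the inject() callback are illustrative assumptions; the wiring function assumes the theme has already loaded Shopify's Customer Privacy API and uses its shouldShowBanner(), marketingAllowed(), analyticsProcessingAllowed() and preferencesProcessingAllowed() methods and the visitorConsentCollected event.

```javascript
// Consent gate for non-essential tags. Added example; the tag registry,
// the inject() callback and the URLs are illustrative, not Shopify code.
const TAG_REGISTRY = [
  { name: "shop-analytics", category: "analytics", src: "https://example.invalid/analytics.js" },
  { name: "ads-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
  { name: "theme-prefs", category: "preferences", src: "https://example.invalid/prefs.js" },
  { name: "cart-session", category: "essential", src: "https://example.invalid/cart.js" },
];

// consent: { marketing, analytics, preferences } booleans, or null while the
// visitor has not decided. Only "essential" tags may load before a decision.
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry.filter((tag) => {
    if (tag.category === "essential") return true;
    if (consent === null) return false; // no decision yet: keep waiting
    return consent[tag.category] === true; // explicit opt-in only
  });
}

// Injects each permitted tag at most once. inject(src) is the side effect
// (a <script> append in a real theme); injected tracks names already loaded.
function loadTags(consent, inject, injected = new Set(), registry = TAG_REGISTRY) {
  const loaded = [];
  for (const tag of allowedTags(consent, registry)) {
    if (injected.has(tag.name)) continue;
    inject(tag.src);
    injected.add(tag.name);
    loaded.push(tag.name);
  }
  return loaded;
}

// Browser-only wiring to Shopify's Customer Privacy API (assumes the theme has
// already loaded it). Non-essential tags wait for visitorConsentCollected.
function wireToShopify(inject) {
  const cp = globalThis.Shopify && globalThis.Shopify.customerPrivacy;
  if (!cp) return false; // API not available (e.g. outside a Shopify storefront)
  const injected = new Set();
  const read = () => ({
    marketing: cp.marketingAllowed(),
    analytics: cp.analyticsProcessingAllowed(),
    preferences: cp.preferencesProcessingAllowed(),
  });
  // shouldShowBanner() is true until the visitor has answered: load essentials only.
  loadTags(cp.shouldShowBanner() ? null : read(), inject, injected);
  document.addEventListener("visitorConsentCollected", () => loadTags(read(), inject, injected));
  return true;
}
```

A quick way to check a live store is to open the network panel with a fresh profile and confirm that nothing but essential requests fires before the banner is answered.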
5. Customer Data Requests
GDPR gives EU residents the right to request their personal data, the right to have it corrected, and the right to have it deleted. You have 30 days to respond.
For smaller stores, this means a dedicated email address in the privacy policy for data requests and a clear internal process for pulling or deleting customer records in the Shopify admin when a request comes in. Shopify lets you export customer data and delete customer accounts, so the mechanics are there. You just need the process.
For stores with higher volumes, you need more structure. A documented intake process, a response template, and someone responsible for actioning requests on time.
Shopify GDPR Webhooks Explained
Shopify GDPR webhooks are specific webhook topics that fire when data requests come in. There are three.
customers/data_request fires when a customer requests their data. customers/redact fires when a customer requests deletion. shop/redact fires when a merchant requests deletion of their own shop data.
These webhooks are mandatory for any app listed in the Shopify App Store. For merchants, they're the right tool when you have custom integrations or external databases that hold customer data alongside Shopify.
If your store only uses standard Shopify features and doesn't store customer data anywhere outside the platform, the admin tools handle the practical side. If you have external systems with customer data in them, setting up Shopify GDPR webhooks ensures that deletion requests hit every system, not just Shopify.
A UK-based fashion retailer with 80,000 customer records was running a custom loyalty app that stored purchase history in an external database. Deletion requests through Shopify cleared the Shopify records but left the loyalty database untouched. Setting up the customers/redact webhook to trigger deletion in both systems fixed it.
Shopify Data Processing Addendum
The Data Processing Addendum (DPA) is the contract between you as the data controller and Shopify as the data processor. It documents the terms under which Shopify handles personal data on your behalf. GDPR formally requires this kind of agreement when you engage a third-party processor.
Shopify's DPA is available to all merchants. You can accept it through the Shopify admin or request it directly from Shopify. It takes under five minutes. If you're ever asked by a client, partner, or regulator to show documentation of your processor agreements, this is the document you need.
Most small merchants haven't done this. It's worth doing now.
Third-Party Apps and GDPR
Every third-party app you install on your Shopify store potentially has access to customer data. Under GDPR, you're responsible for making sure each app processes that data lawfully.
Before you install any app, check whether it has its own privacy policy that covers what data it accesses. Check whether it stores customer data outside Shopify, and if so, where. Check whether it can respond to data deletion requests if a customer exercises their right to erasure.
This doesn't mean avoiding apps. It means being deliberate about what you install and what access you grant. An email marketing app that stores customer email addresses and purchase history in its own system is a processor relationship. It needs to be documented in the same way your Shopify relationship is.
Conclusion
Shopify does its part well. The platform is GDPR-ready, the infrastructure is secure, and the tools for merchants to manage Shopify GDPR compliance are all there. But the regulation puts obligations on store owners that the platform genuinely can't carry for you.
The practical list for most Shopify merchants isn't long. Review and update the privacy policy. Implement cookie consent that actually waits for the visitor's decision before setting cookies. Set up a process for customer data requests. Accept the DPA. Audit the apps you're running. None of these requires significant technical work for a standard store.
Where things get more complex is when stores have custom integrations, external databases, or heavy app stacks that each touch customer data in different ways. Those situations need a proper audit to map the data flows and close the gaps before they become a problem.
Not sure if your Shopify store is actually GDPR compliant?
Connect with us today. Lucent Innovation is a certified Shopify development agency with 12 years of experience building and optimizing Shopify stores for merchants across the UK, EU, and beyond. We work with store owners to audit compliance gaps, implement cookie consent solutions that work correctly, set up GDPR webhook integrations for custom systems, and build privacy infrastructure that scales with the business.
