From providing a customer-friendly live chat function to engaging pop-ups or streamlining shipment and payment processes, third-party apps available in the Shopify store can help scale your business to new heights.
In this article, we will talk about:
- What personal data third-party Shopify apps collect;
- The main privacy law issues to be concerned about;
- Best practices you should follow to ensure GDPR compliance.
Before you get click-happy, adding dozens of apps to your store, it's essential to highlight the implications of adding plugins to your Shopify store.
One of the most common mistakes new Shopify owners make is installing too many Shopify apps without spending the time to evaluate them for trust, usability and cost.
Most third-party apps collect your customers' data, which could include the following:
- IP address
- device ID
- email address
- customer account information (mailing address, phone number, etc.)
- credit card data and more
When third-party Shopify apps access and use your customers' data, you are legally responsible under the GDPR to ensure that personal data is collected and used in compliance with the GDPR.
For example, some Shopify Store owners report that certain apps ask for customer data like IP addresses or website interactions when it's not required for any app features or functionality. This is a red flag to watch out for.
What personal data do third-party Shopify apps collect?
Every Shopify app you install on your store will need access to different data types to provide certain functionality, whether live chat, a marketing automation tool or a personal recommendation app.
For example, while an email marketing tool may work perfectly well with access to email addresses and country of your customers, a personalized recommendation app can ask for access to more types of personal data like IP address, device ID, geolocation and last purchase details to build a more accurate customer profile.
Think, for instance, of Klaviyo, a top-rated eCommerce marketing tool that you can use to send personalized and automated emails and SMS messages.
What is the relationship between Shopify, the Shopify Store Owner and Third-Party App Provider?
As the Shopify store owner, you decide what type of customer data is collected, for what purposes it can be used and how it will be processed. Therefore, you are considered the data controller under the GDPR.
The Shopify platform and the third-party app provider are considered data processors, as they only process personal data on behalf of your business.
However, both Shopify and third-party app owners can be data controllers if they choose to collect and use your customer and store data.
In other words, you and the third-party app provider are either joint controllers, or the data controller and the data processor respectively.
In both cases, you are responsible for ensuring compliance with all GDPR requirements.
It's your responsibility to guarantee that the third-party app providers you're using are compliant with the GDPR and take all necessary security measures to protect data.
What are the main privacy law issues to know?
1. What categories of personal data third-party apps collect
Depending on the functionality a third-party app provides, collecting some types of data may be excessive and unnecessary, exposing you to the risk of a GDPR violation.
For example, suppose you install a simple app to design the sidebar of your Shopify store. In that case, it is unlikely that the third-party app needs access to your customers' contact details for the smooth functioning of the app itself.
On the other hand, an email service platform like Privy would need access to customer data to offer personalized marketing campaigns such as a win-back campaign or abandoned cart. To leverage all of Privy's beneficial features, they will need to access your customer data.
Whether the third-party app provider collects the personal data of your customers as a data controller or processor, it will have to comply with the GDPR standards.
When third-party apps gain access to customers' data, it imposes a higher burden on you for GDPR compliance because now you also have to ensure that the third-party provider complies with the GDPR standards.
For example, suppose you use a payment service app that has access to your customers' data. The app provider will have to take the necessary data security measures, such as encrypting data stored on its servers.
2. How long third-party apps retain personal data
Under the GDPR, data retention periods must be proportionate to the data use, and data should not be stored longer than needed. If third-party apps retain customers' data for longer than necessary or keep it indefinitely, you risk legal action for non-compliance.
3. If the third-party app transfers data to third countries
Some third-party apps may use US-based cloud service providers such as AWS or Microsoft Azure. If that is the case, your customers' data are transferred to the USA. Since the USA is not considered a safe country for international data transfers, you, as data controller, will have to find ways to guarantee that the transfer of personal data to the USA complies with the GDPR.
In most cases, the use of US-based cloud providers is not considered legal under the GDPR. You may have to implement certain additional technical measures such as anonymization or enter into complex contractual agreements.
4. How third-party apps protect personal data
As a data controller, you will have to guarantee that the third-party app provider implements technical and organizational measures appropriate to the type of personal data at hand to prevent data breaches or unauthorized data losses.
Best practices to follow when installing a new Shopify App
Review all permissions and evaluate
When you first install an app, you will be asked to give permission for access to different categories of personal data. It is best to go through each category of data that a third-party app asks to access and evaluate whether collection of customers’ data is necessary.
If you believe that the collection of customers' personal data by a third-party Shopify app is not necessary, you may first want to contact the app developer and ask why the app needs access to customer data.
If you do not get a satisfactory answer and believe that access to your customers’ data is not justifiable, then you can refuse to install the app to protect yourself from any future legal risks.
The most trustworthy and best Shopify Apps will only request what's absolutely necessary.
You need to review the app's privacy policy to understand the following in order to achieve GDPR compliance:
- What type of data the app collects;
- How it uses it;
- Whether it sells personal data to third parties;
- For how long it stores it;
- Whether appropriate technical and organizational measures are taken to protect personal data.
In the data processing agreement (DPA), make sure you set a timeframe for responding to data subject requests such as deletion and change requests. Furthermore, you should include rules and standards on the security measures that the app must implement.
Shopify requires that third-party apps handle GDPR requests, but this is likely not heavily (or quickly) enforced, which is why it's essential to self-educate as a business owner.
Check on the data retention periods
In accordance with the storage limitation under the GDPR, the third-party app should retain personal data only so long as it is necessary and proportionate.
You need to ensure that the DPA includes a clear limit on the retention period.
For example, some third-party apps on the Shopify Store collect personal data but do not set a time limit after which the personal data is erased.
If you have an app installed, check the permissions you provide and revoke them if access to data is not necessary.
Shopify allows you to review permissions you gave earlier and revoke them if need be in two simple steps.
To review the permissions you provided earlier:
- Go to Shopify Admin and click Apps;
- Click "About" beside the app to view the types of personal data you gave the app access to.
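The permission review and the retention check described above can be written down as a repeatable least-privilege audit. The script below is an added example, not code from Shopify or from any app vendor: it takes an inventory of installed apps (constructed sample data), compares each app's requested access scopes with a baseline of what its category plausibly needs, and flags apps that hold excess scopes or have no retention limit in their DPA. The scope names follow Shopify's read_/write_ naming convention; the per-category baseline, the retention limit and the app records are assumptions for illustration.

```python
"""Least-privilege audit of installed third-party Shopify apps (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed baseline: the scopes an app in each category plausibly needs to do its job.
# A theme/sidebar designer has no business reading customer records.
NEEDED_SCOPES: Dict[str, Set[str]] = {
    "theme_design": {"read_themes", "write_themes"},
    "email_marketing": {"read_customers", "read_orders"},
    "live_chat": {"read_customers", "read_orders", "read_products"},
}

# Assumed policy limit: the longest retention period you would accept in a DPA.
MAX_RETENTION_DAYS = 365


@dataclass
class InstalledApp:
    name: str
    category: str
    requested_scopes: Set[str]
    retention_days: Optional[int]  # None means the DPA sets no limit at all


@dataclass
class Finding:
    app: str
    issue: str
    detail: str


def audit_app(app: InstalledApp) -> List[Finding]:
    """Return the findings for one app: excess scopes and weak retention terms."""
    findings: List[Finding] = []
    baseline = NEEDED_SCOPES.get(app.category)
    if baseline is None:
        # No baseline: the reviewer has to assess this app by hand.
        findings.append(Finding(app.name, "unknown_category", app.category))
        return findings

    # Anything requested beyond the baseline is a candidate for refusal or revocation.
    excess = sorted(app.requested_scopes - baseline)
    if excess:
        findings.append(Finding(app.name, "excess_scopes", ", ".join(excess)))

    # Storage limitation: the DPA must state a finite, proportionate retention period.
    if app.retention_days is None:
        findings.append(Finding(app.name, "no_retention_limit", "DPA sets no erasure deadline"))
    elif app.retention_days > MAX_RETENTION_DAYS:
        findings.append(
            Finding(app.name, "retention_too_long", f"{app.retention_days} days > {MAX_RETENTION_DAYS}")
        )
    return findings


def audit_all(apps: List[InstalledApp]) -> List[Finding]:
    """Audit every installed app and return the combined list of findings."""
    return [finding for app in apps for finding in audit_app(app)]


# Constructed sample inventory (hypothetical app names and scope sets).
SAMPLE_APPS = [
    InstalledApp("SidebarDesigner", "theme_design",
                 {"read_themes", "write_themes", "read_customers"}, 30),
    InstalledApp("MailBlast", "email_marketing",
                 {"read_customers", "read_orders"}, None),
    InstalledApp("ChatNow", "live_chat",
                 {"read_customers", "read_orders", "read_products"}, 90),
]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_APPS):
        print(f"{finding.app}: {finding.issue} ({finding.detail})")
```

Run against the sample inventory, the audit flags SidebarDesigner for the unneeded read_customers scope and MailBlast for a DPA with no erasure deadline, while ChatNow passes. Re-running the script whenever an app is installed or updated turns the one-off permission review into a standing control.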
Installing third-party apps on your Shopify store, such as marketing analytics and customer service tools, can bring direct and measurable benefits, but it is not without risks.
Because you are the data controller under the GDPR, it's your responsibility to make sure third-party apps only collect the data they truly need and only use your customers' personal data for legitimate business purposes.