As consumers, we’re pretty much in agreement that it’s great to know who holds your personal data and what they do with it.
Why You Need One
It’s a Legal Requirement
While these laws only apply to California residents, you never know where your next customer is coming from — so it pays to be proactive and cover all your bases.
In Canada, users’ data is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA). This country-wide law helps inform people about the data that’s collected on them and how it may be used.
Consumers in Europe and the UK benefit from the widely talked-about and often disliked General Data Protection Regulation (GDPR). While some people feel that GDPR is too complicated and difficult to understand, it does provide individuals with strong control over their personal data.
You also need to explain your safeguards for transferring that data outside the EU — which is especially applicable if you’re based in another country, or you use third-party services that are. It’s also important to cover your data retention policy and let people know how they can request and update personal information.
Rest of World
Shopify Requires You to Have One
Your Identity and Contact Information
In this section you’ll want to feature the following information:
- Business name
- Business address
- Phone number
- Email address
If you have any other relevant business contact details, include them here too. This might include the specific email address for data requests, or further business addresses for different regions you serve.
Some privacy legislation (such as the GDPR) requires you to state whether or not you’re a data controller. A data controller is someone that “determines the processes and means of processing personal data”. If that’s the case, you’ll want to state clearly that you’re the data controller.
Personal Data Collection Categories
Some of the most popular types of personal data collected include:
- Email addresses
- Phone numbers
- Payment information or credit card details
- Billing and shipping addresses
Outside of this, you’ll also have ecommerce-specific data that you collect. If you offer the opportunity for people to create an account with you, you’ll be storing usernames and passwords. It’s also likely that you collect more technical personal data — like IP addresses, browser type, device type, and referral data.
How You Collect Personal Data
It’s not enough for people to simply know which information about them you collect, they also need to know how it falls into your hands in the first place.
Most Shopify store owners gather personal data in two main ways — through the user providing you with this information at checkout, or through collection by third-party tracking cookies from tools like the Facebook Pixel or Google Analytics. You might also collect personal data through a mobile app, if you have one.
You’ll often gain key personal data like names, addresses, email addresses, and payment details directly from your customer or user. Examples of this include:
- Signing up to an email list
- Contacting support or sales with a query
- Making a purchase through checkout
Personal data can also be collected by third parties, usually through tracking cookies. This type of data is often more technical and relates to an individual’s device, browsing preferences, or history. Examples of how this can be collected include:
- Clicking through to your Shopify store from a Facebook Ad
- Discovering your product page from a Pinterest pin
- Taking an action on your site — e.g. visiting a product page
It’s worth keeping in mind that personal data doesn’t always come directly from the individual. Someone can easily supply you with another individual’s address — for example, if they’re buying one of your products to be shipped to them as a gift.
How and Why You Process Personal Data
Here are some key reasons why you might process personal data:
- To fulfil orders and shipments
- To provide customer service and support
- To send out marketing materials (with consent)
- To personalize a user’s shopping experience with you
- To perform market research or obtain feedback
You also need to tell people how you process their personal data. In practice, this can look like:
- Sending text updates about orders
- Sending emails with promotional offers
- Sharing your delivery address and contact details with your fulfilment partner
- Targeting personalized ads on Facebook or Instagram
Some legislation, like the GDPR, requires you to have a ‘legitimate interest’ to hold and process data. You might find it helpful to detail your legitimate interest for doing this alongside each use within a table. This makes it really clear to people how their data is used, and why you believe you have the right to do this.
Who You Share Personal Data With
When it comes to running a Shopify store, you’re often making use of third-party tools to provide an amazing experience for your customers. Whether that’s to offer a more personalized experience by tailoring social media advertising, or analyzing how customers use your website so you can make future improvements.
Examples of popular third service providers for Shopify users include marketing tools and payment processors, including:
- Google Analytics
With some legislation, like GDPR, these third parties will be known as ‘data processors’ — and it’s your responsibility to make sure they too have robust privacy policies and treat your customers’ data appropriately.
Sale of Personal Information
Most Shopify store owners don’t sell personal information. Indeed, it’s likely a very bad idea, as it’s forbidden in most countries — including those covered by the GDPR.
While most places consider this a no-no, you can do this within the United States. In this case, you need to clearly state the following as per the CCPA:
- A disclosure of the sale
- Who you sold the data to
- An opportunity for users to opt-out of the sale
Seeing as you most likely won’t be selling personal data, you can instead use this section as an opportunity to confirm that to your customers. Without a statement, either way, they may assume their data could end up being sold to the highest bidder.
Most data protection laws don’t cover incentives programs, but in the US the CCPA does. This means that if you offer incentives to users, you need to include the following details:
- Information on your incentives program
- How to opt-in or opt-out of the incentives program
Wider marketing-related consent also comes into play here, as the GDPR requires users to explicitly provide their consent for marketing. This means it makes sense to include a statement about your incentives program and how it works, even if you’re not sure if CCPA applies to you.
It makes good sense to only hold on to the data you need to keep, for as long as you need to keep it. In this section, outline your approach to personal data retention. Make it clear how long data is held for, and any set timescales you have for this.
Sometimes you’ll need to keep hold of data, like invoices and transactions, in order to fulfil your own accounting, business, or legal requirements. In most cases, you’ll want to retain data for as long as you have an ongoing relationship with the individual — so that you can provide services, ship orders, and provide communication.
Ecommerce lets us operate from anywhere in the world, using services from any country. This means that customer data is often transferred from one location to another.
Some data protection legislation, like GDPR, requires you to share information about data transfer and make sure that any data is properly looked after wherever it goes. This can include stating which countries data is transferred to, and confirming that there are suitable contracts in place to safeguard it.
Data Subject Rights
People will often willingly give you their information and need to in order to do business with you. That’s not the end of the transaction though, as they always have the right to access, change, or request the deletion of their data that you hold.
- Understand the data that you hold on them
- Access their personal data
- Know about data processing
- Object or consent to data processing
- Opt-out of the sale of data, if applicable
- Make a request to edit or delete some or all of the data you hold
Most Shopify store owners don’t hold the personal data of children. If that includes you, include a statement here that confirms that to be the case. If you do collect personal data on children, you need to make sure you comply with the Children’s Online Privacy Protection Rule (COPPA). This requires you to confirm how their data is used, and places other requirements on you like collecting parental consent.