As consumers, we’re pretty much in agreement that it’s great to know who holds your personal data and what they do with it.
While these laws only apply to California residents, you never know where your next customer is coming from — so it pays to be proactive and cover all your bases.
In Canada, users’ data is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA). This country-wide law helps inform people about the data that’s collected on them and how it may be used.
Consumers in Europe and the UK benefit from the widely talked-about and often disliked General Data Protection Regulation (GDPR). While some people feel that GDPR is too complicated and difficult to understand, it does provide individuals with strong control over their personal data.
You also need to explain your safeguards for transferring that data outside the EU — which is especially applicable if you’re based in another country, or you use third-party services that are. It’s also important to cover your data retention policy and let people know how they can request and update personal information.
In this section you’ll want to feature the following information:
If you have any other relevant business contact details, include them here too. This might include the specific email address for data requests, or further business addresses for different regions you serve.
Some privacy legislation (such as the GDPR) requires you to state whether or not you’re a data controller. A data controller is someone that “determines the processes and means of processing personal data”. If that’s the case, you’ll want to state clearly that you’re the data controller.
Some of the most popular types of personal data collected include:
Outside of this, you’ll also have ecommerce-specific data that you collect. If you offer the opportunity for people to create an account with you, you’ll be storing usernames and passwords. It’s also likely that you collect more technical personal data — like IP addresses, browser type, device type, and referral data.
It’s not enough for people to simply know which information about them you collect, they also need to know how it falls into your hands in the first place.
Most Shopify store owners gather personal data in two main ways — through the user providing you with this information at checkout, or through collection by third-party tracking cookies from tools like the Facebook Pixel or Google Analytics. You might also collect personal data through a mobile app, if you have one.
You’ll often gain key personal data like names, addresses, email addresses, and payment details directly from your customer or user. Examples of this include:
Personal data can also be collected by third parties, usually through tracking cookies. This type of data is often more technical and relates to an individual’s device, browsing preferences, or history. Examples of how this can be collected include:
It’s worth keeping in mind that personal data doesn’t always come directly from the individual. Someone can easily supply you with another individual’s address — for example, if they’re buying one of your products to be shipped to them as a gift.
Here are some key reasons why you might process personal data:
You also need to tell people how you process their personal data. In practice, this can look like:
Some legislation, like the GDPR, requires you to have a ‘legitimate interest’ to hold and process data. You might find it helpful to detail your legitimate interest for doing this alongside each use within a table. This makes it really clear to people how their data is used, and why you believe you have the right to do this.
When it comes to running a Shopify store, you’re often making use of third-party tools to provide an amazing experience for your customers. Whether that’s to offer a more personalized experience by tailoring social media advertising, or analyzing how customers use your website so you can make future improvements.
Examples of popular third service providers for Shopify users include marketing tools and payment processors, including:
With some legislation, like GDPR, these third parties will be known as ‘data processors’ — and it’s your responsibility to make sure they too have robust privacy policies and treat your customers’ data appropriately.
Most Shopify store owners don’t sell personal information. Indeed, it’s likely a very bad idea, as it’s forbidden in most countries — including those covered by the GDPR.
While most places consider this a no-no, you can do this within the United States. In this case, you need to clearly state the following as per the CCPA:
Seeing as you most likely won’t be selling personal data, you can instead use this section as an opportunity to confirm that to your customers. Without a statement, either way, they may assume their data could end up being sold to the highest bidder.
Most data protection laws don’t cover incentives programs, but in the US the CCPA does. This means that if you offer incentives to users, you need to include the following details:
Wider marketing-related consent also comes into play here, as the GDPR requires users to explicitly provide their consent for marketing. This means it makes sense to include a statement about your incentives program and how it works, even if you’re not sure if CCPA applies to you.
It makes good sense to only hold on to the data you need to keep, for as long as you need to keep it. In this section, outline your approach to personal data retention. Make it clear how long data is held for, and any set timescales you have for this.
Sometimes you’ll need to keep hold of data, like invoices and transactions, in order to fulfil your own accounting, business, or legal requirements. In most cases, you’ll want to retain data for as long as you have an ongoing relationship with the individual — so that you can provide services, ship orders, and provide communication.
Ecommerce lets us operate from anywhere in the world, using services from any country. This means that customer data is often transferred from one location to another.
Some data protection legislation, like GDPR, requires you to share information about data transfer and make sure that any data is properly looked after wherever it goes. This can include stating which countries data is transferred to, and confirming that there are suitable contracts in place to safeguard it.
People will often willingly give you their information and need to in order to do business with you. That’s not the end of the transaction though, as they always have the right to access, change, or request the deletion of their data that you hold.
Most Shopify store owners don’t hold the personal data of children. If that includes you, include a statement here that confirms that to be the case. If you do collect personal data on children, you need to make sure you comply with the Children’s Online Privacy Protection Rule (COPPA). This requires you to confirm how their data is used, and places other requirements on you like collecting parental consent.